On Fri, 21 Feb 2014 13:09:13 -0700, Nels Lindquist <nli...@maei.ca> wrote:

> I'm attempting to configure Cyrus IMAPD with ldapdb for SASL
> authentication. As I'm using virtual domains, I need users to be able
> to authenticate using their e-mail addresses, or just a bare userid
> for the default domain. I'm having some trouble getting everything
> working[1].
>
> Based on this documentation extract from Cyrus SASL, I've been
> primarily focussing on the OpenLDAP configuration:
>
> "Unlike other LDAP-enabled plugins for other services that are common
> on the web, this plugin does not require you to configure DN search
> patterns to map usernames to LDAP DNs. This plugin requires SASL name
> mapping to be configured on the target slapd. This approach keeps the
> LDAP-specific configuration details in one place, the slapd.conf, and
> makes the configuration of remote services much simpler."
>
> I've set up a number of olcAuthzRegexp entries similar to (from the
> OpenLDAP 2.4 admin guide):
>
> "A more complex site might have several realms in use, each mapping
> to a different subtree in the directory. These can be handled with
> statements of the form:
>
> # Match Engineering realm
> authz-regexp
>   uid=([^,]*),cn=engineering.example.com,cn=digest-md5,cn=auth
>   ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))
>
> # Match Accounting realm
> authz-regexp
>   uid=([^,].*),cn=accounting.example.com,cn=digest-md5,cn=auth
>   ldap:///dc=accounting,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))
>
> # Default realm is customers.example.com
> authz-regexp
>   uid=([^,]*),cn=digest-md5,cn=auth
>   ldap:///dc=customers,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"
>
> However, from what I can determine I'm not getting any realm component
> in the searches coming through. The "default" realm configuration
> works when I use a bare userid to authenticate, but when using a full
> e-mail address, that comes through as
> "uid=exam...@example.com,cn=[authmech],cn=auth".
>
> That said, I haven't found a LogLevel which includes AuthzRegexp
> processing; I've tried various settings, but the closest I've come is
> logging the resulting bind requests (e.g. BIND
> dn="uid=example,ou=people,dc=example,dc=com" mech=DIGEST-MD5
> sasl_ssf=128 ssf=128).
>
> So my question is, how is the realm determined in such a scenario?
> Do I need to design olcAuthzRegexp entries to determine the realm
> based on the e-mail address supplied? If so, how does that
> information get passed back to Cyrus IMAPD so that the correct
> virtual domain is selected? Is there an appropriate olcLogLevel to
> see detailed olcAuthzRegexp processing?
>
> I'd be grateful for any suggestions or references to documentation,
> etc. I've done some searching of the mailing list archives to little
> avail.
>
> In case it matters, this is on CentOS 6.5 (x86_64) with stock OpenLDAP
> 2.4.23 and Cyrus SASL 2.1.23 packages, plus Cyrus IMAPD 2.4.17 built
> from Simon Matter's SRPM.
>
> [1] I *am* able to get authentication + virtual domains working with
> saslauthd, but I'd like to be able to support non-plaintext auth
> mechanisms.

First, you should enable proxy authentication by authz-policy, and create
and define a proxy user as part of the ldapdb configuration. In order to
pass mail attribute values instead of uid values, you may define

authz-regexp uid=(.*),cn=.*,cn=auth ldap:///dc=example,dc=com??sub?mail=$1

For this, the mail attribute must be indexed.

-Dieter

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
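The question turns on how slapd picks an authz-regexp rule for a given SASL authentication identity, and why an e-mail-style login such as `uid=jdoe@example.com,cn=digest-md5,cn=auth` falls through to the "default realm" rule when no rule is written for it. The following is an added illustration written for this reply; it is not code from the thread, from OpenLDAP or from Cyrus. It simulates the first-match, ordered evaluation of a constructed rule table (the domain names, subtrees and the `mail=` rule are assumptions), with patterns treated as anchored extended regexps matched case-insensitively and `$1..$9` substituted from the captures, which is the behaviour the admin guide extract describes.

```python
import re

# Constructed rule table for illustration only (not a real slapd.conf).
# slapd tries authz-regexp rules in order and takes the first whose pattern
# matches the SASL authentication identity; the captures replace $1..$9 in
# the LDAP URL that follows.
RULES = [
    # 1. Login given as an e-mail address: search the whole tree on the mail
    #    attribute (the attribute should be indexed for this to be cheap).
    (r"^uid=([^,]*@[^,]*),cn=[^,]*,cn=auth$",
     "ldap:///dc=example,dc=com??sub?(&(mail=$1)(objectClass=person))"),
    # 2. Realm carried in the auth DN (DIGEST-MD5 with an explicit realm).
    (r"^uid=([^,]*),cn=engineering\.example\.com,cn=digest-md5,cn=auth$",
     "ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"),
    # 3. Default realm: bare userid, any mechanism.
    (r"^uid=([^,]*),cn=[^,]*,cn=auth$",
     "ldap:///dc=customers,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"),
]


def map_authcid(authcid, rules=RULES):
    """Return (rule_index, ldap_url) for the first matching rule, or None."""
    for index, (pattern, template) in enumerate(rules):
        m = re.match(pattern, authcid, re.IGNORECASE)
        if not m:
            continue
        url = template
        # Substitute the highest-numbered capture first so "$1" never
        # clobbers a "$10" in templates with many groups.
        for n in range(len(m.groups()), 0, -1):
            url = url.replace(f"${n}", m.group(n))
        return index, url
    return None


if __name__ == "__main__":
    # Constructed sample identities in the form the ldapdb plugin hands to slapd.
    for authcid in (
        "uid=jdoe,cn=digest-md5,cn=auth",                             # bare userid
        "uid=jdoe,cn=engineering.example.com,cn=digest-md5,cn=auth",  # realm in DN
        "uid=jdoe@example.com,cn=digest-md5,cn=auth",                 # e-mail login
    ):
        print(authcid, "->", map_authcid(authcid))
    # Without the e-mail rule (the situation in the question) the e-mail login
    # falls through to the default-realm rule and the whole address is searched
    # as uid=jdoe@example.com under dc=customers, which finds nothing.
    print(map_authcid("uid=jdoe@example.com,cn=digest-md5,cn=auth", rules=RULES[1:]))
```

Two things the simulation makes visible: rule order decides the outcome, so the e-mail rule has to precede the bare-userid rule, and a catch-all such as `uid=(.*),cn=.*,cn=auth` placed first would also swallow bare userids and search `mail=jdoe`. Keeping `[^,]*` instead of `.*` in the captures stops a login name from matching across DN components. Which rule fired is not something slapd logs directly, which is consistent with the poster only ever seeing the resulting BIND lines.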