Re: cyrus accounts and monitoring activity/usage

2003-08-28 Thread Kervin L. Pierre
Have cyrus log to syslog if you haven't.  Then use one of the many 
syslog parsing packages to gather those stats.

Actually, a simple perl script on /var/log/messages would work.

Or maybe get/write an extension to logwatch ( http://logwatch.org ) 
that'll gather those stats.

joe ritter wrote:

Hello,
Some time ago we began offering some free email
accounts. We are using Cyrus/Squirrelmail and
Sendmail.
I am interested in looking at stats such as users that
have never logged in, users that have accessed their
account in the last 30 days, 60 days and 90 days etc.
We are using auxprop and sasldb2 for authentication. I
wanted to see from some of you what the best way to
get this data is. I also wanted to see how some of you
were going about this for reporting and account
deletion. I am sure there are some gotchas involved.
Thanks in advance.
--


Kervin Pierre
http://kervin.net/

[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
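As an added illustration of the syslog-parsing approach suggested above (not code from this thread): a Python script that reads Cyrus imapd/pop3d login lines, keeps each user's most recent successful login and buckets an account list into the never / 30 / 60 / 90-day categories Joe asked about. The log lines, the account list and the clock time NOW are constructed samples, and the login line format is modelled on what Cyrus 2.x writes to syslog.

```python
import re
from datetime import datetime

# Constructed sample of syslog lines from Cyrus imapd/pop3d. Syslog gives no
# year, and "badlogin:" lines (failed authentication) must not count as use.
SAMPLE_LOG = """\
Aug 26 10:01:12 mail imapd[1234]: login: pc1.example.net [192.0.2.10] alice plaintext User logged in
Jul 10 08:13:45 mail pop3d[1250]: login: [192.0.2.11] bob plaintext
May 20 23:59:01 mail imapd[1300]: login: pc3.example.net [192.0.2.12] carol plaintext User logged in
Aug 27 11:02:03 mail imapd[1301]: badlogin: pc4.example.net [192.0.2.13] plaintext dave SASL(-13): authentication failure
Aug 27 12:00:00 mail imapd[1302]: login: pc1.example.net [192.0.2.10] alice plaintext User logged in
Jun 25 08:13:45 mail imapd[1303]: login: pc6.example.net [192.0.2.16] frank plaintext User logged in
Dec 31 09:00:00 mail imapd[1400]: login: pc7.example.net [192.0.2.17] gus plaintext User logged in
"""

# Constructed "current time" for the report; a real script would use datetime.now().
NOW = datetime(2003, 8, 28, 12, 0, 0)

# Successful logins only: the hostname before the [ip] is optional, since
# syslog shows just "[ip]" when reverse lookup fails.
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?:imapd|pop3d)\[\d+\]: login: (?:\S+ )?\[[^\]]+\] (?P<user>\S+) "
)


def parse_logins(log_text, year, now):
    """Return {user: datetime of the most recent successful login}.

    Syslog stamps carry no year, so `year` is assumed; a stamp that would lie
    in the future relative to `now` is taken to belong to the previous year
    (log rotated across New Year)."""
    last = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # badlogin, other daemons, unrelated lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if ts > now:
            ts = ts.replace(year=year - 1)
        user = m["user"].split("@", 1)[0]  # drop a realm suffix if one is logged
        if user not in last or ts > last[user]:
            last[user] = ts
    return last


def activity_report(accounts, last_login, now):
    """Bucket accounts by days since last login: never / 30 / 60 / 90 / older."""
    report = {"never": [], "30": [], "60": [], "90": [], "older": []}
    for user in sorted(accounts):
        ts = last_login.get(user)
        if ts is None:
            report["never"].append(user)
            continue
        age = (now - ts).days
        bucket = "30" if age <= 30 else "60" if age <= 60 else "90" if age <= 90 else "older"
        report[bucket].append(user)
    return report


if __name__ == "__main__":
    # The account list would come from sasldblistusers2 or the LDAP directory.
    accounts = ["alice", "bob", "carol", "dave", "erin", "frank", "gus"]
    for bucket, users in activity_report(accounts, parse_logins(SAMPLE_LOG, 2003, NOW), NOW).items():
        print(f"{bucket:>5}: {', '.join(users) or '-'}")
```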


2.2a, virtual domains and squirrelmail

2003-04-02 Thread Kervin L. Pierre
Has anyone tried using squirrelmail with 2.2 virtual domains and got it 
to work with a mailbox on a virtual domain?

http://www.squirrelmail.org/


financial support - Re: Per-Domain-Quota in 2.2 with virtual domains turned on ?

2003-01-21 Thread Kervin L. Pierre
Rob Siemborski wrote:

doc/readme.html:

   If you wish to provide financial support to the Cyrus Project, send a
   check payable to "Carnegie Mellon University" to
  Project Cyrus
  Computing Services
  Carnegie Mellon University
  5000 Forbes Ave
  Pittsburgh, PA 15213
  USA

I'm not sure it can be stated more clearly than that.



With a prominent link on the website, and the ability to use paypal or 
credit card?




Re: Per-Domain-Quota in 2.2 with virtual domains turned on ?

2003-01-20 Thread Kervin L. Pierre
Ken Murchison wrote:

The biggest problem here is that once again there is no incentive to do
so.  Neither I nor CMU have any (current) use for the virtdomain code. 
I did the current implementation because I got sick of hearing all of
the bitching on the list about the lack of support.

What bothers me most is that those people who can benefit the most from
such support (eg, ISPs), don't seem willing to either pay for such
support (either past or future work) or do the work themselves.


Hey, just got round to reading this.

Not a flame, I agree.

I'm not really in a position to offer support financially, but I think 
part of the problem is that there isn't an advertised way to financially 
support Cyrus development.

Maybe your organization could offer a product based on cyrus, and 
promote buying that as one way to support cyrus.  Or maybe a donation 
page can be setup?

Just a few suggestions.

--Kervin



PHP Cyradm extension - Re: Add mailbox automatically

2003-01-01 Thread Kervin L. Pierre

Thanks. I didn't know you could do that.

BTW, I browsed the PHP manual for more IMAP stuff and came across a 
Cyradm extension http://www.php.net/manual/en/ref.cyrus.php .

It is undocumented.  Has anyone used this extension with success?

--Kervin



Scott Russell wrote:
On Wed, Jan 01, 2003 at 05:16:12PM -0500, Kervin L. Pierre wrote:


Just a thought,

I am working on some PHP scripts to manage mailboxes and I have to use 
passthrough calls to execute cyradm to add mailboxes.

I'd like to avoid opening a shell from the web for security and 
performance reasons.



Here's a PHP function that I use to create user mailboxes with. It
could use some clean up but it works for us. Beware line wraps.

function imap_acct_create ($mailbox, $quota="") {
    // creates user.$mailbox in cyrus 2.1.5
    global $imap_error;
    // Reject anything but a plain local-part: the name is spliced into a
    // mailbox path, so '.', '*', '%' or whitespace arriving from a web
    // form must not get through.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $mailbox)) {
        $imap_error = "invalid mailbox name";
        return FALSE;
    }
    // half-open connection as the cyrus admin user ("passwd" stands for
    // the admin password; keep it out of web-readable files)
    $imap = @imap_open("{localhost:143/imap/notls}", "cyrus", "passwd", OP_HALFOPEN);
    if (!$imap) {
        $imap_error = imap_last_error();
        return FALSE;
    }
    // create the new top level mailbox
    $ret = @imap_createmailbox($imap, "{localhost}user." . $mailbox);
    if (!$ret) {
        $imap_error = imap_last_error();
        @imap_close($imap);
        return FALSE;
    }
    // if needed, set the account quota (imap_set_quota expects an integer, in KiB)
    if ($quota != "") {
        $ret = @imap_set_quota($imap, "user." . $mailbox, (int) $quota);
        if (!$ret) {
            $imap_error = imap_last_error();
            @imap_close($imap);
            return FALSE;
        }
    }
    @imap_close($imap);
    // if we get here everything worked
    return TRUE;
}








Re: saslauthd performance anxiety

2003-01-01 Thread Kervin L. Pierre
[EMAIL PROTECTED] wrote:

directory it's binding to is quite slow (it's actually a slapd instance
running a shell backend which routes bind requests to different places
depending on the usercode - don't ask...). Because saslauthd makes


Maybe you should seriously consider moving from back-shell to back-perl, 
which you can optimize much more and is probably quicker right off the 
bat, since it does not spawn a separate process for the interpreter.

Better still, have you thought of back-meta or back-ldap?  These were 
designed for ldap routing.

I suspect you're optimizing the wrong bottleneck.





Add mailbox automatically

2003-01-01 Thread Kervin L. Pierre
Just a thought,

I am working on some PHP scripts to manage mailboxes and I have to use 
passthrough calls to execute cyradm to add mailboxes.

I'd like to avoid opening a shell from the web for security and 
performance reasons.

So what if a valid login to cyrus created a mailbox if one did not 
exist?  I.e. do a 'cm $login' if sasl or saslauthd reports that $login 
and its password succeeded.

That way all a sysadmin using LDAP would have to do is do an ldap_add() 
to create a mailbox.  This would be true for MySQL users as well.






Re: someoone are using saslauthd+ldaps?

2002-12-29 Thread Kervin L. Pierre
Another option is to run a LDAP replica on your email server.  Configure 
replication to use tls.

Configure saslauthd to connect to localhost ( 127.0.0.1 specifically ). 
With this, encryption is not necessary.

You get a substantial speed increase, as you save encryption plus ldap 
lookups over the network.

--Kervin


Oliver Jones wrote:
I've been trying to use saslauthd with pam and ldap+tls (ldaps) but I'm 
having saslauthd core dump on me.  It might be worthwhile avoiding 
pam_ldap altogether and just use saslauthd's native ldap support.

Regards

On Sun, 2002-12-29 at 03:42, Felix Cuello wrote:

Hello!

 I'm working with saslauthd+pam+ldaps, but in theory saslauthd could
 work with LDAPS without pam authentication.

 Is anyone using saslauthd + ldaps? My saslauthd works fine
 with LDAP but not with LDAPS...

 Felix


--
Oliver Jones, Senior Software Engineer, Deeper Design Limited.
[EMAIL PROTECTED]  www.deeperdesign.com  +64 (21) 41-2238









Re: saslauthd, ldap, login incorrect :(

2002-11-07 Thread Kervin L. Pierre

saslauthd+ldap is very reliable for me.  I had this one issue which 
seemed to occur when I restarted OpenLDAP, but I think that's been fixed in CVS.

Maybe you should upgrade LDAP to 2.1.x series?

Try running ethereal and listening to the ldap traffic when the bad 
logins occur.  Or running OpenLDAP with extra logging.

--Kervin


Felix Cuello wrote:
Hello!

   I'm actually working with Cyrus 2.1.9 and sasl2.1.9 and sometimes
   (solved the entropy problem) my POP server returns
   incorrect username or password. Could it be because I'm using the ldap
   beta support of saslauthd? I'm working with LDAP 2.0.23.

   Thanks a lot!

   Felix







Re: How stable is 2.2?

2002-10-25 Thread Kervin L. Pierre
I've been using it for a week or two in production, no serious issues yet.

--Kervin

Tarjei Huse wrote:

Hi,

I'm going to upgrade my server in a few weeks, and in that respect, I'm 
considering going all the way to 2.2. How stable is 2.2 now?
Tarjei






Re: LDAP Howto??

2002-10-25 Thread Kervin L. Pierre
You don't need one :)

Since LDAP is only used for authentication ( at least currently ), you 
only need to configure SASL to look to LDAP for auth, and have Cyrus use 
saslauthd feature.  Cyrus is configured as normal.

saslauthd comes with a nice document on configuring for LDAP, it is in 
the saslauthd directory of the cyrus source.  It's a straightforward 
process, no schema changes are necessary.  Igor did a good job on this.

--Kervin


Gregory Chagnon wrote:
Does anyone have any good resources for integrating Cyrus with 
OpenLDAP?  I could use any help!  Thanks!!
-GC







Re: sendmail problem

2002-10-23 Thread Kervin L. Pierre
Look at /var/log/maillog.  It should give you a brief message on why 
the message was deferred.

eg.
 dsn=4.0.0, stat=Deferred: Connection timed out with mail.domain.com

--Kervin


Dan Bishop wrote:
Need some help.  Email began acting up yesterday (or over the weekend). 
We can receive messages OK but we are having problems sending messages. 
Most don't get sent and the few that do take 3-5 minutes (in Messenger) 
to send.

Linux Redhat, Sendmail & Cyrus on the Linux side
Netscape Messenger (some Outlook) & IMP (webmail) on the client side.
Novell 5.0 & BorderManager 3.0 on the network.

Webmail sends messages, but Messenger & Outlook do not.

I tried to flush the mail queue but it does not work.  I type "sendmail 
-v -q" at the terminal and we get the message:

Running /var/spool/mqueue/(a message number) (sequence 1 of 66)
... Connecting to cyrus...
... Deferred

If I use Webmin in a browser, and click on the button "Flush Mail Queue" 
it brings up the following:

Forcing the attempted delivery of mail with the command 
/usr/sbin/sendmail -v -q ..

Running /var/spool/mqueue/g9MINvR03821 (sequence 1 of 67)
<[EMAIL PROTECTED]>... Connecting to cyrus...
<[EMAIL PROTECTED]>... Deferred


What does the "Deferred" message mean?  And why the difference in number 
of messages (66 or 67)?  There are more messages in /var/spool/mqueue. 
Should they not be included in the total number of messages above, in 
the "queue"?

We have restarted sendmail a number of times, and have even gone so far 
as to restart Linux.  But all to no avail.

I am headed home for the night (to see what I can find on the Internet), 
but thought to post this message before I leave.







Re: ldap saslauthd minor issue

2002-10-23 Thread Kervin L. Pierre
ok.

Well, something else caused saslauthd to lose its connection and start 
searching as anonymous.  I'm sure I did not change the configuration, 
and restarting saslauthd fixed the problem.

--Kervin

Igor Brezac wrote:
On Wed, 23 Oct 2002, Kervin L. Pierre wrote:



If the ldap server goes offline temporarily, and saslauthd binds with a
special user, when the ldap server gets back online, saslauthd tries to
use anonymous instead of the privileged user.



No.  "anonymous" in the code means whatever you passed as lak_bind_dn.



Or so it looks like on my machine.

So I guess whenever the ldap server is restarted saslauthd will need to
be restarted as well?




You do not need to restart saslauthd.  saslauthd will reconnect when the
ldap server(s) comes back online.  I tested this quite extensively with
both auth methods.

-Igor







ldap saslauthd minor issue

2002-10-23 Thread Kervin L. Pierre

If the ldap server goes offline temporarily, and saslauthd binds with a 
special user, when the ldap server gets back online, saslauthd tries to 
use anonymous instead of the privileged user.

Or so it looks like on my machine.

So I guess whenever the ldap server is restarted saslauthd will need to 
be restarted as well?

--Kervin



Re: Sendmail-8.12 + cyrus 2.0.16 question/problem

2002-10-21 Thread Kervin L. Pierre
AFAIK,

The MTA ( sendmail ) knows nothing about the mailbox, that's the MDA's 
job.  Sendmail will use the MDA to figure out if there's a mailbox or 
not, using the delivery program requested: '/bin/mail' for MAILER(local), 
'deliver' for MAILER(cyrus).

I don't think the MTA has any other way of knowing if a mailbox exists 
other than if the MDA reports that.

Sendmail only routes the mail.  If it figures the mail belongs on the 
local box, it will pass it to the MDA, unless you say otherwise in a 
map, eg. /etc/alias.

I just checked and sendmail sends me a 550 if I send mail to a user that 
does not exist.  But the 550 is returned only *after* sendmail passes 
the mail to cyrus for delivery and cyrus rejects it.

Try checking your imapd.log file to see what cyrus is doing.

--Kervin



Jeff Wilde wrote:

I realize that, but shouldn't sendmail not accept the e-mail if the
mailbox doesn't exist before it passes it to lmtp, since this is the
delivery agent?  That is where my confusion lay.  If a mailbox 
doesn't exist I wouldn't want to spool the mail and attempt delivery 
after the fact, if that makes sense.  I mean the account doesn't even exist.

Jeff

-Original Message-
From: [EMAIL PROTECTED]
[mailto:owner-info-cyrus@;lists.andrew.cmu.edu] On Behalf Of Joe Rhett
Sent: Friday, August 09, 2002 4:39 PM
To: Jeff Wilde
Cc: [EMAIL PROTECTED]
Subject: Re: Sendmail-8.12 + cyrus 2.0.16 question/problem


Sendmail will accept it, then forward it on to Cyrus which will reject
it. SMTP != LMTP.  You can test the final delivery using
	/path/to/cyrus/bin/deliver -l

On Fri, Aug 09, 2002 at 10:50:42AM -0500, Jeff Wilde wrote:

>I am having a hard time figuring this one out.  I am not getting 550
>user unknown commands when I introduce cyrus as my mailer program.  I
>should get a 550 without having sendmail accept the mail.  Here is
>what I'm expecting followed by what is happening:
>
>220 coredump.host.com ESMTP server ready at Fri, 9 Aug 2002 10:26:11 -0500
>
>EHLO newton.host.com
>
>250-coredump.host.com Hello newton.host.com [206.145.48.1], pleased to meet you
>250-ENHANCEDSTATUSCODES
>250-PIPELINING
>250-8BITMIME
>250-SIZE 5242880
>250-DSN
>250-ETRN
>250-DELIVERBY
>250 HELP
>
>MAIL From: SIZE=13351
>
>250 2.1.0 ... Sender ok
>
>RCPT To:
>
>550 5.1.1 ... User unknown
>
>This is what cyrus introduction gives me:
>
>EHLO newton.pconline.com
>
>250-web.host.com Hello newton.host.com [206.145.48.1], pleased to meet you
>250-ENHANCEDSTATUSCODES
>250-PIPELINING
>250-8BITMIME
>250-SIZE 5242880
>250-DSN
>250-ETRN
>250-DELIVERBY
>250 HELP
>
>MAIL From: SIZE=13342
>
>250 2.1.0 ... Sender ok
>
>RCPT To:
>
>250 2.1.5 ... Recipient ok
>
>DATA
>
>354 Enter mail, end with "." on a line by itself
>
>.
>
>250 2.0.0 g79FkfQu01 Message accepted for delivery
>
>I would really like the 550 to come out if a user doesn't exist.
>
>A) is this possible
>B) What is limiting this or is it my config?
>
>Sendmail.mc
>
>divert(0)dnl
>VERSIONID(`$Id: generic-linux.mc,v 8.1 1999/09/24 22:48:05 gshapiro Exp $')
>OSTYPE(linux)dnl
>define(`confBIND_OPTS',`-DNSRCH -DEFNAMES')
>define(`confTO_IDENT',`0')
>dnl setting cyrus as the trusted user will make it easier to pass
>dnl Sendmail's safefile checks.  however, it means that someone with the
>dnl "cyrus" password could easily become root.
>dnl define(`confTRUSTED_USER', `cyrus')
>
>define(`confLOCAL_MAILER', `cyrus')
>define(`confSMTP_LOGIN_MSG',`$j server ready at $b')dnl
>define(`confPRIVACY_FLAGS',`goaway')dnl
>define(`confMAX_MESSAGE_SIZE',5242880)dnl
>
>FEATURE(`nocanonify')
>FEATURE(`always_add_domain')
>FEATURE(`use_cw_file')
>FEATURE(`virtusertable')
>FEATURE(`access_db')
>FEATURE(`dnsbl',`rbl-plus.mail-abuse.org',`RBLed, See http://www.mail-abuse.org/')dnl
>FEATURE(`delay_checks')dnl
>
>DOMAIN(generic)dnl
>MAILER(local)dnl
>MAILER(smtp)dnl
>MAILER(cyrus)dnl
>
>LOCAL_CONFIG
>CPprocmail
>
>MAILER_DEFINITIONS
>Mcyrus, P=[IPC], F=lsDFMnqA@/:|SmXz, E=\r\n,
>S=EnvFromL, R=EnvToL/HdrToL, T=DNS/RFC822/X-Unix,
>A=FILE /usr/local/mail/socket/lmtp
>
>Mprocmail,  P=/usr/bin/procmail, F=DFMmShun, S=11/31, R=21/31,
>T=DNS/RFC822/X-Unix,
>A=procmail -m $h $g $u
>
>LOCAL_RULE_0
>Rbb + $+ < @ $=w . >$#cyrus $: + $1
>
>Where should I be looking?
>
>Thanx in advance
>
>
>Jeff
>







Re: sasl 2.1.9 + LDAPS problem

2002-10-19 Thread Kervin L. Pierre
Did you say ldapsearch worked on the commandline?

'-d -1' if you want all the debug info.

You can also use the openssl commands s_server and s_client for 
debugging ldaps.  That's probably more helpful than ethereal.  'man 
s_server' and 'man s_client' for more info.

PS. For speed, if you have a busy mail server or you're paying for the 
bandwidth ldap uses, how about running a replica on your mail server and 
have saslauthd use '-H ldap://127.0.0.1/' or 'ldapi://' to connect to 
it.  You can use ldaps for replication.  This should speed-up your 
config considerably.

--Kervin


Igor Brezac wrote:
On Wed, 16 Oct 2002, Felix Cuello wrote:



Here are the stdout of slapd. What do you think?




Hmmm, unfortunately this is not telling me much.  It indicates that a
connection came in, but it is not an ldaps session.  Did you run a
saslauthd/ldaps session?  You should see a lot more debug info including
TLS trace.

I just tested saslauthd/ldaps on sasl-2.1.9 and it works fine.  I used
openldap 2.1.6 (server and API) which should be more difficult to setup
because openldap 2.1 API verifies the server certificate and 2.0 does not.
Someone please correct me if I am wrong. ;)

-Igor




thanks for your time and patience!

Felix



@(#) $OpenLDAP: slapd 2.0.23-Release (Thu Feb 21 12:43:53 EST 2002) $
   [EMAIL PROTECTED]:/usr/src/build/73902-i386/BUILD/openldap-2.0.23/build-krb5/servers/slapd
daemon_init: listen on ldap:///
daemon_init: listen on ldaps:///
daemon_init: 2 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: socket() failed errno=97 (Address family not supported by protocol)
daemon: initialized ldap:///
ldap_url_parse_ext(ldaps:///)
daemon: socket() failed errno=97 (Address family not supported by protocol)
daemon: initialized ldaps:///
daemon_init: 2 listeners opened
slapd init: initiated server.
slap_sasl_init: initialized!
slapd startup: initiated.
slapd starting
ldap_pvt_gethostbyname_a: host=upsoluciones, r=0
daemon: conn=0 fd=10 connection from IP=200.69.213.9:1478
(IP=0.0.0.0:31746) accepted.




Re: passing envelope recipient with sendmail

2002-10-17 Thread Kervin L. Pierre
Christian, thanks for the tip.  I tried it, but it did not work by itself.

I had to edit the generated cf file and under the 'Parse1' part of 'Rule 
0', change...

R$+ < @ $=w . > $#cyrusv2 $: $1 regular local name

To...

R$+ < @ $=w . > $#cyrusv2 $:  $1 < @ $2 . > regular local name

I have no idea what this change breaks :) but it seems to be the only 
way I can get sendmail to pass the full address to cyrus.

--Kervin


Christian Schulte wrote:

Kervin L. Pierre wrote:

> Hi,
>
> The virtual server doc says...
>
> Delivering mail
>
> To deliver mail to your virtual domains, configure your MTA so that
> the envelope recipient (RCPT TO) passed to lmtpd is fully qualified
> with the correct domain.
>
> What does this equate to in terms of sendmail configuration?  Sendmail
> passes the recipients address without the domain part for me, and thus
> the mail bounces.
>
> thanks,
> --Kervin
>
You have to change your cyrusv2.mc file:


S=EnvFromSMTP/HdrFromL, R=EnvToSMTP/HdrToSMTP, E=\r\n,


Change the rules and it will work!








passing envelope recipient with sendmail

2002-10-16 Thread Kervin L. Pierre

Hi,

The virtual server doc says...

Delivering mail

To deliver mail to your virtual domains, configure your MTA so that the 
envelope recipient (RCPT TO) passed to lmtpd is fully qualified with the 
correct domain.

What does this equate to in terms of sendmail configuration?  Sendmail 
passes the recipients address without the domain part for me, and thus 
the mail bounces.

thanks,
--Kervin




Re: [patch] search domain from %u

2002-10-15 Thread Kervin L. Pierre

Hi,

I have a newer version at http://my.fit.edu/~kpierre/lak.c.3.patch

I added the ability to have a default domain context, for the case a 
user logs into the default domain and you are using the domain context 
macro.

PS.  Thanks for adding ldap support to saslauthd in the first place. 
This is the second time I'm using your code ( first with the solaris 
openldap conf site ), so I feel like I owe you a check or something :)

--Kervin


Igor Brezac wrote:

> On Mon, 14 Oct 2002, Kervin L. Pierre wrote:
>
>
> >I modified the patch to take the search domain from the username %u, for
> >virtual server environments.
> >
> >http://my.fit.edu/~kpierre/lak.c.2.patch
> >
> >PS.  I am not having luck with the global search ( ie. the current
> >method, -b "" ), I keep getting object not found although a search under
> >a specific domain context works ( ie. -b "ou=..." ).
> >
>
>
> You are telling openldap to search a wrong backend (among other things,
> -b"" is used to search rootDSE).
>
>
> >Let me know what you think
> >
>
>
> I'll integrate the patch and submit it to Rob.
>
> -Igor
>
>
> >--Kervin
> >
> >
> >Igor Brezac wrote:
> >
> >
> >>On Mon, 14 Oct 2002, Kervin L. Pierre wrote:
> >>
> >>
> >>>Hi,
> >>>
> >>>attached is a patch to cyrus/saslauthd/lak.c to allow it to expand '%d'
> >>>macro in ldap_search_base option to the domain context derived from the
> >>>realm '%r'.
> >>>
> >>>eg.
> >>>
> >>>ldap_search_base: ou=people, %d
> >>>in saslauthd.conf
> >>>
> >>>if realm is 'domain.tld', the ldap search base will expand to
> >>>'ou=people,dc=domain,dc=tld'
> >>>
> >>>Does imapd always provide the realm in a virtual server environment when
> >>>authenticating users?  Is it safe to assume that the realm is
> >>>'domain.tld' or more specifically the domain given to mkimap script?
> >>>
> >>>Is this correct/incorrect/unnecessary?
> >>>
> >>
> >>In most cases an organization will have one realm.  Realms should not be
> >>confused with domains. In virtual domain setup, %u will look like
> >>[EMAIL PROTECTED] and unless you setup a realm, %r will be blank.  So,
> >>%d is not necessary in this case.
> >>
> >
> >
> >
>





Re: [patch] search domain from %u

2002-10-14 Thread Kervin L. Pierre


I modified the patch to take the search domain from the username %u, for 
virtual server environments.

http://my.fit.edu/~kpierre/lak.c.2.patch

PS.  I am not having luck with the global search ( ie. the current 
method, -b "" ), I keep getting object not found although a search under 
a specific domain context works ( ie. -b "ou=..." ).

Let me know what you think

--Kervin


Igor Brezac wrote:

>
> On Mon, 14 Oct 2002, Kervin L. Pierre wrote:
>
> >
> > Hi,
> >
> > attached is a patch to cyrus/saslauthd/lak.c to allow it to expand '%d'
> > macro in ldap_search_base option to the domain context derived from the
> > realm '%r'.
> >
> > eg.
> >
> > ldap_search_base: ou=people, %d
> > in saslauthd.conf
> >
> > if realm is 'domain.tld', the ldap search base will expand to
> > 'ou=people,dc=domain,dc=tld'
> >
> > Does imapd always provide the realm in a virtual server environment when
> > authenticating users?  Is it safe to assume that the realm is
> > 'domain.tld' or more specifically the domain given to mkimap script?
> >
> > Is this correct/incorrect/unnecessary?
> >
>
> In most cases an organization will have one realm.  Realms should not be
> confused with domains. In virtual domain setup, %u will look like
> [EMAIL PROTECTED] and unless you setup a realm, %r will be blank.  So,
> %d is not necessary in this case.
>





Re: [patch]saslauthd+ldap+virtual_domains

2002-10-14 Thread Kervin L. Pierre

Thanks for the clarification,

How about an option to extract the domain context from %u for the search 
base? ie. The option derive %d from %u instead of %r

I think there's an opportunity to greatly improve the search times.  The 
global search may have to go through hundreds of thousands of records, 
while a more directed search may just be single scope search with a few 
hundred records to look at.

Thanks,
--Kervin


Igor Brezac wrote:

>
> On Mon, 14 Oct 2002, Kervin L. Pierre wrote:
>
> >
> > Hi,
> >
> > attached is a patch to cyrus/saslauthd/lak.c to allow it to expand '%d'
> > macro in ldap_search_base option to the domain context derived from the
> > realm '%r'.
> >
> > eg.
> >
> > ldap_search_base: ou=people, %d
> > in saslauthd.conf
> >
> > if realm is 'domain.tld', the ldap search base will expand to
> > 'ou=people,dc=domain,dc=tld'
> >
> > Does imapd always provide the realm in a virtual server environment when
> > authenticating users?  Is it safe to assume that the realm is
> > 'domain.tld' or more specifically the domain given to mkimap script?
> >
> > Is this correct/incorrect/unnecessary?
> >
>
> In most cases an organization will have one realm.  Realms should not be
> confused with domains. In virtual domain setup, %u will look like
> [EMAIL PROTECTED] and unless you setup a realm, %r will be blank.  So,
> %d is not necessary in this case.
>





[patch]saslauthd+ldap+virtual_domains

2002-10-14 Thread Kervin L. Pierre


Hi,

http://my.fit.edu/~kpierre/lak.c.1.patch
patch to cyrus/saslauthd/lak.c to allow it to expand '%d'
macro in ldap_search_base option to the domain context derived from the
realm '%r'.

eg.

ldap_search_base: ou=people, %d
in saslauthd.conf

if realm is 'domain.tld', the ldap search base will expand to
'ou=people,dc=domain,dc=tld'

Does imapd always provide the realm in a virtual server environment when
authenticating users?  Is it safe to assume that the realm is
'domain.tld' or more specifically the domain given to mkimap script?

Is this correct/incorrect/unnecessary?

--Kervin







[patch]saslauthd+ldap+virtual_domains

2002-10-14 Thread Kervin L. Pierre


Hi,

attached is a patch to cyrus/saslauthd/lak.c to allow it to expand '%d' 
macro in ldap_search_base option to the domain context derived from the 
realm '%r'.

eg.

ldap_search_base: ou=people, %d
in saslauthd.conf

if realm is 'domain.tld', the ldap search base will expand to 
'ou=people,dc=domain,dc=tld'

Does imapd always provide the realm in a virtual server environment when 
authenticating users?  Is it safe to assume that the realm is 
'domain.tld' or more specifically the domain given to mkimap script?

Is this correct/incorrect/unnecessary?

--Kervin




--- lak.c.orig  Mon Oct 14 01:15:25 2002
+++ lak.c   Mon Oct 14 14:37:23 2002
@@ -68,11 +68,11 @@
 static int lak_config_getswitch(const char *, int );
 static int lak_config(const char *, LAK_CONF **);
 static int lak_escape(const char *, char **);
-static int lak_filter(LAK *, const char *, const char *, char **);
+static int lak_filter(LAK *, const char *, const char *, const char *, char **);
 static int lak_connect(LAK *);
 static int lak_bind(LAK *, char, const char *, const char *);
 static int lak_init(const char *, LAK **);
-static int lak_search(LAK *, const char *, const char **, LDAPMessage **);
+static int lak_search(LAK *, const char *, const char *, const char **, LDAPMessage 
+**);
 static int lak_retrieve(LAK *, const char *, const char *, const char **, LAK_RESULT 
**);
 static int lak_auth_custom(LAK *, const char *, const char *, const char *);
 static int lak_auth_bind(LAK *, const char *, const char *, const char *);
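Review bot: the patch as posted has been line-wrapped by the mail client (`+static int lak_search(... LDAPMessage` continues on a separate `+**);` line, and the unchanged `lak_retrieve` prototype is split the same way), so it will not apply with patch as-is; attach it as a file or resend with wrapping disabled. The prototype changes themselves are consistent with the later hunks: `lak_filter` gains the template to expand as its second argument, and `lak_search` takes the already expanded search base ahead of the filter, mirroring the `ldap_search_st` argument order.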
@@ -327,45 +327,77 @@
  *   %% = %
  *   %u = user
  *   %r = realm
+ *   %d = realm as a domain context
  * Note: calling function must free memory.
  */
-static int lak_filter(LAK *lak, const char *username, const char *realm, char 
**result) 
+static int lak_filter(LAK *lak, const char *filter, const char *username, const char 
+*realm, char **result) 
 {
-   char *buf; 
-   char *end, *ptr, *temp;
+   char *buf, *domain_str = NULL; 
+   char *temp;
+   const char *ptr, *end;
char *ebuf;
-   int rc;
+   int rc, i,j;
 
/* to permit multiple occurences of username and/or realm in filter */
/* and avoid memory overflow in filter build [eg: (|(uid=%u)(userid=%u)) ] */
-   int percents, realm_len, user_len, maxparamlength;
+   int percents, realm_len, user_len, domain_len, maxparamlength;

-   if (lak->conf->filter == NULL) {
+   if (filter == NULL) {
syslog(LOG_WARNING|LOG_AUTH, "filter not setup");
return LAK_FAIL;
}
 
-   /* find the longest param of username and realm */
+   /* expand domain only if we have a realm */
+   if( realm!=NULL && strlen(realm)>3)
+   {
+   /* find the size of the domain string */
+   domain_len = 0;
+   for(i=0;iconf->filter;
+   ptr=filter;
end = ptr + strlen(ptr);
 
while ((temp=strchr(ptr,'%'))!=NULL ) {
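Review bot: `realm!=NULL && strlen(realm)>3` is a magic-number gate; a realm of three characters or fewer is silently treated as having no domain, and the `else if (realm)` branch in the next hunk then logs a warning for it on every authentication. Test for a non-empty realm (or for the presence of a '.') instead, or name the constant. The middle of this hunk (the `domain_len` loop after `for(i=0;i` and whatever follows it) is garbled in the archive, so the buffer sizing cannot be checked here: `maxparamlength` must include `domain_len`, because the realm is client-supplied and an undersized `buf` would be overrun by the `strcat(buf,ebuf)` calls. Also, `lak_filter` now expands the search base as well as the filter, yet every value goes through the one `lak_escape`; a DN and a filter have different special characters, so a `%d` substituted into the search base needs DN escaping rather than filter escaping.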
@@ -404,6 +436,18 @@
syslog(LOG_WARNING|LOG_AUTH, "Realm not 
available.");
}
break;
+   case 'd':
+   if (domain_str!=NULL) {
+   rc = lak_escape(domain_str, &ebuf);
+   if (rc == LAK_OK) {
+   strcat(buf,ebuf);
+   free(ebuf);
+   }
+   } else if (realm) {
+   /* complain only if we have a realm and no 
+domain */
+   syslog(LOG_WARNING|LOG_AUTH, "Domain not 
+available.");
+   }
+   break;
default:
break;
}
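Review bot: the warning text in the new `case 'd'`, "Domain not available.", gives the operator nothing to act on; since this branch is reached only when a realm was supplied but no `domain_str` was built, include the realm in the message (e.g. "Domain not available for realm %s"). The `strcat(buf,ebuf)` here also depends on `buf` having been sized with `domain_len` included, which is not visible in the posted hunks.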
@@ -413,6 +457,8 @@
strcat(buf, ptr);
 
*result = buf;
+   if(domain_str)
+   free(domain_str);
 
return LAK_OK;
 }
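Review bot: `if(domain_str) free(domain_str);` is the only place `domain_str` is released, and `free(NULL)` is already a no-op, so the guard is redundant while the real concern is the other exits: any error return between the allocation of `domain_str` and this point (the allocation-failure paths inside the loop are not shown in the hunks) leaks it. A single cleanup label that frees `domain_str` on every exit, success or failure, would be safer than a guarded free at the success exit only.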
@@ -610,7 +656,7 @@
 }
 
 
-static int lak_search(LAK *lak, const char *filter, const char **attrs, LDAPMessage 
**res)
+static int lak_search(LAK *lak, const char *search_base, const char *filter, const 
+char **attrs, LDAPMessage **res)
 {
int rc = 0;
int retry = 1;
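Review bot: the new `search_base` parameter is undocumented; add a comment above `lak_search` stating that it must be a fully expanded DN (the result of passing `lak->conf->search_base` through `lak_filter`) and whether NULL is permitted, because the old code always used `lak->conf->search_base` and a caller that still passes nothing will now hand a NULL base to the LDAP library.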
@@ -624,7 +670,7 @@
return LAK_FAIL;
}
 
-   rc = ldap_search_st(lak->ld, lak->conf->search_base, lak->conf->scope, filter, 
(char **) attrs, 0, &(lak->conf->timeout), res);
+   rc = ldap_search_st(lak->ld, search_base, lak->conf->scope, filter, (char **) 
+attrs, 0, &(lak->conf->timeout), res);
switch (rc) {
case LDAP_SUCCESS:
case LDAP_SIZELIMIT_EXCEEDED:
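Review bot: `ldap_search_st(lak->ld, search_base, ...)` is called without a NULL check on `search_base`; when expansion of `%d` failed upstream and the caller passed NULL, fall back to `lak->conf->search_base` (the previous behaviour) or return LAK_FAIL before the search, rather than letting the library decide what a NULL base means.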
@@ -661,6 +707,7 @@
 {
int rc = 0;
char *filter = NULL;
+   char *search_base = NULL;
LDAPMessage *res;
LDAPMessage
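Review bot: the hunk is cut off after `LDAPMessage`, so the code that expands `search_base` with `lak_filter`, passes it to `lak_search` and frees it is not visible; when resending, ensure `search_base` is freed on every exit path alongside `filter`, and that the call matches the new five-argument `lak_search` prototype from the first hunk (expanded base first, then filter).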

saslauthd,ldap,virtual_domains

2002-10-13 Thread Kervin L. Pierre


Is there a way to dynamically modify the ldap_search_base attribute of 
saslauthd so that it searches a particular DIT of the LDAP server?

eg. a way to split the realm ( %r ) macro, then build a search base 
off that. ie.

ldap_search_base: ou=people,%d

Where %d explodes to "dc=domain,dc=tld", derived from the realm, %r.

I say this because I think it's a fairly common setup to have domains as...
ou=people,dc=domain1,dc=tld
ou=people,dc=domain2,dc=tld
...
Or maybe I'm just weird :)

Has this been done?  Is it somehow necessary?

Thanks,
--Kervin
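The %d expansion discussed in this post and in the earlier patch thread, as an added Python illustration rather than the lak.c patch itself: it derives the domain context from the realm, or from the domain part of a user@domain login when no realm is set (Igor's virtual-domain case), with a default domain for bare logins, and it DN-escapes the labels it substitutes into a search base while using filter escaping for %u in a filter. The templates and logins are constructed examples; raising on a missing domain instead of leaving %d empty is a choice of this example, not of the patch.

```python
def dn_escape(value):
    """Escape a value for use inside an RDN (RFC 2253 special characters)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        elif ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def filter_escape(value):
    """Escape a value for use inside a search filter (RFC 2254)."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)


def domain_to_dc(domain):
    """'domain.tld' -> 'dc=domain,dc=tld'; None for an empty domain."""
    labels = [l for l in domain.strip().lower().split('.') if l]
    if not labels:
        return None
    return ','.join('dc=' + dn_escape(l) for l in labels)


def expand(template, username, realm, default_domain=None, dn=False):
    """Expand %%, %u, %r and %d in a saslauthd-style template.

    %d is the domain context: from the realm if one is set, otherwise from the
    domain part of a user@domain username, otherwise default_domain. dn=True
    selects DN escaping (for ldap_search_base), dn=False filter escaping."""
    esc = dn_escape if dn else filter_escape
    user_domain = username.partition('@')[2]
    domain = realm or user_domain or default_domain
    dc = domain_to_dc(domain) if domain else None
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch != '%':
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(template):
            raise ValueError('trailing % in template')
        code = template[i + 1]
        i += 2
        if code == '%':
            out.append('%')
        elif code == 'u':
            out.append(esc(username))
        elif code == 'r':
            out.append(esc(realm or ''))
        elif code == 'd':
            if dc is None:
                # fail closed: an empty base would search the wrong place
                raise ValueError('no domain available to expand %d')
            out.append(dc)
        else:
            raise ValueError('unknown macro %%%s' % code)
    return ''.join(out)


if __name__ == '__main__':
    print(expand('ou=people,%d', 'alice', 'domain.tld', dn=True))
    print(expand('ou=people,%d', 'alice@example.org', '', dn=True))
    print(expand('(uid=%u)', 'al*ice', ''))
```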




CVS questions

2002-10-12 Thread Kervin L. Pierre
Hi,

I'm about to build/configure CVS imapd 2.2 branch for virtual domain 
support with a single IP.  I have a few questions before I start.

What are the CVS branches, tags available for download?  Which do I use 
if I want 2.2 branch? http://asg.web.cmu.edu/cyrus/download/anoncvs.html 
gives a CVS checkout command without a branch tag, is that the 2.2 source?

What sasl do I use for 2.2 imapd?  If CVS, again which branch should I 
checkout?

Thanks,
--Kervin



Re: hierarchical grouping of users

2002-10-12 Thread Kervin L. Pierre
Another interesting package is ispman 
http://sourceforge.net/projects/ispman/

It uses LDAP for its datastore.

--Kervin

Mike O'Rourke wrote:

There is a package called web-cyradm that uses a mysql or pgsql (a recent
addition) database for user management and authentication. With it you can
group your users and you can set and change quotas for all users in a
group.

The project's home page is here:
http://www.delouw.ch/linux/web-cyradm/index.php

I have played with it, but want to migrate to an LDAP solution, so I did
not invest much time in it.

> Jules Agee said:
> Some of what you suggest is possible if you set up an LDAP directory.
> Specifically, the maildap program that is distributed with OpenLDAP
> allows you to deliver mail to a hierarchy of groups. The difference is
> that the group expansion is done in the area of the MTA (where it
> belongs). I am using it right now in production and it works great.
>
> If I remember correctly, someone submitted a few patches to the list a
> while back for using LDAP to manage quotas, but I don't recall whether
> it was hooked into the group mechanism or just single-user quota info
> stored in the directory.
>
> -Jules
>
>
> Mark Keasling wrote:
> > Hi,
> >
> > I have a question about user management.  (Well not me in particular
> > but it was raised here and I've been tasked with finding out.)
> >
> > Currently user management seems to be done on a one by one basis.
> Won't
> > management become difficult when users number in the thousands or tens
> > of thousands?
> >
> > Has there been or is there being done any work on groups in particular
> > hierarchical groups?  The groups could be used as a target for
> > management tasks such as setting quotas, access restrictions and what
> > not.  A change made to the group would be propagated to all of the
> > members.  The functionality could also be extended to mail delivery
> > so that mail sent to the group could optionally be delivered to the
> > members.
> >
> > Any thoughts?
> >
> > Regards,
> > Mark Keasling
> >
>
>
>
> --
> Jules Agee
> System Administrator
> Pacific Coast Feather Co.
> [EMAIL PROTECTED]  x284









Re: running purify on cyrus imapd

2002-10-04 Thread Kervin L. Pierre

Might want to find out if Cyrus research qualifies for Rational's 
SEED program.
http://rational.com/corpinfo/college_relations/seed/index.jsp

If it does you get the use of the Purify Suite for free.

--Kervin

Walter C Wong wrote:
> purify works for us using gcc. At least it did before our license ran
> out and then they wanted to charge us an unaffordable sum to
> renew. We're still working out the details
> 
> As for your specific problem, you may want to verify that you are
> using the same compiler with libdb as you are with Cyrus. We've had
> issues where mixing things compiled gcc and Sun's CC annoyed purify. 
> 
> Walter
> 
>