Re: groups, members, LDAP and ptloader
Hi, list.

1. I'm also using LDAP-based group ACLs in Cyrus. When I add any user to more than one group, Cyrus can't authorize them. I can't find any documentation about this behavior. Is it normal?

2. How do I configure a default ldap_realm for connecting to saslauthd? I have two domains, 'domain.com' and 'team.domain.com', and want to make the second my default (users must connect to the server as 'user', not '[EMAIL PROTECTED]'). Is it possible?

My imapd.conf:

    ...
    auth_mech: pts
    defaultdomain: domain.com
    ldap_base: ou=users,o=domain
    ldap_filter: (uid=%U)
    ldap_group_base: ou=cyrus,ou=mail,o=domain
    ldap_group_filter: (cn=%U)
    ldap_group_scope: one
    ldap_member_attribute: cn
    ldap_member_base: ou=cyrus,ou=mail,o=domain
    ldap_member_filter: (uniqueMember=%D)
    ldap_member_method: filter
    ldap_sasl: no
    ldap_scope: one
    ldap_start_tls: yes
    ldap_tls_cacert_file: /etc/ssl/cacert.pem
    ldap_uri: ldap://ldap.domain.com
    pts_module: ldap
    sasl_mech_list: plain login
    sasl_pwcheck_method: saslauthd
    servername: mail.domain.com
    tls_ca_file: /etc/ssl/cacert.pem
    tls_cert_file: /usr/local/etc/ssl/mail.domain.com.crt
    tls_key_file: /usr/local/etc/ssl/mail.domain.com.key
    unixhierarchysep: yes
    virtdomains: yes

saslauthd.conf:

    ldap_servers: ldap://ldap.domain.com
    ldap_tls_cacert_file: /etc/ssl/cacert.pem
    ldap_search_base: ou=%3,o=%2
    ldap_default_realm: users.domain.com
    ldap_filter: uid=%U
    ldap_start_tls: yes

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: groups, members, LDAP and ptloader
Warren Turkal wrote:
> On Wednesday 30 May 2007 14:30, Milen Dimov wrote:
>> We successfully run cyrus 2.2.12 and 2.3.8 both with LDAP users authentication and authorization utilizing respectively saslauthd and ptloader with LDAP support.
>
> I was under the impression that you could avoid saslauthd for authentication. Is this impression true?
>
> wt

Yes, you can avoid using saslauthd. In this case you should choose one of the other two authentication options, auxprop or pwcheck. Please read the man page for imapd.conf and look for the sasl_pwcheck_method configuration option! ptloader is responsible only for user authorization, not authentication!

Milen
Re: groups, members, LDAP and ptloader
Warren Turkal wrote:
> On Wednesday 30 May 2007 14:30, Milen Dimov wrote:
>> We successfully run cyrus 2.2.12 and 2.3.8 both with LDAP users authentication and authorization utilizing respectively saslauthd and ptloader with LDAP support.
>
> I was under the impression that you could avoid saslauthd for authentication. Is this impression true?

Yes you can, but then you need to store passwords in plain text, and be prepared for a rough series of trial-and-error sessions, trying to decipher obsolete and/or incomplete LDAP documentation and its esoteric interactions with SASL and Cyrus ;-) :

    sasl_pwcheck_method: auxprop
    sasl_auxprop_plugin: ldapdb
    sasl_ldapdb_uri: ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi
    sasl_ldapdb_mech: EXTERNAL

(accessing LDAP through a unix socket avoids the need to store a password in imapd.conf; that's what the sasl_ldapdb_mech: EXTERNAL does).

For this to work I have this in my slapd.conf (uid 106 is cyrus):

    sasl-regexp gidNumber=(.*)\\+uidNumber=106,cn=peercred,cn=external,cn=auth uid=cyrus,ou=System,dc=ventoso,dc=org
    sasl-regexp gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=admin,dc=ventoso,dc=org
    sasl-regexp uid=(.*),cn=external,cn=auth ldap:///dc=ventoso,dc=org??sub?(uid=$1)
    sasl-authz-policy to

then I have one record in LDAP for cyrus (under a different ou, so that it won't mix with normal users for authentication):

    dn: uid=cyrus,ou=System,dc=ventoso,dc=org
    uid: cyrus
    objectClass: person
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    []
    authzTo: ldap://ou=People,dc=ventoso,dc=org??sub?(objectclass=person)

Don't ask me what all of this means, I don't remember (and I doubt that the folks that designed the system do ;-)

And remember: passwords have to be stored in plain text for this to work.

Bye
--
Luca Olivetti
Wetron Automatización S.A. http://www.wetron.es/
Tel. +34 93 5883004 Fax +34 93 5883007
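The slapd.conf fragment above is doing three separate things: the ldapi:// URI carries a percent-encoded socket path, the sasl-regexp rules decide which local process identity (delivered by the kernel as peer credentials) becomes which directory DN, and the authzTo attribute together with sasl-authz-policy decides whom that DN may then act as. The Python below is an added example, not OpenLDAP, SASL or Cyrus code, that replays those decisions so they can be checked: the rules, the uid=cyrus record and uid 106 are taken from the post; the peer-credential identities, the proxy targets and the anchoring of each pattern with fullmatch are this example's assumptions, not a statement of how slapd evaluates them.

```python
"""Added example (not OpenLDAP, SASL or Cyrus code): what the slapd.conf and
LDAP fragments above decide.  It percent-decodes the ldapi:// socket path, maps
a SASL EXTERNAL peer-credential identity to a DN through the sasl-regexp rules
(first match wins; this toy anchors each pattern), and checks an authzTo LDAP
URL against a proxy target.  Rules and the uid=cyrus record come from the post;
peer identities and target entries are constructed for illustration."""
import re
from urllib.parse import unquote


def ldapi_socket_path(uri):
    """'ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi' -> '/var/run/slapd/ldapi'
    (the socket path is percent-encoded because it sits in the host slot)."""
    return unquote(uri[len('ldapi://'):].split('/', 1)[0])


# sasl-regexp rules copied from the post; slapd.conf writes the regex '\+' as '\\+'
SASL_REGEXP = [
    (r'gidNumber=(.*)\+uidNumber=106,cn=peercred,cn=external,cn=auth',
     'uid=cyrus,ou=System,dc=ventoso,dc=org'),          # the cyrus daemon (uid 106)
    (r'gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth',
     'cn=admin,dc=ventoso,dc=org'),                     # uid 0 (root) on the same host
    (r'uid=(.*),cn=external,cn=auth',
     'ldap:///dc=ventoso,dc=org??sub?(uid=$1)'),        # other EXTERNAL identities, by uid
]


def map_sasl_identity(identity):
    """DN (or LDAP URL) the first matching rule assigns to a SASL identity, else None.
    A local user whose uid matches no rule gets no directory identity at all."""
    for pattern, replacement in SASL_REGEXP:
        m = re.fullmatch(pattern, identity)
        if m:
            return re.sub(r'\$(\d)', lambda g: m.group(int(g.group(1))), replacement)
    return None


def parse_ldap_url(url):
    """Split an LDAP URL (RFC 4516 shape: base?attrs?scope?filter) into parts.
    Accepts both 'ldap:///dn?...' and the host-less 'ldap://dn?...' spelling above."""
    rest = url.split('://', 1)[1].lstrip('/')
    base, attrs, scope, filt = (rest.split('?') + ['', '', ''])[:4]
    return {'base': base, 'attrs': [a for a in attrs.split(',') if a],
            'scope': scope or 'base', 'filter': filt or '(objectClass=*)'}


CYRUS_ENTRY = {   # the record the post keeps for the cyrus daemon
    'dn': 'uid=cyrus,ou=System,dc=ventoso,dc=org',
    'authzTo': ['ldap://ou=People,dc=ventoso,dc=org??sub?(objectclass=person)'],
}


def may_proxy_as(proxy_entry, target_dn, target_entry):
    """sasl-authz-policy to: may proxy_entry act as target_dn?  True only if an
    authzTo URL's base contains the target and its equality filter matches."""
    for url in proxy_entry.get('authzTo', []):
        u = parse_ldap_url(url)
        dn, base = target_dn.lower(), u['base'].lower()
        if u['scope'] == 'base':
            under = dn == base
        else:                      # 'sub' (the only other scope this toy handles)
            under = dn == base or dn.endswith(',' + base)
        attr, value = u['filter'].strip('()').split('=', 1)
        matched = any(v.lower() == value.lower()
                      for k, vals in target_entry.items() if k.lower() == attr.lower()
                      for v in vals)
        if under and matched:
            return True
    return False


if __name__ == '__main__':
    print(ldapi_socket_path('ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi'))
    for ident in ('gidNumber=106+uidNumber=106,cn=peercred,cn=external,cn=auth',
                  'gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth',
                  'gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth'):
        print(ident, '->', map_sasl_identity(ident))
    print(may_proxy_as(CYRUS_ENTRY, 'uid=luca,ou=People,dc=ventoso,dc=org',
                       {'objectClass': ['person']}))
```

The point worth checking in a real deployment is the last two functions: the cyrus uid is the only local account that lands on uid=cyrus, root lands on cn=admin, and any other local uid gets no identity; and the authzTo URL confines what uid=cyrus may proxy as to person entries under ou=People, so it cannot impersonate cn=admin even though it authenticates without a password.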
Re: groups, members, LDAP and ptloader
Thanks Milen, your answer is VERY useful to me and hopefully to many others! I just added some comments to yours, describing my current vision of those arguments. I'm asking you to check if it's correct or not.

Last question: what does ptloader stand for? What is pts?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Milen Dimov
Sent: Wednesday 30 May 2007 22:31
To: info-cyrus@lists.andrew.cmu.edu
Subject: Re: groups, members, LDAP and ptloader

> Warren Turkal wrote:
>> On Wednesday 30 May 2007 09:04, Toschi Pietro wrote:
>>> Is there somebody on this list so kind and please try to explain to me what I'm missing?
>> You're not the only one lost with all of this. I hope someone can at least post a working configuration that shows using LDAP without saslauthd so that I would at least know what a working config looks like.
>
> Hi,
>
> We successfully run cyrus 2.2.12 and 2.3.8 both with LDAP users authentication and authorization utilizing respectively saslauthd and ptloader with LDAP support.

First: you mean that Cyrus uses saslauthd to manage user authentication (basically checking the password in order to verify who the user is) and then uses ptloader to manage user authorization (getting the list of groups the user is a member of, so that we can set per-group ACLs in addition to per-user ACLs). Right? What other use of groups can I make in Cyrus?

Second: saslauthd comes with the SASL libs and utils and is not strictly part of Cyrus, while ptloader is developed as part of Cyrus, and that's why ptloader config options are written in imapd.conf while saslauthd config options are written in saslauthd.conf, even if both sets of options appear very similar, maybe because both saslauthd and ptloader internally use SASL? Right?

> The documentation that comes with Cyrus IMAP contains a very good explanation of the terms authentication and authorization and the different authorization mechanisms that Cyrus IMAP provides. Please take a look at cyrus-imapd-2.3.8/doc/text/overview

Unfortunately, I read those documents very carefully before bothering the list, but I didn't find them very useful, maybe because I'm still missing many basic concepts and the big picture of how Cyrus works and interacts with external components (SASL first of all).

> As an example I provide a part of the configuration file of our production Cyrus IMAP server with only the settings regarding the ptloader LDAP user authorization module:
>
>     /etc/imapd.conf
>     ...
>     virtdomains: yes
>     # default value of %d for ldap_filter and ldap_base
>     # %%   = %
>     # %u   = user
>     # %U   = user portion of %u (%U = test when %u = [EMAIL PROTECTED])
>     # %d   = domain portion of %u if available (%d = domain.tld when
>     #        %u = [EMAIL PROTECTED]), otherwise same as %r
>     # %r   = realm
>     # %D   = user dn. (use when ldap_member_method: filter)
>     # %1-9 = domain tokens (%1 = tld, %2 = domain when %d = domain.tld)
>     defaultdomain: systemdomain.tld
>     ldap_uri: ldap://ldaphost
>     ldap_version: 3
>     ldap_sasl: 0
>     ldap_bind_dn: uid=sys_user,ou=People,ou=systemdomain.tld,o=ControlPanel
>     ldap_password: somepass
>     ldap_base: ou=People,ou=%d,o=ControlPanel
>     ldap_filter: uid=%U
>     ldap_group_base: ou=Group,ou=%d,o=ControlPanel
>     ldap_group_filter: cn=%U

Third: I can't figure out the use of the two above ldap_base(s) and filter(s): I guess you have an attribute bizBlueboardMemberOf in every user entry under ldap_base, listing every group the user is a member of, so that ptloader gets the list of groups within this attribute. If so, what are ldap_group_base and ldap_group_filter used for? Maybe you have duplicate user entries, one (uid=%U) under the People branch and another (cn=%U) under the Group branch? What is that second LDAP search used for?

>     ldap_member_method: attribute
>     ldap_member_attribute: bizBlueboardMemberOf
>     unix_group_enable: no
>     auth_mech: pts
>     pts_module: ldap
>     ...
>
> The attribute bizBlueboardMemberOf is defined in a BlueBoard proprietary LDAP objectClass. It is a multi-value attribute that contains the names of the groups the user is a member of.
>
> We have branches of ou entries under o=ControlPanel for every virtual domain we support.
>
>     o=ControlPanel
>         ou=systemdomain.tld,o=ControlPanel
>         ...
>         ou=domain1.tld,o=ControlPanel
>         ...
>         ou=domain2.tld,o=ControlPanel
>         ...

Currently, our LDAP appears very similar to yours, but we actually don't manage a multi-value attribute for user groups. That will be a minor change that we can afford.

> Hope this example will help you and others to understand how LDAP ptloader works.
>
> Cheers,
> Milen
groups, members, LDAP and ptloader
Hi all,

I find it very difficult to understand the relationships between groups, members, LDAP and ptloader.

I have a cyrus 2.2.12 successfully authenticating users with saslauthd, and my user DB is OpenLDAP. I would like to upgrade to 2.3.8. It's now some days that I have been trying to investigate the differences between the two, and I came across those concepts, but I wasn't able to find any useful information in the cyrus tarball documentation. I searched the list and found some old threads, but that increased my confusion.

Is there somebody on this list so kind and please try to explain to me what I'm missing?

Thanx
Pietro
Re: groups, members, LDAP and ptloader
On Wednesday 30 May 2007 09:04, Toschi Pietro wrote:
> Is there somebody on this list so kind and please try to explain to me what I'm missing?

You're not the only one lost with all of this. I hope someone can at least post a working configuration that shows using LDAP without saslauthd so that I would at least know what a working config looks like.

Thanks,
wt
--
Warren Turkal
Re: groups, members, LDAP and ptloader
Warren Turkal wrote:
> On Wednesday 30 May 2007 09:04, Toschi Pietro wrote:
>> Is there somebody on this list so kind and please try to explain to me what I'm missing?
>
> You're not the only one lost with all of this. I hope someone can at least post a working configuration that shows using LDAP without saslauthd so that I would at least know what a working config looks like.

Hi,

We successfully run cyrus 2.2.12 and 2.3.8 both with LDAP users authentication and authorization utilizing respectively saslauthd and ptloader with LDAP support.

The documentation that comes with Cyrus IMAP contains a very good explanation of the terms authentication and authorization and the different authorization mechanisms that Cyrus IMAP provides. Please take a look at cyrus-imapd-2.3.8/doc/text/overview

As an example I provide a part of the configuration file of our production Cyrus IMAP server with only the settings regarding the ptloader LDAP user authorization module:

    /etc/imapd.conf
    ...
    virtdomains: yes
    # default value of %d for ldap_filter and ldap_base
    # %%   = %
    # %u   = user
    # %U   = user portion of %u (%U = test when %u = [EMAIL PROTECTED])
    # %d   = domain portion of %u if available (%d = domain.tld when
    #        %u = [EMAIL PROTECTED]), otherwise same as %r
    # %r   = realm
    # %D   = user dn. (use when ldap_member_method: filter)
    # %1-9 = domain tokens (%1 = tld, %2 = domain when %d = domain.tld)
    defaultdomain: systemdomain.tld
    ldap_uri: ldap://ldaphost
    ldap_version: 3
    ldap_sasl: 0
    ldap_bind_dn: uid=sys_user,ou=People,ou=systemdomain.tld,o=ControlPanel
    ldap_password: somepass
    ldap_base: ou=People,ou=%d,o=ControlPanel
    ldap_filter: uid=%U
    ldap_group_base: ou=Group,ou=%d,o=ControlPanel
    ldap_group_filter: cn=%U
    ldap_member_method: attribute
    ldap_member_attribute: bizBlueboardMemberOf
    unix_group_enable: no
    auth_mech: pts
    pts_module: ldap
    ...

The attribute bizBlueboardMemberOf is defined in a BlueBoard proprietary LDAP objectClass. It is a multi-value attribute that contains the names of the groups the user is a member of.

We have branches of ou entries under o=ControlPanel for every virtual domain we support.

    o=ControlPanel
        ou=systemdomain.tld,o=ControlPanel
        ...
        ou=domain1.tld,o=ControlPanel
        ...
        ou=domain2.tld,o=ControlPanel
        ...

Hope this example will help you and others to understand how LDAP ptloader works.

Cheers,
Milen
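The two imapd.conf fragments in this thread take opposite routes to the same answer: the first poster's configuration uses ldap_member_method: filter and searches the group branch with (uniqueMember=%D), while Milen's uses ldap_member_method: attribute and reads bizBlueboardMemberOf straight from the user entry. Both depend on the %-token expansion listed in the comment block above. The Python below is an added example, not Cyrus code, that walks through both lookups against a small in-memory directory so the two methods can be compared side by side; the directory entries, the scope values the posts leave unset, and the RFC 4515 escaping applied to every value substituted into a filter are this example's assumptions, not a description of ptloader's internals.

```python
"""Added example (not Cyrus code): how a ptloader-style LDAP lookup expands the
%-tokens of imapd.conf and then resolves a user's groups by either
ldap_member_method: attribute or ldap_member_method: filter.  The directory
entries below are constructed for illustration."""
import re


def ldap_filter_escape(value):
    """RFC 4515 escaping for values substituted into a search filter, so that a
    login name such as 'x)(uid=*' cannot widen the search."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)


def expand(template, user, realm='', user_dn='', escape=True):
    """Expand %% %u %U %d %r %D %1..%9 as listed in the imapd.conf comment above.
    %d falls back to the realm when the login name carries no domain.
    escape=False is for DN templates (ldap_base), where filter escaping is wrong."""
    local, _, domain = user.partition('@')
    domain = domain or realm
    tokens = domain.split('.')[::-1] if domain else []   # %1 = tld, %2 = next label
    esc = ldap_filter_escape if escape else (lambda s: s)

    def sub(m):
        t = m.group(1)
        fixed = {'%': '%', 'u': esc(user), 'U': esc(local), 'd': esc(domain),
                 'r': esc(realm), 'D': esc(user_dn)}
        if t in fixed:
            return fixed[t]
        i = int(t) - 1
        return esc(tokens[i]) if i < len(tokens) else ''
    return re.sub(r'%([%uUdrD1-9])', sub, template)


# Constructed sample directory: one layout per configuration style in the thread.
DIRECTORY = {
    # layout used with ldap_member_method: filter (groups list their members)
    'uid=test,ou=users,o=domain': {'uid': ['test']},
    'cn=staff,ou=cyrus,ou=mail,o=domain': {'cn': ['staff'],
        'uniqueMember': ['uid=test,ou=users,o=domain']},
    'cn=sales,ou=cyrus,ou=mail,o=domain': {'cn': ['sales'],
        'uniqueMember': ['uid=test,ou=users,o=domain', 'uid=bob,ou=users,o=domain']},
    'cn=nobody,ou=cyrus,ou=mail,o=domain': {'cn': ['nobody'], 'uniqueMember': []},
    # layout used with ldap_member_method: attribute (users list their groups)
    'uid=test,ou=People,ou=domain.tld,o=ControlPanel': {'uid': ['test'],
        'bizBlueboardMemberOf': ['admins', 'helpdesk']},
}


def _norm(dn):
    return ','.join(p.strip().lower() for p in dn.split(','))


def _in_scope(dn, base, scope):
    dn, base = _norm(dn), _norm(base)
    if scope == 'base':
        return dn == base
    if scope == 'one':
        return dn.split(',', 1)[1] == base if ',' in dn else False
    return dn == base or dn.endswith(',' + base)        # 'sub'


def search(base, scope, filt):
    """Evaluate a single equality filter, '(attr=value)' or 'attr=value',
    against the in-memory directory; returns [(dn, entry), ...]."""
    attr, value = filt.strip('()').split('=', 1)
    value = re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)
    hits = []
    for dn, entry in DIRECTORY.items():
        if not _in_scope(dn, base, scope):
            continue
        for k, vals in entry.items():
            if k.lower() == attr.lower() and any(_norm(v) == _norm(value) for v in vals):
                hits.append((dn, entry))
    return hits


def resolve_groups(conf, user, realm=''):
    """Sorted group names for `user`, or None when the user entry is missing or
    ambiguous (an authorization layer should refuse rather than guess)."""
    base = expand(conf['ldap_base'], user, realm, escape=False)
    filt = expand(conf['ldap_filter'], user, realm)
    users = search(base, conf.get('ldap_scope', 'sub'), filt)
    if len(users) != 1:
        return None
    user_dn, entry = users[0]
    if conf['ldap_member_method'] == 'attribute':
        return sorted(entry.get(conf['ldap_member_attribute'], []))
    mbase = expand(conf['ldap_member_base'], user, realm, user_dn, escape=False)
    mfilt = expand(conf['ldap_member_filter'], user, realm, user_dn)
    groups = search(mbase, conf.get('ldap_member_scope', 'sub'), mfilt)
    return sorted(g[conf['ldap_member_attribute']][0] for _, g in groups)


# Settings copied from the two imapd.conf fragments in the thread; the scope
# values the posts leave unset are chosen here for the example.
CONF_FILTER = {'ldap_base': 'ou=users,o=domain', 'ldap_filter': '(uid=%U)',
    'ldap_scope': 'one', 'ldap_member_method': 'filter',
    'ldap_member_base': 'ou=cyrus,ou=mail,o=domain',
    'ldap_member_filter': '(uniqueMember=%D)', 'ldap_member_scope': 'one',
    'ldap_member_attribute': 'cn'}
CONF_ATTRIBUTE = {'ldap_base': 'ou=People,ou=%d,o=ControlPanel',
    'ldap_filter': 'uid=%U', 'ldap_scope': 'sub', 'ldap_member_method': 'attribute',
    'ldap_member_attribute': 'bizBlueboardMemberOf'}

if __name__ == '__main__':
    print(expand('(uid=%U)', 'x)(uid=*'))                      # stays one equality test
    print(resolve_groups(CONF_FILTER, 'test'))                 # ['sales', 'staff']
    print(resolve_groups(CONF_ATTRIBUTE, 'test@domain.tld'))   # ['admins', 'helpdesk']
    print(resolve_groups(CONF_FILTER, 'x)(uid=*'))             # None: no such user
```

With the filter method the user's DN is found first and then substituted as %D, so a user in two groups simply yields two hits in the group branch; with the attribute method there is only one search, and the group list is whatever the multi-valued attribute holds. The escaping step matters because %U is taken from the login name: without it, a name containing parentheses or an asterisk would change the shape of the filter instead of being compared as a value.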
Re: groups, members, LDAP and ptloader
On Wednesday 30 May 2007 14:30, Milen Dimov wrote:
> We successfully run cyrus 2.2.12 and 2.3.8 both with LDAP users authentication and authorization utilizing respectively saslauthd and ptloader with LDAP support.

I was under the impression that you could avoid saslauthd for authentication. Is this impression true?

wt
--
Warren Turkal