
RE: Trying to get the ldapdb plugin working.



I have been using Cyrus IMAP 2.1.13-2.1.15 for a few months with the ldapdb
auxprop plugin using user@realm (full e-mail address) style usernames to log
into the mail server, and I have not had Cyrus strip the realm on me.
The user authenticates with user@domain.com, which gets to the ldapdb plugin and
is passed to OpenLDAP 2.1.22 (also tested 2.1.19) as a SASL DN of
uid=user,cn=domain.com,cn=digest-md5,cn=auth, which I remap and join via
a sasl-regex line to map to my UID DN in my tree.  The users in Cyrus (unix
hier sep is on) are the full e-mail address (mapped to user@domain^com
internally to Cyrus).  The only patch I had to apply (create) was one to disable
the cross-realm check so I could use digest-md5 authentication for Cyrus and
authenticate to sieve with the e-mail address username.

I will *try* to write up a howto on my setup this weekend, and I've been helping
Tarjei with this as well.

Howard Chu,
I am also looking at patching ldapdb to allow a "filter" per authentication
service, so as to limit users to smtp or imap via an LDAP attribute (i.e.
ldap_filter: (allowed_services=imap)).  I have the OpenLDAP 2.1.22 release of
ldapdb and the CVS rev 1.6 release (which won't work correctly in my above
setup, but that's another issue I'll track down later).  Do you have any
suggestions where I should best add this "check" in the ldapdb plugin?


Edward Rudd



Quoting Igor Brezac <igor@ipass.net>:

> 
> On Thu, 9 Oct 2003, Howard Chu wrote:
> 
> > > -----Original Message-----
> > > From: owner-openldap-software@OpenLDAP.org
> > > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Igor Brezac
> >
> > > The domain part may be
> > > passed to the auxprop as a realm, however Howard's auxprop
> > > does not do anything with realms.
> >
> > If you supply a username of the form "user@realm" then that information is
> > sent to the LDAP server.
> 
> Note that I believe cyrus-imapd drops "@realm", at least this is the case
> with the version of cyrus-imapd Tarjei uses. I use cyrus-imapd 2.2 which
> passes "fully qualified" usernames.
> 
> > Otherwise you get the server's default realm.
> 
> You are referring to the slapd realm?  I was referring to the realm
> received from cyrus-imapd (sparams->user_realm).  Although, this should be
> the same as "@realm".
> 
> >
> >   -- Howard Chu
> >   Chief Architect, Symas Corp.       Director, Highland Sun
> >   http://www.symas.com               http://highlandsun.com/hyc
> >   Symas: Premier OpenSource Development and Support
> >
> >
> 
> -- 
> Igor
> 
> 
>
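
The DN rewrite and mailbox-name mapping described in the message above, modelled in Python as an added example (not code from this thread, OpenLDAP or Cyrus). The search base, the `mail` attribute, the default realm and the filter escaping are assumptions of this example.

```python
import re

# Matches the SASL authentication DN form quoted in the message; the realm
# component is optional (absent when the client sent a bare username).
SASL_DN = re.compile(
    r"^uid=(?P<user>[^,]+),(?:cn=(?P<realm>[^,]+),)?cn=digest-md5,cn=auth$",
    re.IGNORECASE,
)
SEARCH_BASE = "ou=people,dc=example,dc=com"  # hypothetical directory tree
DEFAULT_REALM = "example.com"                # hypothetical server default realm


def escape_filter(value):
    """Escape RFC 4515 special characters before placing a value in a filter."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def map_sasl_dn(sasl_dn):
    """Return the search URI an authentication DN is rewritten to, or None."""
    m = SASL_DN.match(sasl_dn)
    if m is None:
        return None  # other mechanisms and malformed DNs are left unmapped
    realm = m.group("realm") or DEFAULT_REALM
    mail = "%s@%s" % (m.group("user"), realm)
    return "ldap:///%s??sub?(mail=%s)" % (SEARCH_BASE, escape_filter(mail))


def cyrus_internal_name(login):
    """With the unix hierarchy separator on, '.' is stored as '^' internally."""
    return login.replace(".", "^")


if __name__ == "__main__":
    # Constructed sample DNs: with realm, without realm, wildcard in the uid.
    for dn in ("uid=user,cn=domain.com,cn=digest-md5,cn=auth",
               "uid=user,cn=digest-md5,cn=auth",
               "uid=a*,cn=domain.com,cn=digest-md5,cn=auth"):
        print(dn, "->", map_sasl_dn(dn))
    print(cyrus_internal_name("user@domain.com"))
```

The third sample shows why the substituted value is escaped: an unescaped `*` in the uid would turn the filter into a wildcard match across accounts.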