Cyrus IMAPD + virtual domains + SASL + OpenLDAP ldapdb
- To: openldap-technical@openldap.org
- Subject: Cyrus IMAPD + virtual domains + SASL + OpenLDAP ldapdb
- From: Nels Lindquist <nlindq@maei.ca>
- Date: Fri, 21 Feb 2014 13:09:13 -0700
- User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
I'm attempting to configure Cyrus IMAPD with ldapdb for SASL
authentication. As I'm using virtual domains, I need users to be able
to authenticate using their e-mail addresses, or just a bare userid for
the default domain. I'm having some trouble getting everything working[1].
Based on this documentation extract from Cyrus SASL, I've been primarily
focussing on the OpenLDAP configuration:
"Unlike other LDAP-enabled plugins for other services that are common on
the web, this plugin does not require you to configure DN search
patterns to map usernames to LDAP DNs. This plugin requires SASL name
mapping to be configured on the target slapd. This approach keeps the
LDAP-specific configuration details in one place, the slapd.conf, and
makes the configuration of remote services much simpler."
I've set up a number of olcAuthzRegexp entries similar to (from the
OpenLDAP 2.4 admin guide):
"A more complex site might have several realms in use, each mapping to a
different subtree in the directory. These can be handled with statements
of the form:
# Match Engineering realm
authz-regexp
uid=([^,]*),cn=engineering.example.com,cn=digest-md5,cn=auth
ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))
# Match Accounting realm
authz-regexp
uid=([^,].*),cn=accounting.example.com,cn=digest-md5,cn=auth
ldap:///dc=accounting,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))
# Default realm is customers.example.com
authz-regexp
uid=([^,]*),cn=digest-md5,cn=auth
ldap:///dc=customers,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"
However, from what I can determine I'm not getting any realm component
in the searches coming through. The "default" realm configuration works
when I use a bare userid to authenticate, but when using a full e-mail
address, that comes through as
"uid=example@example.com,cn=[authmech],cn=auth". That said, I haven't
found a LogLevel which includes AuthzRegexp processing; I've tried
various settings, but the closest I've come is logging the resulting
bind requests (e.g. BIND dn="uid=example,ou=people,dc=example,dc=com"
mech=DIGEST-MD5 sasl_ssf=128 ssf=128).
So my question is, how is the realm determined in such a scenario? Do I
need to design olcAuthzRegexp entries to determine the realm based on
the e-mail address supplied? If so, how does that information get
passed back to Cyrus IMAPD so that the correct virtual domain is
selected? Is there an appropriate olcLogLevel to see detailed
olcAuthzRegexp processing?
I'd be grateful for any suggestions or references to documentation, etc.
I've done some searching of the mailing list archives to little avail.
In case it matters, this is on CentOS 6.5 (x86_64) with stock OpenLDAP
2.4.23 and Cyrus SASL 2.1.23 packages, plus Cyrus IMAPD 2.4.17 built
from Simon Matter's SRPM.
[1] I *am* able to get authentication + virtual domains working with
saslauthd, but I'd like to be able to support non-plaintext auth mechanisms.
----
Nels Lindquist
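As an added illustration (not part of the post above, and not slapd's own code), the following Python simulates slapd's first-match authz-regexp processing over the three admin-guide rules quoted in the post, and shows why an identity of the form uid=user@domain,cn=digest-md5,cn=auth falls through to the default realm rule: `[^,]*` matches the `@` as well. The domain-aware rule (EMAIL_RULE) and the ordering that places it before the catch-all are assumptions for illustration, not a tested slapd configuration.

```python
import re

# Search URLs from the admin-guide rules quoted in the post ($1 is the
# capture group slapd substitutes from the matched SASL DN).
ENG = "ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"
ACC = "ldap:///dc=accounting,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"
CUST = "ldap:///dc=customers,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"

# The three realm-based rules as quoted; slapd tries them in order, first match wins.
GUIDE_RULES = [
    (r"uid=([^,]*),cn=engineering.example.com,cn=digest-md5,cn=auth", ENG),
    (r"uid=([^,]*),cn=accounting.example.com,cn=digest-md5,cn=auth", ACC),
    (r"uid=([^,]*),cn=digest-md5,cn=auth", CUST),
]

# Hypothetical domain-aware rule (an assumption, not from the post): choose the
# subtree from the domain part of a user@domain authcid, for any mechanism,
# and keep only the local part for the uid filter.
EMAIL_RULE = (r"uid=([^,@]*)@engineering\.example\.com,cn=[^,]*,cn=auth", ENG)

# It must precede the catch-all default rule, whose [^,]* also matches '@'.
VDOMAIN_RULES = GUIDE_RULES[:2] + [EMAIL_RULE] + GUIDE_RULES[2:]


def map_authcid(sasl_dn, rules):
    """Rewrite a SASL authentication DN using the first matching rule.

    Simplification: slapd matches against the normalized DN with POSIX
    regexes; lower-casing plus Python's re is close enough for these rules.
    """
    dn = sasl_dn.lower()
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, dn)
        if m is None:
            continue
        out = replacement
        for i, group in enumerate(m.groups(), start=1):
            out = out.replace("$%d" % i, group)
        return out
    return None  # no rule matched: slapd uses the SASL DN unchanged


if __name__ == "__main__":
    for dn in ("uid=bob,cn=engineering.example.com,cn=digest-md5,cn=auth",
               "uid=bob@engineering.example.com,cn=digest-md5,cn=auth",
               "uid=alice,cn=digest-md5,cn=auth"):
        print(dn)
        print("  guide rules  :", map_authcid(dn, GUIDE_RULES))
        print("  vdomain rules:", map_authcid(dn, VDOMAIN_RULES))
```

With the guide rules alone the e-mail form is searched as uid=bob@engineering.example.com under dc=customers, which matches what the post reports; with the domain-aware rule in front, the same identity is searched as uid=bob under dc=eng.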