Re: Cyrus IMAPD + virtual domains + SASL + OpenLDAP ldapdb



On 02/21/14 13:09 -0700, Nels Lindquist wrote:
I'm attempting to configure Cyrus IMAPD with ldapdb for SASL
authentication.  As I'm using virtual domains, I need users to be able
to authenticate using their e-mail addresses, or just a bare userid for
the default domain.  I'm having some trouble getting everything working[1].

       # Match Engineering realm
       authz-regexp
          uid=([^,]*),cn=engineering.example.com,cn=digest-md5,cn=auth
          ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))

       # Match Accounting realm
       authz-regexp
          uid=([^,]*),cn=accounting.example.com,cn=digest-md5,cn=auth
          ldap:///dc=accounting,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))

       # Default realm is customers.example.com
       authz-regexp
          uid=([^,]*),cn=digest-md5,cn=auth
          ldap:///dc=customers,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))

However, from what I can determine I'm not getting any realm component
in the searches coming through.  The "default" realm configuration works
when I use a bare userid to authenticate, but when using a full e-mail
address, that comes through as
"uid=example@example.com,cn=[authmech],cn=auth".  That said, I haven't
found a LogLevel which includes AuthzRegexp processing; I've tried
various settings, but the closest I've come is logging the resulting
bind requests (e.g. BIND dn="uid=example,ou=people,dc=example,dc=com"
mech=DIGEST-MD5 sasl_ssf=128 ssf=128).

I would not depend on realm being delivered in a consistent way from cyrus
imapd/sasl. Different mechanisms will act in different ways. libsasl2 is
responsible for providing the realm (or not). To maintain some consistency,
create two sets of authz-regexp rules, such as:

authz-regexp
  "uid=([^,]+),cn=([^,]+),cn=auth"
  "ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"

authz-regexp
  "uid=([^,]+),cn=([^,]+),cn=([^,]+),cn=auth"
  "ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1@$2)(objectClass=person))"

And you may need a third rule which matches cases where both a fully
qualified username AND a realm are provided.

So my question is, how is the realm determined in such a scenario?  Do I
need to design olcAuthzRegexp entries to determine the realm based on
the e-mail address supplied?  If so, how does that information get
passed back to Cyrus IMAPD so that the correct virtual domain is
selected?  Is there an appropriate olcLogLevel to see detailed
olcAuthzRegexp processing?

Essentially, the only thing Cyrus IMAPD cares about from ldapdb (libsasl2),
is authenticating the user and canonicalizing the user (optional).

The correct virtual domain will simply need to match the fully qualified
username provided by the user, or the canonicalized username if you're
using ldapdb as a canonicalization function. That is, Cyrus IMAPD is
responsible for finding the user's mailbox based on the submitted
username@domain from the user. libsasl2, by way of ldapdb, authenticates
the user.

I'd be grateful for any suggestions or references to documentation, etc.
I've done some searching of the mailing list archives to little avail.

In case it matters, this is on CentOS 6.5 (x86_64) with stock OpenLDAP
2.4.23 and Cyrus SASL 2.1.23 packages, plus Cyrus IMAPD 2.4.17 built
from Simon Matter's SRPM.

ldapdb canonicalization is not available in 2.1.23 (unpatched), but that's
not necessarily a problem in your scenario.

[1] I *am* able to get authentication + virtual domains working with
saslauthd, but I'd like to be able to support non-plaintext auth mechanisms.

ldapwhoami is highly recommended for testing this setup. Include all of -Y,
-U, and -X.

--
Dan White
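Added illustration, not part of the thread: the two authz-regexp rules from the reply plus the "third rule" it mentions, evaluated in slapd's first-match order against the SASL DN shapes the thread describes. Assumed here: anchored, case-insensitive matching, a single dc=eng suffix as in the reply, and that the fully-qualified-plus-realm rule is listed first.

```python
import re

# Constructed rule list (pattern, LDAP URI template), first match wins.
AUTHZ_REGEXP = [
    # Third rule: uid=<user>@<domain>,cn=<realm>,cn=<mech>,cn=auth
    # The user is already fully qualified, so the realm ($3) is ignored.
    (r"^uid=([^,@]+)@([^,]+),cn=([^,]+),cn=([^,]+),cn=auth$",
     "ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1@$2)(objectClass=person))"),
    # Reply's second rule: uid=<user>,cn=<realm>,cn=<mech>,cn=auth
    (r"^uid=([^,]+),cn=([^,]+),cn=([^,]+),cn=auth$",
     "ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1@$2)(objectClass=person))"),
    # Reply's first rule: uid=<user>,cn=<mech>,cn=auth (no realm delivered)
    (r"^uid=([^,]+),cn=([^,]+),cn=auth$",
     "ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"),
]

# Only the two rules given in the reply, to show the gap the third rule closes.
REPLY_RULES_ONLY = AUTHZ_REGEXP[1:]


def map_sasl_dn(sasl_dn, rules=AUTHZ_REGEXP):
    """Return the LDAP URI the first matching rule expands to, or None."""
    for pattern, template in rules:
        m = re.match(pattern, sasl_dn, re.IGNORECASE)
        if m:
            # Expand $1, $2, ... with the captured groups, as slapd does.
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)
    return None


if __name__ == "__main__":
    for dn in (
        "uid=alice,cn=digest-md5,cn=auth",
        "uid=alice,cn=eng.example.com,cn=digest-md5,cn=auth",
        "uid=alice@eng.example.com,cn=digest-md5,cn=auth",
        "uid=alice@eng.example.com,cn=eng.example.com,cn=digest-md5,cn=auth",
    ):
        print(dn, "->", map_sasl_dn(dn))
        print("  (reply rules only) ->", map_sasl_dn(dn, REPLY_RULES_ONLY))
```

Without the third rule the last DN shape expands to uid=alice@eng.example.com@eng.example.com, which is the doubled-domain search the reply warns about.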