Re: Cyrus IMAPD + virtual domains + SASL + OpenLDAP ldapdb
On Fri, 21 Feb 2014 13:09:13 -0700, Nels Lindquist <nlindq@maei.ca> wrote:
> I'm attempting to configure Cyrus IMAPD with ldapdb for SASL
> authentication. As I'm using virtual domains, I need users to be able
> to authenticate using their e-mail addresses, or just a bare userid
> for the default domain. I'm having some trouble getting everything
> working[1].
>
> Based on this documentation extract from Cyrus SASL, I've been
> primarily focussing on the OpenLDAP configuration:
>
> "Unlike other LDAP-enabled plugins for other services that are common
> on the web, this plugin does not require you to configure DN search
> patterns to map usernames to LDAP DNs. This plugin requires SASL name
> mapping to be configured on the target slapd. This approach keeps the
> LDAP-specific configuration details in one place, the slapd.conf, and
> makes the configuration of remote services much simpler."
>
> I've set up a number of olcAuthzRegexp entries similar to (from the
> OpenLDAP 2.4 admin guide):
>
> "A more complex site might have several realms in use, each mapping
> to a different subtree in the directory. These can be handled with
> statements of the form:
>
> # Match Engineering realm
> authz-regexp
>   uid=([^,]*),cn=engineering.example.com,cn=digest-md5,cn=auth
>   ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))
>
> # Match Accounting realm
> authz-regexp
>   uid=([^,].*),cn=accounting.example.com,cn=digest-md5,cn=auth
>   ldap:///dc=accounting,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))
>
> # Default realm is customers.example.com
> authz-regexp
>   uid=([^,]*),cn=digest-md5,cn=auth
>   ldap:///dc=customers,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"
>
> However, from what I can determine I'm not getting any realm component
> in the searches coming through. The "default" realm configuration
> works when I use a bare userid to authenticate, but when using a full
> e-mail address, that comes through as
> "uid=example@example.com,cn=[authmech],cn=auth". That said, I haven't
> found a LogLevel which includes AuthzRegexp processing; I've tried
> various settings, but the closest I've come is logging the resulting
> bind requests (e.g. BIND dn="uid=example,ou=people,dc=example,dc=com"
> mech=DIGEST-MD5 sasl_ssf=128 ssf=128).
>
> So my question is, how is the realm determined in such a scenario?
> Do I need to design olcAuthzRegexp entries to determine the realm
> based on the e-mail address supplied? If so, how does that
> information get passed back to Cyrus IMAPD so that the correct
> virtual domain is selected? Is there an appropriate olcLogLevel to
> see detailed olcAuthzRegexp processing?
>
> I'd be grateful for any suggestions or references to documentation,
> etc. I've done some searching of the mailing list archives to little
> avail.
>
> In case it matters, this is on CentOS 6.5 (x86_64) with stock OpenLDAP
> 2.4.23 and Cyrus SASL 2.1.23 packages, plus Cyrus IMAPD 2.4.17 built
> from Simon Matter's SRPM.
>
> [1] I *am* able to get authentication + virtual domains working with
> saslauthd, but I'd like to be able to support non-plaintext auth
> mechanisms.
First, you should enable proxy authentication by authz-policy, and
create and define a proxy user as part of the ldapdb configuration. In
order to pass mail attribute values instead of uid values, you may define

    authz-regexp uid=(.*),cn=.*,cn=auth
        ldap:///dc=example,dc=com??sub?mail=$1

For this, the mail attribute must be indexed.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
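Added example, written for this archive page and not part of either message in the thread: a small Python model of how slapd walks an authz-regexp list, built from the two realm rules quoted from the OpenLDAP admin guide in the question and the mail-attribute rule given in the reply. It shows why a bare address arrives as "uid=user@example.com,cn=<mech>,cn=auth" with no realm component, and what the greedy "uid=(.*)" capture does if a realm component is present after all. The helper names (sasl_auth_dn, map_auth_dn, escape_filter_value), the identities jdoe and jdoe@example.com, and the RFC 4515 escaping of $1 are assumptions of the model; real slapd matches POSIX extended regexes against the cn=auth DN, which the model approximates with anchored, case-insensitive Python regexes.

```python
import re

# Constructed rule list modelled on the thread: two realm-specific rules from
# the OpenLDAP admin guide, then the reply's mail-attribute rule as a catch-all.
# slapd tries rules in order and uses the first match, substituting $1.
AUTHZ_REGEXP_RULES = [
    (r"uid=([^,]*),cn=engineering\.example\.com,cn=digest-md5,cn=auth",
     "ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"),
    (r"uid=([^,]*),cn=accounting\.example\.com,cn=digest-md5,cn=auth",
     "ldap:///dc=accounting,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"),
    # Reply's suggestion: no realm component, look the captured value up as mail.
    (r"uid=(.*),cn=.*,cn=auth",
     "ldap:///dc=example,dc=com??sub?mail=$1"),
]

# Same list with a capture that stops at the first comma, so a realm
# component (",cn=<realm>") can never be swallowed into $1. (Model's variant.)
AUTHZ_REGEXP_RULES_STRICT = AUTHZ_REGEXP_RULES[:2] + [
    (r"uid=([^,]*),cn=.*,cn=auth",
     "ldap:///dc=example,dc=com??sub?mail=$1"),
]


def sasl_auth_dn(authcid, mech, realm=None):
    """Synthesize the cn=auth DN slapd builds for a SASL bind.

    With a realm:    uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth
    Without a realm: uid=<authcid>,cn=<mech>,cn=auth   (what the question saw)
    """
    parts = [f"uid={authcid}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech.lower()}", "cn=auth"]
    return ",".join(parts)


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter.

    Applied by this model as a defensive measure; check what your slapd
    version does with $1 rather than assuming it escapes the same way.
    """
    return (value.replace("\\", r"\5c").replace("*", r"\2a")
                 .replace("(", r"\28").replace(")", r"\29").replace("\0", r"\00"))


def map_auth_dn(auth_dn, rules=AUTHZ_REGEXP_RULES):
    """Return (rule_index, ldap_url) for the first matching rule, else None.

    Patterns are anchored to the whole DN and matched case-insensitively,
    a simplification of slapd's POSIX ERE handling.
    """
    for index, (pattern, template) in enumerate(rules):
        match = re.fullmatch(pattern, auth_dn, re.IGNORECASE)
        if match:
            return index, template.replace("$1", escape_filter_value(match.group(1)))
    return None


if __name__ == "__main__":
    # Constructed identities for illustration.
    for authcid, realm in [("jdoe@example.com", None),
                           ("jdoe", "engineering.example.com"),
                           ("jdoe", "example.com")]:
        dn = sasl_auth_dn(authcid, "DIGEST-MD5", realm)
        print(dn)
        print("  loose :", map_auth_dn(dn))
        print("  strict:", map_auth_dn(dn, AUTHZ_REGEXP_RULES_STRICT))
```

The third identity is the instructive one: a realm the first two rules do not name falls through to the catch-all, and in the loose list the greedy capture drags ",cn=example.com" into $1, so the resulting filter would search mail=jdoe,cn=example.com. The strict variant captures only jdoe, which at least keeps the filter well-formed and makes it obvious that a realm-specific rule is missing.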