[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Cyrus IMAPD + virtual domains + SASL + OpenLDAP ldapdb

To: openldap-technical@openldap.org
Subject: Re: Cyrus IMAPD + virtual domains + SASL + OpenLDAP ldapdb
From: Dan White <dwhite@olp.net>
Date: Tue, 25 Feb 2014 17:02:40 -0600
Cc: Nels Lindquist <nlindq@maei.ca>
Content-disposition: inline
In-reply-to: <530D17B4.1060002@maei.ca>
References: <5307B269.8060703@maei.ca> <20140221204508.GG5986@dan.olp.net> <530D17B4.1060002@maei.ca>
User-agent: Mutt/1.5.21 (2010-09-15)

Forwarding to the list for posterity.

On 02/25/14 15:22 -0700, Nels Lindquist wrote:

On 2/21/2014 1:45 PM, Dan White wrote:

On 02/21/14 13:09 -0700, Nels Lindquist wrote:


<snip>

However, from what I can determine I'm not getting any realm component
in the searches coming through.  The "default" realm configuration works
when I use a bare userid to authenticate, but when using a full e-mail
address, that comes through as
"uid=example@example.com,cn=[authmech],cn=auth".  That said, I haven't
found a LogLevel which includes AuthzRegexp processing; I've tried
various settings, but the closest I've come is logging the resulting
bind requests (eg. BIND dn="uid=example,ou=people,dc=example,dc=com"
mech=DIGEST-MD5 sasl_ssf=128 ssf=128).


I would not depend on realm being delivered in a consistent way from cyrus
imapd/sasl. Different mechanisms will act in different ways. libsasl2 is
responsible for providing the realm (or not). To maintain some consistency,
create two sets of authz-regexp rules, such as:

authz-regexp
  "uid=([^,]+),cn=([^,]+),cn=auth"
  "ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"

authz-regexp
  "uid=([^,]+),cn=([^,]+),cn=([^,]+),cn=auth"

"ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1@$2)(objectClass=person))"

And you may need a third rule which matches cases where both a fully
qualified username AND a realm are provided.


To be more clear, in my LDAP none of the objects have uids incorporating
e-mail addresses, but that's how Cyrus IMAP allows for virtual domain
logins.

My base dn is actually "o=top", and then I have the various domains laid
out like:

dc=example,dc=com,o=top
dc=example2,dc=ca,o=top

... so my plan was to use the virtual domain information to translate
into which subtree I need to search against.  The "fallthrough" default
domain just searches the bare uid against a particular subtree.

It seems to be working using this (we're using LDAPRouting with
Sendmail, so all mailboxes must have inetLocalMailRecipient attributes):

# Match e-mail address; map to correct subtree

authz-regexp
 "uid=([^,]+)@([^,\.]+)\.([^,]+),cn=[^,]*,cn=auth"
 "ldap:///dc=$2,dc=$3,o=top??sub?(&(uid=$1)(mailLocalAddress=*))"


# Default domain

authz-regexp
 "uid=([^,]*),cn=[^,]*,cn=auth"
 "ldap:///dc=example,dc=com,o=top??sub?(&(uid=$1)(mailLocalAddress=*))"

ldapwhoami is highly recommend for testing this setup. Include all of -Y,
-U, and -X.


Thanks very much for putting me on the right track!


--
Dan White

References:
- Cyrus IMAPD + virtual domains + SASL + OpenLDAP ldapdb
  - From: Nels Lindquist <nlindq@maei.ca>
- Re: Cyrus IMAPD + virtual domains + SASL + OpenLDAP ldapdb
  - From: Dan White <dwhite@olp.net>

Prev by Date: Re: Replication from OpenLDAP to Fedora 389 DS
Next by Date: Re: strategy for getting groupOfNames (AD) and posixAccount (Unix) to coexist?
Index(es):
- Chronological
- Thread