Hmmm. This seemed to fail to get to the list last time (so I'm posting again).
---------

I've been beating my head against this for two days now. First with 2.1 and now with 2.2. I'm desperate for a solution. I'm trying to set up Cyrus 2.2 to do virtual domain logins authenticating off LDAP.

What is happening
-----------------

Cyrus IMAPd doesn't seem to be passing a full [EMAIL PROTECTED] login id to SASLAUTHD. When I use cyradm to login as the cyrus user to do some config, this is what SASLAUTHD sends to my LDAP repository:

    conn=28 op=3 BIND dn="UID=CYRUS,OU=PEOPLE,DC=OU-FQDN,DC=TLD" method=128
    conn=28 op=3 RESULT tag=97 err=0 text=
    conn=29 op=2 SRCH base="dc=our-fqdn,dc=tld" scope=2 filter="(uid=cyrus)"
    conn=29 op=2 SEARCH RESULT tag=101 err=0 text=

This is all good. I can login as the cyrus admin user and create virtual domain mailboxes, and Cyrus correctly creates the mailboxes.

However, when I use "imtest -m login -a '[EMAIL PROTECTED]' localhost" (or an IMAP client) to try and login as one of our [EMAIL PROTECTED] accounts, it sends this:

    conn=26 op=3 BIND dn="UID=CYRUS,OU=PEOPLE,DC=OUR-FQDN,DC=TLD" method=128
    conn=26 op=3 RESULT tag=97 err=0 text=
    conn=27 op=2 SRCH base="dc=our-fqdn,dc=tld" scope=2 filter="(uid=user)"
    conn=27 op=2 SEARCH RESULT tag=101 err=0 text=

Note that it is *not* searching for [EMAIL PROTECTED] and therefore does not match my customer's LDAP entry (see how we have set up the LDAP dir below).

From the SASLAUTHD docs it suggests that the ldap_filter defaults to "uid=%u". %u is supposed to expand to [EMAIL PROTECTED] But it is not doing this.

If I explicitly set SASLAUTHD's ldap_filter to "[EMAIL PROTECTED]" the lookup succeeds; however, when you don't specify a domain when logging in it searches for "uid=user@". This breaks searches for "normal" non-virtdomain users like the "cyrus" admin user.

Now I'm thinking that this behaviour has something to do with the way SASL deals with "realms". I really don't understand SASL that well, so I don't even know what a "realm" is supposed to be. I don't care about realms; I just want the user's UID to be their fully qualified email address.

How can I get this to work correctly? Please help. I'm desperate here!! Help would be highly appreciated.

Below is how we have things configured.

OpenLDAP Config
---------------

I'm creating IMAP email users' auth details in my LDAP hierarchy like this:

    [EMAIL PROTECTED],ou=People,ou=CustomersCompany,ou=Customers,dc=our-fqdn,dc=tld

I've also got an LDAP tree branch with entries like this:

    uid=cyrus,ou=People,dc=our-fqdn,dc=tld

This is for users with login accounts to the server and for the default "cyrus" admin login. I also have entries like this:

    cn=cyrus,ou=Servers,dc=our-fqdn,dc=tld

We use this entry as a simpleSecurityObject for saslauthd to bind to the LDAP dir. We have a number of these entries for other services that use LDAP. This is just to allow us to do funky things with LDAP acls etc.

SASLAUTHD Config
----------------

I've configured SASLAUTHD like this:

    ldap_servers: ldap://localhost/
    ldap_search_base: dc=our-fqdn,dc=tld
    ldap_bind_dn: cn=cyrus,ou=Servers,dc=our-fqdn,dc=tld
    ldap_bind_pw: password

Cyrus IMAPd 2.2.2 Config
------------------------

I have Cyrus configured as follows:

    configdirectory: /usr/local/cyrus/var/lib/imap
    partition-default: /usr/local/cyrus/var/spool/imap
    defaultdomain: our-fqdn.tld
    loginrealms: example.tld
    virtdomains: yes
    unixhierarchysep: yes
    servername: mail.our-fqdn.tld
    admins: cyrus
    sievedir: /usr/local/cyrus/var/lib/imap/sieve
    sendmail: /usr/sbin/sendmail
    hashimapspool: true
    sasl_pwcheck_method: saslauthd
    sasl_mech_list: PLAIN
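A small check for the symptom described in the post, added here as an example and not part of the original message or of saslauthd: it derives the uid filter a given login id should produce (escaping the value per RFC 4515 so a login cannot change the filter's structure) and compares it with the filter slapd actually logged, using constructed log lines modelled on the ones quoted above. The function names and the sample domain customer.tld are assumptions.

```python
import re
from typing import Optional

# Characters RFC 4515 requires to be escaped inside a filter assertion value,
# so a login id cannot alter the structure of the search filter.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_FILTER_RE = re.compile(r'\bfilter="([^"]*)"')


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def expected_uid_filter(login: str) -> str:
    """Filter a lookup for this login should use: (uid=user@domain) for a
    virtual-domain login, (uid=user) for a plain one. A dangling 'user@' or
    '@domain' (the shape that breaks non-virtdomain users) is rejected."""
    user, at, domain = login.partition("@")
    if not user or (at and not domain) or "@" in domain:
        raise ValueError(f"malformed login id: {login!r}")
    return f"(uid={escape_filter_value(login)})"


def filter_from_slapd_log(line: str) -> Optional[str]:
    """Pull the filter="..." value out of a slapd SRCH log line, if present."""
    match = _FILTER_RE.search(line)
    return match.group(1) if match else None


def lookup_matches_login(login: str, srch_line: str) -> bool:
    """True when slapd searched for exactly the filter the login should produce."""
    return filter_from_slapd_log(srch_line) == expected_uid_filter(login)


# Constructed log lines modelled on the ones in the post (not real captures).
ADMIN_SRCH = 'conn=29 op=2 SRCH base="dc=our-fqdn,dc=tld" scope=2 filter="(uid=cyrus)"'
CUSTOMER_SRCH = 'conn=27 op=2 SRCH base="dc=our-fqdn,dc=tld" scope=2 filter="(uid=user)"'

if __name__ == "__main__":
    # The admin lookup carries the right filter; the customer lookup lost its domain.
    print("cyrus:", lookup_matches_login("cyrus", ADMIN_SRCH))  # True
    print("user@customer.tld:", lookup_matches_login("user@customer.tld", CUSTOMER_SRCH))  # False
```

Run it against lines grepped from slapd's log to confirm whether the domain part survives the trip from Cyrus through saslauthd.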