On Thu, 4 Nov 2004, Ralph Roessner wrote:
Hi!
On Wed, Nov 03, 2004 at 05:49:01PM +0000, Jon Wilson wrote:
Hi,
I'm trying to migrate all our services to LDAP.
I can get cyrus-imapd to do user authentication against an OpenLDAP server working OK, using "sasl_pwcheck_method: saslauthd", and relevant saslauthd.conf.
I'm a bit stuck with getting imapd to get group membership out of the LDAP server, to use for authorization and access control.
I can build an imap server with LDAP support in "ptloader" but as soon as I start using it, imapd seems to stop using saslauthd for authentication. In addition I get lines like the following in my ldap logs. The BIND looks OK, but I don't understand the rest.
Cyrus IMAP with LDAP ptloader still uses saslauthd for authentication. But before it does authentication, it uses LDAP to canonify the user name. That is what you are seeing here:
First it binds with admin rights:
Nov 3 16:15:41 <20.7> green slapd[18408]: conn=96 fd=19 ACCEPT from IP=127.0.0.1:1749 (IP=0.0.0.0:389)
Nov 3 16:15:41 <20.7> green slapd[18408]: conn=96 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" method=128
Nov 3 16:15:41 <20.7> green slapd[18408]: conn=96 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0
Nov 3 16:15:41 <20.7> green slapd[18408]: conn=96 op=0 RESULT tag=97 err=0 text=
Then it changes uid to the user that is being canonified and asks for its own user name. The assumption is that the LDAP server will return the canonical user name. (In LDAPish this reads: execute a "who am i" extended operation with "proxyauthz" control in place).
Nov 3 16:15:41 <20.7> green slapd[18408]: conn=96 op=1 PROXYAUTHZ dn="uid=jon,cn=simple,cn=auth"
Nov 3 16:15:41 <20.7> green slapd[18408]: conn=96 op=2 SRCH base="uid=jon,cn=simple,cn=auth" scope=0 deref=0 filter="(objectClass=*)"
Nov 3 16:15:41 <20.7> green slapd[18408]: conn=96 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
Nov 3 16:23:59 <20.7> green slapd[18408]: conn=96 fd=19 closed
Note the error 32. This is called LDAP_NO_SUCH_OBJECT and means in this case that the search base ("uid=jon,cn=simple,cn=auth") does not exist. You probably need to adjust the SASL -> uid mapping in the LDAP configuration so that "The user with authcid 'jon' authenticated by the simple mechanism" gets translated to "uid=jon,cn=people,dc=mydomain,dc=com" or whatever your user subtree is called. See the slapd.conf man page, keyword "sasl-regexp".
To summarize: The Cyrus IMAP ptloader does not find your users in the LDAP tree. Neither authentication nor group lookup is even tried.
Could someone give a working example, which I think will probably help a lot. There is a lack of documentation on how group information is looked up - it's not even immediately clear to me that "ptloader" is actually for that.
Sorry, I cannot provide an example. Our efforts have not progressed far enough for that. But the LDAP ptloader is definitely used for group lookup, and you will need to configure forward lookups, i.e. find the members of a given group (see man imap.conf, options ldap_group_*) and reverse lookups, i.e. find the groups a given user is a member of (see man imap.conf, options ldap_member_*).
Show us your config and I can help you from there. There are quite a few ways you can configure ptloader.
Notes: I plan to use simple binds (with TLS) between the ldap server and any of its clients (including the imap server), so I don't require any SASL configuration at that stage. I have a free hand about schemas and(...)
Then try turning SASL off: option "ldap_sasl: 0". This may save you the trouble of finding a working "sasl-regexp".
-- Igor
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
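An added example, not part of the thread above: a small Python script that scans slapd log lines of the kind Ralph walks through and reports each connection where the ptloader "who am i" search (a scope=0 SRCH on the PROXYAUTHZ dn) ended in err=32, i.e. the SASL-to-DN mapping produced an entry that does not exist. The sample log is constructed from the excerpt in this thread.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the slapd excerpt quoted in the thread.
SAMPLE_LOG = """\
Nov 3 16:15:41 <20.7> green slapd[18408]: conn=96 fd=19 ACCEPT from IP=127.0.0.1:1749 (IP=0.0.0.0:389)
Nov 3 16:15:41 <20.7> green slapd[18408]: conn=96 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" method=128
Nov 3 16:15:41 <20.7> green slapd[18408]: conn=96 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0
Nov 3 16:15:41 <20.7> green slapd[18408]: conn=96 op=0 RESULT tag=97 err=0 text=
Nov 3 16:15:41 <20.7> green slapd[18408]: conn=96 op=1 PROXYAUTHZ dn="uid=jon,cn=simple,cn=auth"
Nov 3 16:15:41 <20.7> green slapd[18408]: conn=96 op=2 SRCH base="uid=jon,cn=simple,cn=auth" scope=0 deref=0 filter="(objectClass=*)"
Nov 3 16:15:41 <20.7> green slapd[18408]: conn=96 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
Nov 3 16:23:59 <20.7> green slapd[18408]: conn=96 fd=19 closed
"""

# Only operation lines (conn=N op=M <kind> ...) matter; ACCEPT/closed carry no op.
LINE_RE = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) (BIND|RESULT|PROXYAUTHZ|SRCH|SEARCH RESULT)\b(.*)')
# key=value pairs; values may be quoted (DNs and filters contain '=' and spaces).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')

def parse_ops(log):
    """Group operation lines by connection: {conn: [(op, kind, fields), ...]}."""
    conns = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        conns[int(conn)].append((int(op), kind, fields))
    return conns

def find_failed_canonification(log):
    """Return [(conn, proxied_dn)] for every connection where the scope=0 search
    on the PROXYAUTHZ dn came back with err=32 (LDAP_NO_SUCH_OBJECT)."""
    hits = []
    for conn, ops in parse_ops(log).items():
        proxied, pending = None, {}
        for op, kind, f in ops:
            if kind == "PROXYAUTHZ":
                proxied = f.get("dn")
            elif kind == "SRCH" and proxied and f.get("base") == proxied and f.get("scope") == "0":
                pending[op] = proxied          # this is ptloader's "who am i" lookup
            elif kind == "SEARCH RESULT" and op in pending and f.get("err") == "32":
                hits.append((conn, pending[op]))
    return hits

if __name__ == "__main__":
    for conn, dn in find_failed_canonification(SAMPLE_LOG):
        print(f"conn={conn}: mapped dn {dn!r} does not exist; check sasl-regexp")
```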