On Thu, 16 Dec 2004, Thomas Vogt wrote:

Hello

I'm using cyrus-imapd 2.2.10 and saslauthd.

saslauthd works fine:
testsaslauthd -u pc322 -p testpw
0: OK "Success."

testsaslauthd -u [EMAIL PROTECTED] -p testpw
0: OK "Success."

(same user in the ldap database: pc322 is the uid, [EMAIL PROTECTED] is the
mailacceptinggeneralid)

That's why I've defined an ldap filter. The idea is to check mailboxes with
the uid as username or with the ldap entry in mailacceptinggeneralid as
username.


imapd.conf:
configdirectory: /var/imap
partition-default: /var/spool/imap
servername: testserver.lan
hashimapspool: true
poptimeout: 10
allowplaintext: yes
sasl_pwcheck_method: saslauthd
ldap_filter: (|(uid=%u)(mailacceptinggeneralid=%u))


saslauthd.conf:
ldap_servers: ldap://home.lan
ldap_search_base: ou=people,ou=lan,dc=lan,dc=ch
ldap_filter: (|(uid=%u)(mailacceptinggeneralid=%u))


First of all: do I have to define the ldap_filter in imapd.conf and in saslauthd.conf? I thought sasl_pwcheck_method: saslauthd in imapd.conf is enough.


Correct. You can only define ldap_filter in saslauthd.conf.


Login with the uid/mailbox name in ldap (username: pc322) works fine.

Escape character is '^]'.
+OK mail.lan Cyrus POP3 v2.2.10 server ready
<[EMAIL PROTECTED]
user pc322
+OK Name is a valid mailbox
pass testpw
...


Now I tried to login with the username from mailacceptinggeneralid in ldap (username: [EMAIL PROTECTED]).

Escape character is '^]'.
+OK mail.lan Cyrus POP3 v2.2.10 server ready
<[EMAIL PROTECTED]
user [EMAIL PROTECTED]
-ERR [AUTH] Invalid user


This error message was returned immediately. There was no check from cyrus imapd to saslauthd => ldap.

This is because you do not have [EMAIL PROTECTED] mailbox.

Is it not possible to authenticate a user in cyrus-imapd with other
names than the default uid/mailbox name even if I've set ldap_filter? Is
the username check limited to the mailboxes.db?
I mean cyrus can always get the uid if a user authenticates itself
with another entry in the ldap server.

This is not how it works. saslauthd verifies passwords only.

There are several ways to implement user rewriting functionality. I would write a custom sasl canon plugin.

--
Igor
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
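To make Igor's two points concrete (saslauthd only verifies the password; the mailbox check in Cyrus runs on the login name before saslauthd is ever asked), here is an added model of the flow in this thread. It is example code, not Cyrus or saslauthd source; the directory entry, the alias pc322@lan.ch and the mailbox list are constructed stand-ins for LDAP and mailboxes.db, and the PASS-stage reply strings are the model's own.

```python
# Constructed sample data standing in for the LDAP entry under
# ou=people,ou=lan,dc=lan,dc=ch and for mailboxes.db.
DIRECTORY = [
    {"dn": "uid=pc322,ou=people,ou=lan,dc=lan,dc=ch",
     "uid": "pc322",
     "mailacceptinggeneralid": "pc322@lan.ch",   # constructed alias
     "userPassword": "testpw"},
]
MAILBOXES = {"user.pc322"}
# Attributes tested by (|(uid=%u)(mailacceptinggeneralid=%u)) from saslauthd.conf.
FILTER_ATTRS = ("uid", "mailacceptinggeneralid")


def ldap_search(user):
    """Entries matching the ldap_filter with %u replaced by the login name."""
    return [e for e in DIRECTORY if any(e.get(a) == user for a in FILTER_ATTRS)]


def saslauthd_verify(user, password):
    """saslauthd: search, then bind as the single matching DN.
    Returns 'OK'/'NO' like testsaslauthd prints; it never returns a rewritten name."""
    hits = ldap_search(user)
    if len(hits) == 1 and hits[0]["userPassword"] == password:
        return "OK"
    return "NO"


def canonicalize(user):
    """What a canon_user plugin would do: map an accepted login name to the
    uid that owns the mailbox. Ambiguous or unknown names pass through unchanged,
    so an alias can never be mapped onto someone else's mailbox by accident."""
    hits = ldap_search(user)
    return hits[0]["uid"] if len(hits) == 1 else user


def pop3_session(user, password, canon=lambda u: u):
    """Cyrus POP3 USER/PASS handling. The USER-stage replies are the ones seen
    in the thread; the mailbox check happens before any password check."""
    name = canon(user)
    if "user." + name not in MAILBOXES:
        return ("-ERR [AUTH] Invalid user", None)      # saslauthd never contacted
    if saslauthd_verify(name, password) != "OK":
        return ("+OK Name is a valid mailbox", "-ERR [AUTH] Invalid login")
    return ("+OK Name is a valid mailbox", "+OK Mailbox locked and ready")


if __name__ == "__main__":
    print(pop3_session("pc322", "testpw"))
    print(pop3_session("pc322@lan.ch", "testpw"))
    print(pop3_session("pc322@lan.ch", "testpw", canon=canonicalize))
```

Without the canon step the alias passes testsaslauthd but is rejected at USER; with it, the same login is mapped to pc322 and the password is then checked for that name.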
