On Tue, 21 Dec 2004, Igor Brezac wrote:
On Tue, 21 Dec 2004, Mike O'Rourke wrote:
Hi all,
I have Cyrus IMAPd 2.2.10, compiled with --with-auth=pts --with-pts=ldap --with-ldap against OpenLDAP 2.2.17.
my /etc/imapd.conf is:
configdirectory: /var/imap
defaultpartition: default
partition-default: /var/spool/imap
unixhierarchysep: yes
allowanonymouslogin: no
allowplaintext: yes
allowusermoves: yes
servername: server12.mydom.com
virtdomains: userid
defaultdomain: mydom.com
autocreatequota: -1
createonpost: 1
autocreateinboxfolders: Sent|Trash
autosubscribeinboxfolders: Sent|Trash
admins: cyrus
lmtpsocket: /var/imap/socket/lmtp
sendmail: /usr/sbin/sendmail
tls_cert_file: /var/imap/server12_cert.pem
tls_key_file: /var/imap/server12_key.pem
tls_CA_file: /var/imap/cacerts/cacert.pem
tls_CA_path: /var/imap/cacerts
tls_require_cert: 0
ldap_sasl: 0
ldap_base: ou=email,o=internet,o=mycom
ldap_bind_dn: cn=server12.mydom.com,ou=hosts,o=internet,o=mycom
ldap_filter: (&(uid=%u)(MailUserDefHost=server12.mydom.com))
ldap_password: mypass
ldap_tls_cacert_file: /var/imap/cacerts/cacert.pem
ldap_tls_cert: /var/imap/server12_cert.pem
ldap_tls_key: /var/imap/server12_key.pem
ldap_uri: ldaps://192.168.7.11 ldaps://ldap1.mydom.com ldaps://ldap2.mydom.com
ptloader_sock: /var/imap/socket/ptsock
In the ldap_filter, MailUserDefHost is a private attribute to limit which host the user can login to.
Authorization fails with a generic failure (see the imtest output below, if you wish). Even though "ldap_sasl" is set to 0 in imapd.conf, ptloader still appears to attempt SASL proxy authorization (the whoami / proxy-authz control) after the simple bind has succeeded (see the LDAP server's debugging output below, if you wish).
This is a bug in ptloader/ldap.
Please try this patch:
Index: ldap.c
===================================================================
RCS file: /cvs/src/cyrus/ptclient/ldap.c,v
retrieving revision 1.7
diff -u -r1.7 ldap.c
--- ldap.c 24 Jun 2004 19:28:39 -0000 1.7
+++ ldap.c 21 Dec 2004 05:27:18 -0000
This patch will not work when ldap_sasl is enabled. Here is an updated patch:
Index: ldap.c
===================================================================
RCS file: /cvs/src/cyrus/ptclient/ldap.c,v
retrieving revision 1.7
diff -u -r1.7 ldap.c
--- ldap.c 24 Jun 2004 19:28:39 -0000 1.7
+++ ldap.c 21 Dec 2004 15:38:49 -0000
@@ -799,64 +799,66 @@
#if LDAP_VENDOR_VERSION >= 20125
- authzid = xmalloc(size + sizeof("u:"));
- if (authzid == NULL)
- return PTSM_NOMEM;
-
- strcpy(authzid, "u:");
- strcpy(authzid+2, canon_id);
- c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
- c.ldctl_value.bv_val = authzid;
- c.ldctl_value.bv_len = size + 2;
- c.ldctl_iscritical = 1;
-
- ctrl[0] = &c;
- ctrl[1] = NULL;
- rc = ldap_whoami_s(ptsm->ld, &dn, ctrl, NULL);
- free(authzid);
- if ( rc != LDAP_SUCCESS || !dn ) {
- if (rc == LDAP_SERVER_DOWN) {
- ldap_unbind(ptsm->ld);
- ptsm->ld = NULL;
- return PTSM_RETRY;
+ if (ptsm->sasl) {
+ authzid = xmalloc(size + sizeof("u:"));
+ if (authzid == NULL)
+ return PTSM_NOMEM;
+
+ strcpy(authzid, "u:");
+ strcpy(authzid+2, canon_id);
+ c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
+ c.ldctl_value.bv_val = authzid;
+ c.ldctl_value.bv_len = size + 2;
+ c.ldctl_iscritical = 1;
+
+ ctrl[0] = &c;
+ ctrl[1] = NULL;
+ rc = ldap_whoami_s(ptsm->ld, &dn, ctrl, NULL);
+ free(authzid);
+ if ( rc != LDAP_SUCCESS || !dn ) {
+ if (rc == LDAP_SERVER_DOWN) {
+ ldap_unbind(ptsm->ld);
+ ptsm->ld = NULL;
+ return PTSM_RETRY;
+ }
+ return PTSM_FAIL;
}
- return PTSM_FAIL;
- }
- if ( dn->bv_val &&
- !strncmp(dn->bv_val, "dn:", 3) )
- *ret = strdup(dn->bv_val+3);
- ber_bvfree(dn);
-
-#else
-
- rc = ptsmodule_expand_tokens(ptsm->filter, canon_id, NULL, &filter);
- if (rc != PTSM_OK)
- return rc;
-
- rc = ptsmodule_expand_tokens(ptsm->base, canon_id, NULL, &base);
- if (rc != PTSM_OK)
- return rc;
-
- rc = ldap_search_st(ptsm->ld, base, ptsm->scope, filter, attrs, 0, &(ptsm->timeout), &res);
- free(filter);
- free(base);
- if (rc != LDAP_SUCCESS) {
- if (rc == LDAP_SERVER_DOWN) {
- ldap_unbind(ptsm->ld);
- ptsm->ld = NULL;
- return PTSM_RETRY;
- }
- return PTSM_FAIL;
- }
+ if ( dn->bv_val &&
+ !strncmp(dn->bv_val, "dn:", 3) )
+ *ret = strdup(dn->bv_val+3);
+ ber_bvfree(dn);
+ } else
+
+#endif
- if ( (entry = ldap_first_entry(ptsm->ld, res)) != NULL )
- *ret = ldap_get_dn(ptsm->ld, entry);
+ {
+ rc = ptsmodule_expand_tokens(ptsm->filter, canon_id, NULL, &filter);
+ if (rc != PTSM_OK)
+ return rc;
+
+ rc = ptsmodule_expand_tokens(ptsm->base, canon_id, NULL, &base);
+ if (rc != PTSM_OK)
+ return rc;
+
+ rc = ldap_search_st(ptsm->ld, base, ptsm->scope, filter, attrs, 0, &(ptsm->timeout), &res);
+ free(filter);
+ free(base);
+ if (rc != LDAP_SUCCESS) {
+ if (rc == LDAP_SERVER_DOWN) {
+ ldap_unbind(ptsm->ld);
+ ptsm->ld = NULL;
+ return PTSM_RETRY;
+ }
+ return PTSM_FAIL;
+ }
- ldap_msgfree(res);
- res = NULL;
+ if ( (entry = ldap_first_entry(ptsm->ld, res)) != NULL )
+ *ret = ldap_get_dn(ptsm->ld, entry);
-#endif
+ ldap_msgfree(res);
+ res = NULL;
+ }
return (*ret ? PTSM_OK : PTSM_FAIL);
}
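Review bot: In the non-SASL search branch on the new side, the early `return rc;` after the second ptsmodule_expand_tokens() call (the one expanding ptsm->base) leaks `filter`, which the first call allocated and which is otherwise only freed after ldap_search_st(); the guard should read `if (rc != PTSM_OK) { free(filter); return rc; }`. The same branch substitutes canon_id into the configured filter (`(&(uid=%u)...)` in the reporter's setup), and since ptsmodule_expand_tokens() is not in the hunk it is worth confirming that it escapes LDAP filter metacharacters (`*`, `(`, `)`, `\`) in the identity — without that, a crafted id could widen the filter past the MailUserDefHost restriction the reporter relies on. A smaller point of style: the `} else` / `#endif` / `{` sequence is easy to misread, so a comment such as `/* #endif closes the SASL-only (proxy-authz) branch; what follows is the plain-search fallback */` before the `{` would help. The enclosing function begins before this hunk.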
-- Igor --- Cyrus Home Page: http://asg.web.cmu.edu/cyrus Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html