Hi again,

Perhaps I have to give more information, incl. debug output.
I'm running cyrus imapd 2.2.12

imapd.conf:
configdirectory: /m/imap
partition-default: /m/spool/imap
logtimestamps: yes
sieveusehomedir: false
sievedir: /m/imap/sieve
hashimapspool: true
sasl_pwcheck_method: saslauthd
ptloader_sock: /var/imap/socket/ptsock
lmtpsocket: /var/imap/socket/lmtp
idlesocket: /var/imap/socket/idle
notifysocket: /var/imap/socket/notify
ldap_base: dc=freeweb,dc=ch
ldap_deref: search
ldap_filter: ([EMAIL PROTECTED]) #hardcoded, since I just want to test alias login
ldap_sasl: 0
ldap_group_scope: sub
ldap_bind_dn: dc=freeweb,dc=ch
ldap_restart: 1
ldap_scope: sub
ldap_start_tls: 0
ldap_time_limit: 10
ldap_timeout: 15
ptscache_timeout: 0
ldap_tls_check_peer: no
ldap_uri: ldap://localhost/

saslauthd.conf:
ldap_servers: ldap://localhost/
ldap_search_base: ou=people,ou=freeweb,dc=freeweb,dc=ch

ldap test user entry:
# usermail04, people, freeweb, freeweb, ch
dn: uid=usermail04, ou=people,ou=freeweb,dc=freeweb,dc=ch
uid: usermail04
sn: none
uidNumber: -1
gidNumber: -1
homeDirectory: /nonexistent
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: xMail
cn: Testuser
userPassword:: e01EaEgMEUs4gaUmRZSU9xSll0Y1FnPT0K
maildrop: [EMAIL PROTECTED]
alias: [EMAIL PROTECTED]
alias: [EMAIL PROTECTED]

With the uid I can login as expected:
[EMAIL PROTECTED]:~# telnet 0 110
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
+OK mail04.freeweb.ch Cyrus POP3 v2.2.12 server ready <[EMAIL PROTECTED]>
user usermail04
+OK Name is a valid mailbox
pass test
+OK Mailbox locked and ready
list
+OK scan listing follows
1 2908
2 1939
3 2922
4 1430

If I try to login with the alias value from the LDAP (alias: [EMAIL PROTECTED]), I get an error message:
[EMAIL PROTECTED]:~# telnet 0 110
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
+OK mail04.freeweb.ch Cyrus POP3 v2.2.12 server ready <[EMAIL PROTECTED]>
user smail04
+OK Name is a valid mailbox
pass test
-ERR [AUTH] Invalid login

slapd -d 256 shows:

User login with smail04 (alias user):
daemon: conn=0 fd=8 connection from IP=127.0.0.1:53965 (IP=127.0.0.1:389) accepted.
conn=0 op=0 BIND dn="DC=FREEWEB,DC=CH" method=128
ber_flush: 14 bytes to sd 8
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="dc=freeweb,dc=ch" scope=2 filter="([EMAIL PROTECTED])"
ber_flush: 396 bytes to sd 8
ber_flush: 14 bytes to sd 8
conn=0 op=1 SEARCH RESULT tag=101 err=0 text=
conn=0 op=2 SRCH base="uid=usermail04, ou=people,ou=freeweb,dc=solnet,dc=ch" scope=0 filter="(objectClass=*)"
ber_flush: 396 bytes to sd 8
ber_flush: 14 bytes to sd 8
conn=0 op=2 SEARCH RESULT tag=101 err=0 text=

password auth:
daemon: conn=3 fd=17 connection from IP=127.0.0.1:54593 (IP=127.0.0.1:389) accepted.
conn=3 op=0 BIND dn="" method=128
ber_flush: 14 bytes to sd 17
conn=3 op=0 RESULT tag=97 err=0 text=
conn=3 op=1 SRCH base="ou=people,ou=freeweb,dc=freeweb,dc=ch" scope=2 filter="(uid=smail04)"
ber_flush: 14 bytes to sd 17
conn=3 op=1 SEARCH RESULT tag=101 err=0 text=

I see that SASL uses the uid, which of course will never be true with "smail04" as username. So I added ldap_filter: ([EMAIL PROTECTED]) in saslauthd.conf.


Now if I try to login with the alias name, I get another error:
+OK mail04.freeweb.ch Cyrus POP3 v2.2.12 server ready <[EMAIL PROTECTED]>
user smail04
+OK Name is a valid mailbox
pass test
-ERR [SYS/PERM] Unable to locate maildrop: Mailbox does not exist

slapd output for the password auth:
conn=1 op=0 BIND dn="" method=128
ber_flush: 14 bytes to sd 14
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 SRCH base="ou=people,ou=freeweb,dc=freeweb,dc=ch" scope=2 filter="([EMAIL PROTECTED])"
ber_flush: 62 bytes to sd 14
ber_flush: 14 bytes to sd 14
conn=1 op=1 SEARCH RESULT tag=101 err=0 text=
conn=1 op=2 BIND dn="UID=USERMAIL04,OU=PEOPLE,OU=FREEWEB,DC=FREEWEB,DC=CH" method=128
ber_flush: 14 bytes to sd 14
conn=1 op=2 RESULT tag=97 err=0 text=
conn=0 op=3 SRCH base="dc=freeweb,dc=ch" scope=2 filter="([EMAIL PROTECTED])"
ber_flush: 396 bytes to sd 8
ber_flush: 14 bytes to sd 8
conn=0 op=3 SEARCH RESULT tag=101 err=0 text=
conn=0 op=4 SRCH base="uid=usermail04, ou=people,ou=freeweb,dc=freeweb,dc=ch" scope=0 filter="(objectClass=*)"
ber_flush: 396 bytes to sd 8
ber_flush: 14 bytes to sd 8
conn=0 op=4 SEARCH RESULT tag=101 err=0 text=


syslog message:
Jun 9 06:27:34 mail04 pop3[5180]: login: localhost.freeweb.ch [127.0.0.1] smail04 plaintext User logged in
Jun 9 06:27:37 mail04 pop3[5180]: Unable to locate maildrop for smail04: Mailbox does not exist

But as you can see in the LDAP entry, my maildrop exists.
If I understand it correctly, then ptloader checks whether the mailbox is available with an LDAP search when I enter the login name. That's why I get an "OK" after that. Ptloader can find the alias value in the LDAP database. For the password check, SASL steps in. It also finds an entry for the alias user in my LDAP database. But then something goes wrong. I really have no clue.

Can someone please explain to me what happens?

Regards,
Thomas

On 08.06.2005 at 23:56, Thomas Vogt wrote:

Hi all

With ptloader we have a nice tool to connect to an LDAP backend. And with ldap_filter in imapd.conf the user has the ability to do nice things. This works very well. But as I understand it, this is only the authorization mechanism. I always have problems with the authentication (SASL).

An example. Let's say we have this user information in the LDAP backend.
# usermail04, people, freeweb, freeweb, ch
dn: uid=usermail04, ou=people,ou=freeweb,dc=freeweb,dc=ch
uid: usermail04
sn: none
uidNumber: -1
gidNumber: -1
homeDirectory: /nonexistent
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: xMail
cn: Testuser
userPassword:: e01EaEgMEUs4gaUmRZSU9xSll0Y1FnPT0K
maildrop: [EMAIL PROTECTED]
alias: [EMAIL PROTECTED]
alias: [EMAIL PROTECTED]

I can login without problem if I use the uid as username and the correct password (auth=pts). But is it not possible to use the alias value too, with the same password, for the login procedure? My problem is that I have an application which is generating a random uid as username. Only the alias value is human readable. Which means I'll give the user the ability to use his alias name for the POP3/IMAP authentication. Of course it should work with the uid too. Is there no configuration magic which can do that?


A few months ago Igor Brezac sent me an example patch. But I never figured out how it works.

Regards,
Thomas
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


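Reading the two traces together: the slapd log shows saslauthd finding the entry through the alias filter and then binding as uid=usermail04, so the password was verified against the right entry, while the syslog line shows Cyrus still carrying "smail04" as the user name and asking for a mailbox of that name. The script below is an added example, not code from Cyrus, ptloader or saslauthd, and not the poster's. It parses an LDIF entry and a slapd debug trace modelled on the ones in the thread (the mail addresses, the filter value and the "{MD5}" password hash are constructed; the real ones are redacted in the archive), resolves the login name to the uid that owns the mailbox, and shows how the lookup fails without that resolution and succeeds with it. The "user.<uid>" mailbox layout is the Cyrus convention; the assumption is that the missing step is exactly this login-name canonicalisation.

```python
import base64
import re

# LDAP entry modelled on the one posted in the thread; addresses and the
# password hash are constructed placeholders (the real values were redacted).
LDIF = """\
dn: uid=usermail04, ou=people,ou=freeweb,dc=freeweb,dc=ch
uid: usermail04
cn: Testuser
objectClass: inetOrgPerson
objectClass: xMail
userPassword:: e01ENX1YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWA==
maildrop: usermail04@mail04.example
alias: smail04@mail04.example
alias: thomas@mail04.example
"""

# saslauthd's side of the alias login as slapd -d 256 prints it. Constructed to
# match the trace in the thread; the filter value is an assumption.
SLAPD_LOG = """\
conn=1 op=0 BIND dn="" method=128
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 SRCH base="ou=people,ou=freeweb,dc=freeweb,dc=ch" scope=2 filter="(alias=smail04@mail04.example)"
conn=1 op=1 SEARCH RESULT tag=101 err=0 text=
conn=1 op=2 BIND dn="UID=USERMAIL04,OU=PEOPLE,OU=FREEWEB,DC=FREEWEB,DC=CH" method=128
conn=1 op=2 RESULT tag=97 err=0 text=
"""


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}; '::' marks base64 values."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value, as with userPassword::
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(attr, []).append(value.strip())
    return entry


def alias_map(entry, alias_attr="alias"):
    """Map every name a user may type (uid, full alias, alias local part) to the uid."""
    uid = entry["uid"][0]
    names = {uid: uid}
    for alias in entry.get(alias_attr, []):
        names[alias] = uid
        names[alias.split("@", 1)[0]] = uid
    return names


def canonicalize(login, names):
    """Return the uid that owns the mailbox for this login name, or None."""
    return names.get(login)


def locate_maildrop(login, names, mailboxes, canonical=True):
    """Cyrus opens mailbox user.<name>. Without canonicalisation <name> is the
    string typed at the USER command; with it, the uid the alias resolves to."""
    name = canonicalize(login, names) if canonical else login
    if name is None:
        return None
    mbox = "user." + name
    return mbox if mbox in mailboxes else None


def bind_identity(log):
    """Per connection, the uid in the last non-empty BIND dn: the entry whose
    password saslauthd actually verified (the initial anonymous bind is skipped)."""
    ident = {}
    for m in re.finditer(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"', log):
        conn, dn = m.groups()
        u = re.search(r"uid=([^,]+)", dn, re.IGNORECASE)
        if u:
            ident[conn] = u.group(1).lower()
    return ident


if __name__ == "__main__":
    names = alias_map(parse_ldif(LDIF))
    mailboxes = {"user.usermail04"}  # the only mailbox the server has
    print("password verified against uid:", bind_identity(SLAPD_LOG))
    print("lookup with the name as typed:", locate_maildrop("smail04", names, mailboxes, canonical=False))
    print("lookup after canonicalisation:", locate_maildrop("smail04", names, mailboxes))
```

Run as is, the first lookup returns None (the "Unable to locate maildrop" case) and the second returns user.usermail04. A real deployment would fetch the entry from the directory instead of the inline LDIF, but the resolution step has to sit between the password check and the mailbox open, whichever component performs it.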
