On FreeBSD, I've installed these ports:
cyrus-imapd-2.2.12_1
cyrus-sasl-2.1.21
cyrus-sasl-saslauthd-2.1.21

imapd.conf includes:
virtdomains: userid
defaultdomain: riboflavin.net
sasl_pwcheck_method: saslauthd
sasl_auto_transition: no
sasl_mech_list: plain login
unixhierarchysep: yes

The rest of the settings I would think aren't related; paths, etc.

The ldap filter in saslauthd is set for:
ldap_search_base: ou=%d,<base org>
ldap_scope: sub
ldap_auth_method: custom
ldap_filter: (mailRoutingAddress=%u)

Though I tried without it to make sure that wasn't the problem, I run saslauthd with the -r flag, so the realm should be appended to the userid if one is passed.

When I run testsaslauthd -u [EMAIL PROTECTED] -p <password> I get:
0: OK "Success."

When I run imtest -s -a [EMAIL PROTECTED] localhost, first it pauses for about 20 seconds, which I can't explain; it happens with a standard IMAP client as well. When I enter the password I get:
S: A01 NO authentication failure
Authentication failed. generic failure
Security strength factor: 256

If I look in the auth log, it shows:
Oct 5 15:30:10 testsrv saslauthd[85649]: do_auth : auth failure: [user=marcus] [service=imap] [realm=] [mech=ldap] [reason=Unknown]

which I'm assuming means it was passed marcus in %u and no realm instead of [EMAIL PROTECTED] in %u and/or marcus in %u and riboflavin.net in %r/%d.

--
Marcus I. Ryan, [EMAIL PROTECTED]
--------------------------------------------------------------------
Hanlon's Razor:  Never attribute to malice that which is adequately
explained by stupidity.
--------------------------------------------------------------------


Quoting Edward Rudd <[EMAIL PROTECTED]>:

On Wed, 2005-10-05 at 01:31 -0500, Marcus I. Ryan wrote:
I've set up SASL with an LDAP backend that checks for a user in either
the ou of the SASL realm, or the ou matching their domain (so
[EMAIL PROTECTED] as the username or user with domain.tld as the realm).

I got it working using testsaslauthd, but when I try it through IMAP it
appears IMAP strips the domain from the userid before it passes it to
SASL, and doesn't pass it as a realm.  I can handle it either way
(passing a username of [EMAIL PROTECTED] or having it passed in as a
userid and a realm), but it doesn't seem to do either.  Am I missing a
setting/configuration option, or does this require some kind of code
patch?

[snip]


Any thoughts are appreciated.  Thanks.


What version of SASL are you using? What version of Cyrus IMAP?

Are you using %u and %f in the ldap_filter configuration in
saslauthd.conf? The userid is sent in %u and the realm (domain) in %r.
(this is in cyrus sasl version 2.1.20, cyrus imapd 2.2.12)

Also try setting the virtdomains: userid in /etc/imapd.conf (if using
cyrus 2.2.x) That will ensure that cyrus sends the whole userid to
sasl.

--
Edward Rudd <[EMAIL PROTECTED]>
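To make the difference between the two code paths above concrete, here is a small simulator of saslauthd's token expansion. It is an added example, not code from Cyrus SASL or Cyrus IMAP; the token rules (%u user, %U user part before '@', %d domain part of %u or else %r, %r realm, %s service) are my reading of saslauthd's LDAP_SASLAUTHD documentation, the handling of -r when the realm is empty is an assumption, and the two inputs are constructed from the thread: the testsaslauthd invocation and the user/realm fields in the auth-log line.

```python
"""Simulate saslauthd's ldap_search_base / ldap_filter token expansion.

Added example, not Cyrus SASL code.  Token rules follow the LDAP_SASLAUTHD
documentation as I read it; sample inputs are constructed from the thread.
"""
import re

# Settings as quoted in the thread; "<base org>" is the poster's elided base
# DN and is kept literally.
SEARCH_BASE = "ou=%d,<base org>"
FILTER = "(mailRoutingAddress=%u)"

TOKEN_RE = re.compile(r"%([%uUdrs])")


def expand(template, user, realm="", service="imap"):
    """Expand saslauthd-style % tokens in an ldap_* template string."""
    if "@" in user:
        user_part, domain_part = user.split("@", 1)
    else:
        user_part, domain_part = user, realm  # documented: %d falls back to %r
    tokens = {
        "%": "%",
        "u": user,
        "U": user_part,
        "d": domain_part,
        "r": realm,
        "s": service,
    }
    return TOKEN_RE.sub(lambda m: tokens[m.group(1)], template)


def concat_realm(user, realm):
    """Model the -r flag: hand the backend login@realm when a realm was
    supplied.  Assumption: the login is left alone when the realm is empty."""
    return "%s@%s" % (user, realm) if realm else user


LOG_FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")


def parse_auth_log(line):
    """Pull the [key=value] fields out of a saslauthd do_auth log line."""
    return dict(LOG_FIELD_RE.findall(line))


def ldap_query(user, realm="", use_r_flag=True):
    """Return the (search_base, filter) pair the ldap mech would search with."""
    login = concat_realm(user, realm) if use_r_flag else user
    return expand(SEARCH_BASE, login, realm), expand(FILTER, login, realm)


# Constructed from the thread: the auth-log line imapd's attempt produced.
AUTH_LOG_LINE = (
    "Oct 5 15:30:10 testsrv saslauthd[85649]: do_auth : auth failure: "
    "[user=marcus] [service=imap] [realm=] [mech=ldap] [reason=Unknown]"
)

if __name__ == "__main__":
    # What testsaslauthd -u marcus@riboflavin.net hands to the ldap mech.
    print("testsaslauthd :", ldap_query("marcus@riboflavin.net"))
    # What the log says imapd handed over: bare user, empty realm.  %d has
    # nothing to fall back to, so the search base itself becomes "ou=,...".
    fields = parse_auth_log(AUTH_LOG_LINE)
    print("imapd (log)   :", ldap_query(fields["user"], fields["realm"]))
    # The other shape the poster says he could handle: user plus realm.
    print("user + realm  :", ldap_query("marcus", "riboflavin.net"))
```

Running it shows the two inputs diverge before LDAP is ever contacted: the testsaslauthd case yields a base of ou=riboflavin.net,<base org> and a filter on marcus@riboflavin.net, while the logged imapd case yields ou=,<base org> and a filter on the bare marcus, which is exactly the "user=marcus, realm=" situation the log line describes.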

----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html