I'm running Cyrus imapd in a Kerberos environment. When using cyradm, I would like to authenticate with a /admin instance, rather than giving my primary instance admin privileges or always connecting as the 'cyrus' user. I haven't had much luck so far, and I think it's because I'm not clear on how Cyrus/SASL interacts with Kerberos and LDAP.
I've authenticated to Kerberos as lars/[EMAIL PROTECTED]:

    Credentials cache: FILE:/tmp/krb5cc_20000_u20528
            Principal: lars/[EMAIL PROTECTED]

      Issued           Expires          Principal
    Nov  6 22:50:33  Nov  7 08:50:33  krbtgt/[EMAIL PROTECTED]

I've added lars/admin as an admin user in /etc/imapd.conf (and set defaultdomain to example.com), like this:

    admins: cyrus lars/admin
    defaultdomain: example.com

We're running 'saslauthd -a ldap'. There is a matching record in LDAP (uid: lars/admin) that will be matched by the filter in saslauthd.conf:

    ldap_filter: (|([EMAIL PROTECTED])(&(!(mailLocalAddress=*))(uid=%u)))

If I try to connect with cyradm, I get an error:

    $ cyradm mail.example.com
    cyradm: cannot authenticate to server with as lars

And the IMAP server says:

    badlogin: mail.example.com [192.168.1.20] GSSAPI [SASL(-13): authentication failure: bad userid authenticated]

I get the same behavior if I try:

    $ cyradm --user=lars/admin mail.example.com

I should probably mention that:

(a) authenticating as my primary instance ([EMAIL PROTECTED]) works just fine (and if I set myself up as an admin user I get admin privileges),
(b) if I obtain the '[EMAIL PROTECTED]' principal, everything works as expected, and
(c) authenticating to, say, our LDAP server as lars/admin does the right thing, although that's largely due to the magic of OpenLDAP's sasl-regexp commands.

What am I missing?

Thanks!

-- 
Lars

----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html