2007/1/8, Guus Leeuw jr. <[EMAIL PROTECTED]>:




Hello,

Hi Guus!


First of all a couple of questions:

1)       Are you planning to manage multiple domains' mail, or just the 
domain.com mail?

Yes, I need to manage two more domains, like lists.domain.com and domain.org.


2)       Can you post the contents of the canonical.cf file that postfix uses 
for canonical mapping?

I needed to modify the canonical configuration, because I wasn't able to
send mail. Now it is like this:
main.cf --------
recipient_canonical_maps = proxy:ldap:/etc/postfix/ldap/recipient_canonical.cf
sender_canonical_maps = proxy:ldap:/etc/postfix/ldap/sender_canonical.cf
main.cf --------

recipient_canonical.cf ----------
server_host = ldap://ldap.domain.com:389
bind = yes
bind_dn = cn=admin,dc=domain,dc=com
bind_pw = password

search_base = ou=users,dc=domain,dc=com
query_filter = (&(mail=%s)(objectClass=CourierMailAccount)(enableMail=Y))
result_attribute = uid
result_filter = [EMAIL PROTECTED]
recipient_canonical.cf ----------

sender_canonical.cf --------
server_host = ldap://ldap.domain.com:389
bind = yes
bind_dn = cn=admin,dc=domain,dc=com
bind_pw = password

search_base = ou=users,dc=domain,dc=com
query_filter = (&(uid=%s)(objectClass=CourierMailAccount)(enableMail=Y))
result_attribute = mail
sender_canonical.cf --------

As you can see in the file recipient_canonical.cf, the result_filter has
@domain.com fixed. This way it wouldn't work with virtual domains;
I'll need to add an attribute with code+domain like [EMAIL PROTECTED].


3)       Why would you want SASL to talk to PAM for PAM to talk to LDAP? Why 
not do the whole thing in 1 go?


Yes, the reason is that this server directly affects the
authentication of ssh in LDAP. I tried to authenticate SASL directly in
LDAP, with this saslauthd configuration:
ldap_servers: ldap://ldap.domain.com/
ldap_version: 3
ldap_search_base: ou=users,dc=domain,dc=com
ldap_filter: uid=%u
ldap_auth_method: bind


It works normally.


I believe you told imapd to use the PLAIN mechanism… AFAIK PLAIN is not equal 
to PAM in terms of mechanism… OK, PAM method, I could understand, but then 
again, that raises question 3.

Yes, I understand that using saslauthd as the method, this will authenticate
on PAM (and this works). I see in the imapd.conf manual that this can
authenticate (or get an attribute) directly in LDAP, but I didn't find
any example of this.

If I can get the UID from LDAP after postfix delivers via LMTP to
Cyrus, and before Cyrus verifies that the mailbox exists (and
verifies using the UID), this will work perfectly. The tests with
canonical worked, but I will need to convert the mail address
every time, and I will have to modify my LDAP base (~150,000
records). I believe that there is a "correct way" to do this.

Can you bind to the LDAP server with the uid 12345? Can you bind to LDAP with 
[EMAIL PROTECTED]

Yes with uid 12345, and no with [EMAIL PROTECTED].





Without answers, it would be difficult to help (for me).



I understand, also it's difficult for me to explain :)


Regards,

Guus


Thanks for your interest in this problem!

Neto.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jose Morelli Neto
 Sent: 08 January 2007 12:07
 To: info-cyrus@lists.andrew.cmu.edu
 Subject: Authentication in LDAP with different UID




Hello,

 I am updating the mail server at my work, and in this process I decided to 
change from Courier-IMAP to Cyrus-IMAP; however, I came across a problem 
without a solution (at least for me). Here, all users have a personal ID 
which is used for authentication in some systems (also in mail). For example, 
a user with the personal ID 12345 has the mail address 
[EMAIL PROTECTED]


 If I create the mailbox in cyrus with the personal ID (cm user.12345), I can 
connect through imap/pop3 and cyrus gives access to the mailbox without problems 
(using 12345 as the user); however, when sending a message to this user, postfix 
delivers via LMTP to cyrus, which does not locate the mailbox (with the error: 
lmtpunix[5514]: verify_user(user.12345) failed: Mailbox does not exist). 
Then if I create the mailbox with the user's mail address (cm [EMAIL PROTECTED]), 
the message is delivered without problems from postfix to cyrus (which finds the 
mailbox); however, I can't access the mailbox via IMAP/POP using the personal 
code (12345) as the login, only the email ([EMAIL PROTECTED]).

 Cyrus authentication is done by SASL using the PAM mechanism (which 
validates through LDAP).


 Here are some configurations to facilitate understanding:
 /etc/imapd.conf --------------------------------------
 configdirectory: /var/lib/imap
 partition-default: /var/spool/imap
 admins: cyrus
 sievedir: /var/lib/imap/sieve
 sendmail: /usr/sbin/sendmail
 hashimapspool: true
 sasl_pwcheck_method: saslauthd
 sasl_mech_list: PLAIN
 tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
 tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
 tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
 virtdomains: userid
 defaultdomain: domain.com
 /etc/imapd.conf --------------------------------------

 /etc/postfix/main.cf --------------------------------
 virtual_transport = lmtp:unix:/var/lib/imap/socket/lmtp
 canonical_maps = proxy:ldap:/etc/postfix/ldap/canonical.cf
 /etc/postfix/main.cf --------------------------------

 usuário.ldif -------------------------
 dn: uid=12345,ou=users,dc=domain,dc=com
 uid: 12345
 cn: Test User
 sn: test
 loginShell: /bin/false
 uidNumber: 90001
 mail: [EMAIL PROTECTED]
 quota: 20971520
 gidNumber: 513
 homeDirectory: /home/user
 mailbox: /home/user/Maildir/
 mailHost: siaimail10.domain.com
 description: description
 enableMail: S
 objectClass: top
 objectClass: person
 objectClass: posixAccount
 objectClass: shadowAccount
 objectClass: CourierMailAccount
 objectClass: inetLocalMailRecipient
 usuário.ldif -------------------------


  I tried, through postfix, to modify/create/use some macro (those used in 
master.cf: ${user} ${extension}) that passes the personal ID to cyrus (in 
place of the address), but I did not have success.

  I made SASL authenticate in LDAP using the UID, but it did not work out 
very well, because cyrus uses the login itself to locate the mailbox, and thus I 
couldn't deliver the message via lmtp (because the mailbox had the name of the 
user).


  The closest thing I found to what I need was a Kolab patch that allows 
(theoretically, I did not test it) consulting the virtual domains through 
ldap.

 I used canonical_maps in postfix querying ldap for the mail ( [EMAIL 
PROTECTED]) and returning email ([EMAIL PROTECTED]), but for virtual domains I 
would have to add a new attribute in LDAP with the personal ID + the domain.

  Does someone have experience with this integration and can help me?


  Thanks for your attention.
 Neto.


 --
 José Morelli Neto
 http://josemorelli.net





--
José Morelli Neto
http://josemorelli.net
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
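Added example, not code from the thread or from Postfix or Cyrus: it models the recipient_canonical.cf and sender_canonical.cf lookups discussed above against a constructed in-memory directory, so it runs offline. The recipient side carries the domain of the matched address through to the result instead of the fixed @domain.com, which is exactly what the thread says breaks for lists.domain.com and domain.org, and the last function mirrors the mailbox name Cyrus looks up under the posted imapd.conf settings (virtdomains: userid, defaultdomain: domain.com). The directory entries, addresses and function names are assumptions made for the example.

```python
"""Address rewriting between personal IDs (uid) and mail addresses across
several domains, modelled on the Postfix LDAP canonical maps in the thread.
Added example; the LDAP server is replaced by a constructed list of entries."""

# Constructed stand-in for the ou=users subtree. Attribute names follow the
# LDIF posted in the thread; the entries themselves are made up.
DIRECTORY = [
    {"uid": "12345", "mail": "test.user@domain.com",
     "objectClass": ["CourierMailAccount", "posixAccount"], "enableMail": "Y"},
    {"uid": "67890", "mail": "other.user@domain.org",
     "objectClass": ["CourierMailAccount", "posixAccount"], "enableMail": "Y"},
    {"uid": "24680", "mail": "disabled@domain.com",
     "objectClass": ["CourierMailAccount"], "enableMail": "N"},
    {"uid": "13579", "mail": "nomail@domain.com",
     "objectClass": ["posixAccount"], "enableMail": "Y"},
]


def _eligible(entry):
    """The (objectClass=CourierMailAccount)(enableMail=Y) part of the filters.
    Note the thread's LDIF shows enableMail: S while the filter asks for Y;
    an entry with the wrong flag value silently fails to match."""
    return ("CourierMailAccount" in entry.get("objectClass", [])
            and entry.get("enableMail") == "Y")


def recipient_canonical(address, directory=DIRECTORY):
    """recipient_canonical.cf: look up mail=%s and return the uid.
    The domain is taken from the address that matched, so a second domain
    needs no extra 'uid@domain' attribute in the directory."""
    _local, sep, domain = address.rpartition("@")
    if not sep:
        return None                      # no domain part: nothing to rewrite
    for entry in directory:
        if entry.get("mail", "").lower() == address.lower() and _eligible(entry):
            return f"{entry['uid']}@{domain}"
    return None                          # no match: address is left unchanged


def sender_canonical(address, directory=DIRECTORY):
    """sender_canonical.cf: look up uid=%s and return the mail attribute.
    Matches on the local part, which is where the personal ID sits."""
    local, sep, _domain = address.rpartition("@")
    uid = local if sep else address
    for entry in directory:
        if entry.get("uid") == uid and _eligible(entry):
            return entry["mail"]
    return None


def cyrus_mailbox(address, defaultdomain="domain.com"):
    """Mailbox name Cyrus verifies on LMTP delivery with virtdomains enabled:
    the default domain is dropped, any other domain stays on the name."""
    local, sep, domain = address.rpartition("@")
    if not sep or domain.lower() == defaultdomain.lower():
        return f"user.{local if sep else address}"
    return f"user.{local}@{domain}"


if __name__ == "__main__":
    for rcpt in ("test.user@domain.com", "other.user@domain.org", "disabled@domain.com"):
        rewritten = recipient_canonical(rcpt)
        print(rcpt, "->", rewritten, "->", cyrus_mailbox(rewritten) if rewritten else "(unchanged)")
    print("12345@domain.com ->", sender_canonical("12345@domain.com"))
```

Two practical notes. In a real Postfix ldap table, `%u` and `%d` in query_filter expand to the local part and domain of the looked-up address, which is the usual way to avoid hard-coding one domain in the result. And the .cf files posted in the thread bind as cn=admin with the password in clear text: a dedicated read-only bind account that can see only the attributes these lookups need, plus file permissions that keep the .cf files readable by Postfix alone, limits what is exposed if the mail host is compromised.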
