
Re: Cyrus IMAPD + virtual domains + SASL + OpenLDAP ldapdb



Forwarding to the list for posterity.

On 02/25/14 15:22 -0700, Nels Lindquist wrote:
On 2/21/2014 1:45 PM, Dan White wrote:
On 02/21/14 13:09 -0700, Nels Lindquist wrote:

<snip>

However, from what I can determine I'm not getting any realm component
in the searches coming through.  The "default" realm configuration works
when I use a bare userid to authenticate, but when using a full e-mail
address, that comes through as
"uid=example@example.com,cn=[authmech],cn=auth".  That said, I haven't
found a LogLevel which includes AuthzRegexp processing; I've tried
various settings, but the closest I've come is logging the resulting
bind requests (e.g. BIND dn="uid=example,ou=people,dc=example,dc=com"
mech=DIGEST-MD5 sasl_ssf=128 ssf=128).

I would not depend on realm being delivered in a consistent way from cyrus
imapd/sasl. Different mechanisms will act in different ways. libsasl2 is
responsible for providing the realm (or not). To maintain some consistency,
create two sets of authz-regexp rules, such as:

authz-regexp
  "uid=([^,]+),cn=([^,]+),cn=auth"
  "ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"

authz-regexp
  "uid=([^,]+),cn=([^,]+),cn=([^,]+),cn=auth"
  "ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1@$2)(objectClass=person))"

And you may need a third rule which matches cases where both a fully
qualified username AND a realm are provided.

To be more clear, in my LDAP none of the objects have uids incorporating
e-mail addresses, but that's how Cyrus IMAP allows for virtual domain
logins.

My base dn is actually "o=top", and then I have the various domains laid
out like:

dc=example,dc=com,o=top
dc=example2,dc=ca,o=top

... so my plan was to use the virtual domain information to translate
into which subtree I need to search against.  The "fallthrough" default
domain just searches the bare uid against a particular subtree.

It seems to be working using this (we're using LDAPRouting with
Sendmail, so all mailboxes must have inetLocalMailRecipient attributes):

# Match e-mail address; map to correct subtree

authz-regexp
 "uid=([^,]+)@([^,\.]+)\.([^,]+),cn=[^,]*,cn=auth"
 "ldap:///dc=$2,dc=$3,o=top??sub?(&(uid=$1)(mailLocalAddress=*))"


# Default domain

authz-regexp
 "uid=([^,]*),cn=[^,]*,cn=auth"
 "ldap:///dc=example,dc=com,o=top??sub?(&(uid=$1)(mailLocalAddress=*))"

ldapwhoami is highly recommended for testing this setup. Include all of -Y,
-U, and -X.

Thanks very much for putting me on the right track!

--
Dan White
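The following is an added simulation of the two authz-regexp rules posted above, not code from the thread or from OpenLDAP: it applies the rules in order to a few constructed SASL authentication DNs and shows which LDAP search URL each one maps to. It assumes the whole SASL DN has to match a rule (re.fullmatch); slapd's own matcher is not reproduced.

```python
import re

# Constructed copy of the authz-regexp rules from the thread, as
# (pattern, LDAP URL template) pairs. slapd evaluates rules in order
# and uses the first pattern that matches, so the e-mail rule must
# precede the bare-uid rule: "[^,]*" in the default rule would also
# swallow "user@domain" if it came first.
AUTHZ_REGEXP = [
    # Match e-mail address; map to the subtree for that domain
    (r"uid=([^,]+)@([^,\.]+)\.([^,]+),cn=[^,]*,cn=auth",
     "ldap:///dc=$2,dc=$3,o=top??sub?(&(uid=$1)(mailLocalAddress=*))"),
    # Default domain for bare userids
    (r"uid=([^,]*),cn=[^,]*,cn=auth",
     "ldap:///dc=example,dc=com,o=top??sub?(&(uid=$1)(mailLocalAddress=*))"),
]


def map_sasl_dn(sasl_dn, rules=AUTHZ_REGEXP):
    """Return the LDAP URL produced by the first matching rule, or None.

    Assumption (not verified against slapd): the pattern must match the
    entire SASL DN, so a DN with an unexpected extra component is
    rejected rather than partially matched.
    """
    for pattern, template in rules:
        m = re.fullmatch(pattern, sasl_dn)
        if m is None:
            continue
        # Replace $1..$9 in the template with the captured groups
        return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))),
                      template)
    return None


if __name__ == "__main__":
    # Constructed sample DNs: virtual-domain login, bare uid, a
    # three-label domain the e-mail rule cannot split sensibly, and the
    # realm-as-extra-cn form Dan White warns about (no rule matches it).
    for dn in ("uid=example@example.com,cn=DIGEST-MD5,cn=auth",
               "uid=jdoe,cn=PLAIN,cn=auth",
               "uid=carol@mail.example.com,cn=PLAIN,cn=auth",
               "uid=alice,cn=example.com,cn=DIGEST-MD5,cn=auth"):
        print(dn, "->", map_sasl_dn(dn))
```

The third sample lands in a dc=mail,dc=example.com subtree that does not exist in the poster's tree, so the search finds no entry and the login fails; the fourth matches nothing at all, which is the case a third rule would have to cover.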