On 2/21/2014 1:45 PM, Dan White wrote:
On 02/21/14 13:09 -0700, Nels Lindquist wrote:
<snip>
However, from what I can determine I'm not getting any realm component
in the searches coming through. The "default" realm configuration works
when I use a bare userid to authenticate, but when using a full e-mail
address, that comes through as
"uid=example@example.com,cn=[authmech],cn=auth". That said, I haven't
found a LogLevel which includes AuthzRegexp processing; I've tried
various settings, but the closest I've come is logging the resulting
bind requests (e.g. BIND dn="uid=example,ou=people,dc=example,dc=com"
mech=DIGEST-MD5 sasl_ssf=128 ssf=128).
I would not depend on realm being delivered in a consistent way from cyrus
imapd/sasl. Different mechanisms will act in different ways. libsasl2 is
responsible for providing the realm (or not). To maintain some consistency,
create two sets of authz-regexp rules, such as:
authz-regexp
"uid=([^,]+),cn=([^,]+),cn=auth"
"ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"
authz-regexp
"uid=([^,]+),cn=([^,]+),cn=([^,]+),cn=auth"
"ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1@$2)(objectClass=person))"
And you may need a third rule which matches cases where both a fully
qualified username AND a realm are provided.
To be more clear, in my LDAP none of the objects have uids incorporating
e-mail addresses, but that's how Cyrus IMAP allows for virtual domain
logins.
My base dn is actually "o=top", and then I have the various domains laid
out like:
dc=example,dc=com,o=top
dc=example2,dc=ca,o=top
... so my plan was to use the virtual domain information to translate
into which subtree I need to search against. The "fallthrough" default
domain just searches the bare uid against a particular subtree.
It seems to be working using this (we're using LDAPRouting with
Sendmail, so all mailboxes must have inetLocalMailRecipient attributes):
# Match e-mail address; map to correct subtree
authz-regexp
"uid=([^,]+)@([^,\.]+)\.([^,]+),cn=[^,]*,cn=auth"
"ldap:///dc=$2,dc=$3,o=top??sub?(&(uid=$1)(mailLocalAddress=*))"
# Default domain
authz-regexp
"uid=([^,]*),cn=[^,]*,cn=auth"
"ldap:///dc=example,dc=com,o=top??sub?(&(uid=$1)(mailLocalAddress=*))"
ldapwhoami is highly recommended for testing this setup. Include all of -Y,
-U, and -X.
Thanks very much for putting me on the right track!
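As an added example (not part of this thread, and not OpenLDAP's own code), the following Python models how slapd walks an authz-regexp list: the rules are tried in order, the first pattern that matches the SASL authentication DN wins, and each $N in that rule's URL is replaced by the corresponding capture group. The two rules are the ones posted above; the authentication DNs and the "tightened" rule set are my own constructions. Python's re module stands in for slapd's POSIX extended regex, and the $N expansion is modeled as plain text substitution; whether slapd escapes expanded values before building the filter is not something this thread establishes, so read the metacharacter case as showing what a tighter character class rules out, not as a statement about slapd's internals.

```python
import re

# authz-regexp rules as posted in the thread, in the order slapd tries them
# (first match wins).  Python's re stands in for slapd's POSIX ERE; the only
# difference these patterns touch is the backslash inside [^,\.], which POSIX
# treats as a literal character (harmless here).
THREAD_RULES = [
    # Match e-mail address; map to correct subtree
    (r"uid=([^,]+)@([^,\.]+)\.([^,]+),cn=[^,]*,cn=auth",
     "ldap:///dc=$2,dc=$3,o=top??sub?(&(uid=$1)(mailLocalAddress=*))"),
    # Default domain
    (r"uid=([^,]*),cn=[^,]*,cn=auth",
     "ldap:///dc=example,dc=com,o=top??sub?(&(uid=$1)(mailLocalAddress=*))"),
]

# Tightened variant (my suggestion, not from the thread): anchored, and each
# capture may only contain characters valid in a uid or a DNS label, so a
# login carrying filter metacharacters, or a domain with more than two
# labels, matches nothing instead of producing a bogus search URL.
TIGHT_RULES = [
    (r"^uid=([A-Za-z0-9._-]+)@([A-Za-z0-9-]+)\.([A-Za-z0-9-]+),cn=[^,]*,cn=auth$",
     "ldap:///dc=$2,dc=$3,o=top??sub?(&(uid=$1)(mailLocalAddress=*))"),
    (r"^uid=([A-Za-z0-9._-]+),cn=[^,]*,cn=auth$",
     "ldap:///dc=example,dc=com,o=top??sub?(&(uid=$1)(mailLocalAddress=*))"),
]


def expand(url_template, match):
    """Replace every $N in the URL with capture group N, as plain text
    (modeling assumption: no escaping of the substituted value)."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), url_template)


def authz_map(auth_dn, rules):
    """Return (rule_index, ldap_url) for the first rule whose pattern matches
    auth_dn, or (None, None) when no rule matches (no mapping produced)."""
    for idx, (pattern, url) in enumerate(rules):
        m = re.search(pattern, auth_dn)
        if m:
            return idx, expand(url, m)
    return None, None


if __name__ == "__main__":
    # Constructed authentication DNs in the uid=...,cn=<mech>,cn=auth form
    # the thread describes; none come from a real server.
    samples = [
        "uid=alice@example.com,cn=DIGEST-MD5,cn=auth",    # virtual-domain login
        "uid=bob,cn=DIGEST-MD5,cn=auth",                  # bare uid -> default domain
        "uid=carol@example2.ca,cn=PLAIN,cn=auth",         # second hosted domain
        "uid=dave@example.co.uk,cn=DIGEST-MD5,cn=auth",   # three-label domain
        "uid=erin,cn=example.com,cn=DIGEST-MD5,cn=auth",  # realm delivered separately
        "uid=*)(cn=*,cn=PLAIN,cn=auth",                   # filter metacharacters in uid
    ]
    for name, rules in (("thread rules", THREAD_RULES), ("tightened rules", TIGHT_RULES)):
        print("---", name)
        for dn in samples:
            idx, url = authz_map(dn, rules)
            print(f"{dn}\n    -> rule {idx}: {url}")
    # Rule order matters: with the default rule listed first, an e-mail login
    # is searched as a literal uid in the default subtree and never reaches
    # the per-domain rule.
    print("--- thread rules in reversed order")
    print(authz_map(samples[0], THREAD_RULES[::-1]))
```

Running it shows four things worth checking before trusting the rules: the e-mail rule has to precede the default rule, because `[^,]*` in the default rule happily captures `alice@example.com`; the realm-in-a-separate-RDN form Dan mentions (`uid=erin,cn=example.com,cn=DIGEST-MD5,cn=auth`) matches neither posted rule, which is the third rule he says may be needed; a domain with more than two labels expands to `dc=example,dc=co.uk,o=top`, so the per-domain rule only fits two-label domains as written; and a uid containing `*`, `(` or `)` is substituted straight into the filter, which the tightened patterns refuse to match at all. None of this replaces the ldapwhoami check against the real server that the thread recommends; it only tells you which rule should fire and what URL to expect in the log.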