Re: Cyrus IMAPd -> SASL auxprop-plugin: ldapdb -> OpenLDAP

[Torsten Schlabach <tschlabach@xxxxxxx>]

> And did you enable sasl-Authorization in slapd.conf and in the
> LDAP-Objects?

What exactly are you referring to?

a) sasl-Authorization in slapd.conf

I have some sasl-regexp statements in slapd.conf

b) and in the LDAP-Objects

What would I have to do to the objects? authzTo / authzFrom ?

Regards,
Torsten


Andreas Winkelmann schrieb:
> Am Tuesday 26 September 2006 08:09 schrieb Torsten Schlabach:
>
>
> > Let me start with the same sentence which seems to belong to this
> > subject: I have read the archives and docs for days, ...
> >
> > Let me try to keep my question as simple as possible:
> >
> > My /etc/imapd.conf:
> >
> > sasl_pwcheck_method: auxprop
> >
> > sasl_auxprop_plugin: ldapdb
> > sasl_ldapdb_uri: ldap://127.0.0.1
> > sasl_ldapdb_id: cn=admin,dc=xxxxx,dc=yy
>
>
> Hmm, I havn't seen a DN here yet. I would guess, this is wrong.
> Use a normal Username.
>
>
> > sasl_ldapdb_pw: *****
> >
> > Alternatively I tried
> >
> > sasl_ldapdb_id: admin
>
>
> Looks better.
>
> Hmm, you should specify a Mechanism which is able to do Authorization, 
> something like DIGEST-MD5 or PLAIN.
>
> sasl_ldapdb_mech: DIGEST-MD5
>
> And did you enable sasl-Authorization in slapd.conf and in the LDAP-Objects?
>
>
> > What I would expect to see happening is:
> >
> > 1. User logs on to IMAPd and supplies a username and a password. (I am
> > trying this using cyradm.)
>
>
> No, first ldapdb_id and ldapdb_pw is used.
>
>
> > 2. Username and password are passed on to the SASL layer.
>
>
> Then the User of cyradm is being searched for and the userPassword is fetched 
> > from LDAP.
>
> This is compared to that what comes from cyradm.
>
>
> > 3. The SASL layer finds out that I am using ldapdb, so it passes the
> > username / password onto an LDAP bind.
> >
> > 4. OpenLDAP is supposed to do the sasl-regexp mapping, locate the object
> > to authenticate agains and just do it.
> >
> > Step #4 seems to be ok, as I can test that with
> >
> > ldapwhoami -U admin
> >
> > I get an authentication success.
> >
> > But trying through cyradm I don't even see any activity on the LDAP log.
> >  So it appears as if IMAPd completely ignores any of the auxprop_plugin
> > settings and goes straight to sasldb, which I guess is the default.
> >
> > How can I debug that?
> >
> > How can I make sure the settings I have made in /etc/imapd.conf have an
> > effect at all?
> >
> > As SASL is a library and not a process in itself, I would probably have
> > to tell IMAPd to do some more logging, don't I?