Hi,

I have cyrus-imapd-2.3.16 with virtualdomain and a total administrator in the default domain (username without '@%d').
I use saslauthd for authentication and ptloader for authorization, all with LDAP.

My problem is with the ptloader conf. To optimize queries I would like to restrict searches using the '%d' metacharacter. But if I set

    ldap_base: o=%d,ou=People,o=MainOrg,c=it
    ldap_member_base: o=%d,ou=People,o=MainOrg,c=it

then the admin has no authorization, because ptloader fails the basedn filter, resulting in "o=,ou=People,o=MainOrg,c=it".

Is there a way to restrict the base search without losing admin authorization?
I wouldn't want to add a prefix to my LDAP Org, like o=cyr-%d,ou=People,o=MainOrg,c=it

This is my working conf:

On the LDAP server I have (also) these dn:

    dn: uid=oxcyrus,o=admin.invalid,ou=People,o=MainOrg,c=it
    dn: o=%d,ou=People,o=MainOrg,c=it
    dn: ou=MailGroups,o=%d,ou=People,o=MainOrg,c=it

where %d is the domain part of the username.

On the Cyrus server:

saslauthd.conf

    ldap_servers: ldap://ldap.example.net:489
    ldap_version: 3
    ldap_timeout: 10
    ldap_time_limit: 10
    ldap_search_base: ou=People,o=MainOrg,c=IT
    ldap_bind_dn: uid=sasladmin,o=admin.invalid,ou=People,o=MainOrg,c=it
    ldap_password: ****
    ldap_scope: sub
    ldap_uidattr: uid
    ldap_filter_mode: yes
    ldap_filter: (&(uid=%u)(objectClass=mailRecipient))
    ldap_restart: yes
    ldap_cache_ttl: 30
    ldap_cache_mem: 32768

imapd.conf

    [...]
    admins: oxcyrus
    sasl_pwcheck_method: saslauthd
    sasl_mech_list: PLAIN
    quotawarn: 80
    normalizeuid: 1
    unixhierarchysep: 1
    autocreatequota: 0
    createonpost: 0
    autosubscribe_all_sharedfolders: yes
    singleinstancestore: 1
    defaultdomain: admin.invalid
    improved_mboxlist_sort: 1
    virtdomains: userid
    [...]
    # PTS Section
    auth_mech: pts
    pts_module: ldap
    ptloader_sock: /var/lib/imap/socket/ptsock
    ldap_uri: ldap://ldap.example.net:489
    ldap_version: 3
    ldap_bind_dn: uid=oxcyrus,o=admin.invalid,ou=People,o=MainOrg,c=it
    ldap_password: ****
    ldap_sasl: 0
    ldap_size_limit: 20000
    ldap_filter: (&(objectclass=mailrecipient)(uid=%u))
    ldap_group_filter: (&(objectclass=groupofuniquenames)(mail=%u))
    ldap_member_method: filter
    ldap_member_filter: (uniquemember=%D)
    ldap_member_attribute: mail
    ldap_base: ou=People,o=MainOrg,c=it
    ldap_group_base: ou=MailGroups,o=%d,ou=People,o=MainOrg,c=it
    ldap_member_base: ou=People,o=MainOrg,c=it
    unix_group_enable: no

If I set

    ldap_base: o=%d,ou=People,o=MainOrg,c=it
    ldap_member_base: o=%d,ou=People,o=MainOrg,c=it

cyrus works for all users except the admin oxcyrus.

Thank you very much for any hints...

Regards
marco

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/