Re: 3.4.3 LDAP authentication HOWTO?

On 2022/06/21 12:42 p.m., Nels Lindquist wrote:
Hi, all.

I'm in the process of setting up a new Cyrus IMAPD 3.4.3 murder on RHEL 8 family.

I'm trying to replicate the functionality I currently have with 2.5.x, which is configured to use autocreate/virtual domains with SASL ldapdb authentication against OpenLDAP. AuthzRegexp directives in the slapd configuration successfully map e-mail address domains to the correct OU for account lookup/authentication; everything works beautifully. (MTA also routes based on LDAP, so autocreate works on either first-post or first-login as long as the LDAP account exists).

However, I'm running into difficulties trying to set up a similar configuration with 3.4.3. I keep getting "SASL(-13): user not found: unable to canonify user and get auxprops" errors when I attempt to authenticate.

I'm using the openldap-ltb-2.5.x packages for the LDAP server, and have successfully adapted my previous configuration so that ldap authentication (to itself) works as expected, either with simple binds or SASL mechanisms. TLS is configured with a proper certificate, and I've verified that slapd is providing the intermediate certificate in addition to the server cert.

The configuration directives in 3.4.x for imapd.conf appear to have changed substantially, and I haven't found a lot of detail in the man pages relating to each option or how they're meant to interoperate.

I've tried replacing all the legacy sasl_ldapdb_* directives with ldap_* directives.  The sasl_auxprop_plugin option appears to no longer be present, so I'm not sure which way to go.

I'm confused about whether PTS/ptloader is required for any/all LDAP authentication now; I don't need group membership stuff and it seems to be pretty complex to set up; from what I can glean it doesn't rely on the SASL/ldapdb realm mapping but requires its own configuration (and I'm not sure I can replicate the userid mapping currently provided by slapd for virtual domains).

I've also tried setting auth_mech: unix and moving all the SASL-related configuration into /etc/sasl2/imapd.conf, but with no change in behaviour.

So, can anyone point me in the right direction? Any advice will be gratefully received!

For future reference, I did eventually figure this out.

The answer is to ignore the shiny new ldap_* directives--all of which appear to be related to the ptloader module--and note that the sasl_option section of the man page indicates I needed to keep my prior SASL configuration.

This is enough:

auth_mech: unix
sasl_pwcheck_method: auxprop
sasl_mech_list: DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldaps://ldap.example.com
sasl_ldapdb_id: root
sasl_ldapdb_pw: <password>
sasl_ldapdb_mech: DIGEST-MD5

Nels Lindquist
----
<nlindq@xxxxxxx>
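The working configuration above, checked the way an operator might before rolling it out: an added Python example, not part of the post or of Cyrus itself, that parses imapd.conf "option: value" lines and flags the settings the thread shows must line up (auxprop as the pwcheck method, ldapdb as the plugin, a TLS-protected LDAP URI, a real proxy password). The sasl_ldapdb_starttls check assumes imapd.conf passes the ldapdb plugin's ldapdb_starttls option through with the sasl_ prefix, as it does for the other sasl_ldapdb_* options.

```python
import re

# Constructed sample mirroring the working settings from the post above
SAMPLE_IMAPD_CONF = """\
# SASL ldapdb auxprop authentication against OpenLDAP
auth_mech: unix
sasl_pwcheck_method: auxprop
sasl_mech_list: DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldaps://ldap.example.com
sasl_ldapdb_id: root
sasl_ldapdb_pw: <password>
sasl_ldapdb_mech: DIGEST-MD5
"""


def parse_imapd_conf(text):
    """Parse Cyrus 'option: value' lines; '#' comment lines and blanks are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


# Settings the auxprop/ldapdb chain cannot work without
REQUIRED = {
    "sasl_pwcheck_method": "auxprop",  # otherwise the auxprop plugin is never consulted
    "sasl_auxprop_plugin": "ldapdb",
}


def audit_ldapdb(conf):
    """Return a list of findings; an empty list means the ldapdb chain is consistent."""
    findings = [f"{k} must be '{v}'" for k, v in REQUIRED.items() if conf.get(k) != v]
    uri = conf.get("sasl_ldapdb_uri", "")
    if not uri:
        findings.append("sasl_ldapdb_uri is missing")
    elif uri.startswith("ldap://") and conf.get("sasl_ldapdb_starttls") != "demand":
        # Plain ldap:// without mandatory StartTLS leaves the proxy bind and fetched
        # credentials unprotected on the wire (ldaps:// is what the post uses)
        findings.append("sasl_ldapdb_uri is plain ldap:// without sasl_ldapdb_starttls: demand")
    if not conf.get("sasl_ldapdb_id"):
        findings.append("sasl_ldapdb_id (the proxy bind identity) is missing")
    pw = conf.get("sasl_ldapdb_pw", "")
    if not pw or re.fullmatch(r"<.*>", pw):
        findings.append("sasl_ldapdb_pw is empty or still a placeholder")
    return findings


def audit(text):
    """Convenience wrapper: audit an imapd.conf given as text."""
    return audit_ldapdb(parse_imapd_conf(text))


if __name__ == "__main__":
    for finding in audit(SAMPLE_IMAPD_CONF) or ["no findings"]:
        print(finding)
```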

------------------------------------------
Cyrus: Info
Permalink: https://cyrus.topicbox.com/groups/info/T6b5aad68765fe943-M17a5e75bf94a634b226c0b0c