On 2022/06/21 12:42 p.m., Nels Lindquist wrote:
Hi, all.
I'm in the process of setting up a new Cyrus IMAPD 3.4.3 murder on RHEL
8 family.
I'm trying to replicate the functionality I currently have with 2.5.x,
which is configured to use autocreate/virtual domains with SASL ldapdb
authentication against OpenLDAP. AuthzRegexp directives in the slapd
configuration successfully map e-mail address domains to the correct OU
for account lookup/authentication; everything works beautifully. (MTA
also routes based on LDAP, so autocreate works on either first-post or
first-login as long as the LDAP account exists).
However, I'm running into difficulties trying to set up a similar
configuration with 3.4.3. I keep getting "SASL(-13): user not found:
unable to canonify user and get auxprops" errors when I attempt to
authenticate.
I'm using the openldap-ltb-2.5.x packages for the LDAP server, and have
successfully adapted my previous configuration so that ldap
authentication (to itself) works as expected, either with simple binds
or SASL mechanisms. TLS is configured with a proper certificate, and
I've verified that slapd is providing the intermediate certificate in
addition to the server cert.
The configuration directives in 3.4.x for imapd.conf appear to have
changed substantially, and I haven't found a lot of detail in the man
pages relating to each option or how they're meant to interoperate.
I've tried replacing all the legacy sasl_ldapdb_* directives with ldap_*
directives. The sasl_auxprop_plugin option appears to no longer be
present, so I'm not sure which way to go.
I'm confused about whether PTS/ptloader is required for any/all LDAP
authentication now; I don't need group membership stuff and it seems to
be pretty complex to set up; from what I can glean it doesn't rely on
the SASL/ldapdb realm mapping but requires its own configuration (and
I'm not sure I can replicate the userid mapping currently provided by
slapd for virtual domains).
I've also tried setting auth_mech: unix and moving all the SASL-related
configuration into /etc/sasl2/imapd.conf, but with no change in behaviour.
So, can anyone point me in the right direction? Any advice will be
gratefully received!
For future reference, I did eventually figure this out.
The answer is to ignore the shiny new ldap_* directives--all of which
appear to be related to the ptloader module--and note that the
sasl_option section of the man page indicates I needed to keep my prior
SASL configuration.
This is enough:
auth_mech: unix
sasl_pwcheck_method: auxprop
sasl_mech_list: DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldaps://ldap.example.com
sasl_ldapdb_id: root
sasl_ldapdb_pw: <password>
sasl_ldapdb_mech: DIGEST-MD5
Nels Lindquist
----
<nlindq@xxxxxxx>
------------------------------------------
Cyrus: Info
Permalink: https://cyrus.topicbox.com/groups/info/T6b5aad68765fe943-M17a5e75bf94a634b226c0b0c
Delivery options: https://cyrus.topicbox.com/groups/info/subscription
