Re: SASL 2.1.18 saslauthd LDAP and groups

From: Igor Brezac (igor at ipass dot net)
Date: Mon Mar 29 2004 - 08:56:33 EST

  • Next message: Sven Schiwek: "SASL 2.1.18 saslauthd LDAP and groups"

    On Mon, 29 Mar 2004, Sven Schiwek wrote:

    > Hello,
    >
    > I want to configure a Cyrus-IMAP Server. Everything works fine except
    > the group authentication with SASL and LDAP. I need this to
    > administrate Shared Folders.
    >
    > OK, here is some more information.
    > The Cyrus Imap-Server comes from SuSE 9.0 in Version 2.1.15
    > The Cyrus SASL is original and in Version 2.1.18
    >
    > Members of a group are stored with their UID in memberUid attributes
    > like this:
    >
    > ----8<----
    > dn: cn=sysop,ou=group,dc=example,dc=com
    > gidNumber: 123
    > memberUid: user1
    > memberUid: user2
    > memberUid: user3
    > ---->8----
    >
    > The Users are stored in Directory: ou=people,dc=example,dc=com
    >
    > ----8<----
    > dn: uid=user1,ou=people,dc=example,dc=com
    > mail: user1 at example dot com
    > uidNumber: 1000
    > gidNumber: 1000
    > ---->8----
    >
    > I have configured saslauthd.conf with group filter:
    >
    > ----8<----
    > ldap_servers: ldap://localhost
    > ldap_search_base: dc=example,dc=com
    > ldap_scope: sub
    >
    > ldap_group_attr: memberUid
    > ldap_group_match_method: filter
    > ldap_group_filter: (memberUid=%u)
    > ldap_group_search_base: ou=group,dc=example,dc=com
    > ---->8----

    add
    ldap_size_limit: 0

    > If I want to login with an email client, saslauthd writes to syslog:
    >
    > ----8<----
    > Mar 29 13:26:47 hermes saslauthd[21344]: group ldap_search_st() failed:
    > Size limit exceeded
    > Mar 29 13:26:47 hermes saslauthd[21344]: Retrying authentication
    > Mar 29 13:26:47 hermes saslauthd[21344]: group ldap_search_st() failed:
    > Size limit exceeded
    > ---->8----
    >
    > OK, the saslauthd documentation says:
    > ...The user has to be part of the group in order to authenticate...
    >
    > For testing I changed the memberUid in LDAP to:
    > memberUid: uid=user1,ou=people,dc=example,dc=com
    >
    > and in saslauthd.conf
    > ldap_group_filter: (memberUid=%D)
    >
    > Now I can login. If I select a Shared Folder with group rights
    > Cyrus-Imap returns: "Mailbox does not exist". That's a lie ;-)
    > If I add a user to the Shared Folder, it works fine. But that is not
    > what I want...
    >
    > What can I do so that I can use Shared Folder group rights with normal
    > memberUid attributes and the system: cyrus-imap + saslauthd + ldap

    saslauthd is used for authentication only.

    For LDAP based authorization you need to use ptloader. I also recommend
    that you get cyrus imapd from CVS; it has a lot of ptloader/ldap fixes.
    You will also need to recompile cyrus, I forgot what the configure options
    are (I use a modified version of cyrus which allows me to specify
    authorization and ptloader modules at runtime)

    -- 
    Igor
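The group lookup and the "Size limit exceeded" failure from this thread, modelled as an added Python example (not saslauthd's own code). It assumes saslauthd substitutes %u (login name) and %D (the user's DN) into ldap_group_filter with RFC 4515 escaping, that ldap_size_limit defaults to 1 and that 0 means unlimited; the directory entries are constructed from the ones quoted above, plus a second group containing user1 so the search returns more than one entry.

```python
"""Model of saslauthd's LDAP group check (added example, not saslauthd code)."""
import re

# Constructed directory mirroring the entries quoted in the thread, plus a
# second group (cn=staff) so that user1 matches more than one group entry.
DIRECTORY = [
    {"dn": "uid=user1,ou=people,dc=example,dc=com", "uid": ["user1"]},
    {"dn": "uid=user2,ou=people,dc=example,dc=com", "uid": ["user2"]},
    {"dn": "cn=sysop,ou=group,dc=example,dc=com", "memberUid": ["user1", "user2", "user3"]},
    {"dn": "cn=staff,ou=group,dc=example,dc=com", "memberUid": ["user1"]},
]

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot change the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def expand_filter(template: str, user: str, user_dn: str) -> str:
    """Assumed saslauthd behaviour: %u -> login name, %D -> the user's DN."""
    return template.replace("%u", escape_filter_value(user)).replace("%D", escape_filter_value(user_dn))

def ldap_search(base: str, flt: str, size_limit: int):
    """Single equality filter over DIRECTORY; mimics ldap_search_st() failing
    with 'Size limit exceeded' when more entries match than the limit allows."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        raise ValueError(f"unsupported filter: {flt}")
    attr, raw = m.groups()
    want = re.sub(r"\\([0-9a-f]{2})", lambda x: chr(int(x.group(1), 16)), raw)
    hits = [e["dn"] for e in DIRECTORY if e["dn"].endswith(base) and want in e.get(attr, [])]
    if size_limit and len(hits) > size_limit:
        return None, "Size limit exceeded"
    return hits, None

def group_check(conf: dict, user: str) -> str:
    """Return 'ok', 'not a member', or the LDAP error string for a saslauthd.conf dict."""
    user_dn = next(e["dn"] for e in DIRECTORY if user in e.get("uid", []))
    flt = expand_filter(conf["ldap_group_filter"], user, user_dn)
    hits, err = ldap_search(conf["ldap_group_search_base"], flt, conf.get("ldap_size_limit", 1))
    if err:
        return err
    return "ok" if hits else "not a member"
```

With the thread's original (memberUid=%u) filter, user1 fails only because two group entries come back under the default limit; raising ldap_size_limit to 0 makes the same filter succeed, while the (memberUid=%D) workaround never matches plain-uid memberUid values.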