SASL 2.1.18 saslauthd LDAP and groups

From: Sven Schiwek (sven dot schiwek at ais-ag dot de)
Date: Mon Mar 29 2004 - 07:35:44 EST

  • Next message: Kurt D. Zeilenga: "Re: authcid v. realm in DIGEST-MD5 and elsewhere (Was: saslauthd + pam_mysql broken)"

    Hello,

    I want to configure a Cyrus IMAP server. Everything works fine except
    the group authentication with SASL and LDAP. I need this to
    administer shared folders.

    OK, here is some more information.
    The Cyrus IMAP server comes from SuSE 9.0, version 2.1.15.
    Cyrus SASL is the original one, version 2.1.18.

    Members of a group are stored with their UID in memberUid attributes
    like this:

    ----8<----
    dn: cn=sysop,ou=group,dc=example,dc=com
    gidNumber: 123
    memberUid: user1
    memberUid: user2
    memberUid: user3
    ---->8----

    The users are stored under ou=people,dc=example,dc=com:

    ----8<----
    dn: uid=user1,ou=people,dc=example,dc=com
    mail: user1@example.com
    uidNumber: 1000
    gidNumber: 1000
    ---->8----

    I have configured saslauthd.conf with a group filter:

    ----8<----
    ldap_servers: ldap://localhost
    ldap_search_base: dc=example,dc=com
    ldap_scope: sub

    ldap_group_attr: memberUid
    ldap_group_match_method: filter
    ldap_group_filter: (memberUid=%u)
    ldap_group_search_base: ou=group,dc=example,dc=com
    ---->8----

    If I try to log in with an email client, saslauthd writes to syslog:

    ----8<----
    Mar 29 13:26:47 hermes saslauthd[21344]: group ldap_search_st() failed: Size limit exceeded
    Mar 29 13:26:47 hermes saslauthd[21344]: Retrying authentication
    Mar 29 13:26:47 hermes saslauthd[21344]: group ldap_search_st() failed: Size limit exceeded
    ---->8----

    OK, the saslauthd documentation says:
    ...The user has to be part of the group in order to authenticate...

    For testing I changed the memberUid in LDAP to:
       memberUid: uid=user1,ou=people,dc=example,dc=com

    and in saslauthd.conf
       ldap_group_filter: (memberUid=%D)

    Now I can log in. If I select a shared folder with group rights,
    Cyrus IMAP returns: "Mailbox does not exist". That's a lie ;-)
    If I add a user to the shared folder, it works fine. But that is not
    what I want...

    What can I do so that I can use shared folder group rights with normal
    memberUid attributes and the system cyrus-imap + saslauthd + ldap?

    Thanks
    Sven

    PS: I hope my english is readable :-)
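    Editorial note, not part of the post above: saslauthd's LDAP module applies a
    client-side size limit to every search it issues (the ldap_size_limit option in
    saslauthd's LDAP_SASLAUTHD documentation, whose documented default is 1), and a
    result code of "Size limit exceeded" is treated as a search failure rather than as
    a match. The script below is an added simulation of the ldap_group_match_method:
    filter check, not saslauthd's own code. It parses a constructed LDIF (the sysop
    group from the post plus a second, hypothetical group that also lists user1),
    expands %u and %D into the group filter, and reports what saslauthd would log for
    a given size limit.

```python
"""Simulation of saslauthd's LDAP 'filter' group check with a client-side size limit.

Added illustration, not saslauthd code. Models: expand %u / %D into
ldap_group_filter, search the group subtree for matching entries, and fail with
"Size limit exceeded" when more entries match than ldap_size_limit allows.
"""
import re

# Constructed LDIF: the sysop group from the post plus a hypothetical second
# group (cn=mail) that also lists user1. Two matches are enough to exceed a
# size limit of 1.
GROUP_LDIF = """\
dn: cn=sysop,ou=group,dc=example,dc=com
gidNumber: 123
memberUid: user1
memberUid: user2
memberUid: user3

dn: cn=mail,ou=group,dc=example,dc=com
gidNumber: 124
memberUid: user1
memberUid: user4
"""

# DN saslauthd would have found for user1 in its user search (the %D token).
USER1_DN = "uid=user1,ou=people,dc=example,dc=com"


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no line folding) into a list of
    {attribute: [values]} dicts, one per entry, in file order."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:  # blank line terminates an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


_EQUALITY = re.compile(r"^\(([A-Za-z][\w-]*)=([^()]*)\)$")


def expand_filter(template, user, user_dn):
    """Substitute saslauthd's %u (login name) and %D (user DN) tokens."""
    return template.replace("%u", user).replace("%D", user_dn)


def entry_matches(entry, ldap_filter):
    """Evaluate a simple (attr=value) equality filter against one entry.
    Only this filter form is modelled; attribute matching is exact."""
    m = _EQUALITY.match(ldap_filter)
    if not m:
        raise ValueError("only simple (attr=value) filters are modelled")
    attr, value = m.group(1), m.group(2)
    return value in entry.get(attr, [])


def group_check(entries, group_filter, user, user_dn, size_limit=1):
    """Return the outcome saslauthd would log for the group search:
    'OK' (member), 'NOENT' (no matching group), or 'Size limit exceeded'
    (more matching entries than the client-side size limit allows)."""
    expanded = expand_filter(group_filter, user, user_dn)
    hits = [e for e in entries if entry_matches(e, expanded)]
    if len(hits) > size_limit:
        return "Size limit exceeded"
    return "OK" if hits else "NOENT"


if __name__ == "__main__":
    groups = parse_ldif(GROUP_LDIF)
    # The post's filter with the default size limit: user1 is in two groups.
    print("user1, (memberUid=%u), limit 1:",
          group_check(groups, "(memberUid=%u)", "user1", USER1_DN))
    # Same filter with a higher limit.
    print("user1, (memberUid=%u), limit 10:",
          group_check(groups, "(memberUid=%u)", "user1", USER1_DN, size_limit=10))
    # The %D variant only matches if memberUid holds DNs, which it does not here.
    print("user1, (memberUid=%D), limit 1:",
          group_check(groups, "(memberUid=%D)", "user1", USER1_DN))
```

    With a user that belongs to only one matching group the check succeeds even at
    the default limit, which is why such setups appear to work until a second
    group lists the same memberUid; raising ldap_size_limit in saslauthd.conf is
    the corresponding knob. Note also that this check only gates authentication:
    Cyrus IMAP resolves group: identifiers in mailbox ACLs through its own auth
    module (auth_unix, i.e. the system group database), not through saslauthd.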


