Re: Passing full userid or realm to SASL

From: Marcus I. Ryan (no email)
Date: Wed Oct 05 2005 - 11:40:30 EDT

  • Next message: Karl Boyken: "RE: formail not parsing folder"

    On FreeBSD, I've installed these ports:
    cyrus-imapd-2.2.12_1
    cyrus-sasl-2.1.21
    cyrus-sasl-saslauthd-2.1.21

    imapd.conf includes:
    virtdomains: userid
    defaultdomain: riboflavin.net
    sasl_pwcheck_method: saslauthd
    sasl_auto_transition: no
    sasl_mech_list: plain login
    unixhierarchysep: yes

    The rest of the settings I would think aren't related; paths, etc.

    The ldap filter in saslauthd is set for:
    ldap_search_base: ou=%d,<base org>
    ldap_scope: sub
    ldap_auth_method: custom
    ldap_filter: (mailRoutingAddress=%u)

    Though I tried without it to make sure that wasn't the problem, I run
    saslauthd with the -r flag, so the realm should be appended to the userid
    if one is passed.

    When I run testsaslauthd -u -p <password> I get:
    0: OK "Success."

    When I run imtest -s -a localhost, first it
    pauses for about 20 seconds, which I can't explain; happens with a
    standard imap client as well. When I enter the password I get:
    S: A01 NO authentication failure
    Authentication failed. generic failure
    Security strength factor: 256

    If I look in the auth log, it shows:
    Oct 5 15:30:10 testsrv saslauthd[85649]: do_auth : auth
    failure: [user=marcus] [service=imap] [realm=] [mech=ldap]
    [reason=Unknown]

    which I'm assuming means it was passed marcus in %u and no realm
    instead of in %u and/or marcus in %u and
    riboflavin.net in %r/%d.

    -- 
    Marcus I. Ryan, 
    --------------------------------------------------------------------
    Hanlon's Razor:  Never attribute to malice that which is adequately
    explained by stupidity.
    --------------------------------------------------------------------
    Quoting Edward Rudd <>:
    > On Wed, 2005-10-05 at 01:31 -0500, Marcus I. Ryan wrote:
    >> I've set up SASL with an LDAP backend that checks for a user in either
    >> the ou of the SASL realm, or the ou matching their domain (so
    >>  as the username or user with domain.tld as the realm).
    >>
    >> I got it working using testsaslauthd, but when I try it through IMAP it
    >> appears IMAP strips the domain from the userid before it passes it to
    >> SASL, and doesn't pass it as a realm.  I can handle it either way
    >> (passing a username of  or having it passed in as a
    >> userid and a realm), but it doesn't seem to do either.  Am I missing a
    >> setting/configuration option, or does this require some kind of code
    >> patch?
    >
    > [snip]
    >
    >>
    >> Any thoughts are appreciated.  Thanks.
    >
    >
    > What version of SASL are you using? What version of Cyrus IMAP?
    >
    > Are you using %u and %f in the ldap_filter configuration in
    > saslauthd.conf? The userid is sent in %u and the realm (domain) in %r.
    > (this is in cyrus sasl version 2.1.20, cyrus imapd 2.2.12)
    >
    > Also try setting the virtdomains: userid in /etc/imapd.conf (if using
    > cyrus 2.2.x) That will ensure that cyrus sends the whole userid to
    > sasl.
    >
    > --
    > Edward Rudd <>
    >
    >
    >
    ----
    Cyrus Home Page: http://asg.web.cmu.edu/cyrus
    Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
    List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
    
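A toy model of the saslauthd-side token expansion the thread is arguing about, added here as an illustration; it is not code from the thread or from Cyrus SASL. The token meanings (%u, %U, %d, %r, %s) are as I recall them from the saslauthd LDAP_SASLAUTHD notes and are an assumption, `dc=example,dc=com` stands in for the elided `<base org>`, and the inputs are constructed. It shows what `ou=%d,...` and `(mailRoutingAddress=%u)` turn into when the userid arrives as `marcus` with an empty realm (the combination the auth log line shows), as `marcus@riboflavin.net`, or as `marcus` plus the realm with `-r`, and it escapes the user-supplied value the way a filter value must be escaped so a hostile userid cannot rewrite the search.

```python
from typing import Dict, Tuple

# Added example, not code from the original thread or from Cyrus SASL.
# Assumptions: token meanings (%u user, %U user part before '@', %d domain
# part of %u or the realm when %u has none, %r realm, %s service) follow the
# saslauthd LDAP_SASLAUTHD notes from memory; BASE_ORG stands in for the
# elided <base org> in the post; all sample inputs are constructed.

BASE_ORG = "dc=example,dc=com"          # placeholder for <base org>
SEARCH_BASE = "ou=%d," + BASE_ORG       # ldap_search_base from the post
FILTER = "(mailRoutingAddress=%u)"      # ldap_filter from the post


def filter_escape(value: str) -> str:
    """RFC 4515 escaping for an assertion value inside a search filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def dn_escape(value: str) -> str:
    """RFC 4514 escaping for an attribute value inside a DN (the search base)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '",+;<>\\' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def apply_r_flag(user: str, realm: str, r_flag: bool) -> str:
    """saslauthd -r: append '@realm' to the userid, but only if a realm arrived."""
    return f"{user}@{realm}" if r_flag and realm else user


def tokens(user: str, realm: str, service: str) -> Dict[str, str]:
    """Values for the %-tokens, given the userid/realm that reached saslauthd."""
    userpart, _, domainpart = user.partition("@")
    return {
        "%u": user,
        "%U": userpart,
        "%d": domainpart or realm,   # fall back to the realm when %u has no '@'
        "%r": realm,
        "%s": service,
    }


def expand(template: str, values: Dict[str, str], escape) -> str:
    """Substitute tokens, escaping each value for the context it lands in."""
    out, i = [], 0
    while i < len(template):
        tok = template[i:i + 2]
        if tok in values:
            out.append(escape(values[tok]))
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def build_search(user: str, realm: str, r_flag: bool = True,
                 service: str = "imap") -> Tuple[str, str]:
    """Return (search_base, filter) this model would hand to the directory."""
    user = apply_r_flag(user, realm, r_flag)
    vals = tokens(user, realm, service)
    return (expand(SEARCH_BASE, vals, dn_escape),
            expand(FILTER, vals, filter_escape))


if __name__ == "__main__":
    cases = [
        ("marcus", ""),                          # what the auth log line shows
        ("marcus@riboflavin.net", ""),           # full address as the userid
        ("marcus", "riboflavin.net"),            # bare user plus realm, with -r
        ("*)(objectClass=*", "riboflavin.net"),  # hostile userid (constructed)
    ]
    for u, r in cases:
        base, flt = build_search(u, r)
        print(f"user={u!r} realm={r!r}\n  base:   {base}\n  filter: {flt}")
```

With `user=marcus` and an empty realm the base expands to `ou=,dc=example,dc=com`, which no directory will search, while the other two well-formed inputs produce the same base and filter; the hostile case shows `*`, `(` and `)` arriving in the filter as `\2a`, `\28`, `\29` rather than as filter syntax.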
