From: Guus Leeuw jr. (no email)
Date: Wed Jan 10 2007 - 13:39:41 EST
Hello,
OK.
You want user 12345 to log in through IMAP, and not .
Thus, you need a mailbox 12345 in Cyrus, that it will authenticate against
SASL (eventually hitting LDAP).
The problem:
User 12345 cannot receive mail, because postfix doesn't know the guy.
On the other hand, cannot login because LDAP doesn't know
the guy ;)
The solution:
Change your recipient canonical settings to virtual maps.
Your LDAP query filter would then be something to the effect of
(&(|(mail=%s)(mailAlternateAddress=%s))(enableMail=Y))
And get rid of the "result_filter = %s at domain dot com"
What this will allow is:
1) A user called 12345 in LDAP and Cyrus
2) A postfix lookup for *any* email address, as long as enableMail=Y
3) A postfix mapping of the email address to %s (12345).
4) Email addresses of will result in 12345 (=uid)
Problem solved. ;)
Hope this will work for you. It does for me! ( is
an alias and receives mail for ,
, however, since is the
mail attribute, and the other two are kept in mailAlternateAddress, my
sender_canonical_map tells postfix that my mail address is
, *although* I only login to Cyrus/SSH/Whatnot
with leeuwg!!
And I guess, that is what you want ;)
Have fun,
Guus
(Ah, and you could even accept mail for , as
long as postfix knows myotherdomain.com is a mydestination ;)
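The lookup Guus describes, as an added example that is not code from this thread or from Postfix or Cyrus: the Postfix side would be a virtual_alias_maps LDAP table with his query_filter, result_attribute = uid and no result_filter, so that any enabled address resolves to the uid that Cyrus uses as the mailbox name, and a sender_canonical table in the other direction (uid to mail). The Python below models both lookups over constructed directory entries (the uids, names and addresses are invented for the example). It also shows the RFC 4515 escaping that Postfix applies to %s before substituting it into the filter, so a looked-up address cannot alter the query, and it includes one disabled entry and one whose enableMail value is S rather than Y (the LDIF later in this thread uses S while both filters test for Y), both of which the lookup rejects.

```python
"""Model of the Postfix-to-LDAP mapping discussed in the thread.

Any address that matches mail= or mailAlternateAddress= on an entry with
enableMail=Y resolves to that entry's uid (the Cyrus mailbox name); the
reverse lookup turns a login uid into its primary mail address.
Directory data below is constructed for the example, not taken from the thread.
"""

# Constructed directory entries (assumption: not the poster's real LDAP data).
DIRECTORY = [
    {"uid": "12345", "mail": "user12345@domain.com",
     "mailAlternateAddress": ["user12345@lists.domain.com", "user12345@domain.org"],
     "enableMail": "Y"},
    {"uid": "67890", "mail": "other@domain.com",
     "mailAlternateAddress": [], "enableMail": "N"},   # explicitly disabled account
    {"uid": "24680", "mail": "s-flag@domain.com",
     "mailAlternateAddress": [], "enableMail": "S"},   # flag value the filter does not accept
]

# The query_filter suggested in the reply; Postfix replaces %s with the lookup key.
QUERY_FILTER = "(&(|(mail=%s)(mailAlternateAddress=%s))(enableMail=Y))"


def ldap_escape(value):
    """Escape the characters RFC 4515 reserves inside filter values.

    Postfix does the same to %s before substitution, which is what keeps a
    recipient address from injecting extra filter terms into the query.
    """
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(address):
    """The filter string Postfix would actually send for one lookup key."""
    return QUERY_FILTER.replace("%s", ldap_escape(address))


def entry_matches(entry, address):
    """Evaluate QUERY_FILTER's semantics against one entry.

    Mail attributes use case-insensitive matching in LDAP, so compare lowercased.
    """
    addr = address.lower()
    candidates = [entry.get("mail", "").lower()]
    candidates += [a.lower() for a in entry.get("mailAlternateAddress", [])]
    return addr in candidates and entry.get("enableMail") == "Y"


def lookup_mailbox(address, directory=DIRECTORY):
    """virtual_alias_maps direction: address -> uid (Cyrus mailbox), or None.

    A real Postfix ldap table would join several matches with commas; here
    an ambiguous mapping is treated as a configuration error, because one
    recipient address must land in exactly one mailbox.
    """
    hits = [e["uid"] for e in directory if entry_matches(e, address)]
    if len(hits) > 1:
        raise ValueError("ambiguous mapping for %s: %s" % (address, hits))
    return hits[0] if hits else None


def sender_address(uid, directory=DIRECTORY):
    """sender_canonical direction: login uid -> primary mail attribute, or None."""
    for entry in directory:
        if entry["uid"] == uid and entry.get("enableMail") == "Y":
            return entry["mail"]
    return None


if __name__ == "__main__":
    for probe in ("user12345@domain.com", "user12345@domain.org",
                  "other@domain.com", "s-flag@domain.com", "nobody@domain.com"):
        print("%-28s -> %s" % (probe, lookup_mailbox(probe)))
    print("sender for uid 12345:", sender_address("12345"))
    print("filter for a*b@x.com:", build_filter("a*b@x.com"))
```

The enableMail check is the part worth keeping even after the address problem is solved: without it, every entry with a mail attribute becomes a deliverable mailbox, and an account that was meant to be switched off keeps receiving mail.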
> -----Original Message-----
> From: [mailto:info-cyrus-
> ] On Behalf Of Jose Morelli Neto
>
> 2007/1/8, Guus Leeuw jr. <>:
> >
> > Hello,
>
> Hi Guus!
>
> >
> > First of all a couple of questions:
> >
> > 1) Are you planning to manage multiple domains' mail, or just the
> domain.com mail?
>
> Yes, I need to manage more two domains, like lists.domain.com and
> domain.org.
>
> >
> > 2) Can you post the contents of the canonical.cf file that postfix
> uses for canonical mapping?
>
> I needed to modify the canonical configuration, because I wasn't able to
> send mail. Now it is like this:
> main.cf --------
> recipient_canonical_maps =
> proxy:ldap:/etc/postfix/ldap/recipient_canonical.cf
> sender_canonical_maps = proxy:ldap:/etc/postfix/ldap/sender_canonical.cf
> main.cf --------
>
> recipient_canonical.cf ----------
> server_host = ldap://ldap.domain.com:389
> bind = yes
> bind_dn = cn=admin,dc=domain,dc=com
> bind_pw = password
>
> search_base = ou=users,dc=domain,dc=com
> query_filter = (&(mail=%s)(objectClass=CourierMailAccount)(enableMail=Y))
> result_attribute = uid
> result_filter = %s at domain dot com
> recipient_canonical.cf ----------
>
> sender_canonical.cf --------
> server_host = ldap://ldap.domain.com:389
> bind = yes
> bind_dn = cn=admin,dc=domain,dc=com
> bind_pw = password
>
> search_base = ou=users,dc=domain,dc=com
> query_filter = (&(uid=%s)(objectClass=CourierMailAccount)(enableMail=Y))
> result_attribute = mail
> sender_canonical.cf --------
>
> As you can see in the file recipient_canonical.cf, the result_filter has
> @domain.com fixed. This way, it wouldn't work with virtual domains;
> I'd need to add an attribute with code+domain like .
>
> >
> > 3) Why would you want SASL to talk to PAM for PAM to talk to LDAP?
> Why not do the whole thing in 1 go?
>
>
> Yes, the reason is that this server directly affects the
> authentication of ssh in LDAP. I tried to authenticate SASL directly in
> LDAP, with this saslauthd configuration:
> ldap_servers: ldap://ldap.domain.com/
> ldap_version: 3
> ldap_search_base: ou=users,dc=domain,dc=com
> ldap_filter: uid=%u
> ldap_auth_method: bind
>
>
> It works normally.
>
> >
> > I believe you told imapd to use the PLAIN mechanism… AFAIK PLAIN is not
> equal to PAM in terms of mechanism… OK, the PAM method I could understand,
> but then again, that raises question 3.
>
> Yes, I understand that using saslauthd as the method will authenticate
> on PAM (and this works). I see in the imapd.conf manual that this can
> authenticate (or get an attribute) directly in LDAP, but I didn't find
> any example of this.
>
> If I can get the UID from LDAP after postfix delivers via LMTP to
> Cyrus, and before Cyrus verifies that the mailbox exists (and
> verifies using the UID), this will work perfectly. The tests with
> canonical worked, but I will need to convert the mail address
> every time, and I will have to modify my LDAP base (~150,000
> records). I believe that there is a "correct way" to do this.
> >
> > Can you bind to the LDAP server with the uid 12345? Can you bind to LDAP
> with ?
>
> yes with uid 12345, and no with .
>
> >
> >
> >
> >
> > Without answers, it would be difficult to help (for me).
> >
> >
>
> I understand, also it's difficult for me to explain :)
>
> >
> > Regards,
> >
> > Guus
> >
>
> Thanks for your interest in this problem!
>
> Neto.
>
>
> >
> > From: [mailto:info-cyrus-
> ] On Behalf Of Jose Morelli Neto
> > Sent: 08 January 2007 12:07
> > To:
> > Subject: Authentication in LDAP with different UID
> >
> >
> >
> >
> > Hello,
> >
> > I am updating the mail server at my work, and in this process I decided
> to change Courier-IMAP for Cyrus-IMAP; however, I still came across
> a problem without a solution (at least for me). Here, all users
> have a personal ID which is used for authentication in some
> systems (also in mail). For example, a user with the personal ID
> 12345 has the mail
> >
> >
> > If I create the mailbox in cyrus with the personal ID (cm user.12345),
> I can connect through imap/pop3 and cyrus gets access to the mailbox
> without problems (using 12345 as the user); however, when sending a message to
> this user, postfix delivers via LMTP to cyrus, which does not locate the
> mailbox (with the error: lmtpunix [5514]: to verify_user (user.12345)
> failed: Mailbox you donate not exist). Then, if I create the mailbox with the
> user's mail ( cm ), the message is delivered without
> problems from postfix to cyrus (which finds the mailbox); however, I can't
> access the mailbox via IMAP/POP using the personal code (12345) as the login,
> only the email ( ).
> >
> > Cyrus authentication is done by SASL using the PAM mechanism
> (which validates through LDAP).
> >
> >
> > Here are some configurations to facilitate understanding:
> > /etc/imapd.conf --------------------------------------
> > configdirectory: /var/lib/imap
> > partition-default: /var/spool/imap
> > admins: cyrus
> > sievedir: /var/lib/imap/sieve
> > sendmail: /usr/sbin/sendmail
> > hashimapspool: true
> > sasl_pwcheck_method: saslauthd
> > sasl_mech_list: PLAIN
> > tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
> > tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
> > tls_ca_file: /usr/share/ssl/certs/ca- bundle.crt
> > virtdomains: userid
> > defaultdomain: domain.com
> > /etc/imapd.conf --------------------------------------
> >
> > /etc/postfix/main.cf --------------------------------
> > virtual_transport = lmtp:unix:/var/lib/imap/socket/lmtp
> > canonical_maps = proxy:ldap:/etc/postfix/ldap/canonical.cf
> > /etc/postfix/main.cf --------------------------------
> >
> > usuário.ldif -------------------------
> > dn: uid=12345,ou=users,dc=domain,dc=com
> > uid: 12345
> > cn: Test User
> > sn: test
> > loginShell: /bin/false
> > uidNumber: 90001
> > mail:
> > quota: 20971520
> > gidNumber: 513
> > homeDirectory: /home/user
> > mailbox: /home/user/Maildir/
> > mailHost: siaimail10.domain.com
> > description: description
> > enableMail: S
> > objectClass: top
> > objectClass: person
> > objectClass: posixAccount
> > objectClass: shadowAccount
> > objectClass: CourierMailAccount
> > objectClass: inetLocalMailRecipient
> > usuário.ldif -------------------------
> >
> >
> > I tried, through postfix, to modify/create/use some macro (those used in
> master.cf: ${user} ${extension}) that would pass the personal ID to cyrus
> (in place of the address), but I did not have success.
> >
> > I tried having SASL authenticate in LDAP using the UID, but it didn't
> work out very well, because cyrus uses the login name itself to locate the mailbox,
> and thus I can't deliver the message via lmtp (because the mailbox was named
> after the user).
> >
> >
> > The only thing close to what I need that I found was a Kolab patch
> that allows (theoretically, I did not test it) querying the
> virtual domains through ldap.
> >
> > I used canonical_maps in postfix querying ldap for the mail (
> ) and returning the email (), but for virtual
> domains I would have to add a new attribute in LDAP with the personal ID +
> the domain.
> >
> > Does someone have experience with this integration and could help me?
> >
> >
> > Thanks for your attention.
> > Neto.
> >
> >
> > --
> > José Morelli Neto
> > http://josemorelli.net
> >
> >
>
>
>
> --
> José Morelli Neto
> http://josemorelli.net
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>
>
>