I'm attempting to configure Cyrus IMAPD with ldapdb for SASL authentication. As I'm using virtual domains, I need users to be able to authenticate using their e-mail addresses, or just a bare userid for the default domain. I'm having some trouble getting everything working[1].
Based on this documentation extract from Cyrus SASL, I've been primarily focussing on the OpenLDAP configuration:
"Unlike other LDAP-enabled plugins for other services that are common on the web, this plugin does not require you to configure DN search patterns to map usernames to LDAP DNs. This plugin requires SASL name mapping to be configured on the target slapd. This approach keeps the LDAP-specific configuration details in one place, the slapd.conf, and makes the configuration of remote services much simpler."
I've set up a number of olcAuthzRegexp entries similar to (from the OpenLDAP 2.4 admin guide):
"A more complex site might have several realms in use, each mapping to a different subtree in the directory. These can be handled with statements of the form:
# Match Engineering realm
authz-regexp
  uid=([^,]*),cn=engineering.example.com,cn=digest-md5,cn=auth
  ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))

# Match Accounting realm
authz-regexp
  uid=([^,]*),cn=accounting.example.com,cn=digest-md5,cn=auth
  ldap:///dc=accounting,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))

# Default realm is customers.example.com
authz-regexp
  uid=([^,]*),cn=digest-md5,cn=auth
  ldap:///dc=customers,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"
However, from what I can determine I'm not getting any realm component in the searches coming through. The "default" realm configuration works when I use a bare userid to authenticate, but when using a full e-mail address, that comes through as "uid=example@example.com,cn=[authmech],cn=auth". That said, I haven't found a LogLevel which includes AuthzRegexp processing; I've tried various settings, but the closest I've come is logging the resulting bind requests (e.g. BIND dn="uid=example,ou=people,dc=example,dc=com" mech=DIGEST-MD5 sasl_ssf=128 ssf=128).
So my question is, how is the realm determined in such a scenario? Do I need to design olcAuthzRegexp entries to determine the realm based on the e-mail address supplied? If so, how does that information get passed back to Cyrus IMAPD so that the correct virtual domain is selected? Is there an appropriate olcLogLevel to see detailed olcAuthzRegexp processing?
I'd be grateful for any suggestions or references to documentation, etc. I've done some searching of the mailing list archives to little avail.
In case it matters, this is on CentOS 6.5 (x86_64) with stock OpenLDAP 2.4.23 and Cyrus SASL 2.1.23 packages, plus Cyrus IMAPD 2.4.17 built from Simon Matter's SRPM.
[1] I *am* able to get authentication + virtual domains working with saslauthd, but I'd like to be able to support non-plaintext auth mechanisms.
---- Nels Lindquist
On 02/21/14 13:09 -0700, Nels Lindquist wrote:
> I'm attempting to configure Cyrus IMAPD with ldapdb for SASL authentication. As I'm using virtual domains, I need users to be able to authenticate using their e-mail addresses, or just a bare userid for the default domain. I'm having some trouble getting everything working[1].
> # Match Engineering realm
> authz-regexp
>   uid=([^,]*),cn=engineering.example.com,cn=digest-md5,cn=auth
>   ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))
>
> # Match Accounting realm
> authz-regexp
>   uid=([^,]*),cn=accounting.example.com,cn=digest-md5,cn=auth
>   ldap:///dc=accounting,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))
>
> # Default realm is customers.example.com
> authz-regexp
>   uid=([^,]*),cn=digest-md5,cn=auth
>   ldap:///dc=customers,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"
>
> However, from what I can determine I'm not getting any realm component in the searches coming through. The "default" realm configuration works when I use a bare userid to authenticate, but when using a full e-mail address, that comes through as "uid=example@example.com,cn=[authmech],cn=auth". That said, I haven't found a LogLevel which includes AuthzRegexp processing; I've tried various settings, but the closest I've come is logging the resulting bind requests (e.g. BIND dn="uid=example,ou=people,dc=example,dc=com" mech=DIGEST-MD5 sasl_ssf=128 ssf=128).
I would not depend on realm being delivered in a consistent way from cyrus imapd/sasl. Different mechanisms will act in different ways. libsasl2 is responsible for providing the realm (or not). To maintain some consistency, create two sets of authz-regexp rules, such as:
authz-regexp "uid=([^,]+),cn=([^,]+),cn=auth" "ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"
authz-regexp "uid=([^,]+),cn=([^,]+),cn=([^,]+),cn=auth" "ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1@$2)(objectClass=person))"
And you may need a third rule which matches cases where both a fully qualified username AND a realm are provided.
> So my question is, how is the realm determined in such a scenario? Do I need to design olcAuthzRegexp entries to determine the realm based on the e-mail address supplied? If so, how does that information get passed back to Cyrus IMAPD so that the correct virtual domain is selected? Is there an appropriate olcLogLevel to see detailed olcAuthzRegexp processing?
Essentially, the only thing Cyrus IMAPD cares about from ldapdb (libsasl2) is authenticating the user and canonicalizing the user (optional).
The correct virtual domain will simply need to match the fully qualified username provided by the user, or the canonicalized username if you're using ldapdb as a canonicalization function. That is, Cyrus IMAPD is responsible for finding the user's mailbox based on the submitted username@domain from the user. libsasl2, by way of ldapdb, authenticates the user.
> I'd be grateful for any suggestions or references to documentation, etc. I've done some searching of the mailing list archives to little avail.
>
> In case it matters, this is on CentOS 6.5 (x86_64) with stock OpenLDAP 2.4.23 and Cyrus SASL 2.1.23 packages, plus Cyrus IMAPD 2.4.17 built from Simon Matter's SRPM.
ldapdb canonicalization is not available in 2.1.23 (unpatched), but that's not necessarily a problem in your scenario.
> [1] I *am* able to get authentication + virtual domains working with saslauthd, but I'd like to be able to support non-plaintext auth mechanisms.
ldapwhoami is highly recommended for testing this setup. Include all of -Y, -U, and -X.
On Fri, 21 Feb 2014 13:09:13 -0700, Nels Lindquist nlindq@maei.ca wrote:
First, you should enable proxy authentication by authz-policy, and create and define a proxy user as part of the ldapdb configuration. In order to pass mail attribute values instead of uid values, you may define

authz-regexp uid=(.*),cn=.*,cn=auth ldap:///dc=example,dc=com??sub?mail=$1

For this, the mail attribute must be indexed.
-Dieter
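The three authz-regexp rule sets that appear in this thread (the admin-guide realm rules from the question, the realm-agnostic pair from the first reply, and the mail-attribute rule from the second) can be dry-run offline before any of them goes into slapd. What follows is an added example written for this page; it is not code from OpenLDAP, Cyrus SASL, or any of the posters. It models slapd's mapping as: rules tried in order, the regex matched case-insensitively as an extended regex, and $1..$9 in the first matching rule replaced by the captured groups. That model, the `MAIL_RULE_TIGHT` variant, and the sample SASL DNs (uid "nels", realm "example.com", mechanism DIGEST-MD5) are assumptions and constructed inputs, not anything the thread states; confirm the real behaviour with ldapwhoami.

```python
"""Offline dry-run of slapd authz-regexp rule sets.

Added example for this thread, not code from OpenLDAP, Cyrus SASL or any
poster.  Assumed slapd semantics: patterns are tried in order, matched as
case-insensitive extended regexes, and $1..$9 in the first matching rule
are replaced by the captured groups.  Confirm against a real slapd with
ldapwhoami before relying on any of these rules.
"""
import re
from typing import List, Optional, Tuple

Rule = Tuple[str, str]  # (regex over the SASL DN, replacement LDAP URL or DN)


def resolve_authz(authc_dn: str, rules: List[Rule]) -> Optional[str]:
    """Return the URL/DN the first matching rule yields, or None when no
    rule matches (slapd then leaves the SASL DN unmapped)."""
    for pattern, template in rules:
        m = re.search(pattern, authc_dn, re.IGNORECASE)
        if m is None:
            continue
        # slapd's $N refers to the N-th capture group of the matching rule.
        return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", template)
    return None


# The OpenLDAP admin guide rules quoted in the original question.
GUIDE_RULES: List[Rule] = [
    (r"uid=([^,]*),cn=engineering.example.com,cn=digest-md5,cn=auth",
     "ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"),
    (r"uid=([^,]*),cn=accounting.example.com,cn=digest-md5,cn=auth",
     "ldap:///dc=accounting,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"),
    (r"uid=([^,]*),cn=digest-md5,cn=auth",
     "ldap:///dc=customers,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"),
]

# The realm-agnostic pair from the first reply: rule 1 handles a DN with no
# realm component, rule 2 glues uid and realm back together as uid@realm.
# [^,]+ cannot cross a comma, so rule 1 does not accidentally match a DN
# that carries a realm component.
GENERIC_RULES: List[Rule] = [
    (r"uid=([^,]+),cn=([^,]+),cn=auth",
     "ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"),
    (r"uid=([^,]+),cn=([^,]+),cn=([^,]+),cn=auth",
     "ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1@$2)(objectClass=person))"),
]

# The mail-attribute rule from the second reply.  Its greedy (.*) swallows a
# realm component if libsasl2 ever supplies one, so the filter becomes
# "mail=nels,cn=example.com".  MAIL_RULE_TIGHT is a hypothetical variant
# (mine, not from the thread) that refuses such DNs instead.
MAIL_RULE: List[Rule] = [
    (r"uid=(.*),cn=.*,cn=auth", "ldap:///dc=example,dc=com??sub?mail=$1"),
]
MAIL_RULE_TIGHT: List[Rule] = [
    (r"uid=([^,]+),cn=[^,]+,cn=auth", "ldap:///dc=example,dc=com??sub?mail=$1"),
]

# Constructed SASL DNs covering the three shapes discussed in the thread.
BARE = "uid=nels,cn=DIGEST-MD5,cn=auth"                  # bare userid, no realm
EMAIL = "uid=nels@example.com,cn=DIGEST-MD5,cn=auth"     # e-mail as authcid, no realm
REALM = "uid=nels,cn=example.com,cn=DIGEST-MD5,cn=auth"  # libsasl2 supplied a realm


def main() -> None:
    """Print what each rule set would search for, for each DN shape."""
    for name, rules in (("guide", GUIDE_RULES), ("generic", GENERIC_RULES),
                        ("mail", MAIL_RULE), ("mail-tight", MAIL_RULE_TIGHT)):
        for dn in (BARE, EMAIL, REALM):
            print(f"{name:10s} {dn}\n{'':10s} -> {resolve_authz(dn, rules)}")


if __name__ == "__main__":
    main()
```

Running it shows the problem from the question directly: with the admin-guide rules, the e-mail login `uid=nels@example.com,cn=DIGEST-MD5,cn=auth` has no realm component, so it falls through to the default rule and slapd searches `uid=nels@example.com` under dc=customers, which finds nothing. The realm-agnostic pair maps both the bare and the realm-bearing forms onto the same `uid=nels@example.com` filter, which is what the mailbox lookup in Cyrus IMAPD needs. Once a rule set looks right here, check it against the real slapd with ldapwhoami, passing -Y for the mechanism, -U for the authentication identity and -X for the authorization identity; the DN it prints back is the result of the mapping.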
openldap-technical@openldap.org