Forwarding to the list for posterity.
On 02/25/14 15:22 -0700, Nels Lindquist wrote:
On 2/21/2014 1:45 PM, Dan White wrote:
On 02/21/14 13:09 -0700, Nels Lindquist wrote:
<snip>
However, from what I can determine I'm not getting any realm component in the searches coming through. The "default" realm configuration works when I use a bare userid to authenticate, but when using a full e-mail address, that comes through as "uid=example@example.com,cn=[authmech],cn=auth". That said, I haven't found a LogLevel which includes AuthzRegexp processing; I've tried various settings, but the closest I've come is logging the resulting bind requests (e.g. BIND dn="uid=example,ou=people,dc=example,dc=com" mech=DIGEST-MD5 sasl_ssf=128 ssf=128).
I would not depend on realm being delivered in a consistent way from cyrus imapd/sasl. Different mechanisms will act in different ways. libsasl2 is responsible for providing the realm (or not). To maintain some consistency, create two sets of authz-regexp rules, such as:
authz-regexp "uid=([^,]+),cn=([^,]+),cn=auth" "ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"
authz-regexp "uid=([^,]+),cn=([^,]+),cn=([^,]+),cn=auth" "ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1@$2)(objectClass=person))"
And you may need a third rule which matches cases where both a fully qualified username AND a realm are provided.
To be more clear, in my LDAP none of the objects have uids incorporating e-mail addresses, but that's how Cyrus IMAP allows for virtual domain logins.
My base dn is actually "o=top", and then I have the various domains laid out like:
dc=example,dc=com,o=top
dc=example2,dc=ca,o=top
... so my plan was to use the virtual domain information to translate into which subtree I need to search against. The "fallthrough" default domain just searches the bare uid against a particular subtree.
It seems to be working using this (we're using LDAPRouting with Sendmail, so all mailboxes must have inetLocalMailRecipient attributes):
# Match e-mail address; map to correct subtree
authz-regexp "uid=([^,]+)@([^,.]+).([^,]+),cn=[^,]*,cn=auth" "ldap:///dc=$2,dc=$3,o=top??sub?(&(uid=$1)(mailLocalAddress=*))"
# Default domain
authz-regexp "uid=([^,]*),cn=[^,]*,cn=auth" "ldap:///dc=example,dc=com,o=top??sub?(&(uid=$1)(mailLocalAddress=*))"
ldapwhoami is highly recommended for testing this setup. Include all of -Y, -U, and -X.
Thanks very much for putting me on the right track!
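A dry run of the two authz-regexp rules posted above, as an added example that is not part of the thread or of OpenLDAP itself: it applies the rules in slapd's first-match order to constructed SASL DNs, shows the LDAP URL each one resolves to, and shows that a DN carrying a realm component falls through both rules, which is the case the earlier note about a third rule covers. The patterns are copied from the posted configuration; the sample DNs and the helper name map_sasl_dn are assumptions for this example.

```python
import re

# The two authz-regexp rules from the thread as (pattern, URL template) pairs,
# in slapd's first-match-wins order. Copied verbatim from the posted config;
# note the unescaped '.' between $2 and $3 matches any single character, not
# only a literal dot, exactly as it does in slapd's POSIX regex matching.
RULES = [
    (r"uid=([^,]+)@([^,.]+).([^,]+),cn=[^,]*,cn=auth",
     "ldap:///dc=$2,dc=$3,o=top??sub?(&(uid=$1)(mailLocalAddress=*))"),
    (r"uid=([^,]*),cn=[^,]*,cn=auth",
     "ldap:///dc=example,dc=com,o=top??sub?(&(uid=$1)(mailLocalAddress=*))"),
]


def map_sasl_dn(sasl_dn, rules=RULES):
    """Return the LDAP URL slapd would search for this SASL DN, or None.

    Mirrors authz-regexp semantics: rules are tried in order, the match is
    unanchored (like regexec), and $1..$9 in the URL template are filled from
    the capture groups of the first rule that matches. None means no rule
    matched, so the SASL identity maps to nothing and authorization fails.
    """
    for pattern, template in rules:
        m = re.search(pattern, sasl_dn)
        if m is None:
            continue
        return re.sub(r"\$([1-9])", lambda g: m.group(int(g.group(1))), template)
    return None


# Constructed sample SASL DNs covering the cases discussed in the thread.
SAMPLES = {
    "virtual domain": "uid=nels@example.com,cn=DIGEST-MD5,cn=auth",
    "bare uid":       "uid=nels,cn=DIGEST-MD5,cn=auth",
    "with realm":     "uid=nels,cn=example.com,cn=DIGEST-MD5,cn=auth",
    "3-label domain": "uid=nels@mail.example.ca,cn=PLAIN,cn=auth",
}

if __name__ == "__main__":
    for label, dn in SAMPLES.items():
        print(f"{label:15} {dn}")
        print(f"{'':15} -> {map_sasl_dn(dn)}")
```

The "3-label domain" sample shows a limit of the first rule: it splits the domain at the first dot, so a host-qualified domain lands in dc=mail,dc=example.ca rather than the intended subtree.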
openldap-technical@openldap.org