Forwarding to the list for posterity.
On 02/25/14 15:22 -0700, Nels Lindquist wrote:
On 2/21/2014 1:45 PM, Dan White wrote:
> On 02/21/14 13:09 -0700, Nels Lindquist wrote:
>> However, from what I can determine I'm not getting any realm component
>> in the searches coming through. The "default" realm configuration
>> when I use a bare userid to authenticate, but when using a full e-mail
>> address, that comes through as
>> "uid=example@example.com,cn=[authmech],cn=auth". That said, I
>> found a LogLevel which includes AuthzRegexp processing; I've tried
>> various settings, but the closest I've come is logging the resulting
>> bind requests (eg. BIND dn="uid=example,ou=people,dc=example,dc=com"
>> mech=DIGEST-MD5 sasl_ssf=128 ssf=128).
> I would not depend on realm being delivered in a consistent way from cyrus
> imapd/sasl. Different mechanisms will act in different ways. libsasl2 is
> responsible for providing the realm (or not). To maintain some consistency,
> create two sets of authz-regexp rules, such as:
> And you may need a third rule which matches cases where both a fully
> qualified username AND a realm are provided.
To be more clear, in my LDAP none of the objects have uids incorporating
e-mail addresses, but that's how Cyrus IMAP allows for virtual domain
My base dn is actually "o=top", and then I have the various domains laid
... so my plan was to use the virtual domain information to translate
into which subtree I need to search against. The "fallthrough" default
domain just searches the bare uid against a particular subtree.
It seems to be working using this (we're using LDAPRouting with
Sendmail, so all mailboxes must have inetLocalMailRecipient attributes):
# Match e-mail address; map to correct subtree
# Default domain
> ldapwhoami is highly recommended for testing this setup. Include all of -Y,
> -U, and -X.
Thanks very much for putting me on the right track!
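Worked example, added here and not part of the thread: the authz-regexp rules themselves are elided above, so the fragment below is my own reconstruction of the three-rule scheme Dan describes, with the matching logic simulated in Python so the rule ordering can be checked offline. Everything about the tree is an assumption for illustration: a base of o=top, a per-domain subtree for the default domain example.com, and lookups by the mailLocalAddress attribute of inetLocalMailRecipient. The SASL DN forms "uid=<user>,cn=<realm>,cn=<mech>,cn=auth" and "uid=<user>,cn=<mech>,cn=auth" are what slapd presents to authz-regexp; the sample identities are constructed.

```python
import re

# Constructed slapd.conf fragment (assumed layout, not the poster's real rules).
# slapd tries authz-regexp rules in order and uses the first one that matches,
# so the most specific shape (full e-mail as the username) goes first.
SLAPD_CONF = r"""
# 1. e-mail address as username, with or without a realm component:
#    look up the inetLocalMailRecipient entry anywhere under o=top
authz-regexp
  uid=([^,@]+)@([^,]+),(cn=[^,]+,)?cn=[^,]+,cn=auth
  ldap:///o=top??sub?(mailLocalAddress=$1@$2)
# 2. bare username plus a realm: treat the realm as the mail domain
authz-regexp
  uid=([^,@]+),cn=([^,]+),cn=[^,]+,cn=auth
  ldap:///o=top??sub?(mailLocalAddress=$1@$2)
# 3. bare username, no realm: fall through to the default domain subtree
authz-regexp
  uid=([^,@]+),cn=[^,]+,cn=auth
  ldap:///ou=people,o=example.com,o=top??one?(uid=$1)
"""


def parse_authz_regexp(conf):
    """Return [(compiled_pattern, replacement), ...] from a slapd.conf fragment.

    slapd.conf semantics: '#' lines are comments and a line starting with
    whitespace continues the previous logical line.
    """
    logical, rules = [], []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical.append(raw.strip())
        else:
            if logical:
                rules.append(" ".join(logical))
            logical = [raw.strip()]
    if logical:
        rules.append(" ".join(logical))

    parsed = []
    for line in rules:
        parts = line.split()
        if parts[0] != "authz-regexp" or len(parts) != 3:
            raise ValueError("not an authz-regexp rule: " + line)
        parsed.append((re.compile(parts[1]), parts[2]))
    return parsed


def map_sasl_dn(sasl_dn, rules):
    """Rewrite a SASL authz DN with the first matching rule.

    Returns the replacement (a DN or an ldap:/// search URL) or None when no
    rule matches, in which case slapd binds as the literal SASL DN, which has
    no entry and therefore gets no ACL rights.
    """
    for pattern, template in rules:
        m = pattern.search(sasl_dn)
        if m:
            # OpenLDAP writes back-references as $1..$9; re.Match.expand wants \1
            return m.expand(re.sub(r"\$(\d)", r"\\\1", template))
    return None


RULES = parse_authz_regexp(SLAPD_CONF)

if __name__ == "__main__":
    # Constructed sample identities covering the shapes the thread mentions:
    # realm-less, realm-bearing, and e-mail-as-username with and without realm.
    for dn in (
        "uid=bob,cn=digest-md5,cn=auth",
        "uid=bob,cn=example.com,cn=digest-md5,cn=auth",
        "uid=bob@example.com,cn=digest-md5,cn=auth",
        "uid=bob@example.com,cn=example.com,cn=digest-md5,cn=auth",
    ):
        print(dn, "->", map_sasl_dn(dn, RULES))
```

The `[^,@]+` class in rules 2 and 3 keeps an e-mail username from ever being split at the realm by the wrong rule, so the scheme stays correct even if libsasl2 adds or drops the realm between mechanisms. On a real server the same four cases are confirmed with `ldapwhoami -Y DIGEST-MD5 -U <authcid> -X u:<authzid>` while slapd logs the authz-regexp processing.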