Bug#347659: [Pkg-Cyrus-imapd-Debian-devel] Bug#347659: please discuss patch for ldap authentification (Kolab)

Philip Thiem witwerg at icequake.net
Thu Jan 12 23:17:26 UTC 2006


[snip]
> Well, I don't really see how to map LDAP uids (which are normally also
> login names for servers/workstations) to email addresses (on which cyrus
> operates). The only alternative would be to not use vdomains in cyrus and
> use the MTA to deliver mails to any of the mail addresses of a user to
> <uid>.
> However, I would definitely like to see some solution for this.
[snip]

My 2 cents.

Cyrus 2.2 supports virtual domains and SASL has or at least can be properly
patched for LDAP authentication.  It always seemed to me like SASL was the
cyrus way to do authentication.  That is currently what I use for imap.
Maybe something else is needed.

Here's a snippet of my config (I use a custom schema).

sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: LDAPDB
sasl_ldap_user: <server_dn>
sasl_ldap_passwd: <server_pass>
sasl_ldap_hostnames: ldap://127.0.0.1
sasl_ldap_filter: (&(iqEmail=%u@%r)(objectclass=iqMailAccount)(IqEnabled=TRUE))
sasl_ldap_basedn: <base_dn>

I store email explicitly because the account may not correspond to a login.

The downsides:

* Patching SASL if the upstream stream isn't ready (I'm using a patched
package myself).

* Getting SASL working in the first place.  saslauthd wasn't too bad, it
took a while to figure out auxprop.

* Unless you store password in plain-text in the directory, you can't use
MD5-CRAM/MD5-DIGEST, IIRC.  So you have to make sure the LDAP server
is well locked down.


Philip Thiem
Isn't it obvious lumberjacks love traffic lights?
GPG Pub Key Archived at wwwkeys.us.pgp.net
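
The third downside above, shown as an added example that is not part of the original post: with CRAM-MD5 (RFC 2195) the server has to recompute an HMAC keyed with the password, so a one-way {SSHA} hash in the directory is enough for PLAIN but useless for CRAM-MD5. The user name, password, challenge and salt below are constructed sample values.

```python
import base64
import hashlib
import hmac


def cram_md5_response(user: str, secret: bytes, challenge: bytes) -> str:
    """Client side of RFC 2195: 'user' + space + hex(HMAC-MD5(secret, challenge))."""
    return f"{user} {hmac.new(secret, challenge, hashlib.md5).hexdigest()}"


def make_ssha(password: bytes, salt: bytes) -> str:
    """Salted SHA-1 value in the form commonly stored in an LDAP userPassword."""
    blob = hashlib.sha1(password + salt).digest() + salt
    return "{SSHA}" + base64.b64encode(blob).decode()


def check_plain_against_ssha(password: bytes, stored: str) -> bool:
    """PLAIN/LOGIN: the server receives the password, so a one-way hash suffices."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def check_cram_md5(response: str, challenge: bytes, stored_secret: bytes) -> bool:
    """CRAM-MD5: the server recomputes the HMAC, so it needs the HMAC key itself."""
    _user, _, client_digest = response.rpartition(" ")
    expected = hmac.new(stored_secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(client_digest, expected)


def demo() -> dict:
    password = b"correct horse"                       # constructed sample
    challenge = b"<1896.697170952@mail.example.org>"  # constructed sample
    ssha = make_ssha(password, bytes.fromhex("00112233"))
    response = cram_md5_response("joe@example.org", password, challenge)
    return {
        # Directory holds only the hash, client sends the password: works.
        "plain_with_hash": check_plain_against_ssha(password, ssha),
        # Directory holds the cleartext password: CRAM-MD5 works.
        "cram_with_cleartext": check_cram_md5(response, challenge, password),
        # Directory holds only the hash: the HMAC cannot be reproduced.
        "cram_with_hash": check_cram_md5(response, challenge, ssha.encode()),
    }


if __name__ == "__main__":
    print(demo())
```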