List:       info-cyrus
Subject:    Re: domain mode mailbox aliasing
From:       Dan White <dwhite () olp ! net>
Date:       2013-02-18 15:05:51
Message-ID: 20130218150551.GB5326 () dan ! olp ! net

On 02/18/13 15:35 +0100, Gabriele Bulfon wrote:
>Hi,
>I recently reimplemented cyrus+postfix+ldap in multi domain mode, and everything works fine.
>I found myself needing to convert a situation where dom1.com is the same as dom2.com,
>and every user in the 1st domain is actually the same user as in the 2nd domain.
>On postfix, I can manage this with virtual aliases.
>On ldap, I could manage common authentication through relay / rwm, so that user@dom1.com
>can still authenticate as user@dom2.com, with same password (and this works for any service
>trying to authenticate on ldap).
>Being cyrus authentication routed through saslauthd+ldap, I can authenticate on imap both
>as user@dom1.com and user@dom2.com, but then cyrus looks for a different mailbox as it doesn't
>actually know the two domains are the same one.
>Is there any way to instruct cyrus to treat dom2.com as dom1.com?
>Thanx for any help.
>Gabriele.

You can use the ldapdb canonicalization plugin to transform the
authentication identity (user@dom2.com) into user@dom1.com.

To configure (in /etc/imapd.conf):

sasl_ldapdb_uri: ldap://ldap.example.com
sasl_ldapdb_mech: DIGEST-MD5
sasl_ldapdb_id: searcher
sasl_ldapdb_pw: searcher_secret
sasl_ldapdb_canon_attr: maildrop
sasl_canon_user_plugin: ldapdb

The logic is basically:

ldapwhoami -Y DIGEST-MD5 -U searcher -X u:user@dom2.com
<provide password of searcher_secret>
uid=user@dom2.com,ou=people,dc=example,dc=com

ldapsearch -Y DIGEST-MD5 -U searcher -b \
     "uid=user@dom2.com,ou=people,dc=example,dc=com" maildrop
<provide password of searcher_secret>
maildrop: user@dom1.com

You will need to configure your 'searcher' identity with an authzTo capable
of authorizing as any of your user@dom2.com identities. And you will need
to configure appropriate authz-regexp rules in your slapd config to map
sasl identities (searcher, and user@dom2.com) into DNs. Getting all the
ACLs correct can take a little trial and error.

-- 
Dan White
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
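The slapd side that the last paragraph of the reply describes, written out as an added example (not part of Dan's message): a slapd.conf fragment with the authz-regexp mapping, the ACLs the ldapdb lookup needs, and the authzTo value for the searcher entry. It assumes the DN layout shown in the reply (uid=<address>,ou=people,dc=example,dc=com) and that 'searcher' is itself an entry under ou=people; both are assumptions to adjust for your own tree.

```conf
# Added example slapd.conf fragment (assumed DN layout, see lead-in).

# Consult only the authzTo attribute of the authenticating (searcher) entry.
authz-policy to

# Map SASL identities (DIGEST-MD5, with or without a realm component) to DNs:
#   uid=searcher,cn=digest-md5,cn=auth       -> uid=searcher,ou=people,...
#   uid=user@dom2.com,cn=digest-md5,cn=auth  -> uid=user@dom2.com,ou=people,...
# The second form is also what the "-X u:user@dom2.com" authzid expands to.
authz-regexp
    "^uid=([^,]+),(cn=[^,]+,)?cn=digest-md5,cn=auth$"
    "uid=$1,ou=people,dc=example,dc=com"

# DIGEST-MD5 needs slapd to read the (cleartext) userPassword: auth access only.
access to attrs=userPassword
    by self write
    by * auth

# The proxy-authorization check reads authzTo with 'auth' access.
access to attrs=authzTo
    by * auth

# After proxy authorization the ldapdb plugin acts as the user, so 'self' read
# on the entry and on the canonicalization attribute covers the base-scope
# search for maildrop.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=entry,maildrop
    by self read
    by * none

# Searcher entry (LDIF, kept in a separate file): allow it to authorize as
# any uid that ends in @dom2.com.
#   dn: uid=searcher,ou=people,dc=example,dc=com
#   authzTo: dn.regex:^uid=[^,]+@dom2\.com,ou=people,dc=example,dc=com$
```

Keeping the authzTo regex anchored to the ou=people subtree and the @dom2.com suffix limits what the shared searcher credential can impersonate if it leaks.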