[Kolab-devel] Questions and thoughts about canonification for multiple separate domains

Timotheus Pokorra timotheus at kolab.org
Sat Mar 12 08:23:59 CET 2016 

Hello,

We have had this discussion in the past [1]. There seem to be issues
with authentication if you are following the HOWTO: Multi-Domain
Support in Kolab [2].

Previously I just said that my users should only authenticate with
their email address, which meant I could disable canonification and it
worked fine for me. But now we want users to authenticate with just
their userid which they are used to from a previous system.

So I had a look at the Howto for multi-domain support.
It mentions a patch for Cyrus IMAP 2.5 "created by Kolab Systems, and
submitted and accepted upstream, that allows the parent domain DIT
root dn to be discovered".
This patch was first mentioned and published on the cyrus devel
mailing list [3].
It has been committed to Cyrus: [4].
And you can see it [5] as part of the current Cyrus 2.5.7 which is
shipped with Kolab 16 and Winterfell. (Yay for a not-ahead-of-upstream
release!!!)

The next step is to understand how the canonification is supposed to work.

Following the HowTo, the ldap_domain_base_dn "" is misleading. I get
an error "LDAP search for domain failed: Invalid DN syntax". Jeroen
suggested to leave it completely empty.

When I login on domain that is not the primary domain,
test.test at test1.de, I see this error with journalctl -f -u
cyrus-imapd:
Mär 12 07:54:36 55-centos7master.kolab.pokorra.de ptloader[5213]: No
entries found
Mär 12 07:54:36 55-centos7master.kolab.pokorra.de imaps[4988]:
ptload(): bad response from ptloader server: identifier not found
Mär 12 07:54:36 55-centos7master.kolab.pokorra.de imaps[4988]: ptload
completely failed: unable to canonify identifier: test.test at test1.de
Mär 12 07:54:36 55-centos7master.kolab.pokorra.de imaps[4988]: SASL
bad userid authenticated

I came across this bug [6] and commit [7] with the comment "Set
inetdomainbasedn attribute value for root dns that are not the same as
the standard dn for the configured domain name."
In Kolab Webadmin, there is the setting for a domain: "Custom Root
DN". This will set the inetDomainBaseDN attribute. So I edit my domain
test1.de, and set the Custom Root DN to dc=kolab,dc=pokorra,dc=de
which is the primary domain.
I can verify this with ldapsearch:
export pwd=secret
ldapsearch -D "cn=Directory Manager" -w $pwd -b cn=kolab,cn=config
and I see:
# test1.de, kolab, config
dn: associateddomain=test1.de,cn=kolab,cn=config
associatedDomain: test1.de
objectClass: top
objectClass: domainrelatedobject
objectClass: inetdomain
inetDomainBaseDN: dc=kolab,dc=pokorra,dc=de

It seems, my test user has now disappeared, and now I create a new
user in that domain test1.de:
it shows primary address test2.test2 at test1.de before saving.
After saving, it has the primary email address
test2.test2 at kolab.pokorra.de, and secondary addresses:
test2 at test1.de
test2 at kolab.pokorra.de
t.test2 at test1.de
t.test2 at kolab.pokorra.de

In Roundcube, I can login now with these users:
test2 at kolab.pokorra.de
test2 at test1.de
test2

When I want to change the password of the user, I get the message:
"Email address 'test2.test2 at kolab.pokorra.de' not in local domain"
When I check the users of my primary domain, I can see the test2 user there.
Changing the password there also does not work: "Email address
'test2 at test1.de' not in local domain", even though it displays primary
email address test2.test2 at kolab.pokorra.de
So I guess that is not how it is supposed to work.

I also saw this open pull request from Daniel, from February 2015 [8]:
"When using ldap_domain_* domain discovery the ldap_base variable gets
replaced by the one found in the ldap result, but the variables
ldap_member_base and ldap_group_base are not getting replaced or
adjusted"
Is this in anyway related to canonification?

Does canonification work for anyone with Kolab 16 or Winterfell for
multiple domains with separate LDAP trees? Or did someone get it to
work for Kolab 3.4?

I am thinking of an alternative, to have a method in our LDAP auth php
code, that would take the userid, and check all domain trees for this
userid, and return the domain name to be used as realm. I would call
this method for Roundcube auth in [9]. For IMAP auth, I would call it
in pykolab saslauthd [10] through the wap_client.
Any opinions on this solution?

Is there an easy way that is just not documented properly?

Thanks for any help or suggestions,
  Timotheus

[1]: http://lists.kolab.org/pipermail/users/2015-August/019750.html
[2]: https://docs.kolab.org/howtos/multi-domain.html
[3]: https://lists.andrew.cmu.edu/pipermail/cyrus-devel/2013-June/002840.html
[4]: https://git.cyrus.foundation/rI8bdaeae3f891ba2a748ba91a4c324ee11346e292
[5]: https://git.cyrus.foundation/diffusion/I/browse/master/ptclient/ldap.c;cyrus-imapd-2.5.7$559
[6]: https://issues.kolab.org/show_bug.cgi?id=819
[7]: https://cgit.kolab.org/pykolab/commit/?id=d8665844e86329e4f0db2fdb4fafe4335328bcfd
[8]: https://git.cyrus.foundation/D1
[9]: https://cgit.kolab.org/roundcubemail-plugins-kolab/tree/plugins/kolab_auth/kolab_auth_ldap.php#n402
[10]: https://cgit.kolab.org/pykolab/tree/saslauthd/__init__.py#n243

More information about the devel mailing list