Hi,
Does Cyrus IMAPd 2.3.1 supports ldap authorization trought ptloader? The
configuration parameters " " used in the
2.2.x versions are not displayed in 2.3.1 with ./configure We
use Cyrus IMAPd with ldap authorization for about 2 years and it works
just great. I hope ldap ptloader support will be continued with the
latest Cyrus IMAPd versions!
Season's greetings,
Milen
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ:
List Archives/Info:

>
Mon, 26 Dec 2005, Milen Dimov wrote:
>
>Hi,
>>
>Does Cyrus IMAPd 2.3.1 supports ldap authorization trought ptloader? The
>configuration parameters " " used in the
>2.2.x versions are not displayed in 2.3.1 with ./configure We
>use Cyrus IMAPd with ldap authorization for about 2 years and it works
>just great. I hope ldap ptloader support will be continued with the
>latest Cyrus IMAPd versions!
>
Authorization mechanism and pts module are runtime options. See
imapd.conf man pages (auth_mech and pts_module) ldap pts module is
available if configure script finds openldap libs ()

A related question:
If openldap is built against SASLv1, will the ldap pts module work?

My question is because when packaging postfix, I had the problem that one
could not build postfix with SASLv2 _and_ LDAP support if the installed
openldap has been built for SASLv1. This has just resulted in segfaults.

Without understanding what exactly the problem was, I fear the same could
be the case with cyrus-imapd as well?

BTW: I know that openldap built against SASLv1 is old, but I still want
the rpm to be suitable for older platforms. If it's a problem I simply
disable ldap pts support for those using openldap/SASLv1.

Thanks for any insights,
Simon

Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ:
List Archives/Info:

>
Tue, 3 Jan 2006, Simon Matter wrote:

Mon, 26 Dec 2005, Milen Dimov wrote:

Hi,

Does Cyrus IMAPd 2.3.1 supports ldap authorization trought ptloader?
The
configuration parameters " " used in the
2.2.x versions are not displayed in 2.3.1 with ./configure We
use Cyrus IMAPd with ldap authorization for about 2 years and it works
just great. I hope ldap ptloader support will be continued with the
latest Cyrus IMAPd versions!

Authorization mechanism and pts module are runtime options. See
imapd.conf man pages (auth_mech and pts_module) ldap pts module is
available if configure script finds openldap libs ()
>>
>A related question:
>If openldap is built against SASLv1, will the ldap pts module work?
>>
>My question is because when packaging postfix, I had the problem that
>one
>could not build postfix with SASLv2 _and_ LDAP support if the installed
>openldap has been built for SASLv1. This has just resulted in segfaults.
>>
>Without understanding what exactly the problem was, I fear the same
>could
>be the case with cyrus-imapd as well?
>>
>BTW: I know that openldap built against SASLv1 is old, but I still want
>the rpm to be suitable for older platforms. If it's a problem I simply
>disable ldap pts support for those using openldap/SASLv1.
>
cyrus imapd configure checks for openldap version and I believe the
supported openldap versions uses saslv2 only.

This seems not to work in my case. However, I'll add the needed logic to
the rpm build process.

Thanks,
Simon

Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ:
List Archives/Info:

Tue, 03 Jan 2006, Simon Matter wrote:
>could not build postfix with SASLv2 _and_ LDAP support if the installed
>openldap has been built for SASLv1. This has just resulted in segfaults.
>
You are experienced what I call the "missing versioned symbols hell". We
have that fixed in Debian by force. If you're interested in the patches to
fully version SASLv2 (Debian dropped SASLv1), just drop me a note and I
will
send them to you. I *think* they were sent to CMU as well, but I am not
sure, I will revisit this if the Cyrus maintainer team in Debian takes
over
Cyrus SASL as well.

Thank you for the detailed explanation. In my case I don't want to touch
anything SASL related.

NTE: I assume the old problem with SASL using global state that prevented
it from being used at the same time in client and server mode has been
fixed. , it could be the cause as well, it depends on what has
the
chance to break the app first.
>
>Without understanding what exactly the problem was, I fear the same
>could
>be the case with cyrus-imapd as well?
>
It depends. Without symbol versioning, if you somehow manage to link both
saslv1 and saslv2 to the same library or application, it goes kaboom.
This
can happen if you link to libs linked to different versions of sasl, or if
glibc nsswitch modules link to sasl (guess what happens if you use LDAP
passwd maps?).

So, if cyrus-imap is linked to saslv2 (HIGHLY recomended), and *anything*
else it uses is linked to saslv1 (e.g. openldap libs), and symbols are
unversioned bad things _will_ happen. Note that the same crap happens
if
anything SASL links to (or dlopen()s, it is the same problem) manages to
link to other SASL lib (again old openldap libs).

, so it _will_ break in my case and I'll design the rpm so it detects
whether openldap is linked against SASLv1, and if it's true, it will build
without ldap support.

>
>BTW: I know that openldap built against SASLv1 is old, but I still want
>the rpm to be suitable for older platforms. If it's a problem I simply
>disable ldap pts support for those using openldap/SASLv1.
>
You cannot fix this, I am afraid. The old libs won't be versioned, thus
they will still require that the *entire* system use either saslv1 or
saslv2
for maximum stability. You need to have at least one of the clashing libs
with symbols versioned AND you absolutely *must* have built everything
using that library against the library with versioned symbols.

, and the symbol version must be the same, too. In Debian, we are using
"SASL2".

As you said I can't fix this and I don't want. I will just make sure that
on systems with openldap/SASLv1, the cyrus-imapd packages are built
without ldap support.

Thanks for clearing this up,
Simon

Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ:
List Archives/Info:

>
Wed, 4 Jan 2006, Simon Matter wrote:

BTW: I know that openldap built against SASLv1 is old, but I still
want
the rpm to be suitable for older platforms. If it's a problem I simply
disable ldap pts support for those using openldap/SASLv1.

cyrus imapd configure checks for openldap version and I believe the
supported openldap versions uses saslv2 only.
>>
>This seems not to work in my case. However, I'll add the needed logic to
>the rpm build process.
>>
>
You are correct. cyrus-sasl checks for the openldap version and
cyrus-imapd does not. You should not be able to compile cyrus-imapd with
such old version of openldap anyway.

It builds fine but then an "ldd ptloader" shows that it's linked against
both sasl1 and sasl2, which I'm sure won't work.

Simon

Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ:
List Archives/Info:

>
Wed, 4 Jan 2006, Simon Matter wrote:

Wed, 4 Jan 2006, Simon Matter wrote:

BTW: I know that openldap built against SASLv1 is old, but I still
want
the rpm to be suitable for older platforms. If it's a problem I
simply
disable ldap pts support for those using openldap/SASLv1.

cyrus imapd configure checks for openldap version and I believe the
supported openldap versions uses saslv2 only.

This seems not to work in my case. However, I'll add the needed logic
to
the rpm build process.

You are correct. cyrus-sasl checks for the openldap version and
cyrus-imapd does not. You should not be able to compile cyrus-imapd
with
such old version of openldap anyway.
>>
>It builds fine but then an "ldd ptloader" shows that it's linked against
>both sasl1 and sasl2, which I'm sure won't work.
>
Just curious, what version of openldap do you use?

It's openldap 2.0.27.

Simon

Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ:
List Archives/Info: