Cyrus SASL ldapdb man page

This document describes configuration options for the Cyrus SASL auxiliary property plugin ldapdb.

This plugin reads all user data from an LDAP server. It requires configuration of both the ldapdb plugin and the LDAP server. The ldapdb plugin must name a proxy user, and that proxy user must itself SASL-authenticate to the LDAP server. The LDAP server must authorize the ldapdb proxy user to read the authenticating user's userPassword attribute; if that access control is missing, the lookup fails and authentication is refused.


The following configuration parameters are applicable in the context of the ldapdb plugin:

ldapdb_uri (default: empty)
Specifies a whitespace-separated list of LDAP servers (authentication backends). Use ldapi://..., ldap://... or ldaps://... to specify how the servers should be contacted.
ldapdb_canon_attr (default: empty)
A canon_user plugin allows the username that a client sends to be remapped to some other, canonical form. The value of the LDAP attribute named by ldapdb_canon_attr provides the canonical name that should be used.
ldapdb_id (default: empty)
Specifies the proxy user name (authentication id) that logs into the LDAP server in order to retrieve the authenticating user's userPassword.
ldapdb_mech (default: empty)
Sets the SASL mechanism the ldapdb plugin (acting as an LDAP client) uses when it binds to the LDAP server via SASL.
ldapdb_pw (default: empty)
Specifies the password used by ldapdb_id. The password must be written in cleartext, so restrict the configuration file to the user the SASL-enabled server runs as, or avoid storing a password at all by using ldapdb_rc with a client certificate.
ldapdb_rc (default: empty)

Specifies a path to a file that contains configuration options to override system-wide defaults when running LDAP clients.

The main purpose of this option is to drop transmission of ldapdb_pw in favor of a client TLS certificate specified in ldapdb_rc, so that SASL/EXTERNAL can be used between the ldapdb plugin and the LDAP server.


This is the preferred way to use the ldapdb plugin when the servers are on separate machines: the connection is encrypted and no password has to be transmitted (or kept in the configuration file), because the client is identified by its TLS client certificate.

ldapdb_starttls (default: disabled)

Enable encrypted communication using StartTLS. Valid options are:

try
StartTLS encrypted communication is attempted. If it fails the client communicates unencrypted. Because the client falls back instead of aborting, anyone who can make the StartTLS negotiation fail downgrades the bind to cleartext.
demand
StartTLS encrypted communication is required. If it fails the client aborts the connection. Use this setting for ldap:// servers on other machines.


The following example shows a typical ldapdb configuration.

# GENERIC options
pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: plain login cram-md5 digest-md5 ntlm

# LDAPDB settings
ldapdb_uri: ldap://localhost ldaps://
ldapdb_id: proxyuser
ldapdb_pw: proxypass
ldapdb_mech: DIGEST-MD5
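The following is an added example, not code from Cyrus SASL or from this page: a small Python linter that parses configuration in the key: value style shown above and reports the weaknesses the option descriptions warn about (an ldap:// server without ldapdb_starttls set to demand, the try fallback, a cleartext ldapdb_pw, and an EXTERNAL bind with no ldapdb_rc). It embeds the page's example as one constructed input and an ldapdb_rc/EXTERNAL variant as the other. The hostname ldap.example.com, the /etc/sasl2 paths, the severity labels and the assumption that the ldapdb_rc file uses the ldap.conf(5) keyword format read by OpenLDAP client libraries are all the example's own.

```python
"""Lint a Cyrus SASL ldapdb configuration for the weaknesses this page describes.

Added example for this page, not Cyrus SASL code. The rules encode only what the
option descriptions state: ldap:// is cleartext unless StartTLS is demanded,
"try" falls back to cleartext, ldapdb_pw sits in the file in cleartext, and
ldapdb_rc with a client certificate lets SASL/EXTERNAL replace the password.
"""

# Mechanisms that need ldapdb_pw to bind (EXTERNAL does not).
PASSWORD_MECHS = {"PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5"}
# PLAIN and LOGIN send the password itself rather than a challenge response.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample 1: the page's own example configuration.
WEAK_CONF = """\
pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: plain login cram-md5 digest-md5 ntlm
ldapdb_uri: ldap://localhost ldaps://
ldapdb_id: proxyuser
ldapdb_pw: proxypass
ldapdb_mech: DIGEST-MD5
"""

# Constructed sample 2: the ldapdb_rc + SASL/EXTERNAL variant the text recommends.
# Hostname and paths are assumptions made for this example.
HARDENED_CONF = """\
pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: plain login
ldapdb_uri: ldap://ldap.example.com
ldapdb_id: proxyuser
ldapdb_mech: EXTERNAL
ldapdb_rc: /etc/sasl2/ldapdb.ldaprc
ldapdb_starttls: demand
"""

# What /etc/sasl2/ldapdb.ldaprc would hold, assuming the ldap.conf(5) keyword
# format. The LDAP server must map this certificate's subject to the proxy
# user's DN for EXTERNAL to authenticate it.
HARDENED_LDAPRC = """\
TLS_CACERT  /etc/ssl/certs/internal-ca.pem
TLS_CERT    /etc/sasl2/ldapdb-proxy.crt
TLS_KEY     /etc/sasl2/ldapdb-proxy.key
TLS_REQCERT demand
"""


def parse_sasl_conf(text):
    """Parse 'key: value' lines in Cyrus SASL config style; keys are lower-cased."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf


def lint_ldapdb(conf):
    """Return a list of (severity, message) findings for the ldapdb settings in conf."""
    findings = []
    uris = conf.get("ldapdb_uri", "").split()
    starttls = conf.get("ldapdb_starttls", "").lower()
    mech = conf.get("ldapdb_mech", "").upper()
    # ldaps:// is TLS from the start and ldapi:// is a local Unix socket;
    # only ldap:// can cross the wire unencrypted.
    cleartext_wire = [u for u in uris if u.startswith("ldap://")]

    if not uris:
        findings.append(("high", "ldapdb_uri is empty: no LDAP server to query"))
    if cleartext_wire and starttls != "demand":
        findings.append(("high", "%s without 'ldapdb_starttls: demand': the bind can cross the wire unencrypted"
                         % " ".join(cleartext_wire)))
    if starttls == "try":
        findings.append(("medium", "'ldapdb_starttls: try' falls back to cleartext when StartTLS fails; use 'demand'"))
    if not mech:
        findings.append(("high", "ldapdb_mech is empty: set the mechanism the plugin binds with"))
    elif mech == "EXTERNAL":
        if not conf.get("ldapdb_rc"):
            findings.append(("high", "EXTERNAL needs a client certificate: point ldapdb_rc at an ldaprc with TLS_CERT/TLS_KEY"))
        if conf.get("ldapdb_pw"):
            findings.append(("low", "ldapdb_pw is set but unused with EXTERNAL; remove it from the file"))
    elif mech in PASSWORD_MECHS:
        if not conf.get("ldapdb_pw"):
            findings.append(("high", "%s needs ldapdb_pw to bind" % mech))
        else:
            findings.append(("medium", "ldapdb_pw holds the proxy password in cleartext: restrict the file to the SASL server user, or move to ldapdb_rc + EXTERNAL"))
            if mech in CLEARTEXT_MECHS and cleartext_wire and starttls != "demand":
                findings.append(("high", "%s sends ldapdb_pw itself in the clear over ldap://" % mech))
    return findings


def lint_text(text):
    """Convenience wrapper: lint a configuration given as text."""
    return lint_ldapdb(parse_sasl_conf(text))


if __name__ == "__main__":
    for name, text in (("page example", WEAK_CONF), ("EXTERNAL variant", HARDENED_CONF)):
        print("== %s ==" % name)
        for sev, msg in lint_text(text) or [("ok", "no findings")]:
            print("  [%s] %s" % (sev, msg))
```

Run against the page's example it reports the ldap://localhost bind with no StartTLS demand and the cleartext proxy password; the EXTERNAL variant comes back clean. The linter only sees the SASL side, so after switching to EXTERNAL you still need to confirm on the LDAP server that the certificate subject maps to the proxy DN and that this DN is allowed to read userPassword.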
Patrick Koetter, 07 Jan 2015