I've been able to reproduce this behavior locally, and it looks like a quirk with Cyrus SASL. Because LDAP authentication is an enterprise feature, the relevant code isn't in the SASL PLAIN conversation linked in the description. In the Enterprise module, the user name is provided to saslauthd, which seems to be treating everything after an '@' as the authenticating user's realm, which isn't used while substituting the user name into '%u' tokens in the saslauthd.conf.
This appears to be expected behavior per this comment in Cyrus SASL's sasl.h:
*************************************************
* IMPORTANT NOTE: server realms / username syntax
*
* If a user name contains a "@", then the rightmost "@" in the user name
* separates the account name from the realm in which this account is
* located. A single server may support multiple realms. If the
* server knows the realm at connection creation time (e.g., a server
* with multiple IP addresses tightly binds one address to a specific
* realm) then that realm must be passed in the user_realm field of
* the sasl_server_new call. If user_realm is non-empty and an
* unqualified user name is supplied, then the canon_user facility is
* expected to append "@" and user_realm to the user name. The canon_user
* facility may treat other characters such as "%" as equivalent to "@".
*
* If the server forbids the use of "@" in user names for other
* purposes, this simplifies security validation.
It seems that users who need '@' symbols should run saslauthd with '-r'. This option causes saslauthd to, per the man pages,
Combine the realm with the login (with an ’@’ sign in between). e.g. login: "foo" realm: "bar" will get passed as login: "foo@bar".
This should be the desired behavior, and I can confirm this works for me locally.
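The following is a small model of the rules quoted above, added here as an illustration; it is not code from Cyrus SASL, saslauthd, or this project. It re-implements the documented behaviour (the rightmost '@' splits account from realm, canon_user appends '@' plus user_realm to an unqualified name, and saslauthd -r re-joins login and realm before the '%u' substitution) so the effect on an ldap_filter can be seen without a running daemon. The ldap_filter value and the user names are constructed for the example.

```python
"""
Model of Cyrus SASL user-name/realm handling as described in sasl.h and the
saslauthd man page. Written for this page as an illustration only; it is not
Cyrus SASL or saslauthd code. The filter below is a constructed example of a
saslauthd.conf ldap_filter, not a real configuration.
"""

# Constructed saslauthd.conf value (assumed for the example).
LDAP_FILTER = "(&(objectClass=person)(mail=%u))"


def split_realm(user_name, user_realm=""):
    """Apply the sasl.h rule: the rightmost '@' separates the account name
    from the realm. If the name is unqualified and user_realm is non-empty,
    canon_user is expected to append '@' + user_realm, so the realm is taken
    from user_realm in that case."""
    if "@" in user_name:
        account, realm = user_name.rsplit("@", 1)
        return account, realm
    return user_name, user_realm


def saslauthd_login(user_name, user_realm="", combine_realm=False):
    """Return the login string that would be substituted for '%u'.
    combine_realm=True models 'saslauthd -r', which passes login@realm
    instead of the bare login."""
    account, realm = split_realm(user_name, user_realm)
    if combine_realm and realm:
        return f"{account}@{realm}"
    return account


def ldap_filter_for(user_name, user_realm="", combine_realm=False):
    """Substitute '%u' in the constructed ldap_filter the way the model
    expects saslauthd to, with and without the -r behaviour."""
    login = saslauthd_login(user_name, user_realm, combine_realm)
    return LDAP_FILTER.replace("%u", login)


if __name__ == "__main__":
    for name in ("alice@example.com", "alice@corp@example.com", "alice"):
        print(name)
        print("  without -r:", ldap_filter_for(name, "example.com"))
        print("  with -r:   ", ldap_filter_for(name, "example.com", True))
```

Running the block shows why the filter stops matching: for "alice@example.com" the '%u' token receives only "alice" unless saslauthd is started with -r, and a name with two '@' characters keeps everything before the rightmost one as the account.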