On Tue, 21 Dec 2004, Mike O'Rourke wrote:
Hi all,
I have IMAPd 2.2.10, compiled with --with-auth=pts --with-pts=ldap --with-ldap OpenLDAP 2.2.17
my /etc/imapd.conf is:
configdirectory: /var/imap
defaultpartition: default
partition-default: /var/spool/imap
unixhierarchysep: yes
allowanonymouslogin: no
allowplaintext: yes
allowusermoves: yes
servername: server12.mydom.com
virtdomains: userid
defaultdomain: mydom.com
autocreatequota: -1
createonpost: 1
autocreateinboxfolders: Sent|Trash
autosubscribeinboxfolders: Sent|Trash
admins: cyrus
lmtpsocket: /var/imap/socket/lmtp
sendmail: /usr/sbin/sendmail
tls_cert_file: /var/imap/server12_cert.pem
tls_key_file: /var/imap/server12_key.pem
tls_CA_file: /var/imap/cacerts/cacert.pem
tls_CA_path: /var/imap/cacerts
tls_require_cert: 0
ldap_sasl: 0
ldap_base: ou=email,o=internet,o=mycom
ldap_bind_dn: cn=server12.mydom.com,ou=hosts,o=internet,o=mycom
ldap_filter: (&(uid=%u)(MailUserDefHost=server12.mydom.com))
ldap_password: mypass
ldap_tls_cacert_file: /var/imap/cacerts/cacert.pem
ldap_tls_cert: /var/imap/server12_cert.pem
ldap_tls_key: /var/imap/server12_key.pem
ldap_uri: ldaps://192.168.7.11 ldaps://ldap1.mydom.com ldaps://ldap2.mydom.com
ptloader_sock: /var/imap/socket/ptsock
In the ldap_filter, MailUserDefHost is a private attribute to limit which host the user can login to.
Authorization fails with a generic failure (see the output from imtest below, if you wish). Even though "ldap_sasl" is set to 0 in imapd.conf, it would seem that it is trying to use SASL (proxy) authentication after a successful bind (see the debugging output from the LDAP server below, if you wish).
This is a bug in ptloader/ldap.
Please try this patch:
Index: ldap.c =================================================================== RCS file: /cvs/src/cyrus/ptclient/ldap.c,v retrieving revision 1.7 diff -u -r1.7 ldap.c --- ldap.c 24 Jun 2004 19:28:39 -0000 1.7 +++ ldap.c 21 Dec 2004 05:27:18 -0000 @@ -799,34 +799,38 @@
#if LDAP_VENDOR_VERSION >= 20125
- authzid = xmalloc(size + sizeof("u:")); - if (authzid == NULL) - return PTSM_NOMEM; + if (ptsm->sasl) {
- strcpy(authzid, "u:"); - strcpy(authzid+2, canon_id); - c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ; - c.ldctl_value.bv_val = authzid; - c.ldctl_value.bv_len = size + 2; - c.ldctl_iscritical = 1; + authzid = xmalloc(size + sizeof("u:")); + if (authzid == NULL) + return PTSM_NOMEM;
- ctrl[0] = &c; - ctrl[1] = NULL; - rc = ldap_whoami_s(ptsm->ld, &dn, ctrl, NULL); - free(authzid); - if ( rc != LDAP_SUCCESS || !dn ) { - if (rc == LDAP_SERVER_DOWN) { - ldap_unbind(ptsm->ld); - ptsm->ld = NULL; - return PTSM_RETRY; + strcpy(authzid, "u:"); + strcpy(authzid+2, canon_id); + c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ; + c.ldctl_value.bv_val = authzid; + c.ldctl_value.bv_len = size + 2; + c.ldctl_iscritical = 1; + + ctrl[0] = &c; + ctrl[1] = NULL; + rc = ldap_whoami_s(ptsm->ld, &dn, ctrl, NULL); + free(authzid); + if ( rc != LDAP_SUCCESS || !dn ) { + if (rc == LDAP_SERVER_DOWN) { + ldap_unbind(ptsm->ld); + ptsm->ld = NULL; + return PTSM_RETRY; + } + return PTSM_FAIL; } - return PTSM_FAIL; - }
- if ( dn->bv_val && - !strncmp(dn->bv_val, "dn:", 3) ) - *ret = strdup(dn->bv_val+3); - ber_bvfree(dn); + if ( dn->bv_val && + !strncmp(dn->bv_val, "dn:", 3) ) + *ret = strdup(dn->bv_val+3); + ber_bvfree(dn); + + }
#else
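Review bot: with ldap_sasl set to 0 the new `if (ptsm->sasl) {` guard skips the whole WhoAmI/proxy-authz block, but the search-based lookup that follows sits under `#else`, a preprocessor alternative that is not compiled in when LDAP_VENDOR_VERSION >= 20125; nothing visible in the hunk then assigns `*ret` for a non-SASL bind, so the lookup would fail in a different way rather than succeed. Confirm that the code after the hunk falls back to the ldap_filter search when `*ret` is still NULL, or move that search out of the `#else` so both build variants can reach it at run time. While here, the imapd.conf(5) text for ldap_sasl should state that the proxy authorization control is only sent when the option is enabled, since that is the behaviour this change introduces.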
So, am I missing something in the documentation about the setup of my LDAP server or Cyrus? What do I need to do? I am not _too_ concerned about security here since I am communicating on a private and trusted net or via ldaps; hence my setting ldap_sasl to 0.
sasl is not used for security only, but for simplicity as well among other things.
Thanks, Mike.
imtest -u [EMAIL PROTECTED] -a [EMAIL PROTECTED] -m login -t "" localhost
S: * OK server12.mydom.com Cyrus IMAP4 v2.2.10 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=LOGIN AUTH=PLAIN AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN [EMAIL PROTECTED] {9}
S: L01 NO Invalid user
Authentication failed. generic failure
Security strength factor: 256
slapd log output:
------ default slapd debug level:
Dec 20 18:40:01 server11 slapd[9757]: conn=84 fd=24 ACCEPT from IP=192.168.7.12:32809 (IP=0.0.0.0:636)
Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=0 BIND dn="cn=server12.mydom.com,ou=hosts,o=internet,o=mycom" method=128
Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=0 BIND dn="cn=server12.mydom.com,ou=hosts,o=internet,o=mycom" mech=SIMPLE ssf=0
Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=0 RESULT tag=97 err=0 text=
------ Begin slapd -d -1 debugging output:
=> get_ctrls: oid="2.16.840.1.113730.3.4.18" (critical)
parseProxyAuthz: conn 0 authzid="u:[EMAIL PROTECTED]"
slap_sasl_getdn: id=u:[EMAIL PROTECTED] [len=22]
slap_sasl_getdn: u:id converted to [EMAIL PROTECTED],cn=SIMPLE,cn=auth
>>> dnNormalize: <[EMAIL PROTECTED],cn=SIMPLE,cn=auth>
=> ldap_bv2dn([EMAIL PROTECTED],cn=SIMPLE,cn=auth,0)
ldap_err2string
<= ldap_bv2dn([EMAIL PROTECTED],cn=SIMPLE,cn=auth)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv([EMAIL PROTECTED],cn=simple,cn=auth)=0 Success
<<< dnNormalize: <[EMAIL PROTECTED],cn=simple,cn=auth>
==>slap_sasl2dn: converting SASL name [EMAIL PROTECTED],cn=simple,cn=auth to a DN
slap_sasl_regexp: converting SASL name [EMAIL PROTECTED],cn=simple,cn=auth
<==slap_sasl2dn: Converted SASL name to <nothing>
parseProxyAuthz: conn=0 "[EMAIL PROTECTED],cn=simple,cn=auth"
==>slap_sasl_authorized: can cn=server11.mydom.com,ou=hosts,o=internet,o=mycom become [EMAIL PROTECTED],cn=simple,cn=auth?
<== slap_sasl_authorized: return 48
<= get_ctrls: n=1 rc=47 err="not authorized to assume identity"
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=47 matched="" text="not authorized to assume identity"
send_ldap_response: msgid=2 tag=120 err=47
conn=0 op=1 RESULT tag=120 err=47 text=not authorized to assume identity
do_extended: get_ctrls failed
------End slapd -d -1 debugging output
Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=1 RESULT tag=120 err=47 text=not authorized to assume identity
Dec 20 18:40:01 server11 slapd[9757]: do_extended: get_ctrls failed
--- Cyrus Home Page: http://asg.web.cmu.edu/cyrus Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
-- Igor
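The directory-side symptom in this thread is the err=47 RESULT on a connection that only ever did a simple bind: that is what tells you a proxy authorization control is arriving from a client that has no business sending one. The following Python script is an added example, not part of the thread and not Cyrus or OpenLDAP code. It reads slapd's default-level connection log, groups ACCEPT / BIND / RESULT lines by conn= id, and reports every "not authorized to assume identity" denial together with the DN that bound, the mechanism and SSF of that bind, and the client address. The conn=84 lines in the constructed sample are the ones Mike posted; the conn=85 lines (server13, alice) are invented for contrast and show a simple bind followed by an ordinary search, which the script leaves alone.

```python
"""Flag slapd proxy-authorization denials and tie them to the binding identity."""
import re
from dataclasses import dataclass, field

# OpenLDAP's LDAP_X_PROXY_AUTHZ_FAILURE (0x2f = 47) is the err= value behind
# "not authorized to assume identity". tag=120 on that RESULT line is an
# extendedResp, i.e. the WhoAmI? request that carried the proxy-authz control.
PROXY_AUTHZ_FAILURE = 47

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(
    r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"(?: method=\d+| mech=(\S+) ssf=(\d+))'
)
RESULT_RE = re.compile(
    r"conn=(\d+) op=(\d+) (?:SEARCH )?RESULT tag=(\d+) err=(\d+)(?: nentries=\d+)? text=(.*)$"
)

# Constructed sample: conn=84 is the default-level slapd log quoted in the
# thread; conn=85 is an invented, successful simple bind followed by a search
# (server13 and alice are placeholders), added for contrast.
SAMPLE_LOG = """\
Dec 20 18:40:01 server11 slapd[9757]: conn=84 fd=24 ACCEPT from IP=192.168.7.12:32809 (IP=0.0.0.0:636)
Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=0 BIND dn="cn=server12.mydom.com,ou=hosts,o=internet,o=mycom" method=128
Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=0 BIND dn="cn=server12.mydom.com,ou=hosts,o=internet,o=mycom" mech=SIMPLE ssf=0
Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=0 RESULT tag=97 err=0 text=
Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=1 RESULT tag=120 err=47 text=not authorized to assume identity
Dec 20 18:40:01 server11 slapd[9757]: do_extended: get_ctrls failed
Dec 20 18:41:10 server11 slapd[9757]: conn=85 fd=25 ACCEPT from IP=192.168.7.13:40000 (IP=0.0.0.0:636)
Dec 20 18:41:10 server11 slapd[9757]: conn=85 op=0 BIND dn="cn=server13.mydom.com,ou=hosts,o=internet,o=mycom" mech=SIMPLE ssf=0
Dec 20 18:41:10 server11 slapd[9757]: conn=85 op=0 RESULT tag=97 err=0 text=
Dec 20 18:41:10 server11 slapd[9757]: conn=85 op=1 SRCH base="ou=email,o=internet,o=mycom" scope=2 deref=0 filter="(uid=alice)"
Dec 20 18:41:10 server11 slapd[9757]: conn=85 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""


@dataclass
class Conn:
    conn: str
    client_ip: str = "?"
    bind_dn: str = ""
    mech: str = ""
    ssf: int = 0
    denials: list = field(default_factory=list)  # (op, text) pairs with err=47


def parse_slapd_log(text):
    """Group ACCEPT / BIND / RESULT lines by conn= id; keep only err=47 results."""
    conns = {}
    for line in text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conns[m.group(1)] = Conn(conn=m.group(1), client_ip=m.group(2))
            continue
        m = BIND_RE.search(line)
        if m:
            c = conns.setdefault(m.group(1), Conn(conn=m.group(1)))
            c.bind_dn = m.group(3)
            if m.group(4):  # the mech=/ssf= line, not the method= line
                c.mech = m.group(4)
                c.ssf = int(m.group(5))
            continue
        m = RESULT_RE.search(line)
        if m and int(m.group(4)) == PROXY_AUTHZ_FAILURE:
            c = conns.setdefault(m.group(1), Conn(conn=m.group(1)))
            c.denials.append((int(m.group(2)), m.group(5).strip()))
    return conns


def proxy_authz_denials(text):
    """One record per denied proxied identity: who bound, how, and from where."""
    report = []
    for c in parse_slapd_log(text).values():
        for op, msg in c.denials:
            report.append({
                "conn": c.conn, "client_ip": c.client_ip, "bind_dn": c.bind_dn,
                "mech": c.mech, "ssf": c.ssf, "op": op, "text": msg,
            })
    return report


if __name__ == "__main__":
    for r in proxy_authz_denials(SAMPLE_LOG):
        print(f"conn={r['conn']} from {r['client_ip']}: {r['bind_dn']!r} "
              f"({r['mech']}, ssf={r['ssf']}) op={r['op']}: {r['text']}")
```

A denial reported against a mech=SIMPLE bind is the fingerprint of this bug: slapd will only let an identity be assumed under the authzTo/authzFrom rules for the bound DN, and a simple bind from the Cyrus host DN has none, so the control is refused before the WhoAmI? operation runs. Once ptloader stops sending the control for ldap_sasl: 0, the same log should show conn=84-style connections going straight from the bind RESULT to an SRCH against ldap_base.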