On Thu, 9 Jun 2005, Thomas Vogt wrote:
Hi again,
Perhaps I have to give more information, incl. debug output.
I'm running cyrus imapd 2.2.12
imapd.conf:
configdirectory: /m/imap
partition-default: /m/spool/imap
logtimestamps: yes
sieveusehomedir: false
sievedir: /m/imap/sieve
hashimapspool: true
sasl_pwcheck_method: saslauthd
ptloader_sock: /var/imap/socket/ptsock
lmtpsocket: /var/imap/socket/lmtp
idlesocket: /var/imap/socket/idle
notifysocket: /var/imap/socket/notify
ldap_base: dc=freeweb,dc=ch
ldap_deref: search
ldap_filter: ([EMAIL PROTECTED]) #hardcoded, since I just want to test alias login
ldap_sasl: 0
ldap_group_scope: sub
ldap_bind_dn: dc=freeweb,dc=ch
ldap_restart: 1
ldap_scope: sub
ldap_start_tls: 0
ldap_time_limit: 10
ldap_timeout: 15
ptscache_timeout: 0
ldap_tls_check_peer: no
ldap_uri: ldap://localhost/
saslauthd.conf
ldap_servers: ldap://localhost/
ldap_search_base: ou=people,ou=freeweb,dc=freeweb,dc=ch
ldap test user entry:
# usermail04, people, freeweb, freeweb, ch
dn: uid=usermail04, ou=people,ou=freeweb,dc=freeweb,dc=ch
uid: usermail04
sn: none
uidNumber: -1
gidNumber: -1
homeDirectory: /nonexistent
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: xMail
cn: Testuser
userPassword:: e01EaEgMEUs4gaUmRZSU9xSll0Y1FnPT0K
maildrop: [EMAIL PROTECTED]
alias: [EMAIL PROTECTED]
alias: [EMAIL PROTECTED]
With the uid I can login as expected:
[EMAIL PROTECTED]:~# telnet 0 110
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
+OK mail04.freeweb.ch Cyrus POP3 v2.2.12 server ready
<[EMAIL PROTECTED]>
user usermail04
+OK Name is a valid mailbox
pass test
+OK Mailbox locked and ready
list
+OK scan listing follows
1 2908
2 1939
3 2922
4 1430
If I try to login with the alias value from the LDAP (alias: [EMAIL PROTECTED]) I get an error message
[EMAIL PROTECTED]:~# telnet 0 110
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
+OK mail04.freeweb.ch Cyrus POP3 v2.2.12 server ready
<[EMAIL PROTECTED]>
user smail04
+OK Name is a valid mailbox
pass test
-ERR [AUTH] Invalid login
slapd -d 256 shows:
User login with smail04 (alias user):
daemon: conn=0 fd=8 connection from IP=127.0.0.1:53965 (IP=127.0.0.1:389)
accepted.
conn=0 op=0 BIND dn="DC=FREEWEB,DC=CH" method=128
ber_flush: 14 bytes to sd 8
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="dc=freeweb,dc=ch" scope=2
filter="([EMAIL PROTECTED])"
ber_flush: 396 bytes to sd 8
ber_flush: 14 bytes to sd 8
conn=0 op=1 SEARCH RESULT tag=101 err=0 text=
conn=0 op=2 SRCH base="uid=usermail04, ou=people,ou=freeweb,dc=solnet,dc=ch"
scope=0 filter="(objectClass=*)"
ber_flush: 396 bytes to sd 8
ber_flush: 14 bytes to sd 8
conn=0 op=2 SEARCH RESULT tag=101 err=0 text=
password auth:
daemon: conn=3 fd=17 connection from IP=127.0.0.1:54593 (IP=127.0.0.1:389)
accepted.
conn=3 op=0 BIND dn="" method=128
ber_flush: 14 bytes to sd 17
conn=3 op=0 RESULT tag=97 err=0 text=
conn=3 op=1 SRCH base="ou=people,ou=freeweb,dc=freeweb,dc=ch" scope=2
filter="(uid=smail04)"
ber_flush: 14 bytes to sd 17
conn=3 op=1 SEARCH RESULT tag=101 err=0 text=
I see that sasl uses the uid, which of course will never be true with
"smail04" as username. So I added ldap_filter: ([EMAIL PROTECTED]) in
saslauthd.conf.
Now if I try to login with the alias name I get another error
+OK mail04.freeweb.ch Cyrus POP3 v2.2.12 server ready
<[EMAIL PROTECTED]>
user smail04
+OK Name is a valid mailbox
pass test
-ERR [SYS/PERM] Unable to locate maildrop: Mailbox does not exist
slapd output for the password auth:
conn=1 op=0 BIND dn="" method=128
ber_flush: 14 bytes to sd 14
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 SRCH base="ou=people,ou=freeweb,dc=freeweb,dc=ch" scope=2
filter="([EMAIL PROTECTED])"
ber_flush: 62 bytes to sd 14
ber_flush: 14 bytes to sd 14
conn=1 op=1 SEARCH RESULT tag=101 err=0 text=
conn=1 op=2 BIND dn="UID=USERMAIL04,OU=PEOPLE,OU=FREEWEB,DC=FREEWEB,DC=CH"
method=128
ber_flush: 14 bytes to sd 14
conn=1 op=2 RESULT tag=97 err=0 text=
conn=0 op=3 SRCH base="dc=freeweb,dc=ch" scope=2
filter="([EMAIL PROTECTED])"
ber_flush: 396 bytes to sd 8
ber_flush: 14 bytes to sd 8
conn=0 op=3 SEARCH RESULT tag=101 err=0 text=
conn=0 op=4 SRCH base="uid=usermail04, ou=people,ou=freeweb,dc=freeweb,dc=ch"
scope=0 filter="(objectClass=*)"
ber_flush: 396 bytes to sd 8
ber_flush: 14 bytes to sd 8
conn=0 op=4 SEARCH RESULT tag=101 err=0 text=
saslauthd worked fine.
syslog message:
Jun 9 06:27:34 mail04 pop3[5180]: login: localhost.freeweb.ch [127.0.0.1] smail04 plaintext User logged in
Jun 9 06:27:37 mail04 pop3[5180]: Unable to locate maildrop for smail04: Mailbox does not exist
But as you can see in the ldap entry my maildrop exists.
This is saying that the mailbox in the mailstore does not exist, which is
true. The server is looking for the 'smail04' mailbox.
If I understand it correctly, then ptloader checks if the mailbox is
available with an ldap search when I enter the login name. That's why I get an
"OK" after that. Ptloader can find the alias value in the ldap database. For
the password check sasl steps in. It also finds an entry for the alias user
in my ldap database. But then something goes wrong. I really have no clue.
Can someone please explain to me what happens?
You cannot make this work with the current stock code, you need to write
custom code. You have various options, write a new pts module (or hack
the ldap one to fit your need), a new authorization module or a custom
sasl canon plugin.
-Igor
Regards,
Thomas
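The following is an added example, not code from the thread and not Cyrus or saslauthd code. It is a small in-memory model of the two lookups visible in the slapd output above: saslauthd finds the entry through ldap_filter and binds as it (so "smail04"/"test" authenticates), but the stock code then hands the raw login name to the mailbox lookup, so Cyrus looks for user.smail04, which is not on the spool. The `canonicalize` step is what Igor's "custom sasl canon plugin" would have to supply: map whatever the user typed to the entry's uid. Assumed (hypothetical) details: the directory dict mirrors the LDIF entry in the post with placeholder alias values filled in, mailboxes are keyed `user.<uid>`, the saslauthd filter is `(|(uid=%u)(alias=%u))`, and the password is stored in clear only for the demo. The login name is filter-escaped per RFC 4515 before it is interpolated into the filter, which any custom module that builds filters from user input must do.

```python
"""Model of the alias-login failure mode and of a canonicalization fix.
Added example; not from the thread, not Cyrus/saslauthd code."""

import re

# Constructed directory, mirroring the LDIF entry in the post.  The alias
# values are assumed (they are placeholders on the page).
DIRECTORY = {
    "uid=usermail04,ou=people,ou=freeweb,dc=freeweb,dc=ch": {
        "uid": ["usermail04"],
        "userPassword": ["test"],          # cleartext only for the demo
        "maildrop": ["smail04@freeweb.ch"],
        "alias": ["smail04", "smail04@freeweb.ch"],
    },
}

# Constructed spool: only the uid-named mailbox exists, as in the post.
MAILBOXES = {"user.usermail04"}


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a search filter.
    Without it a login such as '*)(uid=*' would rewrite the filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def search(filter_str: str):
    """Minimal evaluator for the filter shapes used here: (attr=value) or
    (|(attr=value)(attr=value)...), exact match only, no wildcards."""
    terms = re.findall(r"\((\w+)=([^()]*)\)", filter_str)
    hits = []
    for dn, attrs in DIRECTORY.items():
        if any(_unescape(val) in attrs.get(attr, []) for attr, val in terms):
            hits.append(dn)
    return hits


def saslauthd_authenticate(login: str, password: str):
    """Model of saslauthd's ldap_filter search followed by a bind as the
    entry found (conn=1 op=1 / op=2 in the slapd log above).
    Returns the entry DN on success, None on failure."""
    flt = "(|(uid=%u)(alias=%u))".replace("%u", ldap_filter_escape(login))
    hits = search(flt)
    if len(hits) != 1:            # nothing found, or ambiguous: refuse
        return None
    dn = hits[0]
    if password not in DIRECTORY[dn]["userPassword"]:
        return None
    return dn


def canonicalize(dn: str) -> str:
    """The step the stock code lacks: the authenticated entry's uid is the
    name Cyrus must use for 'user.<name>', whatever the client typed."""
    return DIRECTORY[dn]["uid"][0]


def pop3_login(login: str, password: str, canon: bool):
    """Return (ok, reply) the way the POP3 sessions in the post end."""
    dn = saslauthd_authenticate(login, password)
    if dn is None:
        return False, "-ERR [AUTH] Invalid login"
    name = canonicalize(dn) if canon else login
    if f"user.{name}" not in MAILBOXES:
        return False, ("-ERR [SYS/PERM] Unable to locate maildrop: "
                       "Mailbox does not exist")
    return True, "+OK Mailbox locked and ready"


if __name__ == "__main__":
    print("uid login, stock code:   ", pop3_login("usermail04", "test", False))
    print("alias login, stock code: ", pop3_login("smail04", "test", False))
    print("alias login, canon step: ", pop3_login("smail04", "test", True))
    print("hostile login name:      ", pop3_login("*)(uid=*", "x", True))
```

Run with `python3 alias_login.py`: the second line reproduces the "[SYS/PERM]" error from the post, the third shows the same credentials succeeding once the authenticated uid, not the typed alias, is used for the mailbox lookup, and the last shows a filter-metacharacter login failing cleanly instead of changing the search.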
On 08.06.2005 at 23:56, Thomas Vogt wrote:
Hi all
With ptloader we have a nice tool to connect to an ldap backend. And with
ldap_filter in imapd.conf the user has the ability to do nice things. This
works very well. But as I understand it, this is only the authorization
mechanism. I always have problems with the authentication (sasl).
An example. Let's say we have this user information in the ldap backend.
# usermail04, people, freeweb, freeweb, ch
dn: uid=usermail04, ou=people,ou=freeweb,dc=freeweb,dc=ch
uid: usermail04
sn: none
uidNumber: -1
gidNumber: -1
homeDirectory: /nonexistent
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: xMail
cn: Testuser
userPassword:: e01EaEgMEUs4gaUmRZSU9xSll0Y1FnPT0K
maildrop: [EMAIL PROTECTED]
alias: [EMAIL PROTECTED]
alias: [EMAIL PROTECTED]
I can log in without problem if I use the uid as username and the correct
password (auth=pts). But is it not possible to use the alias value too with
the same password for the login procedure?
My problem is that I have an application which is generating a random uid as
the username. Only the alias value is human readable. Which means I'll give the
user the ability to use his alias name for the pop3/imap authentication. Of
course it should work with the uid too. Is there no configuration magic
which can do that?
A few months ago Igor Brezac sent me an example patch. But I never figured
out how it works.
Regards,
Thomas
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
--
Igor