On Tue, 5 Jul 2005, Thomas Vogt wrote:
Hi Igor
I've a problem with my new clean, cyrus installation. I can't login with
my cyradm admin account. The account information is stored in my ldap
database. The sasldb2 is empty. I don't use it. Can you give me some
advice?
For cyradm I use this command:
cyradm --user nmeth2vdiysttboz --server localhost --auth plain
Password:
IMAP Password: <i use the ldap password here>
Error message:
Invalid user at /usr/local/lib/perl5/site_perl/5.8.7/mach/Cyrus/
IMAP/Admin.pm line 118
cyradm: cannot authenticate to server with plain as nmeth2vdiysttboz
Logfile:
Jul 4 21:00:36 mail03 imap[58290]: badlogin: localhost [127.0.0.1] PLAIN
[SASL(-16): encryption needed to use mechanism: security flags do not
match
^^^^^^^^^^
This error is self explanatory.
I added this options below to my imapd.conf. But I still get the same error
message. I don't want to use any encryption. The password is stored as md5
hash in the ldap database. As far as I know this limits my ability for secure
authentication anyway.
allowplaintext: yes
This works for the internal imapd login auth mechanism only.
You cannot use plain without transport protection.
sasl_mech_list: PLAIN
do sasl_mech_list: PLAIN LOGIN
and use login mech in your cyradm cmd.
sasl_minimum_layer: 0
I've compiled sasl with
./configure --sysconfdir=/usr/local/etc --with-plugindir=/usr/local/lib/sasl2
--with-dbpath=/usr/local/etc/sasldb2 --includedir=/usr/local/include
--mandir=/usr/local/man --enable-static --enable-auth-sasldb
--with-rc4=openssl --with-ldap --with-saslauthd=/var/state/saslauthd
--with-dblib=ndbm --without-mysql --without-pgsql --without-sqlite
--enable-login --disable-ntlm --disable-gssapi --disable-krb4
--with-openssl=yes --prefix=/usr/local
Jul 4 21:00:39 mail03 perl: No worthy mechs found
Jul 4 21:00:40 mail03 imap[58290]: ptload(): bad response from ptloader
server: identifier not found
pts/ldap configuration problem. Double check ldap_* params in imapd.conf.
Is there a reason you are using pts authorization module?
I thought this is the best way for my enviroment. Every User information is
stored in my ldap server. uid, maildrop, password ....
I don't like pam_ldap. My older servers are using auth_unix but I've modified
this for ldap. Since my patch no longer works, I decided to use a direct ldap
auth version. But I can try other auth mech, if this is possible with ldap.
Jul 4 21:00:40 mail03 imap[58290]: bad userid authenticated
Jul 4 21:00:40 mail03 imap[58290]: badlogin: localhost [127.0.0.1]
plaintext nmeth2vdiysttboz invalid user
testsaslauthd -u nmeth2vdiysttboz -p 1234
0: OK "Success."
imtest -m LOGIN -a nmeth2vdiysttboz localhost
S: * OK mail03.test.ch Cyrus IMAP4 v2.2.12 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY
SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE LISTEXT
LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
Please enter your password: <type in here>
C: L01 LOGIN nmeth2vdiysttboz {16}
S: L01 NO Invalid user
Authentication failed. generic failure
Security strength factor: 0
ldap entry for admin:
# nmeth2vdiysttboz, people, test, test.ch
dn: uid=nmeth2vdiysttboz,ou=people,ou=test,dc=test,dc=ch
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: nmeth2vdiysttboz
cn: Cyrus Admin
userPassword:: 1234
saslauthd.conf
ldap_servers: ldap://127.0.0.1/
ldap_search_base: ou=people,ou=test,dc=test,dc=ch
imapd.conf:
configdirectory: /m/imap
partition-default: /m/spool/imap
allowplaintext: yes
admins: nmeth2vdiysttboz
quotawarn: 90
timeout: 30
imapidlepoll: 60
poptimeout: 10
logtimestamps: yes
singleinstancestore: yes
sieveusehomedir: false
sievedir: /m/imap/sieve
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: plain login
ptloader_sock: /var/imap/socket/ptsock
lmtpsocket: /var/imap/socket/lmtp
idlesocket: /var/imap/socket/idle
notifysocket: /var/imap/socket/notify
ldap_base: dc=test,dc=ch
ldap_deref: search
ldap_sasl: 0
ldap_group_scope: sub
ldap_bind_dn: dc=test,dc=ch
ldap_restart: 1
ldap_scope: sub
ldap_start_tls: 0
ldap_time_limit: 10
ldap_timeout: 15
ptscache_timeout: 1
ldap_tls_check_peer: no
ldap_tls_ciphers: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
ldap_uri: ldap://127.0.0.1/
Do you need ldap_password here?
No. There is no password protection.
Can you debug slapd?
I will do that. But first I will fix my "sasl mech problem"
Saslauth runs with -a ldap
slapd runs with -h "ldapi:///var/run/openldap/ldapi/ ldap://127.0.0.1 "
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This will not work, although saslauthd is working fine with you current
configuration. (Use ldapi://%2fvar%2frun%2fopenldap%2fldapi/
Thank you.
Regards,
Thomas
--
Igor
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
