Hi
Thank you all. I changed to auth_unix and everything works fine now.
Regards,
Thomas
On 05.07.2005 at 09:30, carole gimenez wrote:
Hi,
I use cyrus-imapd with ldap authentication but I don't use pts for
that and it works well.
My config is the following:
* /etc/saslauthd.conf
ldap_servers: ldaps://pc-systeme.cict.fr:636/
ldap_auth_method: custom
ldap_bind_dn: uid=cyrus,ou=appli,dc=ups-tlse,dc=fr
ldap_password: xxxxxx
ldap_search_base: dc=ups-tlse,dc=fr
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /usr/share/ssl/mon_AC/private/mon_AC.crt
* /etc/cyrus.conf
SERVICES {
# add or remove based on preferences
#imap cmd="imapd" listen="imap" prefork=0
imaplocal cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap" prefork=0
imaps cmd="imapd -s -U 30" listen="x.x.x.x:imaps" prefork=0 maxchild=100
# pop3 cmd="pop3d" listen="pop3" prefork=0
# pop3s cmd="pop3d -s" listen="pop3s" prefork=0
sieve cmd="timsieved" listen="sieve" prefork=0
# these are only necessary if receiving/exporting usenet via NNTP
# nntp cmd="nntpd" listen="nntp" prefork=0
# nntps cmd="nntpd -s" listen="nntps" prefork=0
# at least one LMTP is required for delivery
# lmtp cmd="lmtpd" listen="lmtp" prefork=0
lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0 maxchild=20
# this is only necessary if using notifications
notify cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
}
* /etc/imapd-local.conf
configdirectory: /var/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
maxmessagesize: 5000000
sasl_pwcheck_method: saslauthd
sasl_option: 1
sasl_mech_list: plain
servername: pc-systeme.cict.fr
autocreatequota: 10000
lmtp_downcase_rcpt: 1
mailnotifier: log
sievenotifier: log
# ps -ef | grep cyrus
cyrus 17522 1 0 09:16 pts/0 00:00:00 /usr/local/cyrus_imapd/cyrus/bin/master
cyrus 17531 17522 0 09:16 pts/0 00:00:00 notifyd
# ps -ef | grep ldap
serveur 17187 1 0 04:03 ? 00:00:00 /usr/local/openldap/libexec/slapd -h ldaps:/// ldap://127.0.0.1/ ldap://pc-systeme.cict.fr:389/ -f /usr/local/openldap/etc/openldap/slapd.conf -u serveur -g serveur
root 17521 1 0 09:16 ? 00:00:00 /usr/sbin/saslauthd -a ldap -c -t 30
root 17523 17521 0 09:16 ? 00:00:00 /usr/sbin/saslauthd -a ldap -c -t 30
root 17524 17521 0 09:16 ? 00:00:00 /usr/sbin/saslauthd -a ldap -c -t 30
root 17525 17521 0 09:16 ? 00:00:00 /usr/sbin/saslauthd -a ldap -c -t 30
root 17526 17521 0 09:16 ? 00:00:00 /usr/sbin/saslauthd -a ldap -c -t 30
I hope that will help you.
Carole.
Thomas Vogt wrote:
Hi Igor
I have a problem with my new, clean cyrus installation. I can't
login with my cyradm admin account. The account information is
stored in my ldap database. The sasldb2 is empty. I don't use
it. Can you give me some advice?
For cyradm I use this command:
cyradm --user nmeth2vdiysttboz --server localhost --auth plain
Password:
IMAP Password: <i use the ldap password here>
Error message:
Invalid user at /usr/local/lib/perl5/site_perl/5.8.7/mach/Cyrus/IMAP/Admin.pm line 118
cyradm: cannot authenticate to server with plain as nmeth2vdiysttboz
Logfile:
Jul 4 21:00:36 mail03 imap[58290]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-16): encryption needed to use mechanism: security flags do not match
^^^^^^^^^^
This error is self explanatory.
I added these options below to my imapd.conf. But I still get the
same error message. I don't want to use any encryption. The
password is stored as md5 hash in the ldap database. As far as I
know this limits my ability for secure authentication anyway.
allowplaintext: yes
sasl_mech_list: PLAIN
sasl_minimum_layer: 0
I've compiled sasl with
./configure --sysconfdir=/usr/local/etc --with-plugindir=/usr/local/lib/sasl2 --with-dbpath=/usr/local/etc/sasldb2 --includedir=/usr/local/include --mandir=/usr/local/man --enable-static --enable-auth-sasldb --with-rc4=openssl --with-ldap --with-saslauthd=/var/state/saslauthd --with-dblib=ndbm --without-mysql --without-pgsql --without-sqlite --enable-login --disable-ntlm --disable-gssapi --disable-krb4 --with-openssl=yes --prefix=/usr/local
Jul 4 21:00:39 mail03 perl: No worthy mechs found
Jul 4 21:00:40 mail03 imap[58290]: ptload(): bad response from
ptloader server: identifier not found
pts/ldap configuration problem. Double check ldap_* params in
imapd.conf.
Is there a reason you are using pts authorization module?
I thought this is the best way for my environment. All user
information is stored in my ldap server: uid, maildrop, password, ...
I don't like pam_ldap. My older servers are using auth_unix but
I've modified this for ldap. Since my patch no longer works, I
decided to use a direct ldap auth version. But I can try other
auth mech, if this is possible with ldap.
Jul 4 21:00:40 mail03 imap[58290]: bad userid authenticated
Jul 4 21:00:40 mail03 imap[58290]: badlogin: localhost
[127.0.0.1] plaintext nmeth2vdiysttboz invalid user
testsaslauthd -u nmeth2vdiysttboz -p 1234
0: OK "Success."
imtest -m LOGIN -a nmeth2vdiysttboz localhost
S: * OK mail03.test.ch Cyrus IMAP4 v2.2.12 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
Please enter your password: <type in here>
C: L01 LOGIN nmeth2vdiysttboz {16}
S: L01 NO Invalid user
Authentication failed. generic failure
Security strength factor: 0
ldap entry for admin:
# nmeth2vdiysttboz, people, test, test.ch
dn: uid=nmeth2vdiysttboz,ou=people,ou=test,dc=test,dc=ch
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: nmeth2vdiysttboz
cn: Cyrus Admin
userPassword:: 1234
saslauthd.conf
ldap_servers: ldap://127.0.0.1/
ldap_search_base: ou=people,ou=test,dc=test,dc=ch
imapd.conf:
configdirectory: /m/imap
partition-default: /m/spool/imap
allowplaintext: yes
admins: nmeth2vdiysttboz
quotawarn: 90
timeout: 30
imapidlepoll: 60
poptimeout: 10
logtimestamps: yes
singleinstancestore: yes
sieveusehomedir: false
sievedir: /m/imap/sieve
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: plain login
ptloader_sock: /var/imap/socket/ptsock
lmtpsocket: /var/imap/socket/lmtp
idlesocket: /var/imap/socket/idle
notifysocket: /var/imap/socket/notify
ldap_base: dc=test,dc=ch
ldap_deref: search
ldap_sasl: 0
ldap_group_scope: sub
ldap_bind_dn: dc=test,dc=ch
ldap_restart: 1
ldap_scope: sub
ldap_start_tls: 0
ldap_time_limit: 10
ldap_timeout: 15
ptscache_timeout: 1
ldap_tls_check_peer: no
ldap_tls_ciphers: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
ldap_uri: ldap://127.0.0.1/
Do you need ldap_password here?
No. There is no password protection.
Can you debug slapd?
I will do that. But first I will fix my "sasl mech problem"
Saslauth runs with -a ldap
slapd runs with -h "ldapi:///var/run/openldap/ldapi/ ldap://127.0.0.1"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This will not work, although saslauthd is working fine with your
current configuration. (Use ldapi://%2fvar%2frun%2fopenldap%2fldapi/)
Thank you.
Regards,
Thomas
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
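The settings argued over in this thread (cleartext ldap:// traffic from saslauthd and ptloader, ldap_tls_check_peer: no, allowplaintext: yes, a bind DN with no ldap_password, and the ldapi:// URL whose socket path has to be percent-encoded) are all things a small configuration audit can flag before a server goes live. The script below is an added example and is not code from the thread, from Cyrus IMAP or from Cyrus SASL; the two file bodies are constructed samples modelled on the configs quoted above, and the severity labels, the loopback exemption and the "first RDN is dc=" heuristic are this example's own assumptions.

```python
"""Audit saslauthd.conf / imapd.conf style files for the weak settings this
thread discusses.  Added example; the sample file contents below are
constructed and modelled on the configs quoted in the thread."""
from urllib.parse import quote, urlparse

# Constructed sample inputs (not the thread's real files).
SAMPLE_SASLAUTHD_CONF = """\
# read by: saslauthd -a ldap
ldap_servers: ldapi:///var/run/openldap/ldapi/ ldap://127.0.0.1/ ldap://ldap.example.test/
ldap_search_base: ou=people,ou=test,dc=test,dc=ch
"""

SAMPLE_IMAPD_CONF = """\
configdirectory: /var/imap
allowplaintext: yes
sasl_pwcheck_method: saslauthd
sasl_mech_list: plain login
ldap_bind_dn: dc=test,dc=ch
ldap_tls_check_peer: no
ldap_start_tls: 0
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
TRUE_VALUES = {"yes", "1", "true", "on"}
FALSE_VALUES = {"no", "0", "false", "off"}


def parse_conf(text):
    """Parse 'key: value' lines (the cyrus/saslauthd format); comments and
    blank lines are skipped, keys are lower-cased, values keep any ':'."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf


def ldapi_uri(socket_path):
    """Build an ldapi:// URI.  The socket path goes in the authority part,
    so every '/' in it must be percent-encoded, as the reply in the thread notes."""
    return "ldapi://" + quote(socket_path, safe="") + "/"


def check_ldap_uri(uri):
    """Return (severity, subject, message) for one ldap_servers entry, or None."""
    p = urlparse(uri)
    if p.scheme == "ldapi":
        if not p.netloc:  # ldapi:///path leaves the authority empty; the socket path is lost
            return ("high", uri,
                    "socket path not percent-encoded; use " + ldapi_uri(p.path.rstrip("/")))
        return None
    if p.scheme == "ldap":
        if (p.hostname or "") in LOOPBACK:
            return ("info", uri, "cleartext LDAP on loopback; credentials stay on this host")
        return ("high", uri, "cleartext LDAP to a remote server; use ldaps:// or ldap_start_tls")
    return None


def audit(saslauthd_text, imapd_text):
    """Run every check over both files and return the list of findings."""
    findings = []
    sasl = parse_conf(saslauthd_text)
    imap = parse_conf(imapd_text)

    for uri in sasl.get("ldap_servers", "").split():
        finding = check_ldap_uri(uri)
        if finding:
            findings.append(finding)

    mechs = set(imap.get("sasl_mech_list", "").lower().split())
    if imap.get("allowplaintext", "").lower() in TRUE_VALUES:
        findings.append(("medium", "allowplaintext",
                         "PLAIN/LOGIN accepted on unencrypted connections; keep those "
                         "mechanisms behind imaps/STARTTLS or set allowplaintext: no"))
    elif mechs & {"plain", "login"}:
        # Without allowplaintext these mechanisms are offered only after TLS;
        # a cleartext client then gets the 'encryption needed' SASL error.
        findings.append(("info", "sasl_mech_list",
                         "plain/login are advertised only on encrypted connections"))

    if imap.get("ldap_tls_check_peer", "").lower() in FALSE_VALUES:
        findings.append(("high", "ldap_tls_check_peer",
                         "LDAP server certificate is not verified"))

    bind_dn = imap.get("ldap_bind_dn")
    if bind_dn and "ldap_password" not in imap:
        findings.append(("medium", "ldap_bind_dn",
                         "bind DN set without ldap_password; the bind is anonymous or fails"))
    if bind_dn and bind_dn.split(",")[0].strip().lower().startswith("dc="):
        # Heuristic (this example's assumption): a DN whose first RDN is a
        # domain component looks like a base DN, not a service account entry.
        findings.append(("low", "ldap_bind_dn",
                         "looks like a base DN rather than a dedicated bind account"))
    return findings


if __name__ == "__main__":
    for severity, subject, message in audit(SAMPLE_SASLAUTHD_CONF, SAMPLE_IMAPD_CONF):
        print(f"[{severity:6}] {subject}: {message}")
```

Run it as-is to see the seven findings the samples produce, or point `audit()` at the contents of a real saslauthd.conf and imapd.conf. The loopback exemption is deliberate: cleartext LDAP to 127.0.0.1, as in both configs in the thread, keeps the bind credentials on the host, whereas the same URL scheme to a remote server exposes them on the wire, which is why Carole's setup uses ldaps:// with ldap_tls_check_peer: yes and a CA file.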