Re: ldap auxprop plugin on centos4/rhel4?
--- Simon Matter <[EMAIL PROTECTED]> wrote:

> > I'm currently using saslauthd configured to use LDAP. Trying to switch
> > to ldap auxprop plugin. Went through the man pages, and Googled
> > around, and all examples I found don't seem to work. The Cyrus simply
> > doesn't talk to my LDAP server (not even attempting, as witnessed by
> > tcpdump). Do I need any additional RPM package for CentOS4 or RHEL4 to
> > make this work? Do I need to recompile cyrus-sasl with any special
> > options (looks the one distributed with CentOS4 and RHEL4 is compiled
> > with '--with-ldap')?
>
> On an old RedHat 7.2 test box with my own cyrus-sasl rpm I was using this
> config:
>
> /etc/imapd.conf:
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN
>
> /etc/sysconfig/saslauthd:
> MECH=ldap
>
> /etc/saslauthd.conf:
> ldap_servers: ldap://localhost/
> ldap_search_base: dc=invoca,dc=ch
> #ldap_bind_dn:
> #ldap_bind_pw:
>
> Is this what you tried?
> Simon

No Simon. I believe Aleksandar is talking about AuxProp: LDAP-DB. AFAIK, AuxProp can have 3 backends: SASL-DB, SQL (MySQL and PgSQL) and LDAP-DB. He is trying to cut out SASLAuthD from the picture. This is basically a good move, since it will enable even CRAM-MD5 and DIGEST-MD5 against MS Active Directory.

Is that what you're after, Alex?

We will be introducing an IMAP4 server into our intranet, soon. Of course, GSSAPI will be on the top of my list, but even (PLAIN+SSL) or CRAM-MD5 -> AuxProp -> LDAP -> ADS sounds fine.

Nixie.

Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Strange quotas
Hello,

I'm running into a "strange" problem using quotas under Cyrus 2.2 (haven't tried 2.3 yet). I'm using virtual domains and I've defined domain-wise quota, like

sq @domain.tld 10

and under @domain.tld, I have certain users who have quotas too, like

sq user/[EMAIL PROTECTED] 5000

and some others who have no quotas.

The users without quotas have the quotaroot updated when they get a new mail, but the users with quotas only get their own quotas updated when they get a message; the quotaroot isn't updated.

Am I missing something, is this a normal thing? I would have expected something like

domain (quota )
 +--- user1 (quota Y)
 +--- user2 (no quota)
 +--- user3 (quota Z)
 +--- user4 (no quota)

With quota the number that u1+u2+u3+u4 can't go beyond, but it appears that this particular number is right now +Y+Z, which is obviously not what I expected...

Thanks,
Arnaud.
Re: ldap auxprop plugin on centos4/rhel4?
Quoting Igor Brezac <[EMAIL PROTECTED]>:

> It has been integrated into sasl awhile back. Check
> cyrus-sasl/doc/options.html for documentation.

I've checked it. There's no mention of LDAP auxprop plugin, or any option for it for that matter. The only place where I found some documentation for auxprop plugin was imapd.conf man page.

--
See Ya' later, alligator!
http://www.8-P.ca/
Re: ldap auxprop plugin on centos4/rhel4?
Quoting Simon Matter <[EMAIL PROTECTED]>:

> On an old RedHat 7.2 test box with my own cyrus-sasl rpm I was using this
> config:
>
> /etc/imapd.conf:
> sasl_pwcheck_method: saslauthd

Thanks Simon. However, that is exactly what I'm currently using. However what I wanted to do was to eliminate saslauthd and have Cyrus IMAPD talk directly to LDAP (well, through SASL library and auxprop plugin that is), without relying on external process/service.

--
See Ya' later, alligator!
http://www.8-P.ca/
Re: ldap auxprop plugin on centos4/rhel4?
On Thu, 9 Mar 2006, Aleksandar Milivojevic wrote:

> Quoting Igor Brezac <[EMAIL PROTECTED]>:
>
> > It has been integrated into sasl awhile back. Check
> > cyrus-sasl/doc/options.html for documentation.
>
> I've checked it. There's no mention of LDAP auxprop plugin, or any option
> for it for that matter.

https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/doc/options.html?rev=1.30&content-type=text/x-cvsweb-markup

You must not have the latest version of cyrus sasl.

> The only place where I found some documentation for auxprop plugin was
> imapd.conf man page.

These are ptloader/ldap options (not auxprop).

--
Igor
Re: ldap auxprop plugin on centos4/rhel4?
On Thu, 09.03.2006 at 15:12, Aleksandar Milivojevic wrote:

> Quoting Igor Brezac <[EMAIL PROTECTED]>:
> > It has been integrated into sasl awhile back. Check
> > cyrus-sasl/doc/options.html for documentation.
>
> I've checked it. There's no mention of LDAP auxprop plugin, or any
> option for it for that matter. The only place where I found some
> documentation for auxprop plugin was imapd.conf man page.

I confirm this. cyrus-sasl on RHEL4 isn't compiled with ldapdb auxprop support (easy to see from the .spec file) - unfortunately. So I too am using saslauthd with LDAP backend.

Upcoming Fedora Core 5 will have a cyrus-sasl-ldap RPM; RHEL5 will have it too (but that is far away in future).

Alexander

--
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 15:37:51 up 13 days, 17:26, load average: 0.06, 0.07, 0.15
Re: ldap auxprop plugin on centos4/rhel4?
On Thu, 09.03.2006 at 15:23, Igor Brezac wrote:

> On Thu, 9 Mar 2006, Aleksandar Milivojevic wrote:
> > I've checked it. There's no mention of LDAP auxprop plugin, or any option
> > for it for that matter.
>
> https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/doc/options.html?rev=1.30&content-type=text/x-cvsweb-markup
>
> You must not have the latest version of cyrus sasl.

Yes, enterprise Linux distributions mostly never ship with latest and biggest releases of applications and libs. They come with well and long term tested tools.

$ rpm -qi cyrus-sasl
Name        : cyrus-sasl                    Relocations: (not relocatable)
Version     : 2.1.19                        Vendor: CentOS
Release     : 5.EL4                         Build Date: Sa 05 Mär 2005 19:10:13 CET
Install Date: So 04 Sep 2005 20:44:59 CEST  Build Host: monk.karan.org
Group       : Systemumgebung/Bibliotheken   Source RPM: cyrus-sasl-2.1.19-5.EL4.src.rpm
Size        : 2864344                       License: Freely Distributable

Alexander

--
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 15:42:57 up 13 days, 17:31, load average: 0.12, 0.11, 0.15
Re: How to activate sieve script for users?
Kai Wang wrote:

> Greetings. We are migrating from uw-imap to cyrus. I have converted our
> users' procmailrc files to sieve scripts. I have root access and know the
> user cyrus' password. But I don't know users' password. Can anybody tell
> me how to activate for them?

sieveshell --authname=cyrus --user=

Give the cyrus admin's password when prompted and you will be allowed to proxy as

--
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University
Re: ldap auxprop plugin on centos4/rhel4?
Quoting Igor Brezac <[EMAIL PROTECTED]>:

> You must not have the latest version of cyrus sasl.

Well, I have Cyrus SASL 2.1.19-5.EL4 RPM (RHEL4/CentOS4). Is it recent enough or do I need to go more cutting edge than that? If not recent enough, would updating with 2.1.20-5 from Fedora Core 4 or 2.1.21-10 from Fedora rawhide be good enough?

BTW, I compiled and installed the module from openldap contrib directory. However, it seems to simply connect and then disconnect from my LDAP server, without attempting to do anything (both slapd.log and tcpdump simply show it connecting and issuing unbind right away). I've attempted using a whole bunch of options, with anonymous bind and also using username. To no avail. Basically something like this:

sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://ldap.foobar.com/
sasl_ldap_base: ou=people,dc=foobar,dc=com
sasl_ldap_filter: (uid=%u)
sasl_ldap_sasl: 0
sasl_ldap_tls_check_peer: 0
sasl_ldap_version: 3
# Try with and without sasl_ldapdb_mech
#sasl_ldapdb_mech: PLAIN LOGIN
# Try with and without bind_dn and password options
sasl_ldap_bind_dn: uid=foobar,ou=people,dc=foobar,dc=com
sasl_ldap_password:

Am I missing something way too obvious here?

--
See Ya' later, alligator!
http://www.8-P.ca/
Re: ldap auxprop plugin on centos4/rhel4?
On Thu, 9 Mar 2006, Aleksandar Milivojevic wrote:

> Quoting Igor Brezac <[EMAIL PROTECTED]>:
>
> > You must not have the latest version of cyrus sasl.
>
> Well, I have Cyrus SASL 2.1.19-5.EL4 RPM (RHEL4/CentOS4). Is it recent
> enough or do I need to go more cutting edge than that? If not recent enough,
> would updating with 2.1.20-5 from Fedora Core 4 or 2.1.21-10 from Fedora
> rawhide be good enough?

2.1.21. I build things by hand, so I cannot comment on rpms.

> BTW, I compiled and installed the module from openldap contrib directory.

Which version of openldap?

> However, it seems to simply connect and then disconnect from my LDAP
> server, without attempting to do anything (both slapd.log and tcpdump
> simply show it connecting and issuing unbind right away). I've attempted
> using a whole bunch of options, with anonymous bind and also using username.
> To no avail. Basically something like this:
>
> sasl_pwcheck_method: auxprop
> sasl_auxprop_plugin: ldapdb
> sasl_ldapdb_uri: ldap://ldap.foobar.com/
> sasl_ldap_base: ou=people,dc=foobar,dc=com
> sasl_ldap_filter: (uid=%u)
> sasl_ldap_sasl: 0
> sasl_ldap_tls_check_peer: 0
> sasl_ldap_version: 3
> # Try with and without sasl_ldapdb_mech
> #sasl_ldapdb_mech: PLAIN LOGIN
> # Try with and without bind_dn and password options
> sasl_ldap_bind_dn: uid=foobar,ou=people,dc=foobar,dc=com
> sasl_ldap_password:

All of these are saslauthd options and they have no effect in imapd.conf. Please read options.html from cyrus-sasl 2.1.21

--
Igor
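
Added example, not part of the thread and not Cyrus project code: a small Python check that separates the `sasl_ldapdb_*` options the ldapdb auxprop plugin reads from the `sasl_ldap_*` lines it ignores, run over the configuration posted above (reproduced as sample input). It assumes imapd.conf hands `sasl_`-prefixed options to the SASL library with the prefix removed and takes the ldapdb option names from cyrus-sasl's options.html; the function names and the TLS check are illustrative.

```python
import re

# Option names read by the ldapdb auxprop plugin (cyrus-sasl doc/options.html).
LDAPDB_OPTIONS = {"ldapdb_uri", "ldapdb_id", "ldapdb_pw",
                  "ldapdb_mech", "ldapdb_rc", "ldapdb_starttls"}

KEY_VALUE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$")

# Sample input: the imapd.conf fragment posted in the thread (password empty).
THREAD_CONF = """\
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://ldap.foobar.com/
sasl_ldap_base: ou=people,dc=foobar,dc=com
sasl_ldap_filter: (uid=%u)
sasl_ldap_sasl: 0
sasl_ldap_tls_check_peer: 0
sasl_ldap_version: 3
#sasl_ldapdb_mech: PLAIN LOGIN
sasl_ldap_bind_dn: uid=foobar,ou=people,dc=foobar,dc=com
sasl_ldap_password:
"""

# Sample input: a fragment that uses only ldapdb options, over ldaps://.
FIXED_CONF = """\
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldaps://ldap.foobar.com/
"""

def parse_conf(text):
    """Return [(lineno, key, value)] for each 'key: value' line, skipping comments."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = KEY_VALUE.match(line)
        if match:
            entries.append((lineno, match.group(1), match.group(2)))
    return entries

def lint_sasl_ldap(text):
    """Return [(lineno, key, message)] for settings the ldapdb plugin will not honour."""
    findings, sasl = [], {}
    for lineno, key, value in parse_conf(text):
        if not key.startswith("sasl_"):
            continue
        name = key[len("sasl_"):]          # the name the SASL library sees
        sasl[name] = (lineno, value)
        if name.startswith("ldap_"):
            findings.append((lineno, key, "not an ldapdb auxprop option; the plugin ignores it"))
        elif name.startswith("ldapdb_") and name not in LDAPDB_OPTIONS:
            findings.append((lineno, key, "unknown ldapdb option"))
    if sasl.get("auxprop_plugin", (0, ""))[1] == "ldapdb":
        if "ldapdb_uri" not in sasl:
            findings.append((0, "sasl_ldapdb_uri", "no LDAP server URI set"))
        else:
            lineno, uri = sasl["ldapdb_uri"]
            starttls = sasl.get("ldapdb_starttls", (0, ""))[1]
            plain = any(u.lower().startswith("ldap://") for u in uri.split())
            if plain and starttls != "demand":
                findings.append((lineno, "sasl_ldapdb_uri",
                                 "ldap:// without sasl_ldapdb_starttls: demand; TLS is not enforced"))
    return findings

if __name__ == "__main__":
    for lineno, key, message in lint_sasl_ldap(THREAD_CONF):
        print(f"line {lineno}: {key}: {message}")
```
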
Re: ldap auxprop plugin on centos4/rhel4?
Quoting Igor Brezac <[EMAIL PROTECTED]>:

> Which version of openldap?

2.2.13

> > sasl_ldap_base: ou=people,dc=foobar,dc=com

[snip]

> All of these are saslauthd options and they have no effect in imapd.conf.
> Please read options.html from cyrus-sasl 2.1.21

Hmmm... Strange... They were documented in imapd.conf file, and I could see some small variations in slapd.conf file (for example, if I comment out ldapdb_mech, it asks for supportedSASLMechanisms).

--
See Ya' later, alligator!
http://www.8-P.ca/
Re: ldap auxprop plugin on centos4/rhel4?
On Thu, 9 Mar 2006, Aleksandar Milivojevic wrote:

> Quoting Igor Brezac <[EMAIL PROTECTED]>:
>
> > Which version of openldap?
>
> 2.2.13

This is old and buggy. At minimum I recommend using the latest 2.2, but your best bet is to use the latest 2.3 (currently 2.3.20)

> > > sasl_ldap_base: ou=people,dc=foobar,dc=com
>
> [snip]
>
> > All of these are saslauthd options and they have no effect in imapd.conf.
> > Please read options.html from cyrus-sasl 2.1.21
>
> Hmmm... Strange... They were documented in imapd.conf file,

Those are not ldapdb auxprop options.

--
Igor
Re: ldap auxprop plugin on centos4/rhel4?
Quoting Igor Brezac <[EMAIL PROTECTED]>:

> > Quoting Igor Brezac <[EMAIL PROTECTED]>:
> >
> > > Which version of openldap?
> >
> > 2.2.13
>
> This is old and buggy. At minimum I recommend using the latest 2.2, but
> your best bet is to use the latest 2.3 (currently 2.3.20)

Actually, it's the Red Hat RPM package with backported patches. Not 2.2.13 from openldap.org tarball. It's probably closer to latest 2.2.x than to original 2.2.13 tarball. Should work OK (and so far was working OK).

> Those are not ldapdb auxprop options.

OK, I see. I'm currently building newer Cyrus-SASL on CentOS4 from Fedora rawhide SRPM (2.1.21-10). Seems to be building OK for now without any changes to spec file. Looking at the spec file, it should be built with --enable-ldapdb and have cyrus-sasl-ldap subpackage defined. Which is all that I need, I guess.

I kind of prefer sticking with RPM packages whenever possible (many many thanks to Simon for doing an awesome job with cyrus-imapd SRPM). Makes things way more manageable.

--
See Ya' later, alligator!
http://www.8-P.ca/
Re: How to activate sieve script for users?
Hi,

you don't need to know user passwords to set sieve scripts.

Become the cyrus user if you can. For each user:
- determine the directory for sieve scripts of the user (in imapd.conf, see sievedir hashimapspool fulldirhash)
- mkdir -p the dir if it does not exist
- copy your script for the user in that dir (eg: s0.script)
- sievec s0.script s0.bc
- ln -s s0.bc defaultbc
- (if root) set ownership of the entire sieve hierarchy to the cyrus user

Kai Wang wrote:

> Greetings. We are migrating from uw-imap to cyrus. I have converted our
> users' procmailrc files to sieve scripts. I have root access and know the
> user cyrus' password. But I don't know users' password. Can anybody tell
> me how to activate for them? Thanks in advance
Re: How to activate sieve script for users?
> you don't need to know user passwords to set sieve scripts.

The more interesting problem is how you will then maintain the scripts. Most users do not have the technical background to hand-edit sieve scripts. Instead they use a GUI to do this.

But I'll grant that someone who could write .procmailrc recipes should be able to handle sieve.

The GUI clients are write-only. That is, they can translate their own ruleset into sieve script, but they cannot translate back from sieve script. So you use the GUI, it stores its ruleset, and puts a sieve version to the server. When you want to update, the GUI reads its ruleset to show you what you have, and if you change something, it again puts a sieve version to the server.

What we're doing here is implementing the web-based Ingo interface, and disallowing any other. This gets us at least the portability that the Ingo page can be accessed from anywhere, so that a user can update sieve rules from anywhere. (Actually the user is updating Ingo rulesets that are put to the server as sieve rules.) The down side is that some things you can really do with sieve itself are not available.

Joseph Brennan
Columbia University Information Technology
Re: How to activate sieve script for users?
On Thu, 2006-03-09 at 12:57 -0500, Joseph Brennan wrote:

> > you don't need to know user passwords to set sieve scripts.
>
> The more interesting problem is how you will then maintain the
> scripts. Most users do not have the technical background to
> hand-edit sieve scripts. Instead they use a GUI to do this.
>
> But I'll grant that someone who could write .procmailrc recipes
> should be able to handle sieve.
>
> The GUI clients are write-only. That is, they can translate
> their own ruleset into sieve script, but they cannot translate
> back from sieve script. So you use the GUI, it stores its
> ruleset, and puts a sieve version to the server. When you
> want to update, the GUI reads its ruleset to show you what
> you have, and if you change something, it again puts a sieve
> version to the server.
>
> What we're doing here is implementing the web-based Ingo
> interface, and disallowing any other. This gets us at least
> the portability that the Ingo page can be accessed from anywhere,
> so that a user can update sieve rules from anywhere. (Actually
> the user is updating Ingo rulesets that are put to the server
> as sieve rules.) The down side is that some things you can
> really do with sieve itself are not available.

as Chuck would say...patches are welcome

all in all, Ingo/Sieve is a pretty dynamite combination for end users to actually be able to maintain their sieve scripts.

Craig
Re: ldap auxprop plugin on centos4/rhel4?
OK, I got the newer cyrus-sasl installed on the imap server, with ldap module. I've placed this into imapd.conf:

sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldaps://ldap.foobar.com/

And things were still failing. slapd.log showed the client connecting and disconnecting right away, without attempting to bind. Figured it was the certificate verification problem. I don't see in options.html file from cyrus-sasl docs that there's an option for ldapdb to specify CA certificate directly in imapd.conf file, so I created /etc/openldap/ldap.conf as follows:

BASE dc=foobar,dc=com
URI ldaps://ldap.foobar.com
TLS_CACERT /usr/share/ssl/certs/cacert.pem

The cacert.pem contains certificate of CA used to sign LDAP server's certificate. The exact same ldap.conf works perfectly for all other programs/servers/tools/whatever. However, seems that ldap SASL module chokes on TLS_CACERT line. If it is present in ldap.conf file (and only if it is present), I get following in system log:

Mar 9 14:07:32 mail imap[10643]: Unexpectedly missing a prompt result

The LDAP server itself offers only simple bind, SASL PLAIN and SASL LOGIN, and requires SSL or TLS to use them. Using ldapsearch (from the same box cyrus-imapd is running on), I can authenticate correctly, so I know that LDAP server is configured as it should be:

$ ldapsearch -U foobar -H ldaps://ldap.foobar.com/ -W '(uid=foobar)'
Enter LDAP Password:
SASL/LOGIN authentication started
SASL username: foobar
SASL SSF: 0
# extended LDIF
follows...

Same thing if I try StartTLS using -ZZ instead of ldaps URI. Also all works fine if I try simple bind either over SSL or using StartTLS.

BTW, would it be possible to use simple bind with ldapdb cyrus-sasl module? Simple bind over SSL/TLS would work for me. It would even simplify things on LDAP server side since I wouldn't need to support SASL on it.

--
See Ya' later, alligator!
http://www.8-P.ca/