ptloader setup

Igor Brezac igor at ipass.net
Tue Dec 21 00:39:00 EST 2004


On Tue, 21 Dec 2004, Mike O'Rourke wrote:

> Hi all,
>
> I have IMAPd 2.2.10, compiled with --with-auth=pts --with-pts=ldap
> --with-ldap
> OpenLDAP 2.2.17
>
> my /etc/imapd.conf is:
>
> configdirectory: /var/imap
> defaultpartition: default
> partition-default: /var/spool/imap
> unixhierarchysep: yes
> allowanonymouslogin: no
> allowplaintext: yes
> allowusermoves: yes
> servername: server12.mydom.com
> virtdomains: userid
> defaultdomain: mydom.com
> autocreatequota: -1
> createonpost: 1
> autocreateinboxfolders: Sent|Trash
> autosubscribeinboxfolders: Sent|Trash
> admins: cyrus
> lmtpsocket: /var/imap/socket/lmtp
> sendmail: /usr/sbin/sendmail
> tls_cert_file: /var/imap/server12_cert.pem
> tls_key_file: /var/imap/server12_key.pem
> tls_CA_file: /var/imap/cacerts/cacert.pem
> tls_CA_path: /var/imap/cacerts
> tls_require_cert: 0
> ldap_sasl: 0
> ldap_base: ou=email,o=internet,o=mycom
> ldap_bind_dn: cn=server12.mydom.com,ou=hosts,o=internet,o=mycom
> ldap_filter: (&(uid=%u)(MailUserDefHost=server12.mydom.com))
> ldap_password: mypass
> ldap_tls_cacert_file: /var/imap/cacerts/cacert.pem
> ldap_tls_cert: /var/imap/server12_cert.pem
> ldap_tls_key: /var/imap/server12_key.pem
> ldap_uri: ldaps://192.168.7.11 ldaps://ldap1.mydom.com ldaps://ldap2.mydom.com
> ptloader_sock: /var/imap/socket/ptsock
>
> In the ldap_filter, MailUserDefHost is a private attribute to limit
> which host the user can log in to.
>
> Authorization fails with a generic failure (see the output from imtest
> below, if you wish). Even though "ldap_sasl" is set to 0 in imapd.conf,
> it would seem that it is trying to use SASL (proxy) authentication after
> a successful bind (see the debugging output from the LDAP server below,
> if you wish).

This is a bug in ptloader/ldap.

Please try this patch:

Index: ldap.c
===================================================================
RCS file: /cvs/src/cyrus/ptclient/ldap.c,v
retrieving revision 1.7
diff -u -r1.7 ldap.c
--- ldap.c      24 Jun 2004 19:28:39 -0000      1.7
+++ ldap.c      21 Dec 2004 05:27:18 -0000
@@ -799,34 +799,38 @@

  #if LDAP_VENDOR_VERSION >= 20125

-    authzid = xmalloc(size + sizeof("u:"));
-    if (authzid == NULL)
-        return PTSM_NOMEM;
+    if (ptsm->sasl) {

-    strcpy(authzid, "u:");
-    strcpy(authzid+2, canon_id);
-    c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
-    c.ldctl_value.bv_val = authzid;
-    c.ldctl_value.bv_len = size + 2;
-    c.ldctl_iscritical = 1;
+        authzid = xmalloc(size + sizeof("u:"));
+        if (authzid == NULL)
+            return PTSM_NOMEM;

-    ctrl[0] = &c;
-    ctrl[1] = NULL;
-    rc = ldap_whoami_s(ptsm->ld, &dn, ctrl, NULL);
-    free(authzid);
-    if ( rc != LDAP_SUCCESS || !dn ) {
-        if (rc == LDAP_SERVER_DOWN) {
-            ldap_unbind(ptsm->ld);
-            ptsm->ld = NULL;
-            return PTSM_RETRY;
+        strcpy(authzid, "u:");
+        strcpy(authzid+2, canon_id);
+        c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
+        c.ldctl_value.bv_val = authzid;
+        c.ldctl_value.bv_len = size + 2;
+        c.ldctl_iscritical = 1;
+
+        ctrl[0] = &c;
+        ctrl[1] = NULL;
+        rc = ldap_whoami_s(ptsm->ld, &dn, ctrl, NULL);
+        free(authzid);
+        if ( rc != LDAP_SUCCESS || !dn ) {
+            if (rc == LDAP_SERVER_DOWN) {
+                ldap_unbind(ptsm->ld);
+                ptsm->ld = NULL;
+                return PTSM_RETRY;
+            }
+            return PTSM_FAIL;
          }
-        return PTSM_FAIL;
-    }

-    if ( dn->bv_val &&
-        !strncmp(dn->bv_val, "dn:", 3) )
-        *ret = strdup(dn->bv_val+3);
-    ber_bvfree(dn);
+        if ( dn->bv_val &&
+            !strncmp(dn->bv_val, "dn:", 3) )
+            *ret = strdup(dn->bv_val+3);
+        ber_bvfree(dn);
+
+    }

  #else

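Review bot: when `ptsm->sasl` is false the new `if (ptsm->sasl) {` skips the whole `LDAP_VENDOR_VERSION >= 20125` path without assigning `*ret`, and nothing visible in this hunk initialises it; either set `*ret = NULL;` before the `if` or confirm that the code after `#else`/`#endif` fills `*ret` on the non-SASL path, otherwise the caller can read an indeterminate pointer. Two smaller points: the retained `if (authzid == NULL) return PTSM_NOMEM;` is dead code because Cyrus's `xmalloc` calls `fatal()` rather than returning NULL, and the lone `}` added just before `#else` closes a block opened some forty lines earlier, so a `} /* ptsm->sasl */` comment would help the next reader. Since `ldap_sasl: 0` now also means no Proxy Authorization control is sent, that behaviour should be noted in the imapd.conf documentation for the option.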

> So, am I missing something in the documentation about the setup of my
> LDAP server or Cyrus? What do I need to do? I am not _too_ concerned
> about security here since I am communicating on a private and trusted
> net or via ldaps; hence my setting ldap_sasl to 0.

SASL is not used for security only, but for simplicity as well, among
other things.

>
> Thanks, Mike.
>
> imtest -u test1 at testdom.mydom.com -a test1 at testdom.mydom.com -m login
> -t "" localhost
> S: * OK server12.mydom.com Cyrus IMAP4 v2.2.10 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
> BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE
> STARTTLS AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT
> LIST-SUBSCRIBED X-NETSCAPE
> S: C01 OK Completed
> C: S01 STARTTLS
> S: S01 OK Begin TLS negotiation now
> verify error:num=19:self signed certificate in certificate chain
> TLS connection established: TLSv1 with cipher AES256-SHA (256/256
> bits)
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
> BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE
> AUTH=LOGIN AUTH=PLAIN AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
> LISTEXT LIST-SUBSCRIBED X-NETSCAPE
> S: C01 OK Completed
> Please enter your password:
> C: L01 LOGIN test1 at testdom.mydom.com {9}
> S: L01 NO Invalid user
> Authentication failed. generic failure
> Security strength factor: 256
>
> slapd log output:
>
> ------ default slapd debug level:
>
> Dec 20 18:40:01 server11 slapd[9757]: conn=84 fd=24 ACCEPT from
> IP=192.168.7.12:32809 (IP=0.0.0.0:636)
> Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=0 BIND
> dn="cn=server12.mydom.com,ou=hosts,o=internet,o=mycom" method=128
> Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=0 BIND
> dn="cn=server12.mydom.com,ou=hosts,o=internet,o=mycom" mech=SIMPLE ssf=0
>
> Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=0 RESULT tag=97 err=0
> text=
>
> ------ Begin slapd -d -1 debugging output:
>
> => get_ctrls: oid="2.16.840.1.113730.3.4.18" (critical)
> parseProxyAuthz: conn 0 authzid="u:test1 at testdom.mydom.com"
> slap_sasl_getdn: id=u:test1 at testdom.mydom.com [len=22]
> slap_sasl_getdn: u:id converted to
> uid=test1 at testdom.mydom.com,cn=SIMPLE,cn=auth
>>>> dnNormalize: <uid=test1 at testdom.mydom.com,cn=SIMPLE,cn=auth>
> => ldap_bv2dn(uid=test1 at testdom.mydom.com,cn=SIMPLE,cn=auth,0)
> ldap_err2string
> <= ldap_bv2dn(uid=test1 at testdom.mydom.com,cn=SIMPLE,cn=auth)=0 Success
> => ldap_dn2bv(272)
> ldap_err2string
> <= ldap_dn2bv(uid=test1 at testdom.mydom.com,cn=simple,cn=auth)=0 Success
> <<< dnNormalize: <uid=test1 at testdom.mydom.com,cn=simple,cn=auth>
> ==>slap_sasl2dn: converting SASL name
> uid=test1 at testdom.mydom.com,cn=simple,cn=auth to a DN
> slap_sasl_regexp: converting SASL name
> uid=test1 at testdom.mydom.com,cn=simple,cn=auth
> <==slap_sasl2dn: Converted SASL name to <nothing>
> parseProxyAuthz: conn=0
> "uid=test1 at testdom.mydom.com,cn=simple,cn=auth"
> ==>slap_sasl_authorized: can
> cn=server11.mydom.com,ou=hosts,o=internet,o=mycom become
> uid=test1 at testdom.mydom.com,cn=simple,cn=auth?
> <== slap_sasl_authorized: return 48
> <= get_ctrls: n=1 rc=47 err="not authorized to assume identity"
> send_ldap_result: conn=0 op=1 p=3
> send_ldap_result: err=47 matched="" text="not authorized to assume
> identity"
> send_ldap_response: msgid=2 tag=120 err=47
> conn=0 op=1 RESULT tag=120 err=47 text=not authorized to assume
> identity
> do_extended: get_ctrls failed
>
> ------End slapd -d -1 debugging output
>
> Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=1 RESULT tag=120
> err=47 text=not authorized to assume identity
> Dec 20 18:40:01 server11 slapd[9757]: do_extended: get_ctrls failed
>
> ---
> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>

-- 
Igor
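The slapd stats-level log quoted above is enough to spot this failure class without turning on `-d -1`: a successful simple BIND on a connection followed by a RESULT with err=47 and the text "not authorized to assume identity" is the Proxy Authorization control being refused. The following script is an added example written for this thread; it is not code from the original post, from Cyrus or from OpenLDAP. It correlates the bind DN of each connection with later refused operations on the same connection and aggregates refusals per bind DN, which is the count a monitoring rule would alert on. The sample log lines are constructed to follow the post's format and reuse its hostnames and DNs; the second and third connections (a normal search and a failed bind) are assumed for contrast.

```python
"""Spot refused LDAP proxy-authorization attempts in slapd stats logs.

Added example for this thread, not code from the post, Cyrus or OpenLDAP.
It reads the default-level slapd log format (conn=N op=M BIND dn=... and
conn=N op=M RESULT tag=T err=E text=...) and reports every operation slapd
rejected with err=47 (insufficientAccessRights) and the text
"not authorized to assume identity", attributing it to the DN that last
bound successfully on that connection.
"""
import re
from collections import Counter

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" (?:method|mech)=')
# "SEARCH RESULT" for searchResDone, plain "RESULT" for everything else.
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) (?:SEARCH )?RESULT tag=(\d+) err=(\d+)\b(.*)$')

LDAP_INSUFFICIENT_ACCESS = 47
PROXY_AUTHZ_TEXT = "not authorized to assume identity"
TAG_BIND_RESPONSE = 97    # BER APPLICATION 1; tag=120 is extendedResp (whoami)

# Constructed sample modelled on the slapd lines quoted in the thread:
# conn=84 is the failing ptloader connection, conn=85 a plain bind+search,
# conn=86 a bind with bad credentials (err=49), all assumed for illustration.
SAMPLE_LOG = """\
Dec 20 18:40:01 server11 slapd[9757]: conn=84 fd=24 ACCEPT from IP=192.168.7.12:32809 (IP=0.0.0.0:636)
Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=0 BIND dn="cn=server12.mydom.com,ou=hosts,o=internet,o=mycom" method=128
Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=0 BIND dn="cn=server12.mydom.com,ou=hosts,o=internet,o=mycom" mech=SIMPLE ssf=0
Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=0 RESULT tag=97 err=0 text=
Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=1 RESULT tag=120 err=47 text=not authorized to assume identity
Dec 20 18:40:01 server11 slapd[9757]: do_extended: get_ctrls failed
Dec 20 18:40:05 server11 slapd[9757]: conn=85 fd=25 ACCEPT from IP=192.168.7.12:32810 (IP=0.0.0.0:636)
Dec 20 18:40:05 server11 slapd[9757]: conn=85 op=0 BIND dn="cn=server12.mydom.com,ou=hosts,o=internet,o=mycom" method=128
Dec 20 18:40:05 server11 slapd[9757]: conn=85 op=0 RESULT tag=97 err=0 text=
Dec 20 18:40:05 server11 slapd[9757]: conn=85 op=1 SRCH base="ou=email,o=internet,o=mycom" scope=2 deref=0 filter="(&(uid=test1@testdom.mydom.com)(MailUserDefHost=server12.mydom.com))"
Dec 20 18:40:05 server11 slapd[9757]: conn=85 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 20 18:40:09 server11 slapd[9757]: conn=86 fd=26 ACCEPT from IP=192.168.7.40:41002 (IP=0.0.0.0:636)
Dec 20 18:40:09 server11 slapd[9757]: conn=86 op=0 BIND dn="cn=server13.mydom.com,ou=hosts,o=internet,o=mycom" method=128
Dec 20 18:40:09 server11 slapd[9757]: conn=86 op=0 RESULT tag=97 err=49 text=
"""


def parse_events(lines):
    """Yield ("bind", conn, op, dn) or ("result", conn, op, tag, err, text)."""
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            yield ("bind", int(m.group(1)), int(m.group(2)), m.group(3))
            continue
        m = RESULT_RE.search(line)
        if m:
            rest = m.group(5)
            text = rest.split("text=", 1)[1].strip() if "text=" in rest else ""
            yield ("result", int(m.group(1)), int(m.group(2)),
                   int(m.group(3)), int(m.group(4)), text)


def find_refused_proxy_authz(log_text):
    """One dict per operation refused with 'not authorized to assume identity'.

    The bind DN comes from the last BIND on the same connection whose
    bindResponse carried err=0, so the report names the account that tried
    to proxy; the target authzid is only logged at debug level -1.
    """
    pending = {}        # conn -> DN of the most recent BIND request
    authenticated = {}  # conn -> DN whose bindResponse was err=0
    hits = []
    for ev in parse_events(log_text.splitlines()):
        if ev[0] == "bind":
            pending[ev[1]] = ev[3]
            continue
        _, conn, op, tag, err, text = ev
        if tag == TAG_BIND_RESPONSE:
            if err == 0:
                authenticated[conn] = pending.get(conn, "")
            else:
                authenticated.pop(conn, None)   # failed bind drops identity
            continue
        if err == LDAP_INSUFFICIENT_ACCESS and PROXY_AUTHZ_TEXT in text:
            hits.append({"conn": conn, "op": op, "tag": tag, "text": text,
                         "bind_dn": authenticated.get(conn, "<anonymous>")})
    return hits


def count_by_bind_dn(log_text):
    """Refusals per bind DN: a rising count on one service DN is the signal."""
    return Counter(h["bind_dn"] for h in find_refused_proxy_authz(log_text))


if __name__ == "__main__":
    for h in find_refused_proxy_authz(SAMPLE_LOG):
        print(f"conn={h['conn']} op={h['op']} tag={h['tag']} "
              f"bind_dn={h['bind_dn']}: {h['text']}")
    print(dict(count_by_bind_dn(SAMPLE_LOG)))
```

Run it on a real log with `python3 script.py < /var/log/slapd.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; a service DN that keeps collecting err=47 entries after a successful bind is either missing its authorization mapping on the directory side or, as in this thread, sending the Proxy Authorization control when it should not.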