Mapping users (either KerberosV or TLS certs)

Phil Pennock info-cyrus-spodhuis at spodhuis.org
Wed Jul 5 20:02:01 EDT 2006


Hi,

[My config's at the bottom; Cyrus IMAP 2.2.12; censored email addresses
 and look-alikes purely against harvesters; timestamps and '[imapd]'
 trimmed from loglines]

I've two questions relating to mapping userids.  I've read
documentation, searched the wiki, googled, and tried this at various
times over the space of a few days, so it's probably not a temporary
local blindness issue.  ;^)  The first issue relates to Kerberos and the
second to TLS+EXTERNAL with client certs.

Kerberos:
 From: Lars Kellogg-Stedman <lars at oddbit.com>
 Subject: Authenticating (with cyradm) using an alternate Kerberos instance?
 Date: Sun, 6 Nov 2005 23:23:27 -0500
 Message-ID: <c27faacf0511062023yb8a9fdai432a6115a82b518f at mail.gmail.com>

Nobody answered Lars then and I'm seeing the same issue; on the
off-chance that I'm hitting a lighter spot in your schedules: can anyone
please explain how to configure Cyrus so that a KerberosV /admin
principal can be treated as a Cyrus admin user?  I've tried inserting
various entries into sasldb to back this up, putting things into
/etc/krb5.equiv as well as various values for "admins:" and I'm stumped.
Help!  Please?
 badlogin: domus.home.globnix.net [192.168.1.101] GSSAPI [SASL(-13): authentication failure: bad userid authenticated]


Trying to get TLS with client certificates and SASL EXTERNAL working, I
find that when connecting to IMAPS on port 993, the client cert is
ignored:
  starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
When connecting on 143 and using STARTTLS, the client cert is not
ignored; anyone know why this might be?  When the client cert is used,
then I can get EXTERNAL offered and used, but I can't see how to
persuade Cyrus to map this to a regular user.  Is this where I need to
be using ptloader and LDAP?  If so, does anyone have sample configs and
LDIF entries for how they manage this, please?

Common:
 subject=/C=NL/.../CN=Phil Pennock/emailAddress=censored at domain.tld
 starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) authenticated as Phil Pennock

Supplying the same usercode as exists in emailAddress:
 badlogin: domus.home.globnix.net [192.168.1.101] EXTERNAL [SASL(-13): authentication failure: user phil pennock is not allowed to proxy]

Supplying no authz:
 login: domus.home.globnix.net [192.168.1.101] phil pennock EXTERNAL+TLS User logged in

>>> a3 CAPABILITY
<<< * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=EXTERNAL SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
<<< a3 OK Completed
>>> a4 AUTHENTICATE EXTERNAL Y2Vuc29yZWQ=
<<< a4 NO authentication failure

Also, can someone please explain why imtest(1) sends "=C:" as the id
when no authzid is provided?  Where does this value come from?  If it is
some kind of CN decode indicator, are there other legal values?  That's
what I see with:
----------------------------8< cut here >8------------------------------
$ imtest -m EXTERNAL -t ~/.mutt/email-client.pair.pem domus
[...]
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=EXTERNAL SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
C: A01 AUTHENTICATE EXTERNAL =C:
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256
----------------------------8< cut here >8------------------------------



Here's the config; I know that keytab's not actually used with GSSAPI,
but I leave it in as harmless -- I set $KRB5_KTNAME in the rc startup
config, which works with Heimdal:
----------------------------8< cut here >8------------------------------
configdirectory:        /home/imap/configs
partition-default:      /home/imap/mail
sievedir:               /home/imap/configs/sieve
tls_cert_file:          /etc/cyrusimapd/domus-imapserver.crt.pem
tls_key_file:           /etc/cyrusimapd/domus-imapserver.key.pem
tls_ca_path:            /etc/ssl/certs/
tls_ca_file:            /usr/share/ca-certificates/globnix/globnixCA.pem
tls_cipher_list:        ALL:!ADH:!EXP:+HIGH:+MEDIUM:!SSLv2:@STRENGTH
admins:                 cyrus xxx-admin xxx/admin xxx/admin at REALM.TLD
umask: 027
hashimapspool:          yes
allowanonymouslogin:    no
allowplaintext:         no
mboxlist_db:            skiplist
seenstate_db:           flat
unixhierarchysep:       yes
sasl_minimum_layer:     0
sasl_mech_list:         external gssapi digest-md5 cram-md5
keytab:                 /etc/kerberos/tabs/imapd.keytab
altnamespace: yes
userprefix: Other Users
sharedprefix: Shared Folders
----------------------------8< cut here >8------------------------------

cyrus.conf SERVICES lines for IMAP are:
  imap     cmd="imapd" listen="imap2" prefork=0
  imaps    cmd="imapd -s" listen="imaps" prefork=2
# value 71 chosen to match that used by LDAP, in LDAP_PVT_SASL_LOCAL_SSF
  imapi    cmd="imapd -p 71" listen="/var/run/imapd.sock" prefork=0 maxchild=32


Thank you for any help which you can provide,
-- 
"Everything has three factors: politics, money, and the right way to do it.
 In that order."  -- Gary Donahue
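Added example, not part of Phil's post and not Cyrus code: a small Python helper for reading the two things the post is juggling, the SASL-IR initial response on the AUTHENTICATE EXTERNAL line (RFC 4959 says a client that wants to send an empty initial response, i.e. "take the identity from the client cert", sends a lone "="; otherwise it base64-encodes the requested authzid) and Cyrus imapd's "login:"/"badlogin:" log lines. The log lines fed to it are copied from the post; the `explain_failure` mapping of the two failure texts is my own reading of Cyrus 2.2's proxy policy (authzid differing from the authenticated identity without admins:/proxyservers: rights; authenticated name rejected by userid canonicalisation) and is an assumption, not something the post confirms.

```python
"""Added example (not from the post, not Cyrus code): build/decode IMAP
AUTHENTICATE EXTERNAL initial responses and parse Cyrus imapd auth log lines."""
import base64
import re
from dataclasses import dataclass
from typing import Optional


def build_authenticate_external(tag: str, authzid: Optional[str]) -> str:
    """Build an IMAP AUTHENTICATE command for SASL EXTERNAL with an initial
    response (SASL-IR, RFC 4959). EXTERNAL's only client message is the
    requested authorization identity (RFC 4422, appendix A); an empty one asks
    the server to derive the identity from the TLS client certificate, and
    RFC 4959 encodes an empty initial response as the single character '='."""
    if not authzid:
        initial = "="
    else:
        initial = base64.b64encode(authzid.encode("utf-8")).decode("ascii")
    return f"{tag} AUTHENTICATE EXTERNAL {initial}"


def decode_initial_response(initial: str) -> str:
    """Inverse of the above: recover the authzid from a traced command."""
    if initial == "=":
        return ""
    return base64.b64decode(initial, validate=True).decode("utf-8")


@dataclass
class AuthEvent:
    ok: bool
    host: str
    ip: str
    mech: str
    user: Optional[str] = None       # known only on success
    tls: bool = False                # "+TLS" suffix on the mechanism
    sasl_code: Optional[int] = None  # SASL result code on failure
    reason: Optional[str] = None     # SASL error text on failure


# Lines are expected with the syslog timestamp and "[imapd]" already stripped,
# exactly as the post shows them.
_HEAD = re.compile(r"^(?P<kind>badlogin|login): (?P<host>\S+) \[(?P<ip>[^\]]+)\] (?P<rest>.+)$")
_FAIL = re.compile(r"^(?P<mech>[A-Z0-9-]+) \[SASL\((?P<code>-?\d+)\): (?P<reason>.+)\]$")
_OK = re.compile(r"^(?P<user>.+?) (?P<mech>[A-Z0-9-]+)(?P<tls>\+TLS)? User logged in$")


def parse_cyrus_auth_line(line: str) -> Optional[AuthEvent]:
    """Parse one imapd 'login:' / 'badlogin:' line; None for anything else."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    host, ip, rest = m.group("host"), m.group("ip"), m.group("rest")
    if m.group("kind") == "badlogin":
        f = _FAIL.match(rest)
        if not f:
            return None
        return AuthEvent(ok=False, host=host, ip=ip, mech=f.group("mech"),
                         sasl_code=int(f.group("code")), reason=f.group("reason"))
    o = _OK.match(rest)
    if not o:
        return None
    # The username may contain spaces (the CN "Phil Pennock" lowercased).
    return AuthEvent(ok=True, host=host, ip=ip, mech=o.group("mech"),
                     user=o.group("user"), tls=o.group("tls") is not None)


def explain_failure(ev: AuthEvent) -> str:
    """Map the two failure texts from the post to the check that produced them.
    ASSUMPTION: this is my reading of Cyrus 2.2's SASL proxy policy."""
    if ev.ok:
        return "success"
    reason = ev.reason or ""
    if "not allowed to proxy" in reason:
        return ("authzid differs from the authenticated identity and that identity "
                "is neither in admins: nor in proxyservers:")
    if "bad userid authenticated" in reason:
        return "the authenticated identity was rejected by userid canonicalisation"
    return "other SASL failure"


# Log lines copied from the post (not constructed).
SAMPLE_LINES = [
    "badlogin: domus.home.globnix.net [192.168.1.101] GSSAPI [SASL(-13): authentication failure: bad userid authenticated]",
    "badlogin: domus.home.globnix.net [192.168.1.101] EXTERNAL [SASL(-13): authentication failure: user phil pennock is not allowed to proxy]",
    "login: domus.home.globnix.net [192.168.1.101] phil pennock EXTERNAL+TLS User logged in",
]


if __name__ == "__main__":
    print(build_authenticate_external("a4", "censored"))   # matches the post's a4 line
    print(build_authenticate_external("A01", None))        # empty initial response
    for ln in SAMPLE_LINES:
        ev = parse_cyrus_auth_line(ln)
        print(ev.mech, ev.user or ev.sasl_code, "->", explain_failure(ev))
```

Run it stand-alone to see that the post's "a4 AUTHENTICATE EXTERNAL Y2Vuc29yZWQ=" is simply the base64 of the authzid "censored", and that the successful login recorded the lowercased certificate CN ("phil pennock") as the user, which is why sending the e-mail address as authzid then looks like a proxy attempt rather than a plain login.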