<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
<p>Hi all,</p>
<p>I configured cyrus-imapd to authenticate through cyrus-sasl with the ldapdb auxprop.
I did all the tests suggested in the cyrus-imap, cyrus-sasl, and openldap documentation,
but when trying with the telnet command I got this error:</p>
<pre>
firewall:/usr/lib/sasl2 # telnet localhost imap
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED AUTH=CRAM-MD5 AUTH=DIGEST-MD5 SASL-IR COMPRESS=DEFLATE] firewall Cyrus IMAP v2.3.16 server ready
LOGIN test secret1
LOGIN BAD Please login first
</pre>
<p>I looked at all the logs, but they only showed these lines:</p>
<pre>
Nov 25 18:29:52 firewall master[10454]: about to exec /usr/lib/cyrus/bin/imapd
Nov 25 18:29:52 firewall imap[10454]: executed
Nov 25 18:29:52 firewall imap[10454]: IOERROR: opening /var/lib/imap/user_deny.db: No such file or directory
Nov 25 18:29:52 firewall imap[10454]: accepted connection
</pre>
<p>It seems that cyrus-imapd isn't authenticating at all with cyrus-sasl.</p>
<p>I tested imtest, cyradm and pluginviewer and I got the expected results (please see the TESTS section below).</p>
<p>I also tested my openldap configuration (proxy configuration) with the ldapwhoami command with no problem (please see the TESTS section below).
At the bottom of this mail is all the software used and its config files.</p>
<p>I don't know what else to do to solve it; any hint will be appreciated.</p>
<p>Fernando</p>
<p>INSTALLED SOFTWARE</p>
<pre>
OPENSUSE 11.3
cyrus-sasl-gssapi-2.1.23-11.1.i586
cyrus-sasl-ldap-auxprop-2.1.23-11.2.i586
cyrus-sasl-saslauthd-2.1.23-11.2.i586
cyrus-sasl-2.1.23-11.1.i586
cyrus-sasl-plain-2.1.23-11.1.i586
cyrus-sasl-digestmd5-2.1.23-11.1.i586
perl-Cyrus-SIEVE-managesieve-2.3.16-7.2.i586
cyrus-imapd-2.3.16-7.2.i586
cyrus-sasl-crammd5-2.1.23-11.1.i586
perl-Cyrus-IMAP-2.3.16-7.2.i586
openldap2-2.4.21-9.1.i586
</pre>
<p>TESTS</p>
<pre>
firewall:/var/log # imtest -m digest-md5 -a cyrus -u fernandito -v localhost

S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED AUTH=CRAM-MD5 AUTH=DIGEST-MD5 SASL-IR COMPRESS=DEFLATE] firewall Cyrus IMAP v2.3.16 server ready
C: A01 AUTHENTICATE DIGEST-MD5
S: + bm9uY2U9IkhxQU93ZWlTb0p2eUNIUzRaREs1NG80YWRQRnJGUFl5NjdiSVVaVW1jcjQ9IixyZWFsbT0iZmlyZXdhbGwiLHFvcD0iYXV0aCxhdXRoLWludCxhdXRoLWNvbmYiLGNpcGhlcj0icmM0LTQwLHJjNC01NixyYzQsZGVzLDNkZXMiLG1heGJ1Zj00MDk2LGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz
Please enter your password: {cyrus-password}
C: dXNlcm5hbWU9ImN5cnVzIixyZWFsbT0iZmlyZXdhbGwiLGF1dGh6aWQ9ImZlcm5hbmRpdG8iLG5vbmNlPSJIcUFPd2VpU29KdnlDSFM0WkRLNTRvNGFkUEZyRlBZeTY3YklVWlVtY3I0PSIsY25vbmNlPSJ5WW02VHpxMmxJMDlrUlM4NVZ0RlV1M1BWTThnQjZUUGRsRVZjSzlQYnU4PSIsbmM9MDAwMDAwMDEscW9wPWF1dGgtY29uZixjaXBoZXI9cmM0LG1heGJ1Zj0xMDI0LGRpZ2VzdC11cmk9ImltYXAvbG9jYWxob3N0IixyZXNwb25zZT1hZWYyNDAwNDZkOGJmZWYxZmEzMWU5MzQwNmFkOGMwZg==
S: + cnNwYXV0aD1iMjE4MjcxNmZjOTFkNjU2ZDI3ZTQ5NmRmNzljYzRhNw==
C:
S: A01 OK Success (privacy protection)
Authenticated.
Security strength factor: 128
Asking for capabilities again since they might have changed
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED AUTH=CRAM-MD5 AUTH=DIGEST-MD5 COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE X-NETSCAPE URLAUTH
S: C01 OK Completed

firewall:/usr/lib/sasl2 # pluginviewer -a
Installed auxprop mechanisms are:
ldapdb sasldb
List of auxprop plugins follows
Plugin "ldapdb" , API version: 4
 supports store: yes

Plugin "sasldb" , API version: 4
 supports store: yes

firewall:/var/log # cyradm --user cyrus --authz fernandito --auth digest-md5 localhost
Password:{cyrus password}
localhost&gt; lm
INBOX (\HasNoChildren)

firewall:/usr/lib/sasl2 # ldapwhoami -U cyrus -X u:test -Y digest-md5
SASL/DIGEST-MD5 authentication started
Please enter your password: {cyrus-password}
SASL username: u:test
SASL SSF: 128
SASL data security layer installed.
dn:uid=test,ou=people,dc=plainjoe,dc=org
</pre>
<p>CONFIG FILES</p>
<p>/etc/imapd.conf</p>
<pre>
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sievedir: /var/lib/sieve
admins: cyrus proxyuser
allowanonymouslogin: no
autocreatequota: 10000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
unixhierarchysep: 1
virtdomains: yes
defaultdomain: plainjoe.org

# this one uses saslauthd
#sasl_pwcheck_method: saslauthd
#sasl_saslauthd_path: /var/run/sasl2/mux

# this section is for authentication via the auxiliary plugin: ldapdb
sasl_log_level: 7
sasl_mech_list: DIGEST-MD5 PLAIN LOGIN CRAM-MD5 EXTERNAL
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://localhost
sasl_ldapdb_id: cyrus
sasl_ldapdb_pw: secret
sasl_ldapdb_mech: DIGEST-MD5
sasl_auto_transition: no
lmtp_overquota_perm_failure: no
lmtp_downcase_rcpt: yes
#
# if you want TLS, you have to generate certificates and keys
#
#tls_cert_file: /usr/ssl/certs/cert.pem
#tls_key_file: /usr/ssl/certs/skey.pem
#tls_ca_file: /usr/ssl/CA/CAcert.pem
#tls_ca_path: /usr/ssl/CA
firewall:/usr/lib/sasl2 #
</pre>
<p>/etc/cyrus.conf</p>
<pre>
# standard standalone server implementation

START {
 # do not delete this entry!
 recover cmd="ctl_cyrusdb -r"

 # this is only necessary if using idled for IMAP IDLE
 idled cmd="idled"
}

# UNIX sockets start with a slash and are put into /var/lib/imap/socket
SERVICES {
 # add or remove based on preferences
 imap cmd="imapd" listen="imap" prefork=0
# imaps cmd="imapd -s" listen="imaps" prefork=0
 pop3 cmd="pop3d" listen="pop3" prefork=0
# pop3s cmd="pop3d -s" listen="pop3s" prefork=0
 sieve cmd="timsieved" listen="sieve" prefork=0

 # at least one LMTP is required for delivery
# lmtp cmd="lmtpd" listen="lmtp" prefork=0
 lmtpunix cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=0

 # this is only necessary if using notifications
# notify cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
}

EVENTS {
 # this is required
 checkpoint cmd="ctl_cyrusdb -c" period=30

 # this is only necessary if using duplicate delivery suppression
 delprune cmd="cyr_expire -E 3" at=0400

 # this is only necessary if caching TLS sessions
 tlsprune cmd="tls_prune" at=0400

 # Uncomment the next entry, if you want to automatically remove
 # old messages of EVERY user.
 # This example calls ipurge every 60 minutes and ipurge will delete
 # ALL messages older than 30 days.
 # enter 'man 8 ipurge' for more details

 # cleanup cmd="ipurge -d 30 -f" period=60
}
</pre>
<p>/etc/openldap/slapd.conf</p>
<pre>
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/yast.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

loglevel -1
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Load dynamic backend modules:
# modulepath /usr/lib/openldap/modules
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access to user password
# Allow anonymous users to authenticate
# Allow read access to everything else
# Directives needed to implement policy:
#access to dn.base=""
# by * read

#access to dn.base="cn=Subschema"
# by * read

#access to attrs=userPassword,userPKCS12
access to attrs=userPassword
 by dn.base="uid=proxyuser,ou=people,dc=plainjoe,dc=org" manage
 by dn.base="uid=cyrus,ou=people,dc=plainjoe,dc=org" manage
 by anonymous auth
 by self write
 by users read
 by * none
# by * auth

#access to attrs=shadowLastChange
# by self write
# by * read

access to *
 by * read

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=plainjoe,dc=org"
checkpoint 1024 5
cachesize 10000
rootdn "cn=Manager,dc=plainjoe,dc=org"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# the password is: secret (in ssha)
#rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
rootpw secret1
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass eq
index cn,sn,mail eq,sub
index departmentNumber eq

## -- master slapd --
# Specify the location of the file to append changes to.
#replogfile /var/log/slapd.replog
## -- master slapd --
# Set the hostname and bind credentials used to propagate the changes in the
# replogfile.
#replica host=replica1.plainjoe.org:389
# suffix="dc=plainjoe,dc=org"
# binddn="cn=replica,dc=plainjoe,dc=org"
# credentials=MyPass
# bindmethod=simple
# tls=no

#To use secrets stored in the LDAP directory, place plaintext passwords in the userPassword attribute
password-hash {CLEARTEXT}

# proxying users in order to use sasl
authz-policy to
authz-regexp "^uid=([^,]+).*,cn=[^,]*,cn=auth$"
 "ldap:///dc=plainjoe,dc=org??sub?(uid=$1)"
# this is the option that apparently works; go back to it if the one above does not work
#authz-regexp
# uid=([^,]*),cn=[^,]*,cn=auth
# uid=$1,ou=people,dc=plainjoe,dc=org

# ldap:///dc=plainjoe,dc=org??sub?(|(uniqueIdentifier=$1)(mail=$1))
# uid=$1,ou=people,dc=plainjoe,dc=org
# uid=(.*),cn=.*,cn=auth
#binddn "uid=proxyuser,ou=people,dc=plainjoe,dc=org" credentials=proxyuser mode=self

#sasl-authz-policy to
#sasl-regexp
# uid=(.*),cn=DIGEST-MD5,cn=auth
# uid=$1,ou=people,dc=plainjoe,dc=org
#sasl-auxprops slapd
#sasl-host localhost

#sasl-secprops
# 2nd attempt with sasl
#sasl-regexp uid=(.*),cn=firewall,cn=DIGEST-MD5,cn=auth uid=$1,ou=People,dc=plainjoe,dc=org
firewall:/usr/lib/sasl2 #
</pre>
<p>/etc/sasl2/slapd.conf</p>
<pre>
auxprop_plugin: slapd
</pre>
<p>DATA STORED ON OPENLDAP SERVER</p>
<pre>
firewall:/usr/lib/sasl2 # slapcat
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
dn: dc=plainjoe,dc=org
dc: plainjoe
objectClass: dcObject
objectClass: organizationalUnit
ou: PlainJoe Dot Org
structuralObjectClass: organizationalUnit
entryUUID: 0335be26-7c73-102f-8bd2-599020d843b8
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101104152159Z
entryCSN: 20101104152159.733766Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101104152159Z

dn: ou=people,dc=plainjoe,dc=org
ou: people
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 033e9352-7c73-102f-8bd3-599020d843b8
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101104152159Z
entryCSN: 20101105231448.878588Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101105231448Z

dn: uid=proxyuser,ou=people,dc=plainjoe,dc=org
uid: proxyuser
cn: proxyuser
gidNumber: 10002
uidNumber: 10002
homeDirectory: /dev/null
objectClass: account
objectClass: posixAccount
userPassword:: c2VjcmV0
authzTo: ldap:///ou=people,dc=plainjoe,dc=org??sub?(objectClass=account)
structuralObjectClass: account
entryUUID: 4aeeb5cc-86d4-102f-9773-4f0c54ef34bf
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101117202332Z
entryCSN: 20101117202332.874731Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101117202332Z

dn: uid=test,ou=people,dc=plainjoe,dc=org
uid: test
cn: testeo principal
gidNumber: 10001
uidNumber: 10001
homeDirectory: /dev/null
objectClass: account
objectClass: posixAccount
userPassword:: c2VjcmV0MQ==
structuralObjectClass: account
entryUUID: 56c7ff24-86d5-102f-9775-4f0c54ef34bf
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101117203102Z
entryCSN: 20101117203102.250410Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101117203102Z

dn: uid=cyrus,ou=people,dc=plainjoe,dc=org
uid: cyrus
cn: cyrus
gidNumber: 10003
uidNumber: 10003
homeDirectory: /dev/bash
objectClass: account
objectClass: posixAccount
userPassword:: c2VjcmV0
authzTo: ldap:///dc=plainjoe,dc=org??sub?(objectClass=account)
structuralObjectClass: account
entryUUID: 441f0088-8cee-102f-9457-c7c68dbb10c9
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101125144435Z
entryCSN: 20101125144435.338805Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101125144435Z

dn: ou=policies,dc=plainjoe,dc=org
objectClass: organizationalUnit
objectClass: top
ou: policies
structuralObjectClass: organizationalUnit
entryUUID: edc640e2-8cee-102f-9458-c7c68dbb10c9
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101125144919Z
entryCSN: 20101125144919.969853Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101125144919Z

dn: uid=fernandito,ou=people,dc=plainjoe,dc=org
uid: fernandito
cn: Fernandito Torrez
gidNumber: 10000
uidNumber: 10000
homeDirectory: /dev/null
objectClass: account
objectClass: posixAccount
userPassword:: ZmVybmFuZGl0bw==
structuralObjectClass: account
entryUUID: 53f4b2a0-8cf3-102f-86d4-9f29e1236af7
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101125152049Z
entryCSN: 20101125152049.388753Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101125152049Z
</pre>
</body>
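Two layers of the setup above can be checked offline, which helps separate an IMAP protocol framing problem from an LDAP identity-mapping problem. The following Python script is an added example written for this page, not code from the post or from Cyrus or OpenLDAP. Its first part models how an RFC 3501 server reads a client line: the first token is always the tag and the second the command, so a line typed as `LOGIN test secret1` is parsed with tag `LOGIN` and command `TEST`, and an unknown command in the not-authenticated state is answered `<tag> BAD Please login first`, which is exactly the reply shown in the telnet session. It also models the `LOGINDISABLED` capability advertised in the banner: cleartext LOGIN is refused until a TLS or SASL security layer exists, so DIGEST-MD5 via imtest succeeds where LOGIN cannot (the `NO` reply text used here is illustrative, not Cyrus's exact wording). The second part applies the `authz-regexp` rule from the posted slapd.conf to the synthetic SASL DN form `uid=<user>[,cn=<realm>],cn=<mech>,cn=auth` documented in slapd.conf(5), and resolves the resulting search URI against a constructed in-memory subset of the slapcat output, reproducing the `dn:uid=test,...` result of the ldapwhoami test. The directory entries, the `sasl_identity_dn` helper and the minimal `(uid=...)` filter evaluator are assumptions of this example.

```python
import re

# ---- Part 1: IMAP command framing (RFC 3501, section 2.2.1) ----

# Commands a server accepts while not yet authenticated; anything else in that
# state gets a tagged BAD (Cyrus phrases it "Please login first").
PRE_AUTH_COMMANDS = {"CAPABILITY", "NOOP", "LOGOUT", "STARTTLS",
                     "AUTHENTICATE", "LOGIN", "ID"}

# Capabilities copied from the server banner in the post.
BANNER_CAPS = ("IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED AUTH=CRAM-MD5 "
               "AUTH=DIGEST-MD5 SASL-IR COMPRESS=DEFLATE").split()


def parse_imap_command(line):
    """Split a client line into (tag, COMMAND, args) the way a server does:
    the first token is always taken as the tag, the second as the command."""
    tokens = line.strip().split()
    if len(tokens) < 2:
        raise ValueError("an IMAP command line needs at least a tag and a command")
    tag, command, *args = tokens
    return tag, command.upper(), args


def unauthenticated_response(line, caps=BANNER_CAPS):
    """Model the reply to one client line while in the not-authenticated state."""
    tag, command, args = parse_imap_command(line)
    if command not in PRE_AUTH_COMMANDS:
        return f"{tag} BAD Please login first"
    if command == "LOGIN" and "LOGINDISABLED" in caps:
        # Illustrative wording: cleartext LOGIN is refused without a security layer.
        return f"{tag} NO LOGIN disabled until a security layer is negotiated"
    if command == "LOGIN" and len(args) != 2:
        return f"{tag} BAD Missing required argument to Login"
    return f"{tag} OK {command} accepted"


# ---- Part 2: slapd authz-regexp mapping, using the rule from the posted slapd.conf ----

AUTHZ_REGEXP = re.compile(r"^uid=([^,]+).*,cn=[^,]*,cn=auth$")
AUTHZ_TEMPLATE = "ldap:///dc=plainjoe,dc=org??sub?(uid=$1)"

# Constructed subset of the slapcat output: DN -> uid attribute value.
DIRECTORY = {
    "uid=proxyuser,ou=people,dc=plainjoe,dc=org": "proxyuser",
    "uid=test,ou=people,dc=plainjoe,dc=org": "test",
    "uid=cyrus,ou=people,dc=plainjoe,dc=org": "cyrus",
    "uid=fernandito,ou=people,dc=plainjoe,dc=org": "fernandito",
}


def sasl_identity_dn(user, mech="DIGEST-MD5", realm=None):
    """Build the synthetic DN slapd forms for a SASL identity before authz-regexp runs
    (assumed helper; the DN shape follows slapd.conf(5))."""
    parts = [f"uid={user}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech}", "cn=auth"]
    return ",".join(parts)


def apply_authz_regexp(sasl_dn):
    """Rewrite the SASL DN into the search URI, or None when the rule does not match."""
    m = AUTHZ_REGEXP.match(sasl_dn)
    if not m:
        return None
    return AUTHZ_TEMPLATE.replace("$1", m.group(1))


def resolve_search_uri(uri, directory=DIRECTORY):
    """Evaluate an 'ldap:///<base>??sub?(uid=<x>)' URI against the in-memory entries.
    Returns the single matching DN, or None for zero or several matches, since
    slapd only accepts the mapping when exactly one entry is found.
    uid uses caseIgnoreMatch, so the comparison is case-insensitive."""
    m = re.fullmatch(r"ldap:///([^?]*)\?\?sub\?\(uid=([^)]*)\)", uri)
    if not m:
        raise ValueError("only '??sub?(uid=...)' URIs are modelled here")
    base, uid = m.group(1).lower(), m.group(2).lower()
    hits = [dn for dn, u in directory.items()
            if u.lower() == uid and dn.lower().endswith(base)]
    return hits[0] if len(hits) == 1 else None


def map_sasl_user(user, realm=None):
    """Full pipeline: SASL identity -> authz-regexp -> directory lookup -> DN or None."""
    uri = apply_authz_regexp(sasl_identity_dn(user, realm=realm))
    return resolve_search_uri(uri) if uri else None


if __name__ == "__main__":
    for line in ("LOGIN test secret1", "a01 LOGIN test secret1", "a02 CAPABILITY"):
        print(f"C: {line}\nS: {unauthenticated_response(line)}")
    for user, realm in (("test", None), ("test", "firewall"), ("nobody", None)):
        dn = sasl_identity_dn(user, realm=realm)
        print(f"{dn} -> {apply_authz_regexp(dn)} -> {map_sasl_user(user, realm)}")
```

Running the script shows the untagged line being answered `LOGIN BAD Please login first` while a tagged `a01 LOGIN ...` is refused only because of `LOGINDISABLED`, and shows the same user mapping to the same DN whether or not the realm component `cn=firewall` is present, which is the part of the slapd configuration the ldapwhoami test already confirmed.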
</html>