Cyrus + SASL + PAM + LDAP

Imre Veres imre.veres at gmail.com
Thu May 4 08:21:24 EDT 2006


Hi All,

I have a problem that may be globally Cyrus- and SASL-related, but I have a
feeling it's more SASL. So, first the obligatory versions: Ubuntu
server 5.04, cyrus 2.1.18-1ubuntu1, openldap 2.2.26-3, cyrus-sasl2
2.1.19-1.5ubuntu4

PAM<->LDAP seems to work well; I can do ssh logins with LDAP users. I
guess the cyrus-imapd settings are good too, because I can do plaintext
IMAP logins with users in sasldb. My problem is that I cannot log into
the IMAP server with an LDAP user (which is not included in sasldb, of
course).

Let's see what I've done so far:

/etc/imapd.conf:
-----
sasl_pwcheck_method: auxprop
sasl_mech_list: plain login
sasl_minimum_layer: 0

If I set sasl_pwcheck_method to saslauthd I can no longer authenticate
with sasldb users either (so imap and cyradm login won't work).

/etc/default/saslauthd:
------
START=yes
MECHANISMS="pam"

I've tried with MECHANISMS="pam ldap" but it did not work.

My /etc/pam.d/imap looks like this:
------
auth        sufficient   /lib/security/pam_ldap.so
account     sufficient   /lib/security/pam_ldap.so

Now if I try with an LDAP user I can see this:

# imtest -a testuser -l0 -m login 192.168.1.10

S: * OK gape Cyrus IMAP4 v2.1.18-IPv6-Debian-2.1.18-1ubuntu1 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE ANNOTATEMORE
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN testuser {8}
S: + go ahead
C: <omitted>
S: L01 NO Login failed: user not found
Authentication failed. generic failure
Security strength factor: 0

and if I try to log on with a sasldb user (I use this user for the LMTP
connection, by the way):

imtest -a lmtpuser -l0 -m login 192.168.1.10
S: * OK gape Cyrus IMAP4 v2.1.18-IPv6-Debian-2.1.18-1ubuntu1 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE ANNOTATEMORE
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN lmtpuser {10}
S: + go ahead
C: <omitted>
S: L01 OK User logged in
Authenticated.
Security strength factor: 0

So you can see it's working. Logs:

May  4 14:13:48 gape cyrus/imapd[6948]: badlogin:
gape.company.hu[192.168.1.10] plaintext testuser SASL(-13): user not
found: checkpass failed
May  4 14:14:45 gape cyrus/imapd[6948]: telling master 1
May  4 14:14:45 gape cyrus/master[6604]: service imap pid 6948 in BUSY
state: now available and in READY state
May  4 14:14:45 gape cyrus/master[6604]: service imap now has 1 ready workers
May  4 14:14:53 gape cyrus/imapd[6948]: telling master 2
May  4 14:14:53 gape cyrus/imapd[6948]: accepted connection
May  4 14:14:53 gape cyrus/imapd[6948]: telling master 3
May  4 14:14:53 gape cyrus/master[6604]: service imap pid 6948 in
READY state: now unavailable and in BUSY state
May  4 14:14:53 gape cyrus/master[6604]: service imap now has 0 ready workers
May  4 14:14:53 gape cyrus/master[6604]: service imap pid 6948 in BUSY
state: now serving connection
May  4 14:14:53 gape cyrus/master[6604]: service imap now has 0 ready workers
May  4 14:14:56 gape cyrus/imapd[6948]: login:
gape.company.hu[192.168.1.10] lmtpuser plaintext
May  4 14:16:16 gape cyrus/imapd[6948]: telling master 1
May  4 14:16:16 gape cyrus/master[6604]: service imap pid 6948 in BUSY
state: now available and in READY state
May  4 14:16:16 gape cyrus/master[6604]: service imap now has 1 ready workers

Now I'm a little clueless. Cyrus authentication works with sasldb. I
can log in with LDAP users through PAM. How can I force SASL to use PAM
if it cannot find the user in sasldb?

Thanks in advance,

Imre Veres
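Not part of Imre's post: an added example that turns the cyrus/imapd `badlogin:` / `login:` syslog lines quoted above into a small detection pass, separating "user not found" failures (the backend mismatch seen in this thread) from ordinary authentication failures and flagging repeated failures per source and user. The sample log lines are constructed to match the format shown above (one event per line, as syslog writes it); the threshold and bucket names are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the cyrus/imapd syslog lines in the post
# (each event on one line, as syslog writes it; the mail copy is wrapped).
SAMPLE_LOG = """\
May  4 14:13:48 gape cyrus/imapd[6948]: badlogin: gape.company.hu[192.168.1.10] plaintext testuser SASL(-13): user not found: checkpass failed
May  4 14:14:56 gape cyrus/imapd[6948]: login: gape.company.hu[192.168.1.10] lmtpuser plaintext
May  4 14:15:02 gape cyrus/imapd[6950]: badlogin: gape.company.hu[192.168.1.10] plaintext testuser SASL(-13): user not found: checkpass failed
May  4 14:15:40 gape cyrus/imapd[6950]: badlogin: mx.example.net[10.0.0.7] plaintext lmtpuser SASL(-13): authentication failure
May  4 14:16:16 gape cyrus/imapd[6948]: telling master 1
"""

PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ cyrus/imapd\[\d+\]: "
BADLOGIN_RE = re.compile(PREFIX + r"badlogin: (?P<host>\S+?)\[(?P<ip>[^\]]+)\] "
                         r"(?P<mech>\S+) (?P<user>\S+) SASL\((?P<code>-?\d+)\): (?P<reason>.*)$")
LOGIN_RE = re.compile(PREFIX + r"login: (?P<host>\S+?)\[(?P<ip>[^\]]+)\] (?P<user>\S+) (?P<mech>\S+)$")


def parse_events(text):
    """Return a list of dicts for login/badlogin lines; other imapd chatter is ignored."""
    events = []
    for line in text.splitlines():
        m = BADLOGIN_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ok"], ev["code"] = False, int(ev["code"])  # SASL result code, e.g. -13
            events.append(ev)
            continue
        m = LOGIN_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ok"] = True
            events.append(ev)
    return events


def summarize(events, threshold=2):
    """Bucket failures into 'user not found' (backend/config mismatch, as in the post)
    and other failures (wrong password etc.); flag (ip, user) pairs at or over threshold."""
    unknown, other, plaintext_ok = Counter(), Counter(), Counter()
    for ev in events:
        key = (ev["ip"], ev["user"])
        if not ev["ok"]:
            bucket = unknown if ev["reason"].startswith("user not found") else other
            bucket[key] += 1
        elif ev["mech"] == "plaintext":   # successful plaintext logins are worth knowing about too
            plaintext_ok[key] += 1
    flagged = sorted(k for c in (unknown, other) for k, n in c.items() if n >= threshold)
    return {"unknown_user": dict(unknown), "other_failures": dict(other),
            "plaintext_logins": dict(plaintext_ok), "flagged": flagged}


if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE_LOG)))
```

A burst of "user not found" for a user who does exist in LDAP points at the pwcheck backend, not at a password-guessing attempt, so the two buckets deserve different responses.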

