Can't get SASL Authentication to work

Doug Campbell doug at bpta.net
Wed Oct 25 06:11:13 EDT 2006


Sorry to cross-post.  Immediately after I sent this to the OpenLDAP list I realized it probably would be better answered here...

I am trying to set up postfix and cyrus-imapd to authenticate using SASL Proxy Authentication to OpenLDAP.

I had this working on another machine about a year back and have tried using the same procedure that I used to get that machine working, but so far I am unsuccessful.

My setup steps are shown below but let me show the tests I am doing:

I have a user (fred) in ldap with the following information:

dn: uid=fred,ou=people,dc=securemail,dc=swro,dc=local
uid: fred
cn: Fred Flintstone
homeDirectory: /home/fred
uidNumber: 501
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
gidNumber: 501
gecos: Fred Flintstone
sn: Flintstone
givenName: Fred
shadowLastChange: 12990
loginShell: /sbin/nologin
userPassword:: d2lsbWE=
mail: fred at excel-pacific.com

dn: cn=fred,ou=group,dc=securemail,dc=swro,dc=local
gidNumber: 501
cn: fred
objectClass: posixGroup


I try to use SMTP AUTH to authenticate fred to the postfix server by doing the following:

# openssl s_client -connect localhost:25 -starttls smtp

220 securemail.swro.local ESMTP Postfix
ehlo swro.local
250-securemail.swro.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH DIGEST-MD5 PLAIN LOGIN
250-AUTH=DIGEST-MD5 PLAIN LOGIN
250 8BITMIME
auth login
334 VXNlcm5hbWU6
ZnJlZA==
334 UGFzc3dvcmQ6
d2lsbWE=
535 Error: authentication failed

FAILED!


I try to use DIGEST-MD5 with the cyrus-imap by doing the following:

# imtest -a fred -m DIGEST-MD5

S: * OK securemail.swro.local Cyrus IMAP4 v2.3.1-Invoca-RPM-2.3.1-2.6.fc5 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL RIGHTS=kxte QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE IDLE STARTTLS AUTH=DIGEST-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
C: A01 AUTHENTICATE DIGEST-MD5
S: + bm9uY2U9IituMWFTUVR2akp2THl1S1lVcEhUS3FDeEt3YitXTnFFN2ltREdyM293bHc9IixyZWFsbT0ic2VjdXJlbWFpbC5zd3JvLmxvY2FsIixxb3A9ImF1dGgsYXV0aC1pbnQsYXV0aC1jb25mIixjaXBoZXI9InJjNC00MCxyYzQtNTYscmM0LGRlcywzZGVzIixtYXhidWY9NDA5NixjaGFyc2V0PXV0Zi04LGFsZ29yaXRobT1tZDUtc2Vzcw==
base64 decoding error
Authentication failed. generic failure
Security strength factor: 0

FAILED!  I don't even get prompted to enter my password.


I have tried turning on logging for OpenLDAP but I can't make out what is wrong.  I know that on my server that works, I get messages with PROXYAUTHZ but I don't see anything like that here.

What other information can I provide?

My setup process is shown below.

Grateful for any help!

Doug 

Here is the procedure I am using:

1. Started with fresh install of Fedora Core 5
2. yum install postfix cyrus-imapd cyrus-imapd-utils
3. Download cyrus-sasl-2.1.22 and Install using

./configure --prefix=/usr/local --with-plugindir=/usr/local/lib/sasl2 --with-rc4 \
--with-dblib=berkeley --enable-anon --enable-cram --enable-digest --enable-plain \
--enable-login --enable-ntlm

make sasldir=/usr/local/lib/sasl2

make install sasldir=/usr/local/lib/sasl2



4.  Backup/Remove existing FC5 SASL stuff

mv /usr/lib/sasl2 /usr/lib/sasl2.fc5
ln -s /usr/local/lib/sasl2 /usr/lib/sasl2

mv /usr/lib/libsasl2.a libsasl2.a.fc5

ln -s /usr/local/lib/libsasl2.la /usr/lib/libsasl2.la

ln -s /usr/local/lib/libsasl2.so.2.0.22 /usr/lib/libsasl2.so.2.0.22

ldconfig

rm libsasl2.so
ln -s libsasl2.so.2.0.22 libsasl2.so



5.  Download openldap.2.3.28 and Install using

./configure --prefix=/usr/local --with-slapd --with-slurpd --without-ldapd --with-threads=posix \
--enable-local --enable-ldap --disable-rlookups --with-tls --with-cyrus-sasl --enable-bdb \
--enable-wrappers --enable-passwd --enable-shell --enable-cleartext --enable-crypt --enable-spasswd \
--enable-modules --disable-sql --enable-aci --libexecdir=/usr/local/sbin --localstatedir=/var

make depend

make

make test

make install datadir=/var/lib/ldap libexecdir=/usr/local/sbin localstatedir=/var sysconfigdir=/etc/openldap



6.  Edited my /etc/init.d/ldap startup script and replaced the locations for slapd, slurpd and slaptest with their new locations AND changed the value of hargs to "ldap:/// ldapi:///"  from  "ldap:///"


7.  Rebuild cyrus-sasl

make distclean

./configure --prefix=/usr/local --with-plugindir=/usr/local/lib/sasl2 --with-rc4 \
--with-dblib=berkeley --enable-anon --enable-cram --enable-digest --enable-plain \
--enable-login --enable-ntlm --enable-ldapdb

make sasldir=/usr/local/lib/sasl2

make install sasldir=/usr/local/lib/sasl2



7.  Created /usr/local/lib/sasl2/slapd.conf and put the following in it:

auxprop_plugin: slapd


8.  Also created /usr/local/lib/sasl2/smtpd.conf and put the following in it:

pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: PLAIN LOGIN DIGEST-MD5
ldapdb_uri: ldapi://%2Fvar%2Frun%2Fldapi/
ldapdb_mech: EXTERNAL


9.  Added the following lines to my OpenLDAP slapd.conf file

password-hash {CLEARTEXT}
authz-policy to
authz-regexp uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth
        ldap:///dc=securemail,dc=swro,dc=local??sub?(&(uidNumber=$1)(gidNumber=$2))

authz-regexp uid=(.*),cn=external,cn=auth
        ldap:///dc=securemail,dc=swro,dc=local??sub?(uid=$1)


10.  Modified /etc/imapd.conf to look like this:

configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_mech_list: digest-md5
sasl_ldapdb_uri: ldapi://%2Fvar%2Frun%2Fldapi/
sasl_ldapdb_mech: EXTERNAL
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt


11.  Added the following line to my /etc/ldap.conf  (PADL)

uri ldapi://%2Fvar%2Frun%2Fldapi/


12.  Added the following ldif for the cyrus account:

dn: uid=cyrus,ou=people,dc=securemail,dc=swro,dc=local
uid: cyrus
cn: Cyrus IMAP Server
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 12934
loginShell: /bin/bash
uidNumber: 76
gidNumber: 12
homeDirectory: /var/lib/imap
gecos: Cyrus IMAP Server
authzTo: dn.regex: uid=.*,ou=people,dc=securemail,dc=swro,dc=local


13.  Added the following ldif for the postfix account:

dn: uid=postfix,ou=people,dc=securemail,dc=swro,dc=local
uid: postfix
cn: Postfix SMTP Server
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 12934
loginShell: /bin/bash
uidNumber: 89
gidNumber: 89
homeDirectory: /var/spool/postfix
gecos: Postfix SMTP Server
authzTo: dn.regex: uid=uid=.*,ou=people,dc=securemail,dc=swro,dc=local


14.  Postfix configuration

Added the following lines to my postfix main.cf file

smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/pki/tls/certs/cyrus-imapd.pem
smtpd_tls_cert_file = /etc/pki/tls/certs/cyrus-imapd.pem
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains

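The imtest run above stops at "base64 decoding error" on the server's DIGEST-MD5 challenge. As an added example (not code from the post, Cyrus SASL or Cyrus IMAP), the Python below strictly base64-decodes the exact challenge string printed in the "S: +" line, parses it into RFC 2831 directives, and runs the checks a client or an auditor reading a capture would apply: required directives, realm, charset, and the cipher list the server offers for auth-conf. Decoding the challenge this way shows what the server actually sent, independently of the client library. The expected realm passed to the review function and the weak-cipher list are this example's own assumptions.

```python
import base64
import binascii
import re

# Server challenge exactly as imtest printed it in the post above (the
# "S: +" line); copied from the page, not constructed.
CHALLENGE_B64 = (
    "bm9uY2U9IituMWFTUVR2akp2THl1S1lVcEhUS3FDeEt3YitXTnFFN2ltREdyM293bHc9Iixy"
    "ZWFsbT0ic2VjdXJlbWFpbC5zd3JvLmxvY2FsIixxb3A9ImF1dGgsYXV0aC1pbnQsYXV0aC1j"
    "b25mIixjaXBoZXI9InJjNC00MCxyYzQtNTYscmM0LGRlcywzZGVzIixtYXhidWY9NDA5Nixj"
    "aGFyc2V0PXV0Zi04LGFsZ29yaXRobT1tZDUtc2Vzcw=="
)

# One RFC 2831 directive: token "=" (token | quoted-string), comma separated.
# Quoted values may themselves contain commas (qop, cipher) and backslash escapes.
_DIRECTIVE = re.compile(
    r'\s*([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^,]*?))\s*(?:,|$)'
)


def parse_directives(text: str) -> dict:
    """Parse a DIGEST-MD5 challenge into {directive: value}; raise on junk."""
    out, pos = {}, 0
    while pos < len(text):
        m = _DIRECTIVE.match(text, pos)
        if m is None:
            raise ValueError(f"malformed directive at offset {pos}: {text[pos:pos + 20]!r}")
        key = m.group(1).lower()
        if m.group(2) is not None:
            value = re.sub(r"\\(.)", r"\1", m.group(2))  # undo quoted-pair escapes
        else:
            value = m.group(3)
        if key in out:
            raise ValueError(f"duplicate directive {key!r}")
        out[key] = value
        pos = m.end()
    return out


def decode_challenge(b64: str) -> dict:
    """Strict base64 decode (validate=True rejects stray bytes), then parse.
    Raises ValueError on anything that is not a well-formed challenge."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"challenge is not valid base64: {exc}") from exc
    return parse_directives(raw.decode("utf-8"))


# Ciphers a defender should not accept for auth-conf (RC4 variants and
# single DES are broken).  This list is the example's own assumption.
WEAK_CIPHERS = {"rc4-40", "rc4-56", "rc4", "des"}


def review_challenge(d: dict, expected_realm: str) -> list:
    """Sanity checks on a parsed challenge; returns a list of findings."""
    findings = []
    if "nonce" not in d:
        findings.append("missing mandatory directive 'nonce'")
    if d.get("algorithm") != "md5-sess":
        findings.append("algorithm must be md5-sess for SASL DIGEST-MD5")
    if d.get("realm") != expected_realm:
        findings.append(f"realm {d.get('realm')!r} != expected {expected_realm!r}")
    if d.get("charset", "utf-8") != "utf-8":
        findings.append(f"unexpected charset {d['charset']!r}")
    qop = set(d.get("qop", "auth").split(","))
    ciphers = set(filter(None, d.get("cipher", "").split(",")))
    if "auth-conf" in qop:
        weak = sorted(ciphers & WEAK_CIPHERS)
        if weak:
            findings.append("auth-conf offers weak ciphers: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    parsed = decode_challenge(CHALLENGE_B64)
    for key, value in parsed.items():
        print(f"{key:10} = {value}")
    for finding in review_challenge(parsed, "securemail.swro.local"):
        print("finding:", finding)
```

Running it prints the seven directives the server sent (nonce, realm, qop, cipher, maxbuf, charset, algorithm) and one finding about the RC4 and DES ciphers offered for auth-conf. Feeding it a challenge with a stray byte or a corrupted trailer raises ValueError instead of producing a half-parsed result, which is the behaviour you want in a client before it ever derives a response.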



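The PROXYAUTHZ path this setup depends on has three steps: slapd turns the peer credentials of an ldapi:// EXTERNAL bind into an identity of the form uidNumber=N+gidNumber=M,cn=peercred,cn=external,cn=auth, the authz-regexp rules rewrite that identity into an LDAP search URL that must find exactly one entry, and authz-policy to then consults that entry's authzTo value before it may act as someone else. As an added example (not code from the post or from OpenLDAP), the Python below models those three steps over a constructed in-memory directory holding the three entries from the post, using the authz-regexp rules and authzTo values as written in the post. The anchored regexes, the single-backslash form of the patterns (slapd.conf needs "\\+" because its parser consumes one level of escaping), and the unanchored dn.regex search are this model's assumptions about slapd's behaviour.

```python
import re
from typing import Optional

# authz-regexp rules transcribed from the slapd.conf in the post above.
# Assumption: these are the patterns slapd's regex engine sees, anchored
# because the SASL identity is matched as a whole string.
AUTHZ_REGEXP = [
    (r"^uidNumber=(.*)\+gidNumber=(.*),cn=peercred,cn=external,cn=auth$",
     "ldap:///dc=securemail,dc=swro,dc=local??sub?(&(uidNumber=$1)(gidNumber=$2))"),
    (r"^uid=(.*),cn=external,cn=auth$",
     "ldap:///dc=securemail,dc=swro,dc=local??sub?(uid=$1)"),
]

# Constructed in-memory directory: the three entries from the post, reduced
# to the attributes this example needs.
DIRECTORY = {
    "uid=fred,ou=people,dc=securemail,dc=swro,dc=local":
        {"uid": "fred", "uidNumber": "501", "gidNumber": "501"},
    "uid=cyrus,ou=people,dc=securemail,dc=swro,dc=local":
        {"uid": "cyrus", "uidNumber": "76", "gidNumber": "12",
         "authzTo": "dn.regex: uid=.*,ou=people,dc=securemail,dc=swro,dc=local"},
    "uid=postfix,ou=people,dc=securemail,dc=swro,dc=local":
        {"uid": "postfix", "uidNumber": "89", "gidNumber": "89",
         "authzTo": "dn.regex: uid=uid=.*,ou=people,dc=securemail,dc=swro,dc=local"},
}


def peercred_identity(uid: int, gid: int) -> str:
    """SASL authcid slapd derives from the peer's uid/gid on an ldapi:// EXTERNAL bind."""
    return f"uidNumber={uid}+gidNumber={gid},cn=peercred,cn=external,cn=auth"


def map_identity(sasl_dn: str) -> Optional[str]:
    """Apply the authz-regexp rules in order; return the rewritten search URL."""
    for pattern, template in AUTHZ_REGEXP:
        m = re.match(pattern, sasl_dn)
        if m:
            url = template
            for i, group in enumerate(m.groups(), start=1):
                url = url.replace(f"${i}", group)
            return url
    return None


def _match_filter(entry: dict, flt: str) -> bool:
    """Evaluate the filter subset the rules use: (attr=value) and (&(...)(...))."""
    if flt.startswith("(&"):
        parts = re.findall(r"\([^()]*\)", flt[2:-1])
        return all(_match_filter(entry, p) for p in parts)
    attr, _, value = flt[1:-1].partition("=")
    return entry.get(attr) == value


def resolve_url(url: str) -> Optional[str]:
    """Run the URL's filter over DIRECTORY; the mapping is only valid for exactly one hit."""
    flt = url.rsplit("?", 1)[1]
    hits = [dn for dn, entry in DIRECTORY.items() if _match_filter(entry, flt)]
    return hits[0] if len(hits) == 1 else None


def may_proxy_as(authenticated_dn: str, target_dn: str) -> bool:
    """Simplified model of 'authz-policy to': the bound entry's authzTo dn.regex
    must match the identity it wants to assume.  Assumption: unanchored regex
    search, whitespace after the colon ignored."""
    value = DIRECTORY[authenticated_dn].get("authzTo", "")
    if not value.startswith("dn.regex:"):
        return False
    return re.search(value[len("dn.regex:"):].strip(), target_dn) is not None


def proxy_chain(uid: int, gid: int, target_dn: str) -> bool:
    """End to end: peercred -> authz-regexp -> single entry -> authzTo check."""
    url = map_identity(peercred_identity(uid, gid))
    bound_dn = resolve_url(url) if url else None
    return bound_dn is not None and may_proxy_as(bound_dn, target_dn)


if __name__ == "__main__":
    fred = "uid=fred,ou=people,dc=securemail,dc=swro,dc=local"
    ident = peercred_identity(76, 12)
    print(ident, "->", map_identity(ident), "->", resolve_url(map_identity(ident)))
    print("cyrus (76/12) may proxy as fred:", proxy_chain(76, 12, fred))
    print("postfix (89/89) may proxy as fred:", proxy_chain(89, 89, fred))
```

Walking the chain step by step like this is the same check you do by hand when slapd's log shows no PROXYAUTHZ line: confirm what identity the peercred bind produced, confirm which entry the regexp resolved it to, and then apply that entry's authzTo to the identity being requested. Each stage that returns None or False is a place where the real server would refuse.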