Can't get SASL Authentication to work
Doug Campbell
doug@bpta.net
Wed Oct 25 06:11:13 EDT 2006
Sorry to cross post. Immediately after I sent this to the OpenLDAP list I realized it probably would be better answered here...
I am trying to set up postfix and cyrus-imapd to authenticate against OpenLDAP using SASL proxy authentication.
I had this working on another machine about a year back and have tried using the same procedure that I used to get that machine working, but so far I am unsuccessful.
My setup steps are shown below, but first let me show the tests I am doing:
I have a user (fred) in ldap with the following information:
dn: uid=fred,ou=people,dc=securemail,dc=swro,dc=local
uid: fred
cn: Fred Flintstone
homeDirectory: /home/fred
uidNumber: 501
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
gidNumber: 501
gecos: Fred Flintstone
sn: Flintstone
givenName: Fred
shadowLastChange: 12990
loginShell: /sbin/nologin
userPassword:: d2lsbWE=
mail: fred@excel-pacific.com
dn: cn=fred,ou=group,dc=securemail,dc=swro,dc=local
gidNumber: 501
cn: fred
objectClass: posixGroup
I try to use SMTP AUTH to authenticate fred to the postfix server by doing the following:
# openssl s_client -connect localhost:25 -starttls smtp
220 securemail.swro.local ESMTP Postfix
ehlo swro.local
250-securemail.swro.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH DIGEST-MD5 PLAIN LOGIN
250-AUTH=DIGEST-MD5 PLAIN LOGIN
250 8BITMIME
auth login
334 VXNlcm5hbWU6
ZnJlZA==
334 UGFzc3dvcmQ6
d2lsbWE=
535 Error: authentication failed
FAILED!
I try to use DIGEST-MD5 with the cyrus-imap by doing the following:
# imtest -a fred -m DIGEST-MD5
S: * OK securemail.swro.local Cyrus IMAP4 v2.3.1-Invoca-RPM-2.3.1-2.6.fc5 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL RIGHTS=kxte QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE IDLE STARTTLS AUTH=DIGEST-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
C: A01 AUTHENTICATE DIGEST-MD5
S: + bm9uY2U9IituMWFTUVR2akp2THl1S1lVcEhUS3FDeEt3YitXTnFFN2ltREdyM293bHc9IixyZWFsbT0ic2VjdXJlbWFpbC5zd3JvLmxvY2FsIixxb3A9ImF1dGgsYXV0aC1pbnQsYXV0aC1jb25mIixjaXBoZXI9InJjNC00MCxyYzQtNTYscmM0LGRlcywzZGVzIixtYXhidWY9NDA5NixjaGFyc2V0PXV0Zi04LGFsZ29yaXRobT1tZDUtc2Vzcw==
base64 decoding error
Authentication failed. generic failure
Security strength factor: 0
FAILED! I don't even get prompted to enter my password.
I have tried turning on logging for OpenLDAP but I can't make out what is wrong. I know that on my server that works, I get messages with PROXYAUTHZ but I don't see anything like that here.
What other information can I provide?
My setup process is shown below.
Grateful for any help!
Doug
Here is the procedure I am using:
1. Started with fresh install of Fedora Core 5
2. yum install postfix cyrus-imapd cyrus-imapd-utils
3. Downloaded cyrus-sasl-2.1.22 and installed it using
./configure --prefix=/usr/local --with-plugindir=/usr/local/lib/sasl2 --with-rc4 \
--with-dblib=berkeley --enable-anon --enable-cram --enable-digest --enable-plain \
--enable-login --enable-ntlm
make sasldir=/usr/local/lib/sasl2
make install sasldir=/usr/local/lib/sasl2
4. Backup/Remove existing FC5 SASL stuff
mv /usr/lib/sasl2 /usr/lib/sasl2.fc5
ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
mv /usr/lib/libsasl2.a libsasl2.a.fc5
ln -s /usr/local/lib/libsasl2.la /usr/lib/libsasl2.la
ln -s /usr/local/lib/libsasl2.so.2.0.22 /usr/lib/libsasl2.so.2.0.22
ldconfig
rm libsasl2.so
ln -s libsasl2.so.2.0.22 libsasl2.so
5. Downloaded openldap-2.3.28 and installed it using
./configure --prefix=/usr/local --with-slapd --with-slurpd --without-ldapd --with-threads=posix \
--enable-local --enable-ldap --disable-rlookups --with-tls --with-cyrus-sasl --enable-bdb \
--enable-wrappers --enable-passwd --enable-shell --enable-cleartext --enable-crypt --enable-spasswd \
--enable-modules --disable-sql --enable-aci --libexecdir=/usr/local/sbin --localstatedir=/var
make depend
make
make test
make install datadir=/var/lib/ldap libexecdir=/usr/local/sbin localstatedir=/var sysconfigdir=/etc/openldap
6. Edited my /etc/init.d/ldap startup script to point the slapd, slurpd and slaptest locations at their new locations AND to change the value of hargs from "ldap:///" to "ldap:/// ldapi:///"
7. Rebuilt cyrus-sasl
make distclean
./configure --prefix=/usr/local --with-plugindir=/usr/local/lib/sasl2 --with-rc4 \
--with-dblib=berkeley --enable-anon --enable-cram --enable-digest --enable-plain \
--enable-login --enable-ntlm --enable-ldapdb
make sasldir=/usr/local/lib/sasl2
make install sasldir=/usr/local/lib/sasl2
8. Created /usr/local/lib/sasl2/slapd.conf and put the following in it:
auxprop_plugin: slapd
9. Also created /usr/local/lib/sasl2/smtpd.conf and put the following in it:
pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: PLAIN LOGIN DIGEST-MD5
ldapdb_uri: ldapi://%2Fvar%2Frun%2Fldapi/
ldapdb_mech: EXTERNAL
10. Added the following lines to my OpenLDAP slapd.conf file
password-hash {CLEARTEXT}
authz-policy to
authz-regexp uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth
ldap:///dc=securemail,dc=swro,dc=local??sub?(&(uidNumber=$1)(gidNumber=$2))
authz-regexp uid=(.*),cn=external,cn=auth
ldap:///dc=securemail,dc=swro,dc=local??sub?(uid=$1)
11. Modified /etc/imapd.conf to look like this:
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_mech_list: digest-md5
sasl_ldapdb_uri: ldapi://%2Fvar%2Frun%2Fldapi/
sasl_ldapdb_mech: EXTERNAL
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
12. Added the following line to my /etc/ldap.conf (PADL)
uri ldapi://%2Fvar%2Frun%2Fldapi/
13. Added the following ldif for the cyrus account:
dn: uid=cyrus,ou=people,dc=securemail,dc=swro,dc=local
uid: cyrus
cn: Cyrus IMAP Server
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 12934
loginShell: /bin/bash
uidNumber: 76
gidNumber: 12
homeDirectory: /var/lib/imap
gecos: Cyrus IMAP Server
authzTo: dn.regex: uid=.*,ou=people,dc=securemail,dc=swro,dc=local
14. Added the following ldif for the postfix account:
dn: uid=postfix,ou=people,dc=securemail,dc=swro,dc=local
uid: postfix
cn: Postfix SMTP Server
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 12934
loginShell: /bin/bash
uidNumber: 89
gidNumber: 89
homeDirectory: /var/spool/postfix
gecos: Postfix SMTP Server
authzTo: dn.regex: uid=uid=.*,ou=people,dc=securemail,dc=swro,dc=local
15. Postfix configuration
Added the following lines to my postfix main.cf file
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/pki/tls/certs/cyrus-imapd.pem
smtpd_tls_cert_file = /etc/pki/tls/certs/cyrus-imapd.pem
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
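As an added example (not part of Doug's post, and not code from the Cyrus SASL, Postfix or OpenLDAP projects), the following Python script decodes the two SASL exchanges quoted above so that what the client and server actually said can be read. It base64-decodes the AUTH LOGIN prompts and replies from the SMTP session, parses the DIGEST-MD5 challenge that cyrus-imapd sent in the imtest session into its RFC 2831 directives (handling quoted values that contain commas), and implements the RFC 2831 response-value / rspauth computation for algorithm=md5-sess, checked against the worked example in RFC 2831 section 4 (username "chris", password "secret"). The two base64 strings embedded in the block are copied from the post; the function names and the regular expression are my own.

```python
import base64
import hashlib
import re

# AUTH LOGIN dialogue copied from the openssl s_client session in the post:
# the "334" prompts and the client's replies are base64, not encryption.
LOGIN_EXCHANGE = [
    ("S", "VXNlcm5hbWU6"),
    ("C", "ZnJlZA=="),
    ("S", "UGFzc3dvcmQ6"),
    ("C", "d2lsbWE="),
]

# DIGEST-MD5 challenge exactly as cyrus-imapd sent it in the imtest session.
IMAP_CHALLENGE = ("bm9uY2U9IituMWFTUVR2akp2THl1S1lVcEhUS3FDeEt3YitXTnFFN2ltREdyM293bHc9Iixy"
                  "ZWFsbT0ic2VjdXJlbWFpbC5zd3JvLmxvY2FsIixxb3A9ImF1dGgsYXV0aC1pbnQsYXV0aC1j"
                  "b25mIixjaXBoZXI9InJjNC00MCxyYzQtNTYscmM0LGRlcywzZGVzIixtYXhidWY9NDA5Nixj"
                  "aGFyc2V0PXV0Zi04LGFsZ29yaXRobT1tZDUtc2Vzcw==")

# key=value directives; a value is either a quoted string (commas allowed
# inside, backslash escapes honoured) or a bare token up to the next comma.
_PAIR = re.compile(r'([A-Za-z][A-Za-z0-9-]*)=("(?:[^"\\]|\\.)*"|[^,]*)')
_LIST_KEYS = ("qop", "cipher")  # directives whose value is a comma list


def decode_login_exchange(exchange):
    """Decode each base64 token of an AUTH LOGIN dialogue into readable text."""
    return [(side, base64.b64decode(tok, validate=True).decode("utf-8"))
            for side, tok in exchange]


def parse_digest_challenge(challenge_b64):
    """Strictly base64-decode a DIGEST-MD5 server challenge and split it into
    its RFC 2831 directives; a plain split(",") would break qop and cipher."""
    text = base64.b64decode(challenge_b64, validate=True).decode("utf-8")
    fields = {}
    for key, value in _PAIR.findall(text):
        if value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value.split(",") if key in _LIST_KEYS else value
    return fields


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def _digest(username, realm, password, nonce, cnonce, a2, nc, qop, authzid):
    # RFC 2831, md5-sess: A1 = H(user:realm:pass) ":" nonce ":" cnonce [":" authzid]
    a1 = _md5(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    if qop != "auth":  # auth-int / auth-conf append the fixed all-zero entity body
        a2 += ":00000000000000000000000000000000"
    # response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))) with KD(k, s) = H(k:s)
    kd_input = f"{_md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_md5hex(a2.encode('utf-8'))}"
    return _md5hex(kd_input.encode("utf-8"))


def digest_md5_response(username, realm, password, nonce, cnonce, digest_uri,
                        nc="00000001", qop="auth", authzid=None):
    """Client response-value: A2 is "AUTHENTICATE:" followed by the digest-uri."""
    return _digest(username, realm, password, nonce, cnonce,
                   f"AUTHENTICATE:{digest_uri}", nc, qop, authzid)


def digest_md5_rspauth(username, realm, password, nonce, cnonce, digest_uri,
                       nc="00000001", qop="auth", authzid=None):
    """Server rspauth value: same computation, but A2 carries no method prefix."""
    return _digest(username, realm, password, nonce, cnonce,
                   f":{digest_uri}", nc, qop, authzid)


def rfc2831_example():
    """Recompute the worked example from RFC 2831 section 4 as a self-check."""
    args = dict(username="chris", realm="elwood.innosoft.com", password="secret",
                nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk",
                digest_uri="imap/elwood.innosoft.com")
    return {"response": digest_md5_response(**args),
            "rspauth": digest_md5_rspauth(**args)}


if __name__ == "__main__":
    for side, text in decode_login_exchange(LOGIN_EXCHANGE):
        print(f"{side}: {text}")
    for key, value in parse_digest_challenge(IMAP_CHALLENGE).items():
        print(f"{key} = {value}")
    print(rfc2831_example())
```

Two things the script makes visible. First, the challenge from cyrus-imapd decodes cleanly under a strict decoder (realm securemail.swro.local, qop auth/auth-int/auth-conf, algorithm md5-sess), so the "base64 decoding error" imtest prints is not caused by a malformed server challenge; it is worth looking at which libsasl2 and plugin directory imtest itself is loading after the library swap in step 4. Second, the AUTH LOGIN session is the username and password in base64 on the wire, which is exactly why smtpd_tls_auth_only = yes in the Postfix configuration matters. The proxy-authorization side (authz-regexp and authzTo) is not exercised by this script; it only shows the mechanism layer.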