Can't get SASL Authentication to work
Doug Campbell
doug at bpta.net
Wed Oct 25 14:26:10 EDT 2006
After much additional testing I think I have solved the SASL related problems.
The first issue I discovered was that the reason I wasn't seeing anything "interesting" in my slapd logs was because slapd wasn't being contacted. I was using unix sockets and it turns out that I had missed a step that I had performed in my original configuration where I set a umask 0 before loading slapd in my init script. That gave 777 access to the ldapi socket and allowed postfix and cyrus the ability to connect to slapd.
The second issue must be due to a change from 2.2 to 2.3 of OpenLDAP (I think). Basically, the credentials for uidNumber and gidNumber were being passed in the opposite order in 2.3 from what they were in 2.2. So I just changed my authz-regexp statement to:
authz-regexp gidNumber=(.*)\\+uidNumber=(.*),cn=peercred,cn=external,cn=auth
ldap:///dc=securemail,dc=swro,dc=local??sub?(&(uidNumber=$2)(gidNumber=$1))
These changes allowed me to successfully SMTP AUTH to the postfix server BUT I am still having the issue with cyrus-imapd.
I am going to try removing the package and readding it to see if that clears up the problem.
If anyone has any thoughts on that error, please let me know.
Thanks!
Doug
Here it is again for convience:
> # imtest -a fred -m DIGEST-MD5
>
> S: * OK securemail.swro.local Cyrus IMAP4
> v2.3.1-Invoca-RPM-2.3.1-2.6.fc5 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL RIGHTS=kxte QUOTA
> LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID
> NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE
> IDLE STARTTLS AUTH=DIGEST-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED
> X-NETSCAPE URLAUTH
> S: C01 OK Completed
> C: A01 AUTHENTICATE DIGEST-MD5
> S: +
> bm9uY2U9IituMWFTUVR2akp2THl1S1lVcEhUS3FDeEt3YitXTnFFN2ltREdyM2
> 93bHc9IixyZWFsbT0ic2VjdXJlbWFpbC5zd3JvLmxvY2FsIixxb3A9ImF1dGgs
> YXV0aC1pbnQsYXV0aC1jb25mIixjaXBoZXI9InJjNC00MCxyYzQtNTYscmM0LG
> RlcywzZGVzIixtYXhidWY9NDA5NixjaGFyc2V0PXV0Zi04LGFsZ29yaXRobT1t
> ZDUtc2Vzcw==
> base64 decoding error
> Authentication failed. generic failure
> Security strength factor: 0
> -----Original Message-----
> From: cyrus-sasl-bounces at lists.andrew.cmu.edu
> [mailto:cyrus-sasl-bounces at lists.andrew.cmu.edu] On Behalf Of
> Doug Campbell
> Sent: Wednesday, October 25, 2006 6:11 PM
> To: cyrus-sasl at lists.andrew.cmu.edu
> Subject: Can't get SASL Authentication to work
>
> Sorry to cross post. Immediately after I sent this to the
> OpenLDAP list I realized it probably would be better answered here...
>
> I am trying to setup a postfix and cyrus-impad to
> authenticate using SASL Proxy Authentication to OpenLDAP.
>
> I had this working on another machine about a year back and
> have tried using the same procedure that I used to get that
> machine working but am I so far unsuccesful.
>
> My setup steps are shown below but let me show the tests I am doing:
>
> I have a user (fred) in ldap with the following information:
>
> dn: uid=fred,ou=people,dc=securemail,dc=swro,dc=local
> uid: fred
> cn: Fred Flintstone
> homeDirectory: /home/fred
> uidNumber: 501
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: inetOrgPerson
> gidNumber: 501
> gecos: Fred Flintstone
> sn: Flintstone
> givenName: Fred
> shadowLastChange: 12990
> loginShell: /sbin/nologin
> userPassword:: d2lsbWE=
> mail: fred at excel-pacific.com
>
> dn: cn=fred,ou=group,dc=securemail,dc=swro,dc=local
> gidNumber: 501
> cn: fred
> objectClass: posixGroup
>
>
> I try to use SMTP AUTH to authenticate fred to the postfix
> server by doing the following:
>
> # openssl s_client -connect localhost:25 -starttls smtp
>
> 220 securemail.swro.local ESMTP Postfix
> ehlo swro.local
> 250-securemail.swro.local
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-AUTH DIGEST-MD5 PLAIN LOGIN
> 250-AUTH=DIGEST-MD5 PLAIN LOGIN
> 250 8BITMIME
> auth login
> 334 VXNlcm5hbWU6
> ZnJlZA==
> 334 UGFzc3dvcmQ6
> d2lsbWE=
> 535 Error: authentication failed
>
> FAILED!
>
>
> I try to use DIGEST-MD5 with the cyrus-imap by doing the following:
>
> # imtest -a fred -m DIGEST-MD5
>
> S: * OK securemail.swro.local Cyrus IMAP4
> v2.3.1-Invoca-RPM-2.3.1-2.6.fc5 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL RIGHTS=kxte QUOTA
> LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID
> NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE
> IDLE STARTTLS AUTH=DIGEST-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED
> X-NETSCAPE URLAUTH
> S: C01 OK Completed
> C: A01 AUTHENTICATE DIGEST-MD5
> S: +
> bm9uY2U9IituMWFTUVR2akp2THl1S1lVcEhUS3FDeEt3YitXTnFFN2ltREdyM2
> 93bHc9IixyZWFsbT0ic2VjdXJlbWFpbC5zd3JvLmxvY2FsIixxb3A9ImF1dGgs
> YXV0aC1pbnQsYXV0aC1jb25mIixjaXBoZXI9InJjNC00MCxyYzQtNTYscmM0LG
> RlcywzZGVzIixtYXhidWY9NDA5NixjaGFyc2V0PXV0Zi04LGFsZ29yaXRobT1t
> ZDUtc2Vzcw==
> base64 decoding error
> Authentication failed. generic failure
> Security strength factor: 0
>
> FAILED! I don't even get prompted to enter my password.
>
>
> I have tried turning on logging for OpenLDAP but I can't make
> out what is wrong. I know that on my server that works, I
> get messages with PROXYAUTHZ but I don't see anything like that here.
>
> What other information can I provide?
>
> My setup process is shown below.
>
> Grateful for any help!
>
> Doug
>
>
>
>
>
>
> Here is the procedure I am using:
>
> 1. Started with fresh install of Fedora Core 5
> 2. yum install postfix cyrus-imapd cyrus-imapd-utils
> 3. Download cyrus-sasl-2.1.22 and Install using
>
> ./configure --prefix=/usr/local
> --with-plugindir=/usr/local/lib/sasl2 --with-rc4 \
> --with-dblib=berkeley --enable-anon --enable-cram
> --enable-digest --enable-plain \
> --enable-login --enable-ntlm
>
> make sasldir=/usr/local/lib/sasl2
>
> make install sasldir=/usr/local/lib/sasl2
>
>
>
> 4. Backup/Remove existing FC5 SASL stuff
>
> mv /usr/lib/sasl2 /usr/lib/sasl2.fc5
> ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
>
> mv /usr/lib/libsasl2.a libsasl2.a.fc5
>
> ln -s /usr/local/lib/libsasl2.la /usr/lib/libsasl2.la
>
> ln -s /usr/local/lib/libsasl2.so.2.0.22 /usr/lib/libsasl2.so.2.0.22
>
> ldconfig
>
> rm libsasl2.so
> ln -s libsasl2.so.2.0.22 libsasl2.so
>
>
>
> 5. Download openldap.2.3.28 and Install using
>
> ./configure --prefix=/usr/local --with-slapd --with-slurpd
> --without-ldapd --with-threads=posix \
> --enable-local --enable-ldap --disable-rlookups --with-tls
> --with-cyrus-sasl --enable-bdb \
> --enable-wrappers --enable-passwd --enable-shell
> --enable-cleartext --enable-crypt --enable-spasswd \
> --enable-modules --disable-sql --enable-aci
> --libexecdir=/usr/local/sbin --localstatedir=/var
>
> make depend
>
> make
>
> make test
>
> make install datadir=/var/lib/ldap libexecdir=/usr/local/sbin
> localstatedir=/var sysconfigdir=/etc/openldap
>
>
>
> 6. Editted my /etc/init.d/ldap startup script and replace
> the locations for slapd, slurpd and slaptest to their new
> locations AND change the value of hargs to "ldap:///
> ldapi:///" from "ldap:///"
>
>
> 7. Rebuild cyrus-sasl
>
> make distclean
>
> ./configure --prefix=/usr/local
> --with-plugindir=/usr/local/lib/sasl2 --with-rc4 \
> --with-dblib=berkeley --enable-anon --enable-cram
> --enable-digest --enable-plain \
> --enable-login --enable-ntlm --enable-ldapdb
>
> make sasldir=/usr/local/lib/sasl2
>
> make install sasldir=/usr/local/lib/sasl2
>
>
>
> 7. Created /usr/local/lib/sasl2/slapd.conf and put the
> following in it:
>
> auxprop_plugin: slapd
>
>
> 8. Also created /usr/local/lib/sasl2/smtpd.conf and put the
> following in it:
>
> pwcheck_method: auxprop
> auxprop_plugin: ldapdb
> mech_list: PLAIN LOGIN DIGEST-MD5
> ldapdb_uri: ldapi://%2Fvar%2Frun%2Fldapi/
> ldapdb_mech: EXTERNAL
>
>
> 9. Added the following lines to my OpenLDAP slapd.conf file
>
> password-hash {CLEARTEXT}
> authz-policy to
> authz-regexp
> uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth
>
> ldap:///dc=securemail,dc=swro,dc=local??sub?(&(uidNumber=$1)(g
> idNumber=$2))
>
> authz-regexp uid=(.*),cn=external,cn=auth
> ldap:///dc=securemail,dc=swro,dc=local??sub?(uid=$1)
>
>
> 10. Modified /etc/imapd.conf to look like this:
>
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> admins: cyrus
> sievedir: /var/lib/imap/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> sasl_pwcheck_method: auxprop
> sasl_auxprop_plugin: ldapdb
> sasl_mech_list: digest-md5
> sasl_ldapdb_uri: ldapi://%2Fvar%2Frun%2Fldapi/
> sasl_ldapdb_mech: EXTERNAL
> tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
> tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
> tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
>
>
> 11. Added the following line to my /etc/ldap.conf (PADL)
>
> uri ldapi://%2Fvar%2Frun%2Fldapi/
>
>
> 12. Added the following ldif for the cyrus account:
>
> dn: uid=cyrus,ou=people,dc=securemail,dc=swro,dc=local
> uid: cyrus
> cn: Cyrus IMAP Server
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> userPassword: {crypt}!!
> shadowLastChange: 12934
> loginShell: /bin/bash
> uidNumber: 76
> gidNumber: 12
> homeDirectory: /var/lib/imap
> gecos: Cyrus IMAP Server
> authzTo: dn.regex: uid=.*,ou=people,dc=securemail,dc=swro,dc=local
>
>
> 13. Added the following ldif for the postfix account:
>
> dn: uid=postfix,ou=people,dc=securemail,dc=swro,dc=local
> uid: postfix
> cn: Postfix SMTP Server
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> userPassword: {crypt}!!
> shadowLastChange: 12934
> loginShell: /bin/bash
> uidNumber: 89
> gidNumber: 89
> homeDirectory: /var/spool/postfix
> gecos: Postfix SMTP Server
> authzTo: dn.regex: uid=uid=.*,ou=people,dc=securemail,dc=swro,dc=local
>
>
> 14. Postfix configuration
>
> Added the following lines to my postfix main.cf file
>
> smtpd_use_tls = yes
> smtpd_tls_auth_only = yes
> smtpd_tls_key_file = /etc/pki/tls/certs/cyrus-imapd.pem
> smtpd_tls_cert_file = /etc/pki/tls/certs/cyrus-imapd.pem
> smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
> smtpd_tls_loglevel = 3
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> tls_random_source = dev:/dev/urandom
>
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> broken_sasl_auth_clients = yes
> smtpd_recipient_restrictions = permit_sasl_authenticated,
> permit_mynetworks, check_relay_domains
>
>
>
> --
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.1.408 / Virus Database: 268.13.11/496 - Release
> Date: 10/24/2006
>
>
More information about the Cyrus-sasl
mailing list