Can't get SASL Authentication to work

Doug Campbell doug at bpta.net
Thu Oct 26 13:14:50 EDT 2006


The third issue I had relating to trying to use imtest to test my cyrus-imapd configuration is due to a bug in imtest.  It is discussed (with patch provided) in the following thread.

http://www.irbs.net/internet/cyrus-sasl/0605/0045.html

I have not had time to test the patch but I used a working imtest from another machine to test the cyrus-imapd configuration on this machine and it now is working.

Doug

> -----Original Message-----
> From: cyrus-sasl-bounces at lists.andrew.cmu.edu 
> [mailto:cyrus-sasl-bounces at lists.andrew.cmu.edu] On Behalf Of 
> Doug Campbell
> Sent: Thursday, October 26, 2006 2:26 AM
> To: cyrus-sasl at lists.andrew.cmu.edu
> Subject: RE: Can't get SASL Authentication to work
> 
> After much additional testing I think I have solved the SASL 
> related problems.
> 
> The first issue I discovered was that the reason I wasn't 
> seeing anything "interesting" in my slapd logs was because 
> slapd wasn't being contacted.  I was using unix sockets and 
> it turns out that I had missed a step that I had performed in 
> my original configuration where I set a umask 0 before 
> loading slapd in my init script.  That gave 777 access to the 
> ldapi socket and allowed postfix and cyrus the ability to 
> connect to slapd.
> 
> The second issue must be due to a change from 2.2 to 2.3 of 
> OpenLDAP (I think).  Basically, the credentials for uidNumber 
> and gidNumber were being passed in the opposite order in 2.3 
> from what they were in 2.2.  So I just changed my 
> authz-regexp statement to:
> 
> authz-regexp gidNumber=(.*)\\+uidNumber=(.*),cn=peercred,cn=external,cn=auth
>         ldap:///dc=securemail,dc=swro,dc=local??sub?(&(uidNumber=$2)(gidNumber=$1))
> 
> These changes allowed me to successfully SMTP AUTH to the 
> postfix server BUT I am still having the issue with cyrus-imapd.
> 
> I am going to try removing the package and readding it to see 
> if that clears up the problem.
> 
> If anyone has any thoughts on that error, please let me know.
> 
> Thanks!
> 
> Doug
> 
> Here it is again for convenience:
> 
> > # imtest -a fred -m DIGEST-MD5
> > 
> > S: * OK securemail.swro.local Cyrus IMAP4 
> > v2.3.1-Invoca-RPM-2.3.1-2.6.fc5 server ready
> > C: C01 CAPABILITY
> > S: * CAPABILITY IMAP4 IMAP4rev1 ACL RIGHTS=kxte QUOTA 
> > LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID 
> > NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT 
> > THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE 
> > IDLE STARTTLS AUTH=DIGEST-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED 
> > X-NETSCAPE URLAUTH
> > S: C01 OK Completed
> > C: A01 AUTHENTICATE DIGEST-MD5
> > S: + 
> > bm9uY2U9IituMWFTUVR2akp2THl1S1lVcEhUS3FDeEt3YitXTnFFN2ltREdyM2
> > 93bHc9IixyZWFsbT0ic2VjdXJlbWFpbC5zd3JvLmxvY2FsIixxb3A9ImF1dGgs
> > YXV0aC1pbnQsYXV0aC1jb25mIixjaXBoZXI9InJjNC00MCxyYzQtNTYscmM0LG
> > RlcywzZGVzIixtYXhidWY9NDA5NixjaGFyc2V0PXV0Zi04LGFsZ29yaXRobT1t
> > ZDUtc2Vzcw==
> > base64 decoding error
> > Authentication failed. generic failure
> > Security strength factor: 0
> 
> 
> 
> > -----Original Message-----
> > From: cyrus-sasl-bounces at lists.andrew.cmu.edu 
> > [mailto:cyrus-sasl-bounces at lists.andrew.cmu.edu] On Behalf Of 
> > Doug Campbell
> > Sent: Wednesday, October 25, 2006 6:11 PM
> > To: cyrus-sasl at lists.andrew.cmu.edu
> > Subject: Can't get SASL Authentication to work
> > 
> > Sorry to cross post.  Immediately after I sent this to the 
> > OpenLDAP list I realized it probably would be better 
> > answered here...
> > 
> > I am trying to set up a postfix and cyrus-imapd to 
> > authenticate using SASL Proxy Authentication to OpenLDAP.
> > 
> > I had this working on another machine about a year back and 
> > have tried using the same procedure that I used to get that 
> > machine working but I am so far unsuccessful.
> > 
> > My setup steps are shown below but let me show the tests I am doing:
> > 
> > I have a user (fred) in ldap with the following information:
> > 
> > dn: uid=fred,ou=people,dc=securemail,dc=swro,dc=local
> > uid: fred
> > cn: Fred Flintstone
> > homeDirectory: /home/fred
> > uidNumber: 501
> > objectClass: posixAccount
> > objectClass: shadowAccount
> > objectClass: inetOrgPerson
> > gidNumber: 501
> > gecos: Fred Flintstone
> > sn: Flintstone
> > givenName: Fred
> > shadowLastChange: 12990
> > loginShell: /sbin/nologin
> > userPassword:: d2lsbWE=
> > mail: fred at excel-pacific.com
> > 
> > dn: cn=fred,ou=group,dc=securemail,dc=swro,dc=local
> > gidNumber: 501
> > cn: fred
> > objectClass: posixGroup
> > 
> > 
> > I try to use SMTP AUTH to authenticate fred to the postfix 
> > server by doing the following:
> > 
> > # openssl s_client -connect localhost:25 -starttls smtp
> > 
> > 220 securemail.swro.local ESMTP Postfix
> > ehlo swro.local
> > 250-securemail.swro.local
> > 250-PIPELINING
> > 250-SIZE 10240000
> > 250-VRFY
> > 250-ETRN
> > 250-AUTH DIGEST-MD5 PLAIN LOGIN
> > 250-AUTH=DIGEST-MD5 PLAIN LOGIN
> > 250 8BITMIME
> > auth login
> > 334 VXNlcm5hbWU6
> > ZnJlZA==
> > 334 UGFzc3dvcmQ6
> > d2lsbWE=
> > 535 Error: authentication failed
> > 
> > FAILED!
> > 
> > 
> > I try to use DIGEST-MD5 with the cyrus-imap by doing the following:
> > 
> > # imtest -a fred -m DIGEST-MD5
> > 
> > S: * OK securemail.swro.local Cyrus IMAP4 
> > v2.3.1-Invoca-RPM-2.3.1-2.6.fc5 server ready
> > C: C01 CAPABILITY
> > S: * CAPABILITY IMAP4 IMAP4rev1 ACL RIGHTS=kxte QUOTA 
> > LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID 
> > NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT 
> > THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE 
> > IDLE STARTTLS AUTH=DIGEST-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED 
> > X-NETSCAPE URLAUTH
> > S: C01 OK Completed
> > C: A01 AUTHENTICATE DIGEST-MD5
> > S: + 
> > bm9uY2U9IituMWFTUVR2akp2THl1S1lVcEhUS3FDeEt3YitXTnFFN2ltREdyM2
> > 93bHc9IixyZWFsbT0ic2VjdXJlbWFpbC5zd3JvLmxvY2FsIixxb3A9ImF1dGgs
> > YXV0aC1pbnQsYXV0aC1jb25mIixjaXBoZXI9InJjNC00MCxyYzQtNTYscmM0LG
> > RlcywzZGVzIixtYXhidWY9NDA5NixjaGFyc2V0PXV0Zi04LGFsZ29yaXRobT1t
> > ZDUtc2Vzcw==
> > base64 decoding error
> > Authentication failed. generic failure
> > Security strength factor: 0
> > 
> > FAILED!  I don't even get prompted to enter my password.
> > 
> > 
> > I have tried turning on logging for OpenLDAP but I can't make 
> > out what is wrong.  I know that on my server that works, I 
> > get messages with PROXYAUTHZ but I don't see anything like 
> > that here.
> > 
> > What other information can I provide?
> > 
> > My setup process is shown below.
> > 
> > Grateful for any help!
> > 
> > Doug 
> > 
> > 
> > 
> > 
> > 
> > 
> > Here is the procedure I am using:
> > 
> > 1. Started with fresh install of Fedora Core 5
> > 2. yum install postfix cyrus-imapd cyrus-imapd-utils
> > 3. Download cyrus-sasl-2.1.22 and Install using
> > 
> > ./configure --prefix=/usr/local 
> > --with-plugindir=/usr/local/lib/sasl2 --with-rc4 \
> > --with-dblib=berkeley --enable-anon --enable-cram 
> > --enable-digest --enable-plain \
> > --enable-login --enable-ntlm
> > 
> > make sasldir=/usr/local/lib/sasl2
> > 
> > make install sasldir=/usr/local/lib/sasl2
> > 
> > 
> > 
> > 4.  Backup/Remove existing FC5 SASL stuff
> > 
> > mv /usr/lib/sasl2 /usr/lib/sasl2.fc5
> > ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
> > 
> > mv /usr/lib/libsasl2.a libsasl2.a.fc5
> > 
> > ln -s /usr/local/lib/libsasl2.la /usr/lib/libsasl2.la
> > 
> > ln -s /usr/local/lib/libsasl2.so.2.0.22 /usr/lib/libsasl2.so.2.0.22
> > 
> > ldconfig
> > 
> > rm libsasl2.so
> > ln -s libsasl2.so.2.0.22 libsasl2.so
> > 
> > 
> > 
> > 5.  Download openldap.2.3.28 and Install using
> > 
> > ./configure --prefix=/usr/local --with-slapd --with-slurpd 
> > --without-ldapd --with-threads=posix \
> > --enable-local --enable-ldap --disable-rlookups --with-tls 
> > --with-cyrus-sasl --enable-bdb \
> > --enable-wrappers --enable-passwd --enable-shell 
> > --enable-cleartext --enable-crypt --enable-spasswd \
> > --enable-modules --disable-sql --enable-aci 
> > --libexecdir=/usr/local/sbin --localstatedir=/var
> > 
> > make depend
> > 
> > make
> > 
> > make test
> > 
> > make install datadir=/var/lib/ldap libexecdir=/usr/local/sbin 
> > localstatedir=/var sysconfigdir=/etc/openldap
> > 
> > 
> > 
> > 6.  Edited my /etc/init.d/ldap startup script and replaced 
> > the locations for slapd, slurpd and slaptest with their new 
> > locations AND changed the value of hargs to "ldap:/// 
> > ldapi:///"  from  "ldap:///"
> > 
> > 
> > 7.  Rebuild cyrus-sasl
> > 
> > make distclean
> > 
> > ./configure --prefix=/usr/local 
> > --with-plugindir=/usr/local/lib/sasl2 --with-rc4 \
> > --with-dblib=berkeley --enable-anon --enable-cram 
> > --enable-digest --enable-plain \
> > --enable-login --enable-ntlm --enable-ldapdb
> > 
> > make sasldir=/usr/local/lib/sasl2
> > 
> > make install sasldir=/usr/local/lib/sasl2
> > 
> > 
> > 
> > 7.  Created /usr/local/lib/sasl2/slapd.conf and put the 
> > following in it:
> > 
> > auxprop_plugin: slapd
> > 
> > 
> > 8.  Also created /usr/local/lib/sasl2/smtpd.conf and put the 
> > following in it:
> > 
> > pwcheck_method: auxprop
> > auxprop_plugin: ldapdb
> > mech_list: PLAIN LOGIN DIGEST-MD5
> > ldapdb_uri: ldapi://%2Fvar%2Frun%2Fldapi/
> > ldapdb_mech: EXTERNAL
> > 
> > 
> > 9.  Added the following lines to my OpenLDAP slapd.conf file
> > 
> > password-hash {CLEARTEXT}
> > authz-policy to
> > authz-regexp uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth
> >         ldap:///dc=securemail,dc=swro,dc=local??sub?(&(uidNumber=$1)(gidNumber=$2))
> > 
> > authz-regexp uid=(.*),cn=external,cn=auth
> >         ldap:///dc=securemail,dc=swro,dc=local??sub?(uid=$1)
> > 
> > 
> > 10.  Modified /etc/imapd.conf to look like this:
> > 
> > configdirectory: /var/lib/imap
> > partition-default: /var/spool/imap
> > admins: cyrus
> > sievedir: /var/lib/imap/sieve
> > sendmail: /usr/sbin/sendmail
> > hashimapspool: true
> > sasl_pwcheck_method: auxprop
> > sasl_auxprop_plugin: ldapdb
> > sasl_mech_list: digest-md5
> > sasl_ldapdb_uri: ldapi://%2Fvar%2Frun%2Fldapi/
> > sasl_ldapdb_mech: EXTERNAL
> > tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
> > tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
> > tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
> > 
> > 
> > 11.  Added the following line to my /etc/ldap.conf  (PADL)
> > 
> > uri ldapi://%2Fvar%2Frun%2Fldapi/
> > 
> > 
> > 12.  Added the following ldif for the cyrus account:
> > 
> > dn: uid=cyrus,ou=people,dc=securemail,dc=swro,dc=local
> > uid: cyrus
> > cn: Cyrus IMAP Server
> > objectClass: account
> > objectClass: posixAccount
> > objectClass: top
> > objectClass: shadowAccount
> > userPassword: {crypt}!!
> > shadowLastChange: 12934
> > loginShell: /bin/bash
> > uidNumber: 76
> > gidNumber: 12
> > homeDirectory: /var/lib/imap
> > gecos: Cyrus IMAP Server
> > authzTo: dn.regex: uid=.*,ou=people,dc=securemail,dc=swro,dc=local
> > 
> > 
> > 13.  Added the following ldif for the postfix account:
> > 
> > dn: uid=postfix,ou=people,dc=securemail,dc=swro,dc=local
> > uid: postfix
> > cn: Postfix SMTP Server
> > objectClass: account
> > objectClass: posixAccount
> > objectClass: top
> > objectClass: shadowAccount
> > userPassword: {crypt}!!
> > shadowLastChange: 12934
> > loginShell: /bin/bash
> > uidNumber: 89
> > gidNumber: 89
> > homeDirectory: /var/spool/postfix
> > gecos: Postfix SMTP Server
> > authzTo: dn.regex: uid=uid=.*,ou=people,dc=securemail,dc=swro,dc=local
> > 
> > 
> > 14.  Postfix configuration
> > 
> > Added the following lines to my postfix main.cf file
> > 
> > smtpd_use_tls = yes
> > smtpd_tls_auth_only = yes
> > smtpd_tls_key_file = /etc/pki/tls/certs/cyrus-imapd.pem
> > smtpd_tls_cert_file = /etc/pki/tls/certs/cyrus-imapd.pem
> > smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
> > smtpd_tls_loglevel = 3
> > smtpd_tls_received_header = yes
> > smtpd_tls_session_cache_timeout = 3600s
> > tls_random_source = dev:/dev/urandom
> > 
> > smtpd_sasl_auth_enable = yes
> > smtpd_sasl_security_options = noanonymous
> > broken_sasl_auth_clients = yes
> > smtpd_recipient_restrictions = permit_sasl_authenticated, 
> > permit_mynetworks, check_relay_domains
> > 
> > 
> > 
> 
> 

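As an added example (not from the thread, and not code from the Cyrus SASL or OpenLDAP projects), the Python below does two things worth checking when debugging a failure like the one above: it decodes the DIGEST-MD5 challenge that imtest reported a "base64 decoding error" on, showing the server's token is well-formed base64 and what it advertises (realm, qop, ciphers), and it replays the two authz-regexp rules from the thread against a peercred identity to show why the 2.3 attribute order stops the old rule from matching. The peercred identity string and the uid/gid values (76/12, taken from the cyrus LDIF) are assumptions, and Python's re stands in for slapd's regex engine.

```python
import base64
import re

# Constructed from the thread: the DIGEST-MD5 challenge exactly as imtest
# printed it, wrapped over five lines.  Joined back together it is one
# valid base64 token (260 chars, length divisible by 4).
CHALLENGE_B64 = (
    "bm9uY2U9IituMWFTUVR2akp2THl1S1lVcEhUS3FDeEt3YitXTnFFN2ltREdyM2"
    "93bHc9IixyZWFsbT0ic2VjdXJlbWFpbC5zd3JvLmxvY2FsIixxb3A9ImF1dGgs"
    "YXV0aC1pbnQsYXV0aC1jb25mIixjaXBoZXI9InJjNC00MCxyYzQtNTYscmM0LG"
    "RlcywzZGVzIixtYXhidWY9NDA5NixjaGFyc2V0PXV0Zi04LGFsZ29yaXRobT1t"
    "ZDUtc2Vzcw=="
)

# A DIGEST-MD5 challenge is a comma-separated list of key=value directives;
# quoted values (qop, cipher, nonce) may themselves contain commas.
_DIRECTIVE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,]*))')

def parse_digest_challenge(b64):
    """Decode a base64 DIGEST-MD5 server challenge into a dict of directives."""
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _DIRECTIVE.finditer(raw)}

# The two authz-regexp rules from the thread as (regex, LDAP URL template).
# slapd.conf unescapes "\\+" to "\+", i.e. a literal plus sign in the regex.
AUTHZ_22 = (r"uidNumber=(.*)\+gidNumber=(.*),cn=peercred,cn=external,cn=auth",
            "ldap:///dc=securemail,dc=swro,dc=local??sub?(&(uidNumber=$1)(gidNumber=$2))")
AUTHZ_23 = (r"gidNumber=(.*)\+uidNumber=(.*),cn=peercred,cn=external,cn=auth",
            "ldap:///dc=securemail,dc=swro,dc=local??sub?(&(uidNumber=$2)(gidNumber=$1))")

def authz_map(identity, rule):
    """Apply one authz-regexp rule the way slapd does: match the SASL
    authentication identity, then expand $1..$9 in the URL template.
    Returns the search URL, or None when the rule does not match."""
    pattern, template = rule
    m = re.fullmatch(pattern, identity)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda d: m.group(int(d.group(1))), template)

if __name__ == "__main__":
    for key, value in parse_digest_challenge(CHALLENGE_B64).items():
        print(f"{key:10} {value}")
    # Assumed peercred identity for the thread's cyrus account
    # (uidNumber 76, gidNumber 12) in the 2.3 attribute order.
    ident = "gidNumber=12+uidNumber=76,cn=peercred,cn=external,cn=auth"
    print("2.2 rule:", authz_map(ident, AUTHZ_22))   # None: no match, authz fails
    print("2.3 rule:", authz_map(ident, AUTHZ_23))
```

Note that swapping the attribute names in the regex without also swapping `$1`/`$2` in the URL yields a filter with uid and gid exchanged, which matches no entry and fails just as silently.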