Can't get SASL Authentication to work
Doug Campbell
doug at bpta.net
Thu Oct 26 13:14:50 EDT 2006
The third issue I had relating to trying to use imtest to test my cyrus-imapd configuration is due to a bug in imtest. It is discussed (with patch provided) in the following thread.
http://www.irbs.net/internet/cyrus-sasl/0605/0045.html
I have not had time to test the patch but I used a working imtest from another machine to test the cyrus-imapd configuration on this machine and it now is working.
Doug
> -----Original Message-----
> From: cyrus-sasl-bounces at lists.andrew.cmu.edu
> [mailto:cyrus-sasl-bounces at lists.andrew.cmu.edu] On Behalf Of
> Doug Campbell
> Sent: Thursday, October 26, 2006 2:26 AM
> To: cyrus-sasl at lists.andrew.cmu.edu
> Subject: RE: Can't get SASL Authentication to work
>
> After much additional testing I think I have solved the SASL
> related problems.
>
> The first issue I discovered was that the reason I wasn't
> seeing anything "interesting" in my slapd logs was because
> slapd wasn't being contacted. I was using unix sockets and
> it turns out that I had missed a step that I had performed in
> my original configuration where I set a umask 0 before
> loading slapd in my init script. That gave 777 access to the
> ldapi socket and allowed postfix and cyrus the ability to
> connect to slapd.
>
> The second issue must be due to a change from 2.2 to 2.3 of
> OpenLDAP (I think). Basically, the credentials for uidNumber
> and gidNumber were being passed in the opposite order in 2.3
> from what they were in 2.2. So I just changed my
> authz-regexp statement to:
>
> authz-regexp
>     gidNumber=(.*)\\+uidNumber=(.*),cn=peercred,cn=external,cn=auth
>     ldap:///dc=securemail,dc=swro,dc=local??sub?(&(uidNumber=$2)(gidNumber=$1))
>
> These changes allowed me to successfully SMTP AUTH to the
> postfix server BUT I am still having the issue with cyrus-imapd.
>
> I am going to try removing the package and readding it to see
> if that clears up the problem.
>
> If anyone has any thoughts on that error, please let me know.
>
> Thanks!
>
> Doug
>
> Here it is again for convenience:
>
> > # imtest -a fred -m DIGEST-MD5
> >
> > S: * OK securemail.swro.local Cyrus IMAP4 v2.3.1-Invoca-RPM-2.3.1-2.6.fc5 server ready
> > C: C01 CAPABILITY
> > S: * CAPABILITY IMAP4 IMAP4rev1 ACL RIGHTS=kxte QUOTA
> > LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID
> > NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT
> > THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE
> > IDLE STARTTLS AUTH=DIGEST-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED
> > X-NETSCAPE URLAUTH
> > S: C01 OK Completed
> > C: A01 AUTHENTICATE DIGEST-MD5
> > S: +
> > bm9uY2U9IituMWFTUVR2akp2THl1S1lVcEhUS3FDeEt3YitXTnFFN2ltREdyM2
> > 93bHc9IixyZWFsbT0ic2VjdXJlbWFpbC5zd3JvLmxvY2FsIixxb3A9ImF1dGgs
> > YXV0aC1pbnQsYXV0aC1jb25mIixjaXBoZXI9InJjNC00MCxyYzQtNTYscmM0LG
> > RlcywzZGVzIixtYXhidWY9NDA5NixjaGFyc2V0PXV0Zi04LGFsZ29yaXRobT1t
> > ZDUtc2Vzcw==
> > base64 decoding error
> > Authentication failed. generic failure
> > Security strength factor: 0
>
>
>
> > -----Original Message-----
> > From: cyrus-sasl-bounces at lists.andrew.cmu.edu
> > [mailto:cyrus-sasl-bounces at lists.andrew.cmu.edu] On Behalf Of
> > Doug Campbell
> > Sent: Wednesday, October 25, 2006 6:11 PM
> > To: cyrus-sasl at lists.andrew.cmu.edu
> > Subject: Can't get SASL Authentication to work
> >
> > Sorry to cross-post. Immediately after I sent this to the
> > OpenLDAP list I realized it probably would be better
> > answered here...
> >
> > I am trying to set up postfix and cyrus-imapd to
> > authenticate using SASL Proxy Authentication to OpenLDAP.
> >
> > I had this working on another machine about a year back and
> > have tried using the same procedure that I used to get that
> > machine working but so far am unsuccessful.
> >
> > My setup steps are shown below but let me show the tests I am doing:
> >
> > I have a user (fred) in ldap with the following information:
> >
> > dn: uid=fred,ou=people,dc=securemail,dc=swro,dc=local
> > uid: fred
> > cn: Fred Flintstone
> > homeDirectory: /home/fred
> > uidNumber: 501
> > objectClass: posixAccount
> > objectClass: shadowAccount
> > objectClass: inetOrgPerson
> > gidNumber: 501
> > gecos: Fred Flintstone
> > sn: Flintstone
> > givenName: Fred
> > shadowLastChange: 12990
> > loginShell: /sbin/nologin
> > userPassword:: d2lsbWE=
> > mail: fred at excel-pacific.com
> >
> > dn: cn=fred,ou=group,dc=securemail,dc=swro,dc=local
> > gidNumber: 501
> > cn: fred
> > objectClass: posixGroup
> >
> >
> > I try to use SMTP AUTH to authenticate fred to the postfix
> > server by doing the following:
> >
> > # openssl s_client -connect localhost:25 -starttls smtp
> >
> > 220 securemail.swro.local ESMTP Postfix
> > ehlo swro.local
> > 250-securemail.swro.local
> > 250-PIPELINING
> > 250-SIZE 10240000
> > 250-VRFY
> > 250-ETRN
> > 250-AUTH DIGEST-MD5 PLAIN LOGIN
> > 250-AUTH=DIGEST-MD5 PLAIN LOGIN
> > 250 8BITMIME
> > auth login
> > 334 VXNlcm5hbWU6
> > ZnJlZA==
> > 334 UGFzc3dvcmQ6
> > d2lsbWE=
> > 535 Error: authentication failed
> >
> > FAILED!
> >
> >
> > I try to use DIGEST-MD5 with the cyrus-imap by doing the following:
> >
> > # imtest -a fred -m DIGEST-MD5
> >
> > S: * OK securemail.swro.local Cyrus IMAP4 v2.3.1-Invoca-RPM-2.3.1-2.6.fc5 server ready
> > C: C01 CAPABILITY
> > S: * CAPABILITY IMAP4 IMAP4rev1 ACL RIGHTS=kxte QUOTA
> > LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID
> > NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT
> > THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE
> > IDLE STARTTLS AUTH=DIGEST-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED
> > X-NETSCAPE URLAUTH
> > S: C01 OK Completed
> > C: A01 AUTHENTICATE DIGEST-MD5
> > S: +
> > bm9uY2U9IituMWFTUVR2akp2THl1S1lVcEhUS3FDeEt3YitXTnFFN2ltREdyM2
> > 93bHc9IixyZWFsbT0ic2VjdXJlbWFpbC5zd3JvLmxvY2FsIixxb3A9ImF1dGgs
> > YXV0aC1pbnQsYXV0aC1jb25mIixjaXBoZXI9InJjNC00MCxyYzQtNTYscmM0LG
> > RlcywzZGVzIixtYXhidWY9NDA5NixjaGFyc2V0PXV0Zi04LGFsZ29yaXRobT1t
> > ZDUtc2Vzcw==
> > base64 decoding error
> > Authentication failed. generic failure
> > Security strength factor: 0
> >
> > FAILED! I don't even get prompted to enter my password.
> >
> >
> > I have tried turning on logging for OpenLDAP but I can't make
> > out what is wrong. I know that on my server that works, I
> > get messages with PROXYAUTHZ but I don't see anything like
> > that here.
> >
> > What other information can I provide?
> >
> > My setup process is shown below.
> >
> > Grateful for any help!
> >
> > Doug
> >
> >
> >
> >
> >
> >
> > Here is the procedure I am using:
> >
> > 1. Started with fresh install of Fedora Core 5
> > 2. yum install postfix cyrus-imapd cyrus-imapd-utils
> > 3. Download cyrus-sasl-2.1.22 and Install using
> >
> > ./configure --prefix=/usr/local --with-plugindir=/usr/local/lib/sasl2 --with-rc4 \
> >     --with-dblib=berkeley --enable-anon --enable-cram --enable-digest --enable-plain \
> >     --enable-login --enable-ntlm
> >
> > make sasldir=/usr/local/lib/sasl2
> >
> > make install sasldir=/usr/local/lib/sasl2
> >
> >
> >
> > 4. Backup/Remove existing FC5 SASL stuff
> >
> > mv /usr/lib/sasl2 /usr/lib/sasl2.fc5
> > ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
> >
> > mv /usr/lib/libsasl2.a libsasl2.a.fc5
> >
> > ln -s /usr/local/lib/libsasl2.la /usr/lib/libsasl2.la
> >
> > ln -s /usr/local/lib/libsasl2.so.2.0.22 /usr/lib/libsasl2.so.2.0.22
> >
> > ldconfig
> >
> > rm libsasl2.so
> > ln -s libsasl2.so.2.0.22 libsasl2.so
> >
> >
> >
> > 5. Download openldap.2.3.28 and Install using
> >
> > ./configure --prefix=/usr/local --with-slapd --with-slurpd --without-ldapd --with-threads=posix \
> >     --enable-local --enable-ldap --disable-rlookups --with-tls --with-cyrus-sasl --enable-bdb \
> >     --enable-wrappers --enable-passwd --enable-shell --enable-cleartext --enable-crypt --enable-spasswd \
> >     --enable-modules --disable-sql --enable-aci --libexecdir=/usr/local/sbin --localstatedir=/var
> >
> > make depend
> >
> > make
> >
> > make test
> >
> > make install datadir=/var/lib/ldap libexecdir=/usr/local/sbin \
> >     localstatedir=/var sysconfigdir=/etc/openldap
> >
> >
> >
> > 6. Edited my /etc/init.d/ldap startup script and replaced
> > the locations for slapd, slurpd and slaptest with their new
> > locations AND changed the value of hargs to "ldap:///
> > ldapi:///" from "ldap:///"
> >
> >
> > 7. Rebuild cyrus-sasl
> >
> > make distclean
> >
> > ./configure --prefix=/usr/local --with-plugindir=/usr/local/lib/sasl2 --with-rc4 \
> >     --with-dblib=berkeley --enable-anon --enable-cram --enable-digest --enable-plain \
> >     --enable-login --enable-ntlm --enable-ldapdb
> >
> > make sasldir=/usr/local/lib/sasl2
> >
> > make install sasldir=/usr/local/lib/sasl2
> >
> >
> >
> > 7. Created /usr/local/lib/sasl2/slapd.conf and put the
> > following in it:
> >
> > auxprop_plugin: slapd
> >
> >
> > 8. Also created /usr/local/lib/sasl2/smtpd.conf and put the
> > following in it:
> >
> > pwcheck_method: auxprop
> > auxprop_plugin: ldapdb
> > mech_list: PLAIN LOGIN DIGEST-MD5
> > ldapdb_uri: ldapi://%2Fvar%2Frun%2Fldapi/
> > ldapdb_mech: EXTERNAL
> >
> >
> > 9. Added the following lines to my OpenLDAP slapd.conf file
> >
> > password-hash {CLEARTEXT}
> > authz-policy to
> > authz-regexp
> >     uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth
> >     ldap:///dc=securemail,dc=swro,dc=local??sub?(&(uidNumber=$1)(gidNumber=$2))
> >
> > authz-regexp uid=(.*),cn=external,cn=auth
> > ldap:///dc=securemail,dc=swro,dc=local??sub?(uid=$1)
> >
> >
> > 10. Modified /etc/imapd.conf to look like this:
> >
> > configdirectory: /var/lib/imap
> > partition-default: /var/spool/imap
> > admins: cyrus
> > sievedir: /var/lib/imap/sieve
> > sendmail: /usr/sbin/sendmail
> > hashimapspool: true
> > sasl_pwcheck_method: auxprop
> > sasl_auxprop_plugin: ldapdb
> > sasl_mech_list: digest-md5
> > sasl_ldapdb_uri: ldapi://%2Fvar%2Frun%2Fldapi/
> > sasl_ldapdb_mech: EXTERNAL
> > tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
> > tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
> > tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
> >
> >
> > 11. Added the following line to my /etc/ldap.conf (PADL)
> >
> > uri ldapi://%2Fvar%2Frun%2Fldapi/
> >
> >
> > 12. Added the following ldif for the cyrus account:
> >
> > dn: uid=cyrus,ou=people,dc=securemail,dc=swro,dc=local
> > uid: cyrus
> > cn: Cyrus IMAP Server
> > objectClass: account
> > objectClass: posixAccount
> > objectClass: top
> > objectClass: shadowAccount
> > userPassword: {crypt}!!
> > shadowLastChange: 12934
> > loginShell: /bin/bash
> > uidNumber: 76
> > gidNumber: 12
> > homeDirectory: /var/lib/imap
> > gecos: Cyrus IMAP Server
> > authzTo: dn.regex: uid=.*,ou=people,dc=securemail,dc=swro,dc=local
> >
> >
> > 13. Added the following ldif for the postfix account:
> >
> > dn: uid=postfix,ou=people,dc=securemail,dc=swro,dc=local
> > uid: postfix
> > cn: Postfix SMTP Server
> > objectClass: account
> > objectClass: posixAccount
> > objectClass: top
> > objectClass: shadowAccount
> > userPassword: {crypt}!!
> > shadowLastChange: 12934
> > loginShell: /bin/bash
> > uidNumber: 89
> > gidNumber: 89
> > homeDirectory: /var/spool/postfix
> > gecos: Postfix SMTP Server
> > authzTo: dn.regex: uid=uid=.*,ou=people,dc=securemail,dc=swro,dc=local
> >
> >
> > 14. Postfix configuration
> >
> > Added the following lines to my postfix main.cf file
> >
> > smtpd_use_tls = yes
> > smtpd_tls_auth_only = yes
> > smtpd_tls_key_file = /etc/pki/tls/certs/cyrus-imapd.pem
> > smtpd_tls_cert_file = /etc/pki/tls/certs/cyrus-imapd.pem
> > smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
> > smtpd_tls_loglevel = 3
> > smtpd_tls_received_header = yes
> > smtpd_tls_session_cache_timeout = 3600s
> > tls_random_source = dev:/dev/urandom
> >
> > smtpd_sasl_auth_enable = yes
> > smtpd_sasl_security_options = noanonymous
> > broken_sasl_auth_clients = yes
> > smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
> >
> >
> >
> >
> >
>
>
>
>
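A note on the authz-regexp change described in the thread above, with an added example that is not part of the original messages or of OpenLDAP's own code. The account Doug tests with, fred, has uidNumber and gidNumber both equal to 501, so a peercred mapping that swaps the two values still resolves fred and the mistake only shows up for accounts such as cyrus (uidNumber 76, gidNumber 12). The Python below models the authz-regexp substitution against an in-memory copy of the three entries from the post (constructed data, reduced to the two attributes the mapping uses); full-string regex matching and the RULE_HALF variant are assumptions of the model, not settings taken from the thread.

```python
import re
from typing import Optional

# Constructed in-memory stand-in for the three LDAP entries in the post,
# reduced to the two attributes the peercred mapping looks up.
ENTRIES = {
    "uid=fred,ou=people,dc=securemail,dc=swro,dc=local":    {"uidNumber": "501", "gidNumber": "501"},
    "uid=cyrus,ou=people,dc=securemail,dc=swro,dc=local":   {"uidNumber": "76",  "gidNumber": "12"},
    "uid=postfix,ou=people,dc=securemail,dc=swro,dc=local": {"uidNumber": "89",  "gidNumber": "89"},
}

BASE = "ldap:///dc=securemail,dc=swro,dc=local??sub?"

# The rule as originally configured (step 9 of the post) ...
RULE_OLD = (r"uidNumber=(.*)\+gidNumber=(.*),cn=peercred,cn=external,cn=auth",
            BASE + "(&(uidNumber=$1)(gidNumber=$2))")
# ... the rule that worked once the DN arrived gidNumber-first ...
RULE_NEW = (r"gidNumber=(.*)\+uidNumber=(.*),cn=peercred,cn=external,cn=auth",
            BASE + "(&(uidNumber=$2)(gidNumber=$1))")
# ... and a constructed "half fix" (assumption, not from the thread):
# pattern swapped, but $1/$2 in the URL left as they were.
RULE_HALF = (r"gidNumber=(.*)\+uidNumber=(.*),cn=peercred,cn=external,cn=auth",
             BASE + "(&(uidNumber=$1)(gidNumber=$2))")


def peercred_dn(uid: int, gid: int) -> str:
    """SASL EXTERNAL identity slapd derives from the ldapi peer credentials,
    in the attribute order the post reports seeing with OpenLDAP 2.3."""
    return f"gidNumber={gid}+uidNumber={uid},cn=peercred,cn=external,cn=auth"


def rewrite(sasl_dn: str, rule) -> Optional[str]:
    """Model of authz-regexp: on a match, substitute $1, $2, ... into the URL.
    Full-string matching is an assumption of this model, not a claim about slapd."""
    pattern, template = rule
    m = re.fullmatch(pattern, sasl_dn)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda s: m.group(int(s.group(1))), template)


_FILTER = re.compile(r"\(&\(uidNumber=(\d+)\)\(gidNumber=(\d+)\)\)$")


def resolve(url: Optional[str]) -> list:
    """Evaluate the rewritten URL's filter against ENTRIES.
    An empty list means the SASL identity maps to no entry at all."""
    if url is None:
        return []
    m = _FILTER.search(url)
    if m is None:
        return []
    uid, gid = m.groups()
    return sorted(dn for dn, a in ENTRIES.items()
                  if a["uidNumber"] == uid and a["gidNumber"] == gid)


def map_identity(uid: int, gid: int, rule) -> list:
    """Whole pipeline: peer credentials -> SASL DN -> authz-regexp -> entry DN(s)."""
    return resolve(rewrite(peercred_dn(uid, gid), rule))


if __name__ == "__main__":
    for name, rule in (("old", RULE_OLD), ("new", RULE_NEW), ("half", RULE_HALF)):
        for uid, gid in ((501, 501), (76, 12), (89, 89)):
            print(f"{name:4} uid={uid:3} gid={gid:3} -> {map_identity(uid, gid, rule)}")
```

The point of RULE_HALF is the test methodology: an account whose uidNumber equals its gidNumber cannot tell a correct mapping from a transposed one, so a peercred mapping should be checked with an identity like cyrus (76/12) as well as with fred.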
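On the imtest transcript quoted above: the "base64 decoding error" appears before any password prompt, so it is worth confirming that the server challenge itself is well-formed. The Python below is an added example, not code from the thread, from Cyrus SASL or from imtest. It decodes the exact challenge string printed in the post, parses its DIGEST-MD5 directives (RFC 2831 syntax), and then walks the rest of the exchange that imtest never reached: it computes the client response for user fred with the password from the posted LDIF (userPassword:: d2lsbWE=) and verifies it the way the server side has to, from the stored clear-text password. The digest-uri and cnonce values are constructed for the example; the ciphers the challenge advertises (rc4-40, des, ...) are simply what that server offered and are not a recommendation.

```python
import base64
import hashlib
import secrets

# Server challenge exactly as imtest printed it in the post (base64, re-joined).
CHALLENGE_B64 = ("bm9uY2U9IituMWFTUVR2akp2THl1S1lVcEhUS3FDeEt3YitXTnFFN2ltREdyM2"
                 "93bHc9IixyZWFsbT0ic2VjdXJlbWFpbC5zd3JvLmxvY2FsIixxb3A9ImF1dGgs"
                 "YXV0aC1pbnQsYXV0aC1jb25mIixjaXBoZXI9InJjNC00MCxyYzQtNTYscmM0LG"
                 "RlcywzZGVzIixtYXhidWY9NDA5NixjaGFyc2V0PXV0Zi04LGFsZ29yaXRobT1t"
                 "ZDUtc2Vzcw==")
PASSWORD_B64 = "d2lsbWE="   # userPassword:: value from the posted LDIF entry for fred


def parse_directives(text: str) -> dict:
    """Split 'k=v,k="v,with,commas"' into a dict (RFC 2831 directive syntax;
    backslash escapes inside quoted strings are not handled here)."""
    out, cur, quoted = {}, [], False
    for ch in text + ",":
        if ch == '"':
            quoted = not quoted          # drop the quotes, keep the content
            continue
        if ch == "," and not quoted:
            if cur:
                k, _, v = "".join(cur).partition("=")
                out[k.strip()] = v
            cur = []
            continue
        cur.append(ch)
    return out


def parse_challenge(b64: str) -> dict:
    return parse_directives(base64.b64decode(b64, validate=True).decode("utf-8"))


def decode_password(b64: str) -> str:
    return base64.b64decode(b64, validate=True).decode("utf-8")


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def _a1(user, realm, password, nonce, cnonce, authzid=None) -> bytes:
    # md5-sess: the inner H(user:realm:pass) is used in binary form, not hex.
    a1 = _md5(f"{user}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += f":{authzid}".encode()
    return a1


def _a2(prefix, digest_uri, qop) -> bytes:
    a2 = f"{prefix}:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    return a2.encode()


def _digest(a1, a2, nonce, nc, cnonce, qop) -> str:
    return _hex(f"{_hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hex(a2)}".encode())


def client_response(challenge, user, password, digest_uri, qop="auth",
                    cnonce=None, nc="00000001") -> str:
    """Build the client's AUTHENTICATE continuation, the step imtest never reached."""
    if qop not in challenge["qop"].split(","):
        raise ValueError(f"server does not offer qop={qop}")
    cnonce = cnonce or base64.b64encode(secrets.token_bytes(16)).decode()
    nonce, realm = challenge["nonce"], challenge["realm"]
    resp = _digest(_a1(user, realm, password, nonce, cnonce),
                   _a2("AUTHENTICATE", digest_uri, qop), nonce, nc, cnonce, qop)
    return ",".join([f'username="{user}"', f'realm="{realm}"', f'nonce="{nonce}"',
                     f'cnonce="{cnonce}"', f"nc={nc}", f"qop={qop}",
                     f'digest-uri="{digest_uri}"', f"response={resp}", "charset=utf-8"])


def server_verify(response_text: str, stored_password: str, expected_nonce: str):
    """Server side: recompute the response from the stored clear-text password
    (this is why DIGEST-MD5 needs the secret in clear on the server).
    Returns (ok, rspauth)."""
    r = parse_directives(response_text)
    if r.get("nonce") != expected_nonce:            # replayed or foreign challenge
        return False, None
    a1 = _a1(r["username"], r["realm"], stored_password, r["nonce"], r["cnonce"], r.get("authzid"))
    expected = _digest(a1, _a2("AUTHENTICATE", r["digest-uri"], r["qop"]),
                       r["nonce"], r["nc"], r["cnonce"], r["qop"])
    if not secrets.compare_digest(expected, r["response"]):
        return False, None
    rspauth = _digest(a1, _a2("", r["digest-uri"], r["qop"]),
                      r["nonce"], r["nc"], r["cnonce"], r["qop"])
    return True, rspauth


if __name__ == "__main__":
    ch = parse_challenge(CHALLENGE_B64)
    print(ch)
    msg = client_response(ch, "fred", decode_password(PASSWORD_B64),
                          "imap/securemail.swro.local")          # constructed digest-uri
    print(server_verify(msg, decode_password(PASSWORD_B64), ch["nonce"]))
```

The challenge decodes cleanly to nonce, realm=securemail.swro.local, qop=auth,auth-int,auth-conf, the cipher list, maxbuf=4096, charset=utf-8 and algorithm=md5-sess, so the server's first message is valid and the decoding failure is on the client. Two things this exchange makes concrete: the server needs fred's password in clear (hence the password-hash {CLEARTEXT} line in step 9 of the post), and the confidentiality ciphers on offer are 40- and 56-bit RC4 and single DES, so TLS on the IMAP session is still the layer to rely on.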