Cyrus SASL, OpenLDAP, problem or misconfiguration?
Norberto Bensa
nbensa at gmail.com
Sun Jan 6 13:07:28 EST 2008
Hello List,
I'm running these versions:
dev-libs/cyrus-sasl-2.1.22-r2
net-mail/cyrus-imapd-2.3.11
mail-mta/postfix-2.4.6-r1
net-nds/openldap-2.3.39-r2
Yup. This is a Gentoo box. OpenLDAP and Postfix are compiled with SASL
support turned on (sasl USE flag.) And SASL is compiled with LDAP
support.
I'm trying to get DIGEST-MD5 working with passwords stored in an LDAP directory.
# cat /etc/imapd.conf
configdirectory: /var/imap
partition-default: /var/spool/imap
sievedir: /var/imap/sieve
tls_ca_path: /etc/ssl/certs
tls_cert_file: /etc/ssl/cyrus/server.crt
tls_key_file: /etc/ssl/cyrus/server.key
admins: cyrus
autocreatequota: 500000
createonpost: yes
autocreateinboxfolders: Sent|Drafts|Spam
hashimapspool: yes
allowanonymouslogin: no
allowplaintext: yes
allowusermoves: yes
sieveusehomedir: no
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://localhost
sasl_ldapdb_starttls: try
sasl_ldapdb_mech: DIGEST-MD5
sasl_ldapdb_ui: cyrus
sasl_ldapdb_pw: cyrus
sasl_mech_list: DIGEST-MD5 CRAM-MD5 LOGIN PLAIN NTLM
# cat /etc/openldap/slapd.conf
TLSCACertificateFile /etc/openldap/ssl/ldap.pem
TLSCertificateFile /etc/openldap/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/horde.schema
include /etc/openldap/schema/rfc2739.schema
include /etc/openldap/schema/amavisd-new.schema
include /etc/openldap/schema/quota.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 0
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=bensa,dc=ar"
checkpoint 32 30 # <kbyte> <min>
directory /var/lib/openldap-data
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname,displayName eq,subinitial
access to
attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange
by dn="cn=admin,ou=dsa,dc=bensa,dc=ar" write
by anonymous auth
by self write
access to dn.base=""
by * read
access to *
by dn="cn=admin,ou=dsa,dc=bensa,dc=ar" write
by * read
password-hash {CLEARTEXT}
authz-policy to
authz-regexp
uid=([^,]*),cn=[^,]*,cn=auth
uid=$1,ou=users,dc=bensa,dc=ar
I can DIGEST-MD5 authenticate any user:
$ ldapsearch -U nbensa 'uid=nbensa'
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: nbensa
SASL SSF: 128
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: uid=nbensa
# requesting: ALL
#
# nbensa, users, bensa.ar
dn: uid=nbensa,ou=users,dc=bensa,dc=ar
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaSID: S-1-5-21-3726536789-1157295434-1464998096-3000
sambaPrimaryGroupSID: S-1-5-21-3726536789-1157295434-1464998096-513
sambaLogonScript: logon.bat
sambaHomeDrive: H:
.
.
.
I can do proxy-authorization:
$ ldapwhoami -U cyrus -X u:nbensa -Y DIGEST-MD5
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: u:nbensa
SASL SSF: 128
SASL installing layers
dn:uid=nbensa,ou=users,dc=bensa,dc=ar
Result: Success (0)
But I can't get Cyrus Imapd (and Postfix) to use DIGEST-MD5.
I can see something like this in the logs:
Jan 6 15:56:08 zeddmore imtest: DIGEST-MD5 client step 2
Jan 6 15:56:08 zeddmore imap[1147]: DIGEST-MD5 client step 2
Jan 6 15:56:08 zeddmore imap[1147]: DIGEST-MD5 client step 2
Jan 6 15:56:08 zeddmore imap[1147]: Unexpectedly missing a prompt result
Jan 6 15:56:08 zeddmore imap[1147]: badlogin: localhost [127.0.0.1]
DIGEST-MD5 [SASL(-13): user not found: no secret in database]
I've been struggling with this for the last three days, reading posts,
documentation, and trying different configurations, but nothing seems
to work.
Please note that I can do DIGEST-MD5 authentication if I store the
passwords in sasldb...
Can anyone give any idea where to look?
Many thanks in advance,
Norberto
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
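Added example, not part of the original post: a small linter for the sasl_ldapdb_* lines of an imapd.conf like the one quoted above. It assumes the option names documented for the Cyrus SASL ldapdb auxprop plugin (ldapdb_uri, ldapdb_id, ldapdb_pw, ldapdb_mech, ldapdb_rc, ldapdb_starttls, ldapdb_canon_attr), that Cyrus IMAP passes sasl_* options to libsasl with the prefix stripped, and that shared-secret mechanisms such as DIGEST-MD5 need the plugin to fetch the cleartext userPassword (which is why the slapd.conf above uses password-hash {CLEARTEXT}). The sample input is constructed from the post.

```python
# Added example (not from the post): lint the ldapdb auxprop settings in imapd.conf.
LDAPDB_OPTIONS = {"ldapdb_uri", "ldapdb_id", "ldapdb_pw", "ldapdb_mech",
                  "ldapdb_rc", "ldapdb_starttls", "ldapdb_canon_attr"}  # assumed from the ldapdb plugin docs
LDAPDB_REQUIRED = {"ldapdb_uri", "ldapdb_id", "ldapdb_pw", "ldapdb_mech"}

# Constructed sample: the sasl_* lines from the imapd.conf quoted in the post.
SAMPLE_IMAPD_CONF = """\
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://localhost
sasl_ldapdb_starttls: try
sasl_ldapdb_mech: DIGEST-MD5
sasl_ldapdb_ui: cyrus
sasl_ldapdb_pw: cyrus
sasl_mech_list: DIGEST-MD5 CRAM-MD5 LOGIN PLAIN NTLM
"""


def parse_imapd_conf(text):
    """Parse 'key: value' lines into a dict; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip().lower()] = value.strip()
    return conf


def check_ldapdb(conf):
    """Return a list of findings about the ldapdb auxprop plugin configuration."""
    findings = []
    if conf.get("sasl_auxprop_plugin") != "ldapdb":
        return ["sasl_auxprop_plugin is not ldapdb; nothing to check"]
    # Cyrus IMAP hands sasl_* options to libsasl with the 'sasl_' prefix stripped.
    opts = {k[len("sasl_"):]: v for k, v in conf.items() if k.startswith("sasl_ldapdb_")}
    for key in sorted(set(opts) - LDAPDB_OPTIONS):
        findings.append(f"unknown option '{key}': the plugin ignores it (typo?)")
    for key in sorted(LDAPDB_REQUIRED - set(opts)):
        findings.append(f"required option '{key}' is missing")
    if {"DIGEST-MD5", "CRAM-MD5"} & set(conf.get("sasl_mech_list", "").upper().split()):
        findings.append("shared-secret mechanisms enabled: the proxied user must be able "
                        "to read its cleartext userPassword from the directory")
    if (opts.get("ldapdb_mech", "").upper() in ("PLAIN", "LOGIN")
            and opts.get("ldapdb_starttls") != "demand"
            and not opts.get("ldapdb_uri", "").startswith("ldaps://")):
        findings.append("bind password would travel in clear: set ldapdb_starttls: demand or use ldaps://")
    return findings


if __name__ == "__main__":
    for finding in check_ldapdb(parse_imapd_conf(SAMPLE_IMAPD_CONF)):
        print("-", finding)
```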