Cyrus SASL, OpenLDAP, problem or misconfiguration?

Norberto Bensa nbensa at gmail.com
Sun Jan 6 13:07:28 EST 2008


Hello List,

I'm running these versions:

dev-libs/cyrus-sasl-2.1.22-r2
net-mail/cyrus-imapd-2.3.11
mail-mta/postfix-2.4.6-r1
net-nds/openldap-2.3.39-r2

Yup. This is a Gentoo box. OpenLDAP and Postfix are compiled with SASL
support turned on (sasl USE flag), and SASL is compiled with LDAP
support.

I'm trying to get DIGEST-MD5 working with passwords stored in an LDAP directory.

# cat /etc/imapd.conf
configdirectory:        /var/imap
partition-default:      /var/spool/imap
sievedir:               /var/imap/sieve

tls_ca_path:            /etc/ssl/certs
tls_cert_file:          /etc/ssl/cyrus/server.crt
tls_key_file:           /etc/ssl/cyrus/server.key

admins:                 cyrus

autocreatequota:        500000
createonpost:           yes
autocreateinboxfolders: Sent|Drafts|Spam

hashimapspool:          yes
allowanonymouslogin:    no
allowplaintext:         yes

allowusermoves:         yes

sieveusehomedir:        no

sasl_pwcheck_method:    auxprop
sasl_auxprop_plugin:    ldapdb
sasl_ldapdb_uri:        ldap://localhost
sasl_ldapdb_starttls:   try
sasl_ldapdb_mech:       DIGEST-MD5
sasl_ldapdb_ui:         cyrus
sasl_ldapdb_pw:         cyrus

sasl_mech_list:         DIGEST-MD5 CRAM-MD5 LOGIN PLAIN NTLM


# cat /etc/openldap/slapd.conf
TLSCACertificateFile    /etc/openldap/ssl/ldap.pem
TLSCertificateFile      /etc/openldap/ssl/ldap.pem
TLSCertificateKeyFile   /etc/openldap/ssl/ldap.pem

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/horde.schema
include /etc/openldap/schema/rfc2739.schema
include /etc/openldap/schema/amavisd-new.schema
include /etc/openldap/schema/quota.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

loglevel        0

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=bensa,dc=ar"
checkpoint      32      30 # <kbyte> <min>

directory       /var/lib/openldap-data

index   sambaSID                                        eq
index   sambaPrimaryGroupSID                            eq
index   sambaDomainName                                 eq
index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
index   cn,mail,surname,givenname,displayName           eq,subinitial

access to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange
         by dn="cn=admin,ou=dsa,dc=bensa,dc=ar" write
         by anonymous auth
         by self write

access to dn.base=""
         by * read

access to *
         by dn="cn=admin,ou=dsa,dc=bensa,dc=ar" write
         by * read

password-hash   {CLEARTEXT}

authz-policy to
authz-regexp
         uid=([^,]*),cn=[^,]*,cn=auth
         uid=$1,ou=users,dc=bensa,dc=ar


I can DIGEST-MD5 authenticate any user:

$ ldapsearch -U nbensa 'uid=nbensa'
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: nbensa
SASL SSF: 128
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: uid=nbensa
# requesting: ALL
#

# nbensa, users, bensa.ar
dn: uid=nbensa,ou=users,dc=bensa,dc=ar
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaSID: S-1-5-21-3726536789-1157295434-1464998096-3000
sambaPrimaryGroupSID: S-1-5-21-3726536789-1157295434-1464998096-513
sambaLogonScript: logon.bat
sambaHomeDrive: H:
.
.
.

I can do proxy-authorization:

$ ldapwhoami -U cyrus -X u:nbensa -Y DIGEST-MD5
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: u:nbensa
SASL SSF: 128
SASL installing layers
dn:uid=nbensa,ou=users,dc=bensa,dc=ar
Result: Success (0)

But I can't get Cyrus Imapd (and Postfix) to use DIGEST-MD5.

I can see something like this in the logs:

Jan  6 15:56:08 zeddmore imtest: DIGEST-MD5 client step 2
Jan  6 15:56:08 zeddmore imap[1147]: DIGEST-MD5 client step 2
Jan  6 15:56:08 zeddmore imap[1147]: DIGEST-MD5 client step 2
Jan  6 15:56:08 zeddmore imap[1147]: Unexpectedly missing a prompt result
Jan  6 15:56:08 zeddmore imap[1147]: badlogin: localhost [127.0.0.1] DIGEST-MD5 [SASL(-13): user not found: no secret in database]


I've been struggling with this for the last three days, reading posts,
documentation, and trying different configurations, but nothing seems
to work.

Please note that I can do DIGEST-MD5 authentication if I store the  
passwords in sasldb...

Can anyone give any idea where to look?


Many thanks in advance,
Norberto
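Editor's note, added to the post above (this is not the poster's configuration tooling nor code from the Cyrus projects): an offline lint of the sasl_* keys in the quoted imapd.conf. The option names it knows are the ones the Cyrus SASL ldapdb auxprop plugin reads (ldapdb_uri, ldapdb_id, ldapdb_pw, ldapdb_mech, ldapdb_starttls, ldapdb_rc, ldapdb_canon_attr); the hint wording, the parser and the hardening findings are the example's own. Run against the posted lines it reports that `sasl_ldapdb_ui` is not an option the plugin reads and that `sasl_ldapdb_id` is therefore unset, which leaves the plugin's proxy bind to slapd without an authentication identity and is worth checking before anything else. It also flags two points a reviewer would raise regardless of the login failure: the proxy password sits in cleartext in imapd.conf, and `allowplaintext: yes` together with PLAIN and LOGIN in `sasl_mech_list` lets passwords cross the wire unencrypted.

```python
"""Offline lint for the sasl_* keys in a Cyrus IMAP imapd.conf.

Added example for the mailing-list post above; it is not the poster's or
the Cyrus projects' code. It checks option names against the ones the
ldapdb auxprop plugin actually reads and flags credential exposure.
"""
import difflib

# Options the Cyrus SASL ldapdb auxprop plugin reads (per the Cyrus SASL
# options documentation); imapd.conf hands them over with a "sasl_" prefix.
LDAPDB_OPTIONS = {
    "ldapdb_uri", "ldapdb_id", "ldapdb_pw", "ldapdb_mech",
    "ldapdb_starttls", "ldapdb_rc", "ldapdb_canon_attr",
}
# SASL mechanisms that send the password itself over the connection.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_imapd_conf(text):
    """Parse imapd.conf 'key: value' lines into a dict.

    '#' starts a comment and blank lines are skipped; a repeated key
    overrides the earlier one.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def lint_sasl_options(conf):
    """Return a list of human-readable findings about the SASL-related keys."""
    findings = []
    uses_ldapdb = (conf.get("sasl_pwcheck_method") == "auxprop"
                   and conf.get("sasl_auxprop_plugin") == "ldapdb")
    if uses_ldapdb:
        for key in sorted(conf):
            if not key.startswith("sasl_ldapdb_"):
                continue
            option = key[len("sasl_"):]
            if option in LDAPDB_OPTIONS:
                continue
            # sasl_* keys are passed through untouched and an unknown one is
            # never consulted by the plugin, so a typo only shows up at login.
            guesses = difflib.get_close_matches(option, LDAPDB_OPTIONS, n=2)
            hint = ""
            if guesses:
                hint = " (closest known options: " + ", ".join(
                    "sasl_" + g for g in guesses) + ")"
            findings.append(f"{key}: not an ldapdb option, the plugin ignores it{hint}")
        if "sasl_ldapdb_id" not in conf:
            findings.append("sasl_ldapdb_id: missing, so the proxy bind to the "
                            "directory has no authentication identity")
        if "sasl_ldapdb_pw" in conf:
            findings.append("sasl_ldapdb_pw: cleartext directory credential in "
                            "imapd.conf, keep the file readable by the cyrus user only")
    mechs = set(conf.get("sasl_mech_list", "").upper().split())
    if conf.get("allowplaintext", "no").lower() == "yes" and mechs & PLAINTEXT_MECHS:
        findings.append("allowplaintext: yes with PLAIN/LOGIN offered, passwords may "
                        "cross the wire in the clear before STARTTLS")
    return findings


# The SASL-related lines copied from the imapd.conf in the post above.
POSTED_CONF = """\
allowplaintext:         yes
sasl_pwcheck_method:    auxprop
sasl_auxprop_plugin:    ldapdb
sasl_ldapdb_uri:        ldap://localhost
sasl_ldapdb_starttls:   try
sasl_ldapdb_mech:       DIGEST-MD5
sasl_ldapdb_ui:         cyrus
sasl_ldapdb_pw:         cyrus
sasl_mech_list:         DIGEST-MD5 CRAM-MD5 LOGIN PLAIN NTLM
"""

if __name__ == "__main__":
    for finding in lint_sasl_options(parse_imapd_conf(POSTED_CONF)):
        print(finding)
```

Renaming the key to `sasl_ldapdb_id` and setting `allowplaintext: no` leaves only the cleartext-credential finding, which is inherent to the ldapdb proxy design and is handled by file permissions rather than configuration.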

