From d.faller at live.de Sun Oct 27 10:34:57 2019
From: d.faller at live.de (David Faller)
Date: Sun, 27 Oct 2019 14:34:57 +0000
Subject: Ask for saslauthd help
Message-ID:

Dear All,

I want to try my luck here, perhaps someone could help me.

First, the problem:

We would like to restrict the LDAP authentication over saslauthd so that users can only log in with their valid e-mail address.
At the moment users are able to log in with username@domain.com or with only their username.

I tried a lot to specify the ldap_filter to do a lookup for userPrincipalName=%u.
With the command testsaslauthd it's working, but cyrus can't grant access, with errors like this:

saslauthd.service - LSB: saslauthd startup script
   Loaded: loaded (/etc/init.d/saslauthd; generated)
   Active: active (running) since Fri 2019-10-25 14:07:54 CEST; 1h 33min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 3707 ExecStart=/etc/init.d/saslauthd start (code=exited, status=0/SUCCESS)
    Tasks: 10 (limit: 4915)
   Memory: 15.4M
   CGroup: /system.slice/saslauthd.service
           ├─3727 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
           ├─3728 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
           ├─3729 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
           ├─3730 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
           ├─3733 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
           ├─3745 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
           ├─3746 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
           ├─3747 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
           ├─3748 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
           └─3749 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5

Oct 25 15:38:27 CGSG saslauthd[3747]: : auth failure: [user=money] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]
Oct 25 15:39:07 CGSG saslauthd[3745]: Entry not found (sAMAccountName=account).
Oct 25 15:39:07 CGSG saslauthd[3745]: Authentication failed for account/uc-central.net: User not found (-6)
Oct 25 15:39:07 CGSG saslauthd[3745]: : auth failure: [user=account] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]
Oct 25 15:40:20 CGSG saslauthd[3748]: Entry not found (sAMAccountName=tg).
Oct 25 15:40:20 CGSG saslauthd[3748]: Authentication failed for tg/uc-central.net: User not found (-6)
Oct 25 15:40:20 CGSG saslauthd[3748]: : auth failure: [user=tg] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]
Oct 25 15:40:56 CGSG saslauthd[3746]: Entry not found (sAMAccountName=pearl).
Oct 25 15:40:56 CGSG saslauthd[3746]: Authentication failed for pearl/uc-central.net: User not found (-6)
Oct 25 15:40:56 CGSG saslauthd[3746]: : auth failure: [user=pearl] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]

Oct 25 13:49:52 CGSG cyrus/imaps[3074]: SASL Password verification failed

Oct 25 13:31:25 CGSG cyrus/imap[2420]: badlogin: localhost [127.0.0.1] plaintext it@mandldreyer.com SASL(-13): authentication failure: checkpass failed
Oct 25 13:31:25 CGSG cyrus/imaps[2434]: badlogin: port-83-236-195-74.static.qsc.de[83.236.195.74] LOGIN [SASL(-13): authentication failure: checkpass failed]
Oct 25 13:31:25 CGSG cyrus/imaps[2432]: badlogin: port-83-236-195-74.static.qsc.de[83.236.195.74] LOGIN [SASL(-13): authentication failure: checkpass failed]
Oct 25 13:31:28 CGSG cyrus/imap[2445]: badlogin: localhost [127.0.0.1] plaintext it@mandldreyer.com SASL(-13): authentication failure: checkpass failed
Oct 25 13:31:29 CGSG cyrus/imaps[2432]: badlogin: port-83-236-195-74.static.qsc.de[83.236.195.74] plaintext lager SASL(-13): authentication failure: checkpass failed
Oct 25 13:31:29 CGSG cyrus/imaps[2434]: badlogin: port-83-236-195-74.static.qsc.de[83.236.195.74] plaintext sebastian.mandl@mandldreyer.com SASL(-13): authentication failure: checkpass failed

The problem is our multi-domain setup, and when a user logs in with a
client or over the web with only their username, cyrus creates new false mailboxes.
This we would like to prevent.

Perhaps someone knows how to configure the saslauthd filter right for this special case.

Configuration

Our /etc/saslauthd.config

ldap_servers: ldap://ddcl001.domain.dir
ldap_search_base: dc=domain,dc=dir
ldap_filter: sAMAccountName=%U
#ldap_filter: userPrincipalName=%u

#ldap_version: 3
ldap_auth_method: bind
ldap_bind_dn: cn=Administrator,cn=Users,dc=domain,dc=dir
ldap_bind_pw: ******
#ldap_scope: sub

Best Regards,
David Faller

Sent from my iPad

From dwhite at olp.net Mon Oct 28 11:01:24 2019
From: dwhite at olp.net (Dan White)
Date: Mon, 28 Oct 2019 10:01:24 -0500
Subject: Ask for saslauthd help
In-Reply-To:
References:
Message-ID: <20191028150124.GA8021@zeno.bixbytelephone.com>

On 10/27/19 14:34 +0000, David Faller wrote:
>Dear All,
>I want to try my luck here, perhaps someone could help me.
>
>First, the problem:
>
>We would like to restrict the LDAP authentication over saslauthd so that users can only log in with their valid e-mail address.
>At the moment users are able to log in with username@domain.com or with only their username.
>
>I tried a lot to specify the ldap_filter to do a lookup for userPrincipalName=%u.
>With the command testsaslauthd it's working, but cyrus can't grant access, with errors like this:
>
>saslauthd.service - LSB: saslauthd startup script
>   Loaded: loaded (/etc/init.d/saslauthd; generated)
>   Active: active (running) since Fri 2019-10-25 14:07:54 CEST; 1h 33min ago
>     Docs: man:systemd-sysv-generator(8)
>  Process: 3707 ExecStart=/etc/init.d/saslauthd start (code=exited, status=0/SUCCESS)
>    Tasks: 10 (limit: 4915)
>   Memory: 15.4M
>   CGroup: /system.slice/saslauthd.service
>           ├─3727 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
>           ├─3728 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
>           ├─3729 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
>           ├─3730 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
>           ├─3733 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
>           ├─3745 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
>           ├─3746 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
>           ├─3747 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
>           ├─3748 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
>           └─3749 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
>
>Oct 25 15:38:27 CGSG saslauthd[3747]: : auth failure: [user=money] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]
>Oct 25 15:39:07 CGSG saslauthd[3745]: Entry not found (sAMAccountName=account).
>Oct 25 15:39:07 CGSG saslauthd[3745]: Authentication failed for account/uc-central.net: User not found (-6)
>Oct 25 15:39:07 CGSG saslauthd[3745]: : auth failure: [user=account] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]
>Oct 25 15:40:20 CGSG saslauthd[3748]: Entry not found (sAMAccountName=tg).
>Oct 25 15:40:20 CGSG saslauthd[3748]: Authentication failed for tg/uc-central.net: User not found (-6)
>Oct 25 15:40:20 CGSG saslauthd[3748]: : auth failure: [user=tg] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]
>Oct 25 15:40:56 CGSG saslauthd[3746]: Entry not found (sAMAccountName=pearl).
>Oct 25 15:40:56 CGSG saslauthd[3746]: Authentication failed for pearl/uc-central.net: User not found (-6)
>Oct 25 15:40:56 CGSG saslauthd[3746]: : auth failure: [user=pearl] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]

Hi David,

Your detail is appreciated. It helps to paint a good picture of what's going on.

The errors above appear to be for postfix. An ldap filter to try:

ldap_filter: (|(sAMAccountName=%U)(userPrincipalName=%u))

Note that saslauthd does not return the username/auth identity for postfix and cyrus imapd to use. It's only used to authenticate the user.

To troubleshoot, you can enable debugging with:

ldap_debug: -1

See ldap_set_option(3) and include/ldap_log.h in the openldap source.

If you don't see ldap output in syslog, try starting saslauthd in debug mode.

The -r option for saslauthd, which combines the username and realm, may be useful.
>Oct 25 13:49:52 CGSG cyrus/imaps[3074]: SASL Password verification failed
>
>Oct 25 13:31:25 CGSG cyrus/imap[2420]: badlogin: localhost [127.0.0.1] plaintext it@mandldreyer.com SASL(-13): authentication failure: checkpass failed
>Oct 25 13:31:25 CGSG cyrus/imaps[2434]: badlogin: port-83-236-195-74.static.qsc.de[83.236.195.74] LOGIN [SASL(-13): authentication failure: checkpass failed]
>Oct 25 13:31:25 CGSG cyrus/imaps[2432]: badlogin: port-83-236-195-74.static.qsc.de[83.236.195.74] LOGIN [SASL(-13): authentication failure: checkpass failed]
>Oct 25 13:31:28 CGSG cyrus/imap[2445]: badlogin: localhost [127.0.0.1] plaintext it@mandldreyer.com SASL(-13): authentication failure: checkpass failed
>Oct 25 13:31:29 CGSG cyrus/imaps[2432]: badlogin: port-83-236-195-74.static.qsc.de[83.236.195.74] plaintext lager SASL(-13): authentication failure: checkpass failed
>Oct 25 13:31:29 CGSG cyrus/imaps[2434]: badlogin: port-83-236-195-74.static.qsc.de[83.236.195.74] plaintext sebastian.mandl@mandldreyer.com SASL(-13): authentication failure: checkpass failed
>
>The problem is our multi-domain setup, and when a user logs in with a client or over the web with only their username, cyrus creates new false mailboxes.
>This we would like to prevent.

The mapping of username[@domain] to mailbox function is a cyrus imap decision. You can influence this by setting:

defaultdomain:

in /etc/imapd.conf. I recommend being cautious with changing the following imapd.conf settings on a production system:

defaultdomain
virtdomains

Or you can use a canonicalization plugin.

>Perhaps someone knows how to configure the saslauthd filter right for this special case.
>
>Configuration
>
>Our /etc/saslauthd.config
>
>ldap_servers: ldap://ddcl001.domain.dir
>ldap_search_base: dc=domain,dc=dir
>ldap_filter: sAMAccountName=%U
>#ldap_filter: userPrincipalName=%u
>
>#ldap_version: 3
>ldap_auth_method: bind
>ldap_bind_dn: cn=Administrator,cn=Users,dc=domain,dc=dir
>ldap_bind_pw: ******
>#ldap_scope: sub

If supported on your ldap server, sasl/digest-md5 is a simpler way to go about this:

ldap_servers: ldaps://
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5

-- 
Dan White

From d.faller at live.de Mon Oct 28 14:10:01 2019
From: d.faller at live.de (David Faller)
Date: Mon, 28 Oct 2019 18:10:01 +0000
Subject: Cyrus-sasl Digest, Vol 162, Issue 2
In-Reply-To:
References:
Message-ID:

I added the -r option under the service in /etc/default/saslauthd:

OPTIONS="-r -c -m /var/run/saslauthd"

And tried the filter again with the option "userprincipalname=%u", and it's working now. Authentication works only with the full domain / realm address.

This helps us a lot, and thank you very much.