Cyrus-sasl Digest, Vol 162, Issue 2
David Faller
d.faller at live.de
Mon Oct 28 14:10:01 EDT 2019

I added the -r option to the service under /etc/default/saslauthd:
OPTIONS="-r -c -m /var/run/saslauthd"
and tried the filter again with the option "userprincipalname=%u", and it's working now.
Authentication works only with the full domain / realm address.
This helps us a lot, and thank you very much.
On 28.10.19, 17:01, "Cyrus-sasl on behalf of cyrus-sasl-request at lists.andrew.cmu.edu" <cyrus-sasl-bounces+d.faller=live.de at lists.andrew.cmu.edu on behalf of cyrus-sasl-request at lists.andrew.cmu.edu> wrote:
    Send Cyrus-sasl mailing list submissions to
    	cyrus-sasl at lists.andrew.cmu.edu
    
    To subscribe or unsubscribe via the World Wide Web, visit
    	https://lists.andrew.cmu.edu/mailman/listinfo/cyrus-sasl
    or, via email, send a message with subject or body 'help' to
    	cyrus-sasl-request at lists.andrew.cmu.edu
    
    You can reach the person managing the list at
    	cyrus-sasl-owner at lists.andrew.cmu.edu
    
    When replying, please edit your Subject line so it is more specific
    than "Re: Contents of Cyrus-sasl digest..."
    
    
    Today's Topics:
    
       1. Re: Ask for saslauthd help (Dan White)
    
    
    ----------------------------------------------------------------------
    
    Message: 1
    Date: Mon, 28 Oct 2019 10:01:24 -0500
    From: Dan White <dwhite at olp.net>
    To: David Faller <d.faller at live.de>
    Cc: "cyrus-sasl at lists.andrew.cmu.edu"
    	<cyrus-sasl at lists.andrew.cmu.edu>
    Subject: Re: Ask for saslauthd help
    Message-ID: <20191028150124.GA8021 at zeno.bixbytelephone.com>
    Content-Type: text/plain; charset="utf-8"; format=flowed
    
    On 10/27/19 14:34 +0000, David Faller wrote:
    >Dear All,
    >I want to try my luck here, perhaps someone could help me.
    >
    >First The Problem:
    >
    >We would like to restrict the ldap authentication over saslauthd, so that users only can login with their valid e-mail address.
    >At the moment users are able to login with username at domain.com or only their username.
    >
    >I tried a lot to specify the ldap_filter to take a lookup for the userPrincipalName=%u.
    >With the command testsaslauthd it's working, but cyrus can't grant access, with errors like this:
    >
    >saslauthd.service - LSB: saslauthd startup script
    >   Loaded: loaded (/etc/init.d/saslauthd; generated)
    >   Active: active (running) since Fri 2019-10-25 14:07:54 CEST; 1h 33min ago
    >     Docs: man:systemd-sysv-generator(8)
    >  Process: 3707 ExecStart=/etc/init.d/saslauthd start (code=exited, status=0/SUCCESS)
    >    Tasks: 10 (limit: 4915)
    >   Memory: 15.4M
    >   CGroup: /system.slice/saslauthd.service
    >           ├─3727 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
    >           ├─3728 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
    >           ├─3729 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
    >           ├─3730 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
    >           ├─3733 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
    >           ├─3745 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
    >           ├─3746 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
    >           ├─3747 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
    >           ├─3748 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
    >           └─3749 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
    >
    >Oct 25 15:38:27 CGSG saslauthd[3747]:                 : auth failure: [user=money] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]
    >Oct 25 15:39:07 CGSG saslauthd[3745]: Entry not found (sAMAccountName=account).
    >Oct 25 15:39:07 CGSG saslauthd[3745]: Authentication failed for account/uc-central.net: User not found (-6)
    >Oct 25 15:39:07 CGSG saslauthd[3745]:                 : auth failure: [user=account] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]
    >Oct 25 15:40:20 CGSG saslauthd[3748]: Entry not found (sAMAccountName=tg).
    >Oct 25 15:40:20 CGSG saslauthd[3748]: Authentication failed for tg/uc-central.net: User not found (-6)
    >Oct 25 15:40:20 CGSG saslauthd[3748]:                 : auth failure: [user=tg] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]
    >Oct 25 15:40:56 CGSG saslauthd[3746]: Entry not found (sAMAccountName=pearl).
    >Oct 25 15:40:56 CGSG saslauthd[3746]: Authentication failed for pearl/uc-central.net: User not found (-6)
    >Oct 25 15:40:56 CGSG saslauthd[3746]:                 : auth failure: [user=pearl] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]
    
    Hi David,
    
    Your detail is appreciated. It helps to paint a good picture of what's going on.
    
    The errors above appear to be for postfix. An ldap filter to try:
    
    ldap_filter: (|(sAMAccountName=%U)(userPrincipalName=%u))
    
    Note that saslauthd does not return the username/auth identity for postfix
    and cyrus imapd to use. It's only used to authenticate the user.
    
    To troubleshoot, you can enable debugging with:
    
    ldap_debug: -1
    
    See ldap_set_option(3) and include/ldap_log.h in the openldap source.
    
    If you don't see ldap output in syslog, try starting saslauthd in debug mode.
    
    The -r option for saslauthd, which combines the username and realm, may be useful.
    
    >Oct 25 13:49:52 CGSG cyrus/imaps[3074]: SASL Password verification failed
    >
    >Oct 25 13:31:25 CGSG cyrus/imap[2420]: badlogin: localhost [127.0.0.1] plaintext it at mandldreyer.com SASL(-13): authentication failure: checkpass failed
    >Oct 25 13:31:25 CGSG cyrus/imaps[2434]: badlogin: port-83-236-195-74.static.qsc.de[83.236.195.74] LOGIN [SASL(-13): authentication failure: checkpass failed]
    >Oct 25 13:31:25 CGSG cyrus/imaps[2432]: badlogin: port-83-236-195-74.static.qsc.de[83.236.195.74] LOGIN [SASL(-13): authentication failure: checkpass failed]
    >Oct 25 13:31:28 CGSG cyrus/imap[2445]: badlogin: localhost [127.0.0.1] plaintext it at mandldreyer.com SASL(-13): authentication failure: checkpass failed
    >Oct 25 13:31:29 CGSG cyrus/imaps[2432]: badlogin: port-83-236-195-74.static.qsc.de[83.236.195.74] plaintext lager SASL(-13): authentication failure: checkpass failed
    >Oct 25 13:31:29 CGSG cyrus/imaps[2434]: badlogin: port-83-236-195-74.static.qsc.de[83.236.195.74] plaintext sebastian.mandl at mandldreyer.com SASL(-13): authentication failure: checkpass failed
    >
    >The problem is our multi-domain setup: when a user logs in with a client or over the web with only their username, cyrus creates new false mailboxes.
    >This we would like to prevent.
    
    The mapping of username[@domain] to mailbox function is a cyrus imap decision. You can influence this by setting:
    
    defaultdomain: <domain>
    
    in /etc/imapd.conf. I recommend being cautious with changing the following
    imapd.conf settings on a production system:
    
    defaultdomain
    virtdomains
    
    Or you can use a canonicalization plugin.
    
    >Perhaps someone knows how to configure the saslauthd filter right for this special case.
    >
    >Configuration
    >
    >Our /etc/saslauthd.config
    >
    >ldap_servers: ldap://ddcl001.domain.dir
    >ldap_search_base: dc=domain,dc=dir
    >ldap_filter: sAMAccountName=%U
    >#ldap_filter: userPrincipalName=%u
    >
    >#ldap_version: 3
    >ldap_auth_method: bind
    >ldap_bind_dn: cn=Administrator,cn=Users,dc=domain,dc=dir
    >ldap_bind_pw: ******
    >#ldap_scope: sub
    
    If supported on your ldap server, sasl/digest-md5 is a simpler way to go
    about this:
    
    ldap_servers: ldaps://<host>
    ldap_use_sasl: yes
    ldap_mech: DIGEST-MD5
    
    -- 
    Dan White
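The thread turns on how saslauthd expands the %u / %U / %d tokens in ldap_filter, and on what the -r flag changes before that expansion happens. The following model, added here as an illustration and not code from cyrus-sasl or from either poster, follows the token meanings documented in saslauthd's LDAP_SASLAUTHD file (%u = user, %U = the user portion of %u, %d = the domain portion of %u or else the realm, %r = realm, %s = service, %% = literal %) and treats -r as "append @realm to a login name that has no domain", which is what -r is documented to do. The sample logins and realm are taken from the log lines quoted above; the escaping table and the exact handling of a login that already contains '@' are assumptions made for the example. It shows why Dan's combined filter matched nothing for the userPrincipalName branch until David added -r, why a strict userPrincipalName-only filter then forces users to log in with the full address, and that a hostile login name cannot inject filter syntax when values are escaped per RFC 4515.

```python
"""
Model of saslauthd ldap_filter template expansion (added example, not
cyrus-sasl code).  Token meanings follow saslauthd's LDAP_SASLAUTHD doc:
  %u  user            %U  user portion of %u (%u = %U@%d)
  %d  domain portion of %u, or the realm when %u has no '@'
  %r  realm           %s  service            %%  literal '%'
The daemon's -r option appends "@<realm>" to the login name before the
template is expanded; `combine_realm` models that flag.  Escaping per
RFC 4515 is assumed to be applied to every substituted value.
"""

# RFC 4515 filter-value escapes (assumption: saslauthd escapes these same bytes)
ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value so it cannot alter the structure of an LDAP filter."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, user: str, realm: str = "",
                  service: str = "", combine_realm: bool = False) -> str:
    """Expand an ldap_filter template the way saslauthd would for one login.

    combine_realm=True models `saslauthd -r`: a bare login name becomes
    user@realm before the tokens are computed (a login that already carries
    a domain is left alone; assumption for this example).
    """
    if combine_realm and realm and "@" not in user:
        user = f"{user}@{realm}"
    if "@" in user:
        user_part, domain_part = user.split("@", 1)
    else:
        user_part, domain_part = user, realm
    tokens = {"u": user, "U": user_part, "d": domain_part,
              "r": realm, "s": service}

    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template):
            tok = template[i + 1]
            if tok == "%":
                out.append("%")
            elif tok in tokens:
                out.append(ldap_escape(tokens[tok]))   # never raw user input
            else:
                out.append(ch + tok)                   # unknown token copied as-is
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


# Filters from the thread and a few constructed logins (realm from the logs).
COMBINED = "(|(sAMAccountName=%U)(userPrincipalName=%u))"
UPN_ONLY = "(userPrincipalName=%u)"
REALM = "uc-central.net"


def demo() -> dict:
    """Return the expansions a practitioner would compare when debugging."""
    return {
        # Without -r the UPN branch sees only the short name: it can never match.
        "combined, no -r":   expand_filter(COMBINED, "money", REALM),
        # With -r the UPN branch gets the full principal, as David observed.
        "combined, with -r": expand_filter(COMBINED, "money", REALM, combine_realm=True),
        # Strict UPN filter + bare login: "User not found", which is the
        # behaviour David wanted (only the full address authenticates).
        "upn-only, bare":    expand_filter(UPN_ONLY, "money", REALM),
        "upn-only, full":    expand_filter(UPN_ONLY, "it@mandldreyer.com", REALM),
        # A login name full of filter metacharacters is neutralised by escaping.
        "injection attempt": expand_filter(UPN_ONLY, "*)(objectClass=*", REALM,
                                           combine_realm=True),
    }


if __name__ == "__main__":
    for label, flt in demo().items():
        print(f"{label:18s} {flt}")
```

To confirm the same thing against a live daemon, testsaslauthd can be pointed at the socket the postfix chroot instances use (the mux file under /var/spool/postfix/var/run/saslauthd in the ps listing above), passing the realm separately with -r so the request looks like the one postfix sends rather than a pre-combined user@domain string, and ldap_debug: -1 then shows the filter actually issued.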