ptloader setup

Mike O'Rourke mjoop at curia.op.org
Mon Dec 20 20:26:50 EST 2004


Hi all,

I have IMAPd 2.2.10, compiled with --with-auth=pts --with-pts=ldap
--with-ldap, and OpenLDAP 2.2.17.

my /etc/imapd.conf is:

configdirectory: /var/imap
defaultpartition: default
partition-default: /var/spool/imap
unixhierarchysep: yes
allowanonymouslogin: no
allowplaintext: yes
allowusermoves: yes
servername: server12.mydom.com
virtdomains: userid
defaultdomain: mydom.com
autocreatequota: -1
createonpost: 1
autocreateinboxfolders: Sent|Trash
autosubscribeinboxfolders: Sent|Trash
admins: cyrus
lmtpsocket: /var/imap/socket/lmtp
sendmail: /usr/sbin/sendmail
tls_cert_file: /var/imap/server12_cert.pem
tls_key_file: /var/imap/server12_key.pem
tls_CA_file: /var/imap/cacerts/cacert.pem
tls_CA_path: /var/imap/cacerts
tls_require_cert: 0
ldap_sasl: 0
ldap_base: ou=email,o=internet,o=mycom
ldap_bind_dn: cn=server12.mydom.com,ou=hosts,o=internet,o=mycom
ldap_filter: (&(uid=%u)(MailUserDefHost=server12.mydom.com))
ldap_password: mypass
ldap_tls_cacert_file: /var/imap/cacerts/cacert.pem
ldap_tls_cert: /var/imap/server12_cert.pem
ldap_tls_key: /var/imap/server12_key.pem
ldap_uri: ldaps://192.168.7.11 ldaps://ldap1.mydom.com ldaps://ldap2.mydom.com
ptloader_sock: /var/imap/socket/ptsock

In the ldap_filter, MailUserDefHost is a private attribute to limit
which host the user can log in to.

Authorization fails with a generic failure (see the output from imtest
below, if you wish). Even though "ldap_sasl" is set to 0 in imapd.conf,
it would seem that it is trying to use SASL (proxy) authentication after
a successful bind (see the debugging output from the LDAP server below,
if you wish).

So, am I missing something in the documentation about the setup of my
LDAP server or Cyrus? What do I need to do? I am not _too_ concerned
about security here since I am communicating on a private and trusted
net or via ldaps; hence my setting ldap_sasl to 0.

Thanks, Mike.

imtest -u test1 at testdom.mydom.com -a test1 at testdom.mydom.com -m login
-t "" localhost
S: * OK server12.mydom.com Cyrus IMAP4 v2.2.10 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE
STARTTLS AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT
LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1 with cipher AES256-SHA (256/256
bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE
AUTH=LOGIN AUTH=PLAIN AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
Please enter your password: 
C: L01 LOGIN test1 at testdom.mydom.com {9}
S: L01 NO Invalid user
Authentication failed. generic failure
Security strength factor: 256

slapd log output:

------ default slapd debug level:

Dec 20 18:40:01 server11 slapd[9757]: conn=84 fd=24 ACCEPT from
IP=192.168.7.12:32809 (IP=0.0.0.0:636) 
Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=0 BIND
dn="cn=server12.mydom.com,ou=hosts,o=internet,o=mycom" method=128 
Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=0 BIND
dn="cn=server12.mydom.com,ou=hosts,o=internet,o=mycom" mech=SIMPLE ssf=0

Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=0 RESULT tag=97 err=0
text= 

------ Begin slapd -d -1 debugging output:

=> get_ctrls: oid="2.16.840.1.113730.3.4.18" (critical)
parseProxyAuthz: conn 0 authzid="u:test1 at testdom.mydom.com"
slap_sasl_getdn: id=u:test1 at testdom.mydom.com [len=22]
slap_sasl_getdn: u:id converted to
uid=test1 at testdom.mydom.com,cn=SIMPLE,cn=auth
>>> dnNormalize: <uid=test1 at testdom.mydom.com,cn=SIMPLE,cn=auth>
=> ldap_bv2dn(uid=test1 at testdom.mydom.com,cn=SIMPLE,cn=auth,0)
ldap_err2string
<= ldap_bv2dn(uid=test1 at testdom.mydom.com,cn=SIMPLE,cn=auth)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(uid=test1 at testdom.mydom.com,cn=simple,cn=auth)=0 Success
<<< dnNormalize: <uid=test1 at testdom.mydom.com,cn=simple,cn=auth>
==>slap_sasl2dn: converting SASL name
uid=test1 at testdom.mydom.com,cn=simple,cn=auth to a DN
slap_sasl_regexp: converting SASL name
uid=test1 at testdom.mydom.com,cn=simple,cn=auth
<==slap_sasl2dn: Converted SASL name to <nothing>
parseProxyAuthz: conn=0
"uid=test1 at testdom.mydom.com,cn=simple,cn=auth"
==>slap_sasl_authorized: can
cn=server11.mydom.com,ou=hosts,o=internet,o=mycom become
uid=test1 at testdom.mydom.com,cn=simple,cn=auth?
<== slap_sasl_authorized: return 48
<= get_ctrls: n=1 rc=47 err="not authorized to assume identity"
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=47 matched="" text="not authorized to assume
identity"
send_ldap_response: msgid=2 tag=120 err=47
conn=0 op=1 RESULT tag=120 err=47 text=not authorized to assume
identity
do_extended: get_ctrls failed

------End slapd -d -1 debugging output

Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=1 RESULT tag=120
err=47 text=not authorized to assume identity 
Dec 20 18:40:01 server11 slapd[9757]: do_extended: get_ctrls failed 

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
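An added example (not from the post or the Cyrus/OpenLDAP projects) that shows how an administrator can scan slapd's default-level log for the failure pattern quoted above: a connection that binds as the Cyrus host DN and then gets a RESULT with err=47 ("not authorized to assume identity"), which is the error slapd returns when a proxy-authorization request is rejected. The sample log below is constructed from the lines in the post; the function and regex names are mine.

```python
import re

# Constructed sample, modelled on the slapd lines quoted in the post:
# conn=84 binds as the Cyrus host DN, then op=1 is refused with err=47.
SAMPLE_LOG = """\
Dec 20 18:40:01 server11 slapd[9757]: conn=84 fd=24 ACCEPT from IP=192.168.7.12:32809 (IP=0.0.0.0:636)
Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=0 BIND dn="cn=server12.mydom.com,ou=hosts,o=internet,o=mycom" method=128
Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=0 BIND dn="cn=server12.mydom.com,ou=hosts,o=internet,o=mycom" mech=SIMPLE ssf=0
Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=0 RESULT tag=97 err=0 text=
Dec 20 18:40:01 server11 slapd[9757]: conn=84 op=1 RESULT tag=120 err=47 text=not authorized to assume identity
Dec 20 18:40:01 server11 slapd[9757]: do_extended: get_ctrls failed
"""

# Every per-operation slapd line carries "conn=N op=M ..."; ACCEPT lines do not.
OP_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r"RESULT tag=\d+ err=(?P<err>\d+) text=(?P<text>.*)$")

# slapd reports a rejected proxy authorization (authzid control) as err=47.
ERR_PROXY_AUTHZ_FAILURE = 47


def find_proxy_authz_failures(log_text):
    """Return one (conn, bind_dn, text) tuple per RESULT line with err=47,
    correlated with the DN that bound earlier on the same connection."""
    bind_dn = {}      # conn id -> DN from its most recent BIND line
    findings = []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue                      # ACCEPT / do_extended lines etc.
        conn, rest = m.group("conn"), m.group("rest")
        b = BIND_RE.search(rest)
        if b:
            bind_dn[conn] = b.group("dn")
            continue
        r = RESULT_RE.search(rest)
        if r and int(r.group("err")) == ERR_PROXY_AUTHZ_FAILURE:
            findings.append((conn, bind_dn.get(conn, "<no bind seen>"),
                             r.group("text").strip()))
    return findings


if __name__ == "__main__":
    for conn, dn, text in find_proxy_authz_failures(SAMPLE_LOG):
        print(f"conn={conn} bound as {dn!r} hit proxy-authz failure: {text}")
```

On the post's setup this points straight at the bind DN whose authzid-to-DN mapping and authz policy slapd needs to accept before the user lookup can proceed.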