upgrade from Cyrus 2.1.15 to cyrus 2.2.3 breaks LDAP auxprop authentication.

Edward Rudd eddie at omegaware.com
Fri Feb 13 00:12:30 EST 2004


I'm not getting the "no worthy mechs" error since I installed cyrus.c
patch.. But there are other errors with the authentication..
I'm going to try and debug ldapdb when I get a chance.. Or try upgrading
openldap to 2.1.25 and the newer ldapdb release.

Oh What release of Cyrus SASL are you using?? 

I'm probably just going to "fall back" to saslauthd for now and give up
on "better authentication" for clients until I get this resolved, as I
really want the newer versions of postfix and cyrus imapd installed on
the "live servers"..

Now it's time to write scripts to update my mail spools for the upgrade.


On Thu, 2004-02-12 at 00:25, Igor Brezac wrote:
> On Wed, 11 Feb 2004, Edward Rudd wrote:
> 
> > OpenLDAP 2.1.22, LDAP AuxProp CVS release 1.1.2.3, I had tried updating
> > to a newer release but it broke things due to the handling of the LDAP
> > v4 PROXY_AUTHZ control in openldap (you directed me to the bug report
> > about it), Cyrus SASL 2.1.15 (2.1.17 causes SLAPD to crash completely).
> > sample client and server work fine, as does postfix. It's just cyrus
> > IMAPd 2.2.3.
> 
> Your cyrus.c looks good.  My guess is that if you debug ldapdb.c you'll
> find 'no worthy mechs' error which means that the ldapdb auxprop is not
> using your new libldap.
> 
> > What did they change from 2.1.x to 2.2.x? Can I roll back those changes?
> 
> I have to look, but my guess is that too many changes took place.  I can
> write a quick patch for this, but the libldap fix works just as well.
> 
> >
> > On Wed, 2004-02-11 at 19:51, Igor Brezac wrote:
> > > Hmm... Can you email me your libraries/libldap/cyrus.c?  What version of
> > > openldap do you use?  I use the latest ldapdb  auxprop and
> > > OPENLDAP_REL_ENG_2_1 (which is 2.1.26 + some patches)
> > > Does ldapdb auxprop work with sample(client|server)?
> > >
> > > -Igor
> > >
> > > On Wed, 11 Feb 2004, Edward Rudd wrote:
> > >
> > > > OK I patched my OpenLDAP and recompiled, installed restarted postfix,
> > > > cyrus imapd, and started up ldap. And it still returns "user not found"
> > > > when I try to login to cyrus imap. But the auth.log now shows something
> > > > different..
> > > > --- auth.log ---
> > > > Feb 11 19:19:46 devel imtest: DIGEST-MD5 client step 2
> > > > Feb 11 19:19:53 devel imtest: DIGEST-MD5 client step 2
> > > > Feb 11 19:19:53 devel imap[2282]: DIGEST-MD5 server step 2
> > > > Feb 11 19:19:53 devel imap[2282]: DIGEST-MD5 client step 2
> > > > Feb 11 19:19:53 devel imap[2282]: DIGEST-MD5 client step 2
> > > > Feb 11 19:19:53 devel imap[2282]: bad userid authenticated
> > > > Feb 11 19:19:53 devel imap[2282]: no secret in database
> > > > ----
> > > > And my ldap.log shows this (loglevel 255)
> > > > --- ldap.log ---
> > > > Feb 11 19:19:53 devel slapd[2053]: daemon: read activity on 12
> > > > Feb 11 19:19:53 devel slapd[2053]: connection_get(12)
> > > > Feb 11 19:19:53 devel slapd[2053]: connection_get(12): got connid=5
> > > > Feb 11 19:19:53 devel slapd[2053]: connection_read(12): checking for
> > > > input on id=5
> > > > Feb 11 19:19:53 devel slapd[2053]: ber_get_next on fd 12 failed errno=11
> > > > (Resource temporarily unavailable)
> > > > Feb 11 19:19:53 devel slapd[2065]: connection_operation: error: SASL
> > > > bind in progress (tag=66).
> > > > Feb 11 19:19:53 devel slapd[2053]: daemon: select: listen=6
> > > > active_threads=1 tvp=NULL
> > > > Feb 11 19:19:53 devel slapd[2065]: send_ldap_result: conn=5 op=1 p=3
> > > > Feb 11 19:19:53 devel slapd[2053]: daemon: activity on 1 descriptors
> > > > Feb 11 19:19:53 devel slapd[2065]: send_ldap_result: err=1 matched=""
> > > > text="SASL bind in progress"
> > > > Feb 11 19:19:53 devel slapd[2053]: daemon: activity on:
> > > > Feb 11 19:19:53 devel slapd[2065]: send_ldap_response: msgid=0 tag=48
> > > > err=1
> > > > Feb 11 19:19:53 devel slapd[2053]:  12r
> > > > Feb 11 19:19:53 devel slapd[2065]: connection_closing: readying conn=5
> > > > sd=12 for close
> > > > Feb 11 19:19:53 devel slapd[2053]:
> > > > Feb 11 19:19:53 devel slapd[2065]: connection_resched: attempting
> > > > closing conn=5 sd=12
> > > > Feb 11 19:19:53 devel slapd[2053]: daemon: read activity on 12
> > > > Feb 11 19:19:53 devel slapd[2065]: connection_close: conn=5 sd=12
> > > > Feb 11 19:19:53 devel slapd[2065]: daemon: removing 12
> > > > Feb 11 19:19:53 devel slapd[2053]: connection_get(12)
> > > > Feb 11 19:19:53 devel slapd[2053]: connection_get(12): connection not
> > > > used
> > > > Feb 11 19:19:53 devel slapd[2053]: connection_read(12): no connection!
> > > > Feb 11 19:19:53 devel slapd[2053]: daemon: removing 12
> > > > Feb 11 19:19:53 devel slapd[2053]: daemon: closing 12
> > > >
> > > > On Wed, 2004-02-11 at 07:56, Igor Brezac wrote:
> > > > > Check
> > > > > http://www.openldap.org/its/index.cgi/Software%20Bugs?id=2926;selectid=2926
> > > > >
> > > > > Cyrus-imap needs to be fixed, but it was easier to change openldap api.
> > > > >
> > > > > -Igor
> > > > >
> > > > > On Wed, 11 Feb 2004, Edward Rudd wrote:
> > > > >
> > > > > > I'm using the ldapdb auxprop plugin that comes with OpenLDAP 2.1.22 with
> > > > > > cyrus sasl 2.1.15, which works perfectly with the sasl2 sample server
> > > > > > and client programs, postfix 1.1.12, postfix 2.0.16, and cyrus imapd
> > > > > > 2.1.13 to cyrus imapd 2.1.15..   However when I upgraded to cyrus imapd
> > > > > > 2.2.3 (all of these are using Simon Matter's wonderful RPMS), I always
> > > > > > get user not found when trying to login as any user.. (fully qualified
> > > > > > user like test at nowhere.org or the "cyrus" admin user).
> > > > > >
> > > > > > And my ldap logs show nothing going on.. literally.. I see a connection
> > > > > > coming in from sasl, and then disconnecting.. no other activity is
> > > > > > logged. And I have the loglevel for openldap set to 255.
> > > > > >
> > > > > > My auth.log shows "no worthy mechs found" and nothing in my imapd.log
> > > > > >
> > > > > > What changed in relation to SASL configuration from Cyrus IMAPD 2.1.x to
> > > > > > 2.2.x??
> > > > > >
> > > > > > > Here is my relevant imapd.conf
> > > > > >
> > > > > > sasl_pwcheck_method: auxprop
> > > > > > sasl_auxprop_plugin: ldapdb
> > > > > > sasl_mech_list:  plain digest-md5 cram-md5 ntlm
> > > > > >
> > > > > > sasl_ldapdb_uri: ldap:///
> > > > > > sasl_ldapdb_id: auxprop_user
> > > > > > sasl_ldapdb_pw: password_for_said_user
> > > > > > sasl_ldapdb_mech: DIGEST-MD5
> > > > > >
> > > > > > Which is the same configuration as sample.conf (for the sample server
> > > > > > and client) and smtpd.conf (for postfix). Except those files don't have
> > > > > > the sasl_ prefix to the configuration directives..
> > > > > >
> > > > > >
> > > >
> >
-- 
Edward Rudd <eddie at omegaware.com>
Website http://outoforder.cc/
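
Added example (not part of the original thread, and not code from Cyrus or OpenLDAP): a small check that the SASL options in imapd.conf, which carry the `sasl_` prefix, match those in a plain SASL config such as smtpd.conf, which does not. The imapd.conf options are the ones quoted in the thread; the `configdirectory` line, the smtpd.conf contents and all function names are constructed for illustration, and comparing `mech_list` case-insensitively is an assumption of this sketch.

```python
# Constructed sample inputs; the sasl_* lines are those quoted in the thread.
IMAPD_CONF = """\
configdirectory: /var/lib/imap
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_mech_list:  plain digest-md5 cram-md5 ntlm
sasl_ldapdb_uri: ldap:///
sasl_ldapdb_id: auxprop_user
sasl_ldapdb_pw: password_for_said_user
sasl_ldapdb_mech: DIGEST-MD5
"""
SMTPD_CONF = """\
pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: PLAIN DIGEST-MD5 CRAM-MD5
ldapdb_uri: ldap:///
ldapdb_id: auxprop_user
ldapdb_pw: a_different_password
ldapdb_mech: DIGEST-MD5
"""

def parse_conf(text):
    """Parse 'key: value' lines; skip blanks, comments and malformed lines."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)  # split once: values like ldap:/// contain ':'
        opts[key.strip().lower()] = " ".join(value.split())
    return opts

def normalize(key, value):
    """Compare mechanism lists as unordered, case-insensitive sets (assumption)."""
    if value is not None and key == "mech_list":
        return " ".join(sorted(value.upper().split()))
    return value

def compare(imapd_text, plain_text, secret_keys=("ldapdb_pw",)):
    """Return (option, imapd value, plain value) for every SASL option that differs."""
    imapd = {k[5:]: v for k, v in parse_conf(imapd_text).items() if k.startswith("sasl_")}
    plain = parse_conf(plain_text)
    diffs = []
    for key in sorted(set(imapd) | set(plain)):
        a, b = normalize(key, imapd.get(key)), normalize(key, plain.get(key))
        if a != b:
            if key in secret_keys:  # never echo bind passwords into a report
                a, b = (a and "<redacted>"), (b and "<redacted>")
            diffs.append((key, a, b))
    return diffs

if __name__ == "__main__":
    for row in compare(IMAPD_CONF, SMTPD_CONF):
        print("%-16s imapd=%r plain=%r" % row)
```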




