Cyrus IMAPd, SASL, GSSAPI, Proxy Authorization

ms419 at freezone.co.uk
Tue Mar 16 15:32:44 EST 2004


Thanks for the help - I thought "proxyservers" meant something to do 
with murder ...

That said, is any finer control available? I don't want to authorize 
"jablko" to all other users, just "admin".

Also, any idea why nss_ldap is complaining, though it works fine 
otherwise? Why does imapd use it - misconfigured?

>> Mar 13 15:41:54 wum cyrus/imapd[18603]: nss_ldap: could not connect 
>> to any LDAP server as (null) - Can't contact LDAP server

Thanks again!

Jack

On Mar 15, 2004, at 5:54 AM, Earl R Shannon wrote:

> Hello,
>
> It would help to see the imapd.conf file for the server in
> question. That said, is the user jablko listed in the
> imapd.conf file on the proxyservers list? i.e.:
>
> proxyservers: jablko
>
> Regards,
> Earl Shannon
>
>
> ms419 at freezone.co.uk wrote:
>> I'm attempting to connect to the Cyrus IMAPd mailbox "admin" on 
>> "wum.lat" as the Kerberos principal "jablko at LAT", using proxy 
>> authorization. The principal "imap/wum.lat" is in the realm "RUZ" - 
>> cross realm authentication is working - I can connect to the mailbox 
>> "admin" as "admin at LAT". Account information is currently being 
>> successfully retrieved from an OpenLDAP server, using nss_ldap. I can 
>> currently ssh to "admin at wum.lat" as "jablko at LAT", using a ".k5login" 
>> file in admin's home. I should also be able to proxy authorize to the 
>> OpenLDAP server using saslAuthzTo / From. Cyrus, however, isn't 
>> letting me in. I am unclear on what I must do to configure proxy 
>> authorization for Cyrus IMAPd, and why it is calling nss_ldap (and 
>> why nss_ldap can't, in this case, contact the LDAP server).
>> Can anyone help?
>> Thanks!
>> Jack
>> ==> auth.log <==
>> Mar 13 15:41:10 wum krb5kdc[17432]: AS_REQ (6 etypes {18 16 23 1 3 
>> 2}) 192.168.179.43: NEEDED_PREAUTH: jablko at LAT for krbtgt/LAT at LAT, 
>> Additional pre-authentication required
>> Mar 13 15:41:10 wum krb5kdc[17432]: AS_REQ (6 etypes {18 16 23 1 3 
>> 2}) 192.168.179.43: ISSUE: authtime 1079221270, etypes {rep=16 tkt=16 
>> ses=16}, jablko at LAT for krbtgt/LAT at LAT
>> Mar 13 15:41:53 wum krb5kdc[17432]: TGS_REQ (6 etypes {18 16 23 1 3 
>> 2}) 192.168.179.43: ISSUE: authtime 1079221270, etypes {rep=16 tkt=16 
>> ses=16}, jablko at LAT for krbtgt/RUZ at LAT
>> Mar 13 15:41:53 wum krb5kdc[17432]: TGS_REQ (5 etypes {16 23 1 3 2}) 
>> 192.168.179.43: ISSUE: authtime 1079221270, etypes {rep=16 tkt=16 
>> ses=16}, jablko at LAT for imap/wum.lat at RUZ
>> ==> mail.log <==
>> Mar 13 15:41:53 wum cyrus/imapd[18603]: accepted connection
>> ==> auth.log <==
>> Mar 13 15:41:54 wum cyrus/imapd[18603]: user jablko is not allowed to 
>> proxy
>> ==> mail.log <==
>> Mar 13 15:41:54 wum cyrus/imapd[18603]: nss_ldap: could not connect 
>> to any LDAP server as (null) - Can't contact LDAP server
>> Mar 13 15:41:54 wum cyrus/imapd[18603]: badlogin: 
>> fis.lat[192.168.179.43] GSSAPI [SASL(-13): authentication failure: 
>> user jablko is not allowed to proxy]
>> ---
>> Home Page: http://asg.web.cmu.edu/cyrus
>> Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
>> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>
>
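
An added example, not part of the original thread: a small Python parser that pulls denied proxy-authorization attempts out of Cyrus imapd syslog output like the lines quoted above. The sample input is those log lines unwrapped to one line each; the function name `proxy_denials` and the output field names are assumptions made for this example.

```python
import re

# Sample input: the imapd lines quoted in the post, unwrapped to one per line.
SAMPLE_LOG = """\
Mar 13 15:41:53 wum cyrus/imapd[18603]: accepted connection
Mar 13 15:41:54 wum cyrus/imapd[18603]: user jablko is not allowed to proxy
Mar 13 15:41:54 wum cyrus/imapd[18603]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Mar 13 15:41:54 wum cyrus/imapd[18603]: badlogin: fis.lat[192.168.179.43] GSSAPI [SASL(-13): authentication failure: user jablko is not allowed to proxy]
"""

SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) (?P<svc>[\w/]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
BADLOGIN = re.compile(
    r"^badlogin: (?P<client>\S+?)\[(?P<ip>[^\]]+)\] (?P<mech>\S+) "
    r"\[SASL\((?P<code>-?\d+)\): (?P<reason>.*)\]$")
PROXY_DENIED = re.compile(r"user (?P<user>\S+) is not allowed to proxy")


def proxy_denials(log_text):
    """Return one record per badlogin caused by a refused proxy authorization."""
    parsed = [m for m in map(SYSLOG.match, log_text.splitlines())
              if m and m["svc"].endswith("imapd")]
    # PIDs of imapd processes that also logged an nss_ldap connection failure.
    ldap_fail = {m["pid"] for m in parsed if m["msg"].startswith("nss_ldap:")}
    events = []
    for m in parsed:
        # Only the badlogin line is counted: the bare "not allowed to proxy"
        # line is the same denial logged a second time without client details.
        bad = BADLOGIN.match(m["msg"])
        denied = bad and PROXY_DENIED.search(bad["reason"])
        if not denied:
            continue
        events.append({
            "time": m["ts"], "server": m["host"], "pid": int(m["pid"]),
            "authn_user": denied["user"], "client_host": bad["client"],
            "client_ip": bad["ip"], "mechanism": bad["mech"],
            "sasl_code": int(bad["code"]),
            "nss_ldap_error": m["pid"] in ldap_fail,
        })
    return events


if __name__ == "__main__":
    for event in proxy_denials(SAMPLE_LOG):
        print(event)
```
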
