Cyrus IMAPd, SASL, GSSAPI, Proxy Authorization
ms419 at freezone.co.uk
Sat Mar 13 19:18:37 EST 2004
I'm attempting to connect to the Cyrus IMAPd mailbox "admin" on
"wum.lat" as the Kerberos principal "jablko at LAT", using proxy
authorization. The principal "imap/wum.lat" is in the realm "RUZ" -
cross-realm authentication is working - I can connect to the mailbox
"admin" as "admin at LAT". Account information is currently being
successfully retrieved from an OpenLDAP server, using nss_ldap. I can
currently ssh to "admin at wum.lat" as "jablko at LAT", using a ".k5login"
file in admin's home. I should also be able to proxy authorize to the
OpenLDAP server using saslAuthzTo / From. Cyrus, however, isn't letting
me in. I am unclear on what I must do to configure proxy authorization
for Cyrus IMAPd, and why it is calling nss_ldap (and why nss_ldap
can't, in this case, contact the LDAP server).
Can anyone help?
Thanks!
Jack
==> auth.log <==
Mar 13 15:41:10 wum krb5kdc[17432]: AS_REQ (6 etypes {18 16 23 1 3 2}) 192.168.179.43: NEEDED_PREAUTH: jablko at LAT for krbtgt/LAT at LAT, Additional pre-authentication required
Mar 13 15:41:10 wum krb5kdc[17432]: AS_REQ (6 etypes {18 16 23 1 3 2}) 192.168.179.43: ISSUE: authtime 1079221270, etypes {rep=16 tkt=16 ses=16}, jablko at LAT for krbtgt/LAT at LAT
Mar 13 15:41:53 wum krb5kdc[17432]: TGS_REQ (6 etypes {18 16 23 1 3 2}) 192.168.179.43: ISSUE: authtime 1079221270, etypes {rep=16 tkt=16 ses=16}, jablko at LAT for krbtgt/RUZ at LAT
Mar 13 15:41:53 wum krb5kdc[17432]: TGS_REQ (5 etypes {16 23 1 3 2}) 192.168.179.43: ISSUE: authtime 1079221270, etypes {rep=16 tkt=16 ses=16}, jablko at LAT for imap/wum.lat at RUZ
==> mail.log <==
Mar 13 15:41:53 wum cyrus/imapd[18603]: accepted connection
==> auth.log <==
Mar 13 15:41:54 wum cyrus/imapd[18603]: user jablko is not allowed to proxy
==> mail.log <==
Mar 13 15:41:54 wum cyrus/imapd[18603]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Mar 13 15:41:54 wum cyrus/imapd[18603]: badlogin: fis.lat[192.168.179.43] GSSAPI [SASL(-13): authentication failure: user jablko is not allowed to proxy]
More information about the Info-cyrus mailing list