cyradm auth mechanism

Thomas Vogt tv at solnet.ch
Tue Jul 5 17:46:49 EDT 2005


Hi

Thank you all. I changed to auth_unix and everything works fine now.

Regards,
Thomas
On 05.07.2005 at 09:30, carole gimenez wrote:

> Hi,
>
> I use cyrus-imapd with ldap authentication but I don't use pts for
> that and it works well.
>
> My config is the following:
>
> * /etc/saslauthd.conf
> ldap_servers: ldaps://pc-systeme.cict.fr:636/
> ldap_auth_method: custom
> ldap_bind_dn: uid=cyrus,ou=appli,dc=ups-tlse,dc=fr
> ldap_password: xxxxxx
> ldap_search_base: dc=ups-tlse,dc=fr
> ldap_tls_check_peer: yes
> ldap_tls_cacert_file: /usr/share/ssl/mon_AC/private/mon_AC.crt
>
> * /etc/cyrus.conf
> SERVICES {
>  # add or remove based on preferences
>  #imap         cmd="imapd" listen="imap" prefork=0
>  imaplocal     cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap" prefork=0
>  imaps         cmd="imapd -s -U 30" listen="x.x.x.x:imaps" prefork=0 maxchild=100
> #  pop3         cmd="pop3d" listen="pop3" prefork=0
> #  pop3s                cmd="pop3d -s" listen="pop3s" prefork=0
>  sieve         cmd="timsieved" listen="sieve" prefork=0
>
>  # these are only necessary if receiving/exporting usenet via NNTP
>  #  nntp               cmd="nntpd" listen="nntp" prefork=0
>  #  nntps              cmd="nntpd -s" listen="nntps" prefork=0
>
>  # at least one LMTP is required for delivery
>  #  lmtp               cmd="lmtpd" listen="lmtp" prefork=0
>  lmtpunix      cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0 maxchild=20
>
>  # this is only necessary if using notifications
>  notify        cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
> }
>
> * /etc/imapd-local.conf
> configdirectory: /var/imap
> partition-default: /var/spool/imap
> admins: cyrus
> sievedir: /var/imap/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> maxmessagesize: 5000000
> sasl_pwcheck_method: saslauthd
> sasl_option: 1
> sasl_mech_list: plain
> servername: pc-systeme.cict.fr
> autocreatequota: 10000
> lmtp_downcase_rcpt: 1
> mailnotifier: log
> sievenotifier: log
>
> # ps -ef | grep cyrus
> cyrus    17522     1  0 09:16 pts/0    00:00:00 /usr/local/cyrus_imapd/cyrus/bin/master
> cyrus    17531 17522  0 09:16 pts/0    00:00:00 notifyd
>
> # ps -ef | grep ldap
> serveur  17187     1  0 04:03 ?        00:00:00 /usr/local/openldap/libexec/slapd -h ldaps:/// ldap://127.0.0.1/ ldap://pc-systeme.cict.fr:389/ -f /usr/local/openldap/etc/openldap/slapd.conf -u serveur -g serveur
> root     17521     1  0 09:16 ?        00:00:00 /usr/sbin/saslauthd -a ldap -c -t 30
> root     17523 17521  0 09:16 ?        00:00:00 /usr/sbin/saslauthd -a ldap -c -t 30
> root     17524 17521  0 09:16 ?        00:00:00 /usr/sbin/saslauthd -a ldap -c -t 30
> root     17525 17521  0 09:16 ?        00:00:00 /usr/sbin/saslauthd -a ldap -c -t 30
> root     17526 17521  0 09:16 ?        00:00:00 /usr/sbin/saslauthd -a ldap -c -t 30
>
>
> I hope that will help you.
>
> Carole.
>
>
> Thomas Vogt wrote:
>
>
>> Hi Igor
>>
>>
>>>> I've a problem with my new, clean cyrus installation. I can't
>>>> login with my cyradm admin account. The account information is
>>>> stored in my ldap database. The sasldb2 is empty. I don't use
>>>> it. Can you give me some advice?
>>>>
>>>> For cyradm I use this command:
>>>> cyradm --user nmeth2vdiysttboz --server localhost --auth plain
>>>> Password:
>>>> IMAP Password: <i use the ldap password here>
>>>>
>>>> Error message:
>>>> Invalid user at /usr/local/lib/perl5/site_perl/5.8.7/mach/Cyrus/IMAP/Admin.pm line 118
>>>> cyradm: cannot authenticate to server with plain as nmeth2vdiysttboz
>>>>
>>>> Logfile:
>>>> Jul  4 21:00:36 mail03 imap[58290]: badlogin: localhost   
>>>> [127.0.0.1] PLAIN [SASL(-16): encryption needed to use  
>>>> mechanism:  security flags do not match
>>>>
>>>>
>>>               ^^^^^^^^^^
>>> This error is self-explanatory.
>>>
>>
>>
>> I added these options below to my imapd.conf. But I still get the
>> same error message. I don't want to use any encryption. The
>> password is stored as an md5 hash in the ldap database. As far as I
>> know this limits my ability for secure authentication anyway.
>>
>> allowplaintext: yes
>> sasl_mech_list: PLAIN
>> sasl_minimum_layer: 0
>>
>> I've compiled sasl with
>>
>> ./configure --sysconfdir=/usr/local/etc --with-plugindir=/usr/local/lib/sasl2 \
>>   --with-dbpath=/usr/local/etc/sasldb2 --includedir=/usr/local/include \
>>   --mandir=/usr/local/man --enable-static --enable-auth-sasldb --with-rc4=openssl \
>>   --with-ldap --with-saslauthd=/var/state/saslauthd --with-dblib=ndbm \
>>   --without-mysql --without-pgsql --without-sqlite --enable-login \
>>   --disable-ntlm --disable-gssapi --disable-krb4 --with-openssl=yes --prefix=/usr/local
>>
>>
>>
>>>
>>>
>>>
>>>> Jul  4 21:00:39 mail03 perl: No worthy mechs found
>>>> Jul  4 21:00:40 mail03 imap[58290]: ptload(): bad response from   
>>>> ptloader server: identifier not found
>>>>
>>>>
>>>
>>> pts/ldap configuration problem.  Double check ldap_* params in   
>>> imapd.conf.
>>>
>>> Is there a reason you are using pts authorization module?
>>>
>>
>>
>> I thought this is the best way for my environment. All user
>> information is stored in my ldap server: uid, maildrop, password ....
>> I don't like pam_ldap. My older servers are using auth_unix but
>> I've modified this for ldap. Since my patch no longer works, I
>> decided to use a direct ldap auth version. But I can try other
>> auth mechs, if this is possible with ldap.
>>
>>
>>>> Jul  4 21:00:40 mail03 imap[58290]: bad userid authenticated
>>>> Jul  4 21:00:40 mail03 imap[58290]: badlogin: localhost   
>>>> [127.0.0.1] plaintext nmeth2vdiysttboz invalid user
>>>>
>>>> testsaslauthd -u nmeth2vdiysttboz -p 1234
>>>> 0: OK "Success."
>>>>
>>>> imtest -m LOGIN -a nmeth2vdiysttboz localhost
>>>> S: * OK mail03.test.ch Cyrus IMAP4 v2.2.12 server ready
>>>> C: C01 CAPABILITY
>>>> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE
>>>> S: C01 OK Completed
>>>> Please enter your password: <type in here>
>>>> C: L01 LOGIN nmeth2vdiysttboz {16}
>>>> S: L01 NO Invalid user
>>>> Authentication failed. generic failure
>>>> Security strength factor: 0
>>>>
>>>> ldap entry for admin:
>>>>
>>>> # nmeth2vdiysttboz, people, test, test.ch
>>>> dn: uid=nmeth2vdiysttboz,ou=people,ou=test,dc=test,dc=ch
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: inetOrgPerson
>>>> uid: nmeth2vdiysttboz
>>>> cn: Cyrus Admin
>>>> userPassword:: 1234
>>>>
>>>>
>>>> saslauthd.conf
>>>> ldap_servers: ldap://127.0.0.1/
>>>> ldap_search_base: ou=people,ou=test,dc=test,dc=ch
>>>>
>>>>
>>>> imapd.conf:
>>>> configdirectory: /m/imap
>>>> partition-default: /m/spool/imap
>>>> allowplaintext: yes
>>>> admins: nmeth2vdiysttboz
>>>> quotawarn: 90
>>>> timeout: 30
>>>> imapidlepoll: 60
>>>> poptimeout: 10
>>>> logtimestamps: yes
>>>> singleinstancestore: yes
>>>> sieveusehomedir: false
>>>> sievedir: /m/imap/sieve
>>>> hashimapspool: true
>>>>
>>>> sasl_pwcheck_method: saslauthd
>>>> sasl_mech_list: plain login
>>>>
>>>> ptloader_sock: /var/imap/socket/ptsock
>>>> lmtpsocket: /var/imap/socket/lmtp
>>>> idlesocket: /var/imap/socket/idle
>>>> notifysocket: /var/imap/socket/notify
>>>>
>>>> ldap_base: dc=test,dc=ch
>>>> ldap_deref: search
>>>> ldap_sasl: 0
>>>> ldap_group_scope: sub
>>>> ldap_bind_dn: dc=test,dc=ch
>>>> ldap_restart: 1
>>>> ldap_scope: sub
>>>> ldap_start_tls: 0
>>>> ldap_time_limit: 10
>>>> ldap_timeout: 15
>>>> ptscache_timeout: 1
>>>> ldap_tls_check_peer: no
>>>> ldap_tls_ciphers: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
>>>> ldap_uri: ldap://127.0.0.1/
>>>>
>>>>
>>>
>>> Do you need ldap_password here?
>>>
>>
>>
>> No. There is no password protection.
>>
>>
>>> Can you debug slapd?
>>>
>>
>>
>> I will do that. But first I will fix my "sasl mech problem".
>>
>>
>>>> Saslauth runs with -a ldap
>>>> slapd runs with -h "ldapi:///var/run/openldap/ldapi/ ldap://  
>>>> 127.0.0.1 "
>>>>
>>>>
>>>                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>> This will not work, although saslauthd is working fine with your
>>> current configuration.  (Use ldapi://%2fvar%2frun%2fopenldap%2fldapi/)
>>>
>>
>>
>> Thank you.
>>
>>
>> Regards,
>> Thomas
>> ---
>> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
>> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
>> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>>
>>
>

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
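One defender-side check that the split configuration quoted above suggests (PLAIN only on the 127.0.0.1 imap listener, `imapd -s` for everything else) is a linter that flags any imapd/pop3d service offering PLAIN or LOGIN on a non-TLS, non-loopback listener. This is an added example, not code from the thread or from Cyrus; the sample configs are constructed after the ones quoted, it assumes the Cyrus conventions `-s` for TLS wrapping and `-C` for an alternate imapd.conf, and it does not model defaults for keys that are left unset.

```python
import re

# Constructed sample after the thread's cyrus.conf; the plain "imap" service
# (commented out in the original) is enabled here so the check has a finding.
CYRUS_CONF = """\
SERVICES {
  imap          cmd="imapd" listen="imap" prefork=0
  imaplocal     cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap" prefork=0
  imaps         cmd="imapd -s -U 30" listen="x.x.x.x:imaps" prefork=0 maxchild=100
  lmtpunix      cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
}
"""
CONFIGS = {  # constructed imapd.conf contents keyed by path
    "/etc/imapd.conf": "sasl_pwcheck_method: saslauthd\nsasl_mech_list: plain\n",
    "/etc/imapd-local.conf": "allowplaintext: yes\nsasl_mech_list: plain\n",
}
SERVICE_RE = re.compile(r'^\s*(\w+)\s+cmd="([^"]*)"\s+listen="([^"]*)"')

def parse_services(text):
    """Return {name: (cmd, listen)} for uncommented entries inside SERVICES {...}."""
    services, in_block = {}, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(("SERVICES", "}")):
            in_block = s.startswith("SERVICES")
        elif in_block and not s.startswith("#") and (m := SERVICE_RE.match(line)):
            services[m.group(1)] = (m.group(2), m.group(3))
    return services

def parse_imapd_conf(text):
    """Parse 'key: value' lines into a lower-cased dict, ignoring '#' comments."""
    pairs = (line.split("#", 1)[0].split(":", 1) for line in text.splitlines())
    return {p[0].strip().lower(): p[1].strip().lower() for p in pairs if len(p) == 2}

def is_local(listen):  # unix socket or loopback bind: the password never hits the wire
    return listen.startswith("/") or listen.rsplit(":", 1)[0] in ("127.0.0.1", "[::1]", "localhost")

def find_exposed(cyrus_conf, configs):
    """Names of imapd/pop3d services offering PLAIN/LOGIN unencrypted off-box."""
    exposed = []
    for name, (cmd, listen) in parse_services(cyrus_conf).items():
        argv = cmd.split()
        if argv[0] not in ("imapd", "pop3d") or "-s" in argv or is_local(listen):
            continue  # not an auth front end, TLS-wrapped (-s), or local-only
        path = argv[argv.index("-C") + 1] if "-C" in argv else "/etc/imapd.conf"
        conf = parse_imapd_conf(configs.get(path, ""))  # explicit settings only;
        mechs = set(conf.get("sasl_mech_list", "").split())  # defaults not modelled
        if conf.get("allowplaintext") == "yes" or mechs & {"plain", "login"}:
            exposed.append(name)
    return exposed
```

Run against the constructed sample, `find_exposed(CYRUS_CONF, CONFIGS)` reports only `imap`: the loopback-only `imaplocal` and the TLS-wrapped `imaps` services pass.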
