cyradm auth mechanism

Thomas Vogt tv at solnet.ch
Tue Jul 5 02:41:14 EDT 2005


Hi Igor

>> I have a problem with my new, clean Cyrus installation. I can't
>> log in with my cyradm admin account. The account information is
>> stored in my ldap database. The sasldb2 is empty. I don't use it.
>> Can you give me some advice?
>>
>> For cyradm I use this command:
>> cyradm --user nmeth2vdiysttboz --server localhost --auth plain
>> Password:
>> IMAP Password: <i use the ldap password here>
>>
>> Error message:
>> Invalid user at /usr/local/lib/perl5/site_perl/5.8.7/mach/Cyrus/IMAP/Admin.pm line 118
>> cyradm: cannot authenticate to server with plain as nmeth2vdiysttboz
>>
>> Logfile:
>> Jul  4 21:00:36 mail03 imap[58290]: badlogin: localhost  
>> [127.0.0.1] PLAIN [SASL(-16): encryption needed to use mechanism:  
>> security flags do not match
>>
>               ^^^^^^^^^^
> This error is self explanatory.

I added the options below to my imapd.conf, but I still get the same
error message. I don't want to use any encryption. The password is
stored as an MD5 hash in the ldap database. As far as I know this limits
my ability to use secure authentication anyway.

allowplaintext: yes
sasl_mech_list: PLAIN
sasl_minimum_layer: 0

I've compiled sasl with

./configure --sysconfdir=/usr/local/etc --with-plugindir=/usr/local/lib/sasl2 \
  --with-dbpath=/usr/local/etc/sasldb2 --includedir=/usr/local/include \
  --mandir=/usr/local/man --enable-static --enable-auth-sasldb --with-rc4=openssl \
  --with-ldap --with-saslauthd=/var/state/saslauthd --with-dblib=ndbm \
  --without-mysql --without-pgsql --without-sqlite --enable-login --disable-ntlm \
  --disable-gssapi --disable-krb4 --with-openssl=yes --prefix=/usr/local


>
>
>> Jul  4 21:00:39 mail03 perl: No worthy mechs found
>> Jul  4 21:00:40 mail03 imap[58290]: ptload(): bad response from  
>> ptloader server: identifier not found
>>
>
> pts/ldap configuration problem.  Double check ldap_* params in  
> imapd.conf.
>
> Is there a reason you are using pts authorization module?

I thought this is the best way for my environment. All user
information is stored in my ldap server: uid, maildrop, password ....
I don't like pam_ldap. My older servers are using auth_unix, but I've
modified this for ldap. Since my patch no longer works, I decided to
use a direct ldap auth version. But I can try another auth mech if
this is possible with ldap.

>> Jul  4 21:00:40 mail03 imap[58290]: bad userid authenticated
>> Jul  4 21:00:40 mail03 imap[58290]: badlogin: localhost  
>> [127.0.0.1] plaintext nmeth2vdiysttboz invalid user
>>
>> testsaslauthd -u nmeth2vdiysttboz -p 1234
>> 0: OK "Success."
>>
>> imtest -m LOGIN -a nmeth2vdiysttboz localhost
>> S: * OK mail03.test.ch Cyrus IMAP4 v2.2.12 server ready
>> C: C01 CAPABILITY
>> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX- 
>> REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN  
>> MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES  
>> ANNOTATEMORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE
>> S: C01 OK Completed
>> Please enter your password: <type in here>
>> C: L01 LOGIN nmeth2vdiysttboz {16}
>> S: L01 NO Invalid user
>> Authentication failed. generic failure
>> Security strength factor: 0
>>
>> ldap entry for admin:
>>
>> # nmeth2vdiysttboz, people, test, test.ch
>> dn: uid=nmeth2vdiysttboz,ou=people,ou=test,dc=test,dc=ch
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: inetOrgPerson
>> uid: nmeth2vdiysttboz
>> cn: Cyrus Admin
>> userPassword:: 1234
>>
>>
>> saslauthd.conf
>> ldap_servers: ldap://127.0.0.1/
>> ldap_search_base: ou=people,ou=test,dc=test,dc=ch
>>
>>
>> imapd.conf:
>> configdirectory: /m/imap
>> partition-default: /m/spool/imap
>> allowplaintext: yes
>> admins: nmeth2vdiysttboz
>> quotawarn: 90
>> timeout: 30
>> imapidlepoll: 60
>> poptimeout: 10
>> logtimestamps: yes
>> singleinstancestore: yes
>> sieveusehomedir: false
>> sievedir: /m/imap/sieve
>> hashimapspool: true
>>
>> sasl_pwcheck_method: saslauthd
>> sasl_mech_list: plain login
>>
>> ptloader_sock: /var/imap/socket/ptsock
>> lmtpsocket: /var/imap/socket/lmtp
>> idlesocket: /var/imap/socket/idle
>> notifysocket: /var/imap/socket/notify
>>
>> ldap_base: dc=test,dc=ch
>> ldap_deref: search
>> ldap_sasl: 0
>> ldap_group_scope: sub
>> ldap_bind_dn: dc=test,dc=ch
>> ldap_restart: 1
>> ldap_scope: sub
>> ldap_start_tls: 0
>> ldap_time_limit: 10
>> ldap_timeout: 15
>> ptscache_timeout: 1
>> ldap_tls_check_peer: no
>> ldap_tls_ciphers: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
>> ldap_uri: ldap://127.0.0.1/
>>
>
> Do you need ldap_password here?

No. There is no password protection.

>   Can you debug slapd?

I will do that. But first I will fix my "sasl mech problem"

>> Saslauth runs with -a ldap
>> slapd runs with -h "ldapi:///var/run/openldap/ldapi/ ldap:// 
>> 127.0.0.1 "
>>
>                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> This will not work, although saslauthd is working fine with your
> current configuration.  (Use ldapi://%2fvar%2frun%2fopenldap%2fldapi/

Thank you.


Regards,
Thomas
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
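The two badlogin lines in this thread have different root causes (one is the SASL layer refusing PLAIN over cleartext before any password is checked; the other is a user id that authenticated but could not be resolved), and an operator who counts them as plain password failures will misread the server. The following is an added example, not code from the thread or from Cyrus: it parses imapd syslog lines into buckets and collects the neighbouring ptloader and "No worthy mechs" hints; the log text is constructed from the excerpts above and the bucket names are my own.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the syslog excerpts quoted in the thread.
SAMPLE_LOG = """\
Jul  4 21:00:36 mail03 imap[58290]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-16): encryption needed to use mechanism: security flags do not match]
Jul  4 21:00:39 mail03 perl: No worthy mechs found
Jul  4 21:00:40 mail03 imap[58290]: ptload(): bad response from ptloader server: identifier not found
Jul  4 21:00:40 mail03 imap[58290]: bad userid authenticated
Jul  4 21:00:40 mail03 imap[58290]: badlogin: localhost [127.0.0.1] plaintext nmeth2vdiysttboz invalid user
"""
BADLOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) imap\[(?P<pid>\d+)\]: "
    r"badlogin: (?P<rhost>\S+) \[(?P<ip>[^\]]+)\] (?P<mech>\S+) (?P<detail>.*)$")
# Neighbouring lines that explain a badlogin (same host, seconds apart).
CONTEXT_HINTS = {
    "ptload(): bad response from ptloader server": "ptloader canonicalisation failed",
    "bad userid authenticated": "authenticated id rejected after canonicalisation",
    "No worthy mechs found": "client found no usable SASL mechanism",
}

def classify(detail):
    """Bucket the free-text tail of a badlogin line by likely root cause."""
    if "encryption needed" in detail or "security flags do not match" in detail:
        return "sasl-policy"   # mechanism refused by the SSF policy; no password was checked
    if detail.endswith("invalid user"):
        return "authz-lookup"  # password may be right; the user id could not be resolved
    return "credentials"       # anything else: treat as a genuine bad password

def parse_events(log_text):
    """Return badlogin events with a root-cause bucket, plus context hints seen."""
    events, hints = [], []
    for line in log_text.splitlines():
        m = BADLOGIN_RE.match(line)
        if m:
            detail = m.group("detail")
            # The SASL-error form carries no user id; the plaintext form starts with it.
            user = None if detail.startswith("[") else detail.split()[0]
            events.append({"ip": m.group("ip"), "mech": m.group("mech"),
                           "user": user, "bucket": classify(detail)})
            continue
        hints.extend(meaning for needle, meaning in CONTEXT_HINTS.items() if needle in line)
    return events, hints

def failures_by_ip(events):
    """Count failures per (client IP, bucket) so policy misfires are not read as brute force."""
    return Counter((e["ip"], e["bucket"]) for e in events)
```

Run over real syslog, a burst of "sasl-policy" entries from one client points at a configuration mismatch (allowplaintext, sasl_minimum_layer, or a client refusing TLS), while "credentials" entries are the ones worth rate limiting.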