authorization with ptloader and authentication by sasl

Igor Brezac igor at ipass.net
Thu Jun 9 11:04:23 EDT 2005


On Thu, 9 Jun 2005, Thomas Vogt wrote:

> Hi again,
>
> Perhaps I have to give more information, incl. debug output.
> I'm running cyrus imapd 2.2.12
>
> imap.conf:
> configdirectory: /m/imap
> partition-default: /m/spool/imap
> logtimestamps: yes
> sieveusehomedir: false
> sievedir: /m/imap/sieve
> hashimapspool: true
> sasl_pwcheck_method: saslauthd
> ptloader_sock: /var/imap/socket/ptsock
> lmtpsocket: /var/imap/socket/lmtp
> idlesocket: /var/imap/socket/idle
> notifysocket: /var/imap/socket/notify
> ldap_base: dc=freeweb,dc=ch
> ldap_deref: search
> ldap_filter: (alias=%U at freeweb.ch) #hardcoded, since I just want to test 
> alias login
> ldap_sasl: 0
> ldap_group_scope: sub
> ldap_bind_dn: dc=freeweb,dc=ch
> ldap_restart: 1
> ldap_scope: sub
> ldap_start_tls: 0
> ldap_time_limit: 10
> ldap_timeout: 15
> ptscache_timeout: 0
> ldap_tls_check_peer: no
> ldap_uri: ldap://localhost/
>
> saslauthd.conf:
> ldap_servers: ldap://localhost/
> ldap_search_base: ou=people,ou=freeweb,dc=freeweb,dc=ch
>
> ldap test user entry:
> # usermail04, people, freeweb, freeweb, ch
> dn: uid=usermail04, ou=people,ou=freeweb,dc=freeweb,dc=ch
> uid: usermail04
> sn: none
> uidNumber: -1
> gidNumber: -1
> homeDirectory: /nonexistent
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: xMail
> cn: Testuser
> userPassword:: e01EaEgMEUs4gaUmRZSU9xSll0Y1FnPT0K
> maildrop: usermail04 at mail04.freeweb.ch
> alias: smail04 at freeweb.ch
> alias: usermail04 at freeweb.ch
>
> With the uid I can login as expected:
> root at mail04:~# telnet 0 110
> Trying 0.0.0.0...
> Connected to 0.
> Escape character is '^]'.
> +OK mail04.freeweb.ch Cyrus POP3 v2.2.12 server ready 
> <42593317.1118297848 at mail04.freeweb.ch>
> user usermail04
> +OK Name is a valid mailbox
> pass test
> +OK Mailbox locked and ready
> list
> +OK scan listing follows
> 1 2908
> 2 1939
> 3 2922
> 4 1430
>
> If I try to log in with the alias value from the LDAP (alias: 
> smail04 at freeweb.ch) I get an error message:
> root at mail04:~# telnet 0 110
> Trying 0.0.0.0...
> Connected to 0.
> Escape character is '^]'.
> +OK mail04.freeweb.ch Cyrus POP3 v2.2.12 server ready 
> <558468082.1118297975 at mail04.freeweb.ch>
> user smail04
> +OK Name is a valid mailbox
> pass test
> -ERR [AUTH] Invalid login
>
> slapd -d 256 shows:
>
> User login with smail04 (alias user):
> daemon: conn=0 fd=8 connection from IP=127.0.0.1:53965 (IP=127.0.0.1:389) 
> accepted.
> conn=0 op=0 BIND dn="DC=FREEWEB,DC=CH" method=128
> ber_flush: 14 bytes to sd 8
> conn=0 op=0 RESULT tag=97 err=0 text=
> conn=0 op=1 SRCH base="dc=freeweb,dc=ch" scope=2 
> filter="(alias=smail04 at freeweb.ch)"
> ber_flush: 396 bytes to sd 8
> ber_flush: 14 bytes to sd 8
> conn=0 op=1 SEARCH RESULT tag=101 err=0 text=
> conn=0 op=2 SRCH base="uid=usermail04, ou=people,ou=freeweb,dc=solnet,dc=ch" 
> scope=0 filter="(objectClass=*)"
> ber_flush: 396 bytes to sd 8
> ber_flush: 14 bytes to sd 8
> conn=0 op=2 SEARCH RESULT tag=101 err=0 text=
>
> password auth:
> daemon: conn=3 fd=17 connection from IP=127.0.0.1:54593 (IP=127.0.0.1:389) 
> accepted.
> conn=3 op=0 BIND dn="" method=128
> ber_flush: 14 bytes to sd 17
> conn=3 op=0 RESULT tag=97 err=0 text=
> conn=3 op=1 SRCH base="ou=people,ou=freeweb,dc=freeweb,dc=ch" scope=2 
> filter="(uid=smail04)"
> ber_flush: 14 bytes to sd 17
> conn=3 op=1 SEARCH RESULT tag=101 err=0 text=
>
> I see that sasl uses the uid which of course will never be true with 
> "smail04" as username. So I added ldap_filter: (alias=%u at freeweb.ch) in 
> saslauthd.conf
>
>
> Now if I try to log in with the alias name I get another error:
> +OK mail04.freeweb.ch Cyrus POP3 v2.2.12 server ready 
> <2017580902.1118298433 at mail04.freeweb.ch>
> user smail04
> +OK Name is a valid mailbox
> pass test
> -ERR [SYS/PERM] Unable to locate maildrop: Mailbox does not exist
>
> slapd output for the password auth:
> conn=1 op=0 BIND dn="" method=128
> ber_flush: 14 bytes to sd 14
> conn=1 op=0 RESULT tag=97 err=0 text=
> conn=1 op=1 SRCH base="ou=people,ou=freeweb,dc=freeweb,dc=ch" scope=2 
> filter="(alias=smail04 at freeweb.ch)"
> ber_flush: 62 bytes to sd 14
> ber_flush: 14 bytes to sd 14
> conn=1 op=1 SEARCH RESULT tag=101 err=0 text=
> conn=1 op=2 BIND dn="UID=USERMAIL04,OU=PEOPLE,OU=FREEWEB,DC=FREEWEB,DC=CH" 
> method=128
> ber_flush: 14 bytes to sd 14
> conn=1 op=2 RESULT tag=97 err=0 text=
> conn=0 op=3 SRCH base="dc=freeweb,dc=ch" scope=2 
> filter="(alias=smail04 at freeweb.ch)"
> ber_flush: 396 bytes to sd 8
> ber_flush: 14 bytes to sd 8
> conn=0 op=3 SEARCH RESULT tag=101 err=0 text=
> conn=0 op=4 SRCH base="uid=usermail04, ou=people,ou=freeweb,dc=freeweb,dc=ch" 
> scope=0 filter="(objectClass=*)"
> ber_flush: 396 bytes to sd 8
> ber_flush: 14 bytes to sd 8
> conn=0 op=4 SEARCH RESULT tag=101 err=0 text=
>

saslauthd worked fine.

>
> syslog message:
> un  9 06:27:34 mail04 pop3[5180]: login: localhost.freeweb.ch [127.0.0.1] 
> smail04 plaintext User logged in
> Jun  9 06:27:37 mail04 pop3[5180]: Unable to locate maildrop for smail04: 
> Mailbox does not exist
>
> But as you can see in the ldap entry my maildrop exists.

This is saying that the mailbox in the mailstore does not exist, which is 
true.  The server is looking for the 'smail04' mailbox.

> If I understand it correctly, then ptloader checks if the mailbox is 
> available with an LDAP search when I enter the login name. That's why I get an 
> "OK" after that. Ptloader can find the alias value in the LDAP database. For 
> the password check, SASL steps in. It also finds an entry for the alias user 
> in my LDAP database. But then something goes wrong. I really have no clue.
>
> Can someone please explain to me what happens?
>

You cannot make this work with the current stock code, you need to write 
custom code.  You have various options, write a new pts module (or hack 
the ldap one to fit your need), a new authorization module or a custom 
sasl canon plugin.

-Igor
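Igor's point is that the login name must be mapped to the canonical uid before Cyrus looks up the mailbox, which stock saslauthd and ptloader do not do for an alias. The following is an added example (not code from the thread, from Cyrus, or from Igor's patch) that shows in Python what such a canonicalisation step does, using a constructed in-memory stand-in for the LDAP entry Thomas posted; the function names and the dict-based "directory" are assumptions.

```python
# Constructed stand-in for the LDAP directory, built from the entry posted
# in the thread (one entry keyed by its DN). A real plugin would query slapd.
DIRECTORY = {
    "uid=usermail04,ou=people,ou=freeweb,dc=freeweb,dc=ch": {
        "uid": "usermail04",
        "alias": ["smail04@freeweb.ch", "usermail04@freeweb.ch"],
        "maildrop": "usermail04@mail04.freeweb.ch",
    },
}
DOMAIN = "freeweb.ch"  # assumed: the domain appended by the alias filter


def ldap_search(filter_attr, value):
    """Minimal stand-in for a subtree search on one attribute, e.g.
    (uid=smail04) or (alias=smail04@freeweb.ch). Returns (dn, entry) or None."""
    for dn, entry in DIRECTORY.items():
        attr = entry.get(filter_attr)
        values = attr if isinstance(attr, list) else [attr]
        if value in values:
            return dn, entry
    return None


def canonicalize(login):
    """What a custom canon plugin / pts module has to return: the canonical
    uid of the entry, whether the user typed the uid or one of its aliases.
    The two filters from the thread are tried in order: (uid=%u) first,
    then (alias=%u@freeweb.ch)."""
    hit = ldap_search("uid", login)
    if hit is None:
        hit = ldap_search("alias", f"{login}@{DOMAIN}")
    if hit is None:
        return None  # unknown login name: authorization must fail
    return hit[1]["uid"]


def stock_mailbox(login):
    """Mailbox name the stock server opens: the raw login name, so an alias
    login ends up at user.smail04, which does not exist in the mailstore."""
    return f"user.{login}"


def canonical_mailbox(login):
    """Mailbox name after canonicalisation: always the uid's mailbox."""
    uid = canonicalize(login)
    return None if uid is None else f"user.{uid}"
```

Whether the canonical name is produced in a SASL canon_user plugin or in the pts module, the authorization lookup and the mailbox open must both see the same uid; the hashed password check itself stays with saslauthd.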

> Regards,
> Thomas
>
> On 08.06.2005 at 23:56, Thomas Vogt wrote:
>
>> Hi all
>> 
>> With ptloader we have a nice tool to connect to an LDAP backend. And with 
>> ldap_filter in imapd.conf the user has the ability to do nice things. This 
>> works very well. But as I understand it, this is only the authorization 
>> mechanism. I always have problems with the authentication (SASL).
>> 
>> An example. Let's say we have this user information in the LDAP backend.
>> # usermail04, people, freeweb, freeweb, ch
>> dn: uid=usermail04, ou=people,ou=freeweb,dc=freeweb,dc=ch
>> uid: usermail04
>> sn: none
>> uidNumber: -1
>> gidNumber: -1
>> homeDirectory: /nonexistent
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> objectClass: xMail
>> cn: Testuser
>> userPassword:: e01EaEgMEUs4gaUmRZSU9xSll0Y1FnPT0K
>> maildrop: usermail04 at mail04.freeweb.ch
>> alias: smail04 at freeweb.ch
>> alias: usermail04 at freeweb.ch
>> 
>> I can log in without problem if I use the uid as username and the correct 
>> password (auth=pts). But is it not possible to use the alias value too with 
>> the same password for the login procedure?
>> My problem is that I have an application which is generating a random uid as 
>> username. Only the alias value is human readable. Which means I'll give the 
>> user the ability to use his alias name for the POP3/IMAP authentication. Of 
>> course it should work with the uid too. Is there no configuration magic 
>> which can do that?
>> 
>> 
>> A few months ago Igor Brezac sent me an example patch. But I never figured 
>> out how it works.
>> 
>> Regards,
>> Thomas
>> ---
>> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
>> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
>> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>> 
>
>

-- 
Igor