authorization with ptloader and authentication by sasl

Thomas Vogt tv at solnet.ch
Thu Jun 9 02:43:33 EDT 2005


Hi again,

Perhaps I have to give more information, including debug output.
I'm running cyrus imapd 2.2.12

imapd.conf:
configdirectory: /m/imap
partition-default: /m/spool/imap
logtimestamps: yes
sieveusehomedir: false
sievedir: /m/imap/sieve
hashimapspool: true
sasl_pwcheck_method: saslauthd
ptloader_sock: /var/imap/socket/ptsock
lmtpsocket: /var/imap/socket/lmtp
idlesocket: /var/imap/socket/idle
notifysocket: /var/imap/socket/notify
ldap_base: dc=freeweb,dc=ch
ldap_deref: search
ldap_filter: (alias=%U@freeweb.ch) #hardcoded, since I just want to test alias login
ldap_sasl: 0
ldap_group_scope: sub
ldap_bind_dn: dc=freeweb,dc=ch
ldap_restart: 1
ldap_scope: sub
ldap_start_tls: 0
ldap_time_limit: 10
ldap_timeout: 15
ptscache_timeout: 0
ldap_tls_check_peer: no
ldap_uri: ldap://localhost/

saslauthd.conf:
ldap_servers: ldap://localhost/
ldap_search_base: ou=people,ou=freeweb,dc=freeweb,dc=ch

ldap test user entry:
# usermail04, people, freeweb, freeweb, ch
dn: uid=usermail04, ou=people,ou=freeweb,dc=freeweb,dc=ch
uid: usermail04
sn: none
uidNumber: -1
gidNumber: -1
homeDirectory: /nonexistent
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: xMail
cn: Testuser
userPassword:: e01EaEgMEUs4gaUmRZSU9xSll0Y1FnPT0K
maildrop: usermail04@mail04.freeweb.ch
alias: smail04@freeweb.ch
alias: usermail04@freeweb.ch

With the uid I can log in as expected:
root@mail04:~# telnet 0 110
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
+OK mail04.freeweb.ch Cyrus POP3 v2.2.12 server ready <42593317.1118297848@mail04.freeweb.ch>
user usermail04
+OK Name is a valid mailbox
pass test
+OK Mailbox locked and ready
list
+OK scan listing follows
1 2908
2 1939
3 2922
4 1430

If I try to log in with the alias value from the LDAP entry (alias:
smail04@freeweb.ch), I get an error message:
root@mail04:~# telnet 0 110
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
+OK mail04.freeweb.ch Cyrus POP3 v2.2.12 server ready <558468082.1118297975@mail04.freeweb.ch>
user smail04
+OK Name is a valid mailbox
pass test
-ERR [AUTH] Invalid login

slapd -d 256 shows:

User login with smail04 (alias user):
daemon: conn=0 fd=8 connection from IP=127.0.0.1:53965 (IP=127.0.0.1:389) accepted.
conn=0 op=0 BIND dn="DC=FREEWEB,DC=CH" method=128
ber_flush: 14 bytes to sd 8
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="dc=freeweb,dc=ch" scope=2 filter="(alias=smail04@freeweb.ch)"
ber_flush: 396 bytes to sd 8
ber_flush: 14 bytes to sd 8
conn=0 op=1 SEARCH RESULT tag=101 err=0 text=
conn=0 op=2 SRCH base="uid=usermail04, ou=people,ou=freeweb,dc=solnet,dc=ch" scope=0 filter="(objectClass=*)"
ber_flush: 396 bytes to sd 8
ber_flush: 14 bytes to sd 8
conn=0 op=2 SEARCH RESULT tag=101 err=0 text=

password auth:
daemon: conn=3 fd=17 connection from IP=127.0.0.1:54593 (IP=127.0.0.1:389) accepted.
conn=3 op=0 BIND dn="" method=128
ber_flush: 14 bytes to sd 17
conn=3 op=0 RESULT tag=97 err=0 text=
conn=3 op=1 SRCH base="ou=people,ou=freeweb,dc=freeweb,dc=ch" scope=2 filter="(uid=smail04)"
ber_flush: 14 bytes to sd 17
conn=3 op=1 SEARCH RESULT tag=101 err=0 text=

I see that sasl uses the uid, which of course will never be true with
"smail04" as the username. So I added ldap_filter: (alias=%u@freeweb.ch)
to saslauthd.conf.


Now, if I try to log in with the alias name, I get another error:
+OK mail04.freeweb.ch Cyrus POP3 v2.2.12 server ready <2017580902.1118298433@mail04.freeweb.ch>
user smail04
+OK Name is a valid mailbox
pass test
-ERR [SYS/PERM] Unable to locate maildrop: Mailbox does not exist

slapd output for the password auth:
conn=1 op=0 BIND dn="" method=128
ber_flush: 14 bytes to sd 14
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 SRCH base="ou=people,ou=freeweb,dc=freeweb,dc=ch" scope=2 filter="(alias=smail04@freeweb.ch)"
ber_flush: 62 bytes to sd 14
ber_flush: 14 bytes to sd 14
conn=1 op=1 SEARCH RESULT tag=101 err=0 text=
conn=1 op=2 BIND dn="UID=USERMAIL04,OU=PEOPLE,OU=FREEWEB,DC=FREEWEB,DC=CH" method=128
ber_flush: 14 bytes to sd 14
conn=1 op=2 RESULT tag=97 err=0 text=
conn=0 op=3 SRCH base="dc=freeweb,dc=ch" scope=2 filter="(alias=smail04@freeweb.ch)"
ber_flush: 396 bytes to sd 8
ber_flush: 14 bytes to sd 8
conn=0 op=3 SEARCH RESULT tag=101 err=0 text=
conn=0 op=4 SRCH base="uid=usermail04, ou=people,ou=freeweb,dc=freeweb,dc=ch" scope=0 filter="(objectClass=*)"
ber_flush: 396 bytes to sd 8
ber_flush: 14 bytes to sd 8
conn=0 op=4 SEARCH RESULT tag=101 err=0 text=


syslog message:
Jun  9 06:27:34 mail04 pop3[5180]: login: localhost.freeweb.ch [127.0.0.1] smail04 plaintext User logged in
Jun  9 06:27:37 mail04 pop3[5180]: Unable to locate maildrop for smail04: Mailbox does not exist

But as you can see in the LDAP entry, my maildrop exists.
If I understand it correctly, ptloader checks whether the mailbox is
available with an LDAP search when I enter the login name. That's why
I get an "OK" after that. Ptloader can find the alias value in the
LDAP database. For the password check, sasl kicks in. It also finds an
entry for the alias user in my LDAP database. But then something
goes wrong. I really have no clue.

Can someone please explain to me what happens?

Regards,
Thomas

On 08.06.2005 at 23:56, Thomas Vogt wrote:

> Hi all,
>
> With ptloader we have a nice tool to connect to an LDAP backend, and
> with ldap_filter in imapd.conf the user has the ability to do nice
> things. This works very well. But as I understand it, this is only the
> authorization mechanism. I always have problems with the
> authentication (sasl).
>
> An example. Let's say we have this user information in the LDAP
> backend:
> # usermail04, people, freeweb, freeweb, ch
> dn: uid=usermail04, ou=people,ou=freeweb,dc=freeweb,dc=ch
> uid: usermail04
> sn: none
> uidNumber: -1
> gidNumber: -1
> homeDirectory: /nonexistent
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: xMail
> cn: Testuser
> userPassword:: e01EaEgMEUs4gaUmRZSU9xSll0Y1FnPT0K
> maildrop: usermail04@mail04.freeweb.ch
> alias: smail04@freeweb.ch
> alias: usermail04@freeweb.ch
>
> I can log in without problem if I use the uid as username and the
> correct password (auth=pts). But is it not possible to use the
> alias value too, with the same password, for the login procedure?
> My problem is that I have an application which generates a random
> uid as username. Only the alias value is human readable, which means
> I will give the user the ability to use his alias name for the pop3/
> imap authentication. Of course it should work with the uid too. Is
> there no configuration magic which can do that?
>
>
> A few months ago Igor Brezac sent me an example patch, but I never
> figured out how it works.
>
> Regards,
> Thomas

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
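The two slapd traces and the syslog lines together show the sequence: after the saslauthd filter change, the search (alias=smail04@freeweb.ch) finds the entry, saslauthd binds as uid=usermail04's DN with err=0, pop3d logs "smail04 plaintext User logged in", and the maildrop lookup then runs for the literal login name smail04, for which "Mailbox does not exist", whereas the same lookup for usermail04 succeeds. What the log shows missing is a canonicalization step between the two: the typed alias is never turned back into the uid that owns the mailbox. The following Python model is an added example, not code from the post, from Cyrus, ptloader or saslauthd. It uses an in-memory stand-in directory built from the posted entry (with the session password "test" hashed in place of the posted userPassword), separates the authenticate and locate steps, and adds the alias-to-uid mapping. It also shows why a login name substituted for %u in an ldap_filter must be escaped per RFC 4515: an unescaped "*" turns an equality filter into a wildcard. The names pop3_login, search, MAILBOXES, FILTERS and the canonicalize flag are this model's own assumptions.

```python
import base64
import hashlib
import hmac
import re


def sha_password(pw):
    """OpenLDAP-style {SHA} userPassword value (used here only to build the stand-in entry)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(pw.encode()).digest()).decode()


# Constructed stand-in for the directory: the entry from the post, password 'test' hashed.
DIRECTORY = [{
    "dn": "uid=usermail04,ou=people,ou=freeweb,dc=freeweb,dc=ch",
    "uid": ["usermail04"],
    "userPassword": [sha_password("test")],
    "maildrop": ["usermail04@mail04.freeweb.ch"],
    "alias": ["smail04@freeweb.ch", "usermail04@freeweb.ch"],
}]

# Constructed stand-in for the Cyrus mailbox list: mailboxes are named user.<name>,
# and only the uid has one, which is what the two POP3 sessions in the post show.
MAILBOXES = {"user.usermail04"}

# Filters tried in order with %u replaced by the escaped login name; the second one
# is the alias filter the post added to saslauthd.conf (assumed combination).
FILTERS = ["(uid=%u)", "(alias=%u@freeweb.ch)"]


def ldap_escape(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


_FILTER = re.compile(r"^\((\w+)=(.*)\)$", re.DOTALL)


def _pattern_to_regex(pattern):
    """Unescaped '*' is a wildcard; \\xx escapes become literal characters."""
    pieces = []
    for piece in pattern.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)
        pieces.append(re.escape(literal))
    return re.compile(".*".join(pieces), re.DOTALL)


def search(filter_str, directory=DIRECTORY):
    """Minimal evaluator for a single (attr=value) filter over the in-memory directory."""
    m = _FILTER.match(filter_str)
    if not m:
        raise ValueError("unsupported filter: %r" % filter_str)
    attr, rx = m.group(1), _pattern_to_regex(m.group(2))
    return [e for e in directory if any(rx.fullmatch(v) for v in e.get(attr, []))]


def check_password(entry, password):
    return hmac.compare_digest(entry["userPassword"][0], sha_password(password))


def authenticate(login, password, directory=DIRECTORY):
    """saslauthd-like step: resolve the typed login to exactly one entry, then verify the password."""
    for template in FILTERS:
        hits = search(template.replace("%u", ldap_escape(login)), directory)
        if len(hits) > 1:  # two entries share the value: fail closed instead of picking one
            return None
        if len(hits) == 1:
            return hits[0] if check_password(hits[0], password) else None
    return None


def locate_maildrop(name):
    """Cyrus-like step: the maildrop is the mailbox user.<name> for whatever name it is handed."""
    mbox = "user." + name
    return mbox if mbox in MAILBOXES else None


def pop3_login(login, password, canonicalize):
    """Return the POP3 response line. canonicalize=False uses the typed login name as the
    mailbox owner (the behaviour the post's syslog lines show); canonicalize=True uses the
    authenticated entry's uid instead."""
    entry = authenticate(login, password)
    if entry is None:
        return "-ERR [AUTH] Invalid login"
    owner = entry["uid"][0] if canonicalize else login
    mbox = locate_maildrop(owner)
    if mbox is None:
        return "-ERR [SYS/PERM] Unable to locate maildrop: Mailbox does not exist"
    return "+OK Mailbox locked and ready (%s)" % mbox


if __name__ == "__main__":
    for login, canon in (("usermail04", False), ("smail04", False), ("smail04", True)):
        print(login, "canonicalize=%s" % canon, "->", pop3_login(login, "test", canon))
    # an unescaped wildcard widens the alias filter to every entry; escaping keeps it exact
    print(len(search("(alias=*@freeweb.ch)")), len(search("(alias=%s@freeweb.ch)" % ldap_escape("*"))))
```

Two points carry over to a real deployment regardless of which component ends up doing the mapping: the alias attribute must be unique across the directory (the model refuses to authenticate when a filter matches more than one entry, since otherwise whichever entry comes back first would own the login), and whatever substitutes the login name into ldap_filter must escape it, so check your deployed components rather than assume it.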



