Authentication mechanism

carole gimenez gimenez at cict.fr
Tue May 31 09:49:21 EDT 2005


Hi all,

I'm sorry to write on this mailing list, but I haven't had any response
from the cyrus-sasl mailing list.

I use cyrus-imapd-2.2.10, cyrus-sasl-2.1.20 and openldap-2.2.18.

I wish to authenticate users against our LDAP server.

For that, I followed instructions found on web sites using the saslauthd
daemon, which apparently works with the plain mechanism. Is that right?


So, I read that the saslauthd daemon shouldn't use the /etc/sasldb2 file.
It's only when this is indicated in /etc/imapd.conf:
sasl_pwcheck_method: auxprop
that the sasldb2 database is used. Is that right?


However, it tries to write to /etc/sasldb2 (cf. auth.log):

May 27 15:36:42 pc-systeme imaps[318]: transitioning user vrc4952a to auxprop database
May 27 15:36:42 pc-systeme imaps[318]: SASL error opening password file. Do you have write permissions?
May 27 15:36:42 pc-systeme imaps[318]: Could not open /etc/sasldb2 for write: gdbm_errno=3
May 27 15:36:42 pc-systeme imaps[318]: setpass failed for vrc4952a: generic failure
May 27 15:36:42 pc-systeme imaps[318]: SASL error opening password file. Do you have write permissions?
May 27 15:36:42 pc-systeme imaps[318]: Could not open /etc/sasldb2 for write: gdbm_errno=3
May 27 15:36:42 pc-systeme imaps[318]: Error putting OTP secret
May 27 15:36:42 pc-systeme imaps[318]: OTP: failed to set secret for vrc4952a: generic failure (Permission denied)


For the tests, I deliberately renamed /etc/sasldb2 to /etc/sasldb2.old to
see what happens.

I don't understand why it does that.


Other questions: what is the difference between ldap_auth_method: bind
and custom in /etc/saslauthd.conf? And what does sasl_auto_transition in
/etc/imapd.conf mean?


Can somebody clear this up for me?


Thanks in advance.

Carole.


*************************************************************************

Here are the different configuration files of cyrus-imap and cyrus-sasl:

* /usr/lib/sasl2/Cyrus.conf
pwcheck_method: saslauthd
mech_list: plain

* /etc/saslauthd.conf
ldap_servers: ldaps://pc-systeme.cict.fr:636/
#ldap_auth_method: custom
ldap_auth_method: bind
ldap_bind_dn: uid=cyrus,ou=appli,dc=ups-tlse,dc=fr
ldap_password: xxxxx
ldap_search_base: dc=ups-tlse,dc=fr
#ldap_filter: cn=%u


* /etc/cyrus.conf
# standard standalone server implementation

START {
  # do not delete this entry!
  recover       cmd="/usr/local/cyrus_imapd/cyrus/bin/ctl_cyrusdb -r"

  # this is only necessary if using idled for IMAP IDLE
  # idled       cmd="idled"

  # this is useful on backend nodes of a Murder cluster
  # it causes the backend to synchronize its mailbox list with
  # the mupdate master upon startup
  # mupdatepush cmd="/usr/local/cyrus_imapd/cyrus/bin/ctl_mboxlist -m"

  # this is recommended if using duplicate delivery suppression
  delprune cmd="/usr/local/cyrus_imapd/cyrus/bin/ctl_deliver -E 3"
  # this is recommended if caching TLS sessions
  tlsprune cmd="/usr/local/cyrus_imapd/cyrus/bin/tls_prune"
}

# UNIX sockets start with a slash and are put into /var/imap/socket
# you can use a maxchild=# to limit the maximum number of forks of a service
# you can use babysit=true and maxforkrate=# to keep tight tabs on the service
# most services also accept -U (limit number of reuses) and -T (timeout)

SERVICES {
  # add or remove based on preferences
  #imap         cmd="imapd" listen="imap" prefork=0
  imaplocal     cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap" prefork=0
  imaps         cmd="imapd -s -U 30" listen="130.120.74.17:imaps" prefork=0 maxchild=100
#  pop3         cmd="pop3d" listen="pop3" prefork=0
#  pop3s                cmd="pop3d -s" listen="pop3s" prefork=0
  sieve         cmd="timsieved" listen="sieve" prefork=0

  # these are only necessary if receiving/exporting usenet via NNTP
  #  nntp               cmd="nntpd" listen="nntp" prefork=0
  #  nntps              cmd="nntpd -s" listen="nntps" prefork=0

  # at least one LMTP is required for delivery
  #  lmtp               cmd="lmtpd" listen="lmtp" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0 maxchild=20

  # this is only necessary if using notifications
  notify        cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
}

EVENTS {
  # this is required
  checkpoint    cmd="/usr/local/cyrus_imapd/cyrus/bin/ctl_cyrusdb -c" period=30

  # this is only necessary if using duplicate delivery suppression,
  # Sieve or NNTP
  # delprune    cmd="cyr_expire -E 3" at=0400
  delprune cmd="/usr/local/cyrus_imapd/cyrus/bin/ctl_deliver -E 3" at=0401

  # this is only necessary if caching TLS sessions
  tlsprune      cmd="/usr/local/cyrus_imapd/cyrus/bin/tls_prune" at=0401

  squatter cmd="/usr/local/cyrus_imapd/cyrus/bin/squatter -r user.%" at=0401
}


* /etc/imapd-local.conf
configdirectory: /var/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
maxmessagesize: 5000000
#allowplaintext: 0
sasl_pwcheck_method: saslauthd
sasl_option: 1
sasl_mech_list: plain
sasl_auto_transition: 1
servername: pc-systeme.cict.fr
lmtp_downcase_rcpt: 1
mailnotifier: log


* /etc/imapd.conf
configdirectory: /var/imap
partition-default: /var/spool/imap
#admins: cyrus
sievedir: /var/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
maxmessagesize: 5000000
sasl_pwcheck_method: saslauthd
sasl_option: 1
sasl_mech_list: plain
sasl_auto_transition: 1
servername: pc-systeme.cict.fr
lmtp_downcase_rcpt: 1
mailnotifier: log
tls_ca_file: /usr/share/ssl/mon_AC/private/mon_AC.crt
tls_cert_file: /usr/share/ssl/mon_AC/certs/server_signed.pem
tls_key_file: /usr/share/ssl/mon_AC/private/server_tls.pem



---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
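Added example, not part of Carole's post or of the Cyrus project: a small Python check that parses an imapd.conf in the "option: value" format posted above and the auth.log lines, and reports the setting that makes imapd open /etc/sasldb2 for writing even though pwcheck_method is saslauthd (sasl_auto_transition: after a successful plaintext login the SASL library copies the password into the auxprop store so that shared-secret mechanisms can use it). The config and log samples are constructed from the post; the finding texts and function names are this example's own.

```python
import re
# Constructed sample, copying the SASL-related options from the posted /etc/imapd.conf.
IMAPD_CONF = """\
#allowplaintext: 0
sasl_pwcheck_method: saslauthd
sasl_mech_list: plain
sasl_auto_transition: 1
"""
# Constructed sample log lines modelled on the posted auth.log excerpt.
AUTH_LOG = """\
May 27 15:36:42 pc-systeme imaps[318]: transitioning user vrc4952a to auxprop database
May 27 15:36:42 pc-systeme imaps[318]: Could not open /etc/sasldb2 for write: gdbm_errno=3
May 27 15:36:42 pc-systeme imaps[318]: setpass failed for vrc4952a: generic failure
"""

def parse_imapd_conf(text):
    """imapd.conf is one 'option: value' per line; a leading '#' disables the whole line."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):      # '#allowplaintext: 0' is thus NOT set
            key, _, value = line.partition(":")
            opts[key.strip()] = value.strip()
    return opts

def lint_sasl(opts):
    """Return findings explaining why imapd may write to /etc/sasldb2 despite saslauthd."""
    findings = []
    if opts.get("sasl_auto_transition", "0").lower() in ("1", "yes", "on", "true"):
        findings.append("sasl_auto_transition is on: after a successful PLAIN login the SASL "
                        "library copies the password into the auxprop store (/etc/sasldb2), so "
                        "imapd needs write access to it even with sasl_pwcheck_method: "
                        + opts.get("sasl_pwcheck_method", "unset"))
    if "plain" in opts.get("sasl_mech_list", "").lower() and "allowplaintext" not in opts:
        findings.append("PLAIN is offered and allowplaintext is not set explicitly; confirm "
                        "cleartext logins are confined to TLS (imaps) or loopback")
    return findings

TRANSITION = re.compile(r"transitioning user (\S+) to auxprop database")
SETPASS_FAIL = re.compile(r"setpass failed for (\S+): (.*)")

def transition_failures(log_text):
    """Map each user the server tried to transition to the setpass error logged for it (or None)."""
    result = {}
    for line in log_text.splitlines():
        if m := TRANSITION.search(line):
            result.setdefault(m.group(1), None)
        elif m := SETPASS_FAIL.search(line):
            result[m.group(1)] = m.group(2)
    return result
```

Running `lint_sasl(parse_imapd_conf(IMAPD_CONF))` on the sample yields two findings, and `transition_failures(AUTH_LOG)` maps vrc4952a to "generic failure"; with sasl_auto_transition set to 0 the first finding disappears and no sasldb2 write is expected.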