Authentication mechanism
carole gimenez
gimenez at cict.fr
Tue May 31 09:49:21 EDT 2005
Hi all,
I'm sorry to write to this mailing list, but I haven't had any response
from the cyrus-sasl mailing list.
I use cyrus-imapd-2.2.10, cyrus-sasl-2.1.20 and openldap-2.2.18.
I wish to authenticate users against our LDAP server.
For that, I followed instructions found on web sites using the saslauthd
daemon, which apparently works with the plain mechanism. Is that right?
So, I read that the saslauthd daemon shouldn't use the /etc/sasldb2 file.
It's only when this is indicated in /etc/imapd.conf:
sasl_pwcheck_method: auxprop
that the sasldb2 database is used. Is that right?
However, it tries to write to /etc/sasldb2 (cf. auth.log):
May 27 15:36:42 pc-systeme imaps[318]: transitioning user vrc4952a to auxprop database
May 27 15:36:42 pc-systeme imaps[318]: SASL error opening password file. Do you have write permissions?
May 27 15:36:42 pc-systeme imaps[318]: Could not open /etc/sasldb2 for write: gdbm_errno=3
May 27 15:36:42 pc-systeme imaps[318]: setpass failed for vrc4952a: generic failure
May 27 15:36:42 pc-systeme imaps[318]: SASL error opening password file. Do you have write permissions?
May 27 15:36:42 pc-systeme imaps[318]: Could not open /etc/sasldb2 for write: gdbm_errno=3
May 27 15:36:42 pc-systeme imaps[318]: Error putting OTP secret
May 27 15:36:42 pc-systeme imaps[318]: OTP: failed to set secret for vrc4952a: generic failure (Permission denied)
For the tests, I deliberately renamed /etc/sasldb2 to /etc/sasldb2.old to
see what happens.
I don't understand why it does that.
Another question: what is the difference between ldap_auth_method: bind
and custom in /etc/saslauthd.conf? And what does sasl_auto_transition in
/etc/imapd.conf mean?
Can somebody clarify this for me?
Thanks in advance.
Carole.
*************************************************************************
Here are the different configuration files of cyrus-imap and cyrus-sasl:
* /usr/lib/sasl2/Cyrus.conf
pwcheck_method: saslauthd
mech_list: plain
* /etc/saslauthd.conf
ldap_servers: ldaps://pc-systeme.cict.fr:636/
#ldap_auth_method: custom
ldap_auth_method: bind
ldap_bind_dn: uid=cyrus,ou=appli,dc=ups-tlse,dc=fr
ldap_password: xxxxx
ldap_search_base: dc=ups-tlse,dc=fr
#ldap_filter: cn=%u
* /etc/cyrus.conf
# standard standalone server implementation
START {
# do not delete this entry!
recover cmd="/usr/local/cyrus_imapd/cyrus/bin/ctl_cyrusdb -r"
# this is only necessary if using idled for IMAP IDLE
# idled cmd="idled"
# this is useful on backend nodes of a Murder cluster
# it causes the backend to synchronize its mailbox list with
# the mupdate master upon startup
# mupdatepush cmd="/usr/local/cyrus_imapd/cyrus/bin/ctl_mboxlist -m"
# this is recommended if using duplicate delivery suppression
delprune cmd="/usr/local/cyrus_imapd/cyrus/bin/ctl_deliver -E 3"
# this is recommended if caching TLS sessions
tlsprune cmd="/usr/local/cyrus_imapd/cyrus/bin/tls_prune"
}
# UNIX sockets start with a slash and are put into /var/imap/socket
# you can use a maxchild=# to limit the maximum number of forks of a service
# you can use babysit=true and maxforkrate=# to keep tight tabs on the service
# most services also accept -U (limit number of reuses) and -T (timeout)
SERVICES {
# add or remove based on preferences
#imap cmd="imapd" listen="imap" prefork=0
imaplocal cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap" prefork=0
imaps cmd="imapd -s -U 30" listen="130.120.74.17:imaps" prefork=0 maxchild=100
# pop3 cmd="pop3d" listen="pop3" prefork=0
# pop3s cmd="pop3d -s" listen="pop3s" prefork=0
sieve cmd="timsieved" listen="sieve" prefork=0
# these are only necessary if receiving/exporting usenet via NNTP
# nntp cmd="nntpd" listen="nntp" prefork=0
# nntps cmd="nntpd -s" listen="nntps" prefork=0
# at least one LMTP is required for delivery
# lmtp cmd="lmtpd" listen="lmtp" prefork=0
lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0 maxchild=20
# this is only necessary if using notifications
notify cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
}
EVENTS {
# this is required
checkpoint cmd="/usr/local/cyrus_imapd/cyrus/bin/ctl_cyrusdb -c" period=30
# this is only necessary if using duplicate delivery suppression,
# Sieve or NNTP
# delprune cmd="cyr_expire -E 3" at=0400
delprune cmd="/usr/local/cyrus_imapd/cyrus/bin/ctl_deliver -E 3" at=0401
# this is only necessary if caching TLS sessions
tlsprune cmd="/usr/local/cyrus_imapd/cyrus/bin/tls_prune" at=0401
squatter cmd="/usr/local/cyrus_imapd/cyrus/bin/squatter -r user.%" at=0401
}
* /etc/imapd-local.conf
configdirectory: /var/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
maxmessagesize: 5000000
#allowplaintext: 0
sasl_pwcheck_method: saslauthd
sasl_option: 1
sasl_mech_list: plain
sasl_auto_transition: 1
servername: pc-systeme.cict.fr
lmtp_downcase_rcpt: 1
mailnotifier: log
* /etc/imapd.conf
configdirectory: /var/imap
partition-default: /var/spool/imap
#admins: cyrus
sievedir: /var/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
maxmessagesize: 5000000
sasl_pwcheck_method: saslauthd
sasl_option: 1
sasl_mech_list: plain
sasl_auto_transition: 1
servername: pc-systeme.cict.fr
lmtp_downcase_rcpt: 1
mailnotifier: log
tls_ca_file: /usr/share/ssl/mon_AC/private/mon_AC.crt
tls_cert_file: /usr/share/ssl/mon_AC/certs/server_signed.pem
tls_key_file: /usr/share/ssl/mon_AC/private/server_tls.pem
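The "transitioning user ... to auxprop database" lines above come from sasl_auto_transition: 1, which makes imapd copy a user's secret into sasldb2 after every successful plaintext login. As an added example (not part of Carole's post or of the Cyrus project), the Python below lints an imapd.conf fragment for that combination and for PLAIN being offered without an explicit allowplaintext, and pulls failed transitions out of auth.log; the sample config and log lines are constructed, and the log regexes assume the syslog format shown in the post.

```python
import re

# Constructed imapd.conf fragment mirroring the settings quoted in the post.
SAMPLE_IMAPD_CONF = """\
configdirectory: /var/imap
#allowplaintext: 0
sasl_pwcheck_method: saslauthd
sasl_mech_list: plain
sasl_auto_transition: 1
"""
# Constructed auth.log lines in the shape of the excerpt above.
SAMPLE_AUTH_LOG = [
    "May 27 15:36:42 pc-systeme imaps[318]: transitioning user vrc4952a to auxprop database",
    "May 27 15:36:42 pc-systeme imaps[318]: Could not open /etc/sasldb2 for write: gdbm_errno=3",
    "May 27 15:36:42 pc-systeme imaps[318]: setpass failed for vrc4952a: generic failure",
]

def parse_imapd_conf(text):
    """Parse 'key: value' lines; lines starting with '#' are comments and are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        opts[key.strip()] = value.strip()
    return opts

def audit_sasl_settings(opts):
    """Return one finding per risky combination of SASL password-checking settings."""
    findings = []
    methods = opts.get("sasl_pwcheck_method", "").split()
    # Simplified boolean parsing (assumption: Cyrus accepts a few more spellings).
    auto = opts.get("sasl_auto_transition", "0").lower() in ("1", "yes", "on", "true")
    if auto and "saslauthd" in methods:
        findings.append("sasl_auto_transition with saslauthd: each successful plaintext login "
                        "writes the user's secret into sasldb2, so a second copy of LDAP "
                        "credentials lives on the IMAP host; set it to 0 unless CRAM/DIGEST are needed")
    if "plain" in opts.get("sasl_mech_list", "").lower().split() and "allowplaintext" not in opts:
        findings.append("PLAIN is offered but allowplaintext is not set explicitly; set "
                        "allowplaintext: 0 so cleartext passwords are accepted only under TLS")
    return findings

TRANSITION_RE = re.compile(r"imaps?\[\d+\]: transitioning user (\S+) to auxprop database")
SETPASS_FAIL_RE = re.compile(r"imaps?\[\d+\]: setpass failed for (\S+):")

def failed_transitions(lines):
    """Users whose auto-transition was attempted and then failed (e.g. unwritable sasldb2)."""
    attempted = {m.group(1) for l in lines for m in [TRANSITION_RE.search(l)] if m}
    failed = {m.group(1) for l in lines for m in [SETPASS_FAIL_RE.search(l)] if m}
    return sorted(attempted & failed)
```

Running the audit on the quoted settings yields both findings; setting sasl_auto_transition: 0 and allowplaintext: 0 yields none.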
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html