auth failure with cyrus, saslauthd, pam and ldap
Martin Hoffmann
martin at hoffinator.de
Sat May 21 13:03:54 EDT 2005
Hi list,
I ran into serious trouble getting the following setup to work:
Centos 4 OS (Redhat Enterprise 4 compatible)
OpenXchange 0.8.0-2 (web frontend for mail + groupware)
Openldap
Cyrus-Imap
Samba
First of all I'd like to say that installing OpenXchange with cyrus and openldap
went fine - and did work without problems !
Today I wanted to add samba to my setup and now I get auth_failures with
cyrus-imap rendering the imap server useless :-(
I don't think it's a problem with OX but rather with cyrus+ldap or PAM in
general !
Some config files involved:
------------ /etc/openldap/ldap.conf --------------
HOST 127.0.0.1
BASE dc=mydomain,dc=de
scope sub
pam_login_attribute uid
----------- /etc/openldap/slapd.conf --------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
database ldbm
directory /var/lib/ldap
include /usr/local/ox/share/openxchange.schema
include /etc/openldap/schema/samba.schema
suffix "dc=mydomain,dc=de"
rootdn "cn=mailadmin,dc=mydomain,dc=de"
rootpw secret
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
index mailEnabled,givenname,lnetMailAccess,alias,loginDestination eq,sub
include /etc/openldap/acl_ox.conf
------------ /etc/openldap/acl_ox.conf ---------------
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none
access to attr=shadowLastChange
by self write
by * read
access to dn="ou=addr,uid=(.*),ou=Users,ou=OxObjects,dc=mydomain,dc=de"
attr=uid,objectClass,entry filter=(objectClass=OXUserObject)
by self write
by dn="uid=$1,ou=Users,ou=OxObjects,dc=mydomain,dc=de" write
by * none
access to dn.subtree="o=AddressBook,ou=OxObjects,dc=mydomain,dc=de"
by group="cn=AddressAdmins,o=AddressBook,ou=OxObjects,dc=mydomain,dc=de" write
by users read
by * none
access to * attr=uid,objectClass,entry filter=(objectClass=OXUserObject)
by self write
by * read
access to dn="uid=mailadmin,ou=Users,ou=OxObjects,dc=mydomain,dc=de"
attr=imapServer,mailDomain,smtpServer,sn,givenName,uid
by self write
by users read
access to dn="uid=mailadmin,ou=Users,ou=OxObjects,dc=mydomain,dc=de"
by self write
by * none
access to dn="ou=addr,uid=(.*),ou=Users,ou=OxObjects,dc=mydomain,dc=de"
by dn="uid=$1,ou=Users,ou=OxObjects,dc=mydomain,dc=de" write
by * none
access to dn="ou=Users,ou=OxObjects,dc=mydomain,dc=de"
by self write
by users read
by anonymous auth
access to dn="ou=OxObjects,dc=mydomain,dc=de"
by users read
by anonymous auth
access to dn="dc=mydomain,dc=de"
by dn="uid=*,ou=Users,ou=OxObjects,dc=mydomain,dc=de" read
access to *
by self write
by users read
by anonymous auth
-------------- /etc/imapd.conf --------------
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: root cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
--------------- /etc/sysconfig/imapd.conf ------------
SOCKETDIR=/var/run/saslauthd
MECH=pam
FLAGS=
------------- /etc/nsswitch.conf ----------
[...]
passwd: files ldap
shadow: files ldap
group: files ldap
[...]
----------- /etc/ldap.conf ------------
host 127.0.0.1
base dc=mydomain,dc=de
rootbinddn cn=mailadmin,dc=mydomain,dc=de
pam_password md5
nss_base_passwd ou=Users,ou=OxObjects,dc=mydomain,dc=de?one
nss_base_shadow ou=Users,ou=OxObjects,dc=mydomain,dc=de?one
nss_base_group ou=Groups,ou=OxObjects,dc=mydomain,dc=de?one
ssl no
---------- /etc/ldap.secret --------------
secret
(so this file only contains the "secret" password followed by a newline ! - of
course my real password won't be "secret" ;-)
------------ /etc/pam.d/imap -------------
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_stack.so service=system-auth
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_stack.so service=system-auth
------------- /etc/pam.d/sieve ------------
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_stack.so service=system-auth
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_stack.so service=system-auth
-------------- /etc/pam.d/system-auth -----------
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
-------------------
In fact some stuff like "getent passwd" works - so basically access to ldap is
okay ! (At least for nsswitch)
Also the Web interface of OpenXchange does work with the same ldap user
accounts !
However everything around cyrus (imap, sieve, ...) or PAM seems to be broken ! Why ?
When I try to log on with my user account into e.g. imap or
sieve, /var/log/messages reports:
May 21 18:39:09 saturn saslauthd[3046]: do_auth : auth failure: [user=mhoffmann] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
May 21 18:39:35 saturn imap(pam_unix)[3047]: check pass; user unknown
May 21 18:39:35 saturn imap(pam_unix)[3047]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
May 21 18:39:37 saturn saslauthd[3047]: do_auth : auth failure: [user=mhoffmann] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
So imap and sieve are not usable anymore :-(
I'm afraid the system itself does not really accept the users:
#getent passwd | grep mhoffmann
mhoffmann:x:502:500:Martin Hoffmann:/home/mhoffmann/:/bin/bash
Seems okay to me !
However login / su / chmod with this user fails:
# chown mhoffmann testfile
chown: „mhoffmann“: ungültiger Benutzer
(= unknown user)
# su mhoffmann
su: Benutzer mhoffmann existiert nicht
(= user mhoffmann does not exist)
Any clues ?
I hope it's not one of those silly questions but I've been searching the net
up and down for hours now - sadly without luck ...
Is there a way to further debug this ? I mean what's exactly happening for
cyrus / saslauthd ?
Any help welcome :-)
Martin
--
Ferengi Rule of Acquisition Number 58:
There is no substitute for success.
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
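Added example (not part of the original post or of the Cyrus project): a small Python diagnostic for exactly the symptom described above. It parses saslauthd "auth failure" lines and the pam_unix "check pass; user unknown" lines from syslog, correlates them by PID (saslauthd runs the PAM conversation inside its forked child, so the PIDs match as they do in the excerpt), and then checks, for every user that failed, whether the local NSS stack can enumerate the account (what `getent passwd` does) but not look it up by name (what `su` and pam_unix do). The log text is constructed after the post's excerpt; the extra `alice`/`sieve` line and the user `root` used for the NSS check are assumptions for the demonstration. The shadow lookup is deliberately not done here because it needs root and the `spwd` module is no longer shipped with current Python.

```python
import pwd
import re
from collections import Counter

# Constructed sample log, modelled on the /var/log/messages excerpt in the post.
# The last line (user alice, service sieve) is an assumed extra entry.
SAMPLE_LOG = """\
May 21 18:39:09 saturn saslauthd[3046]: do_auth : auth failure: [user=mhoffmann] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
May 21 18:39:35 saturn imap(pam_unix)[3047]: check pass; user unknown
May 21 18:39:35 saturn imap(pam_unix)[3047]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
May 21 18:39:37 saturn saslauthd[3047]: do_auth : auth failure: [user=mhoffmann] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
May 21 18:40:02 saturn saslauthd[3048]: do_auth : auth failure: [user=alice] [service=sieve] [realm=] [mech=pam] [reason=PAM auth error]
"""

SASL_FAIL = re.compile(r"saslauthd\[(?P<pid>\d+)\]: do_auth : auth failure: (?P<fields>.*)$")
PAM_UNKNOWN = re.compile(r"\((?P<module>pam_\w+)\)\[(?P<pid>\d+)\]: check pass; user unknown")
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")  # one [key=value] bracket group


def parse_saslauthd_failures(text):
    """Return one dict per saslauthd 'auth failure' line: user, service, realm, mech, reason, pid."""
    records = []
    for line in text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            rec = dict(FIELD.findall(m.group("fields")))
            rec["pid"] = int(m.group("pid"))
            records.append(rec)
    return records


def pam_user_unknown_pids(text):
    """PIDs of processes whose pam_unix reported 'user unknown' (i.e. getpwnam failed inside PAM)."""
    pids = set()
    for line in text.splitlines():
        m = PAM_UNKNOWN.search(line)
        if m:
            pids.add(int(m.group("pid")))
    return pids


def check_nss_user(name):
    """Compare NSS enumeration (getpwent, as used by 'getent passwd') with lookup by name (getpwnam).

    An account that is enumerated but cannot be looked up is the post's symptom: the
    enumeration path works while the filtered by-name search does not.
    """
    enumerated = any(p.pw_name == name for p in pwd.getpwall())
    try:
        pwd.getpwnam(name)
        lookup = True
    except KeyError:
        lookup = False
    return {"user": name, "enumerated": enumerated, "lookup": lookup,
            "inconsistent": enumerated and not lookup}


def summarize(text):
    """Per failing user: failure count, services, whether PAM saw 'user unknown', and the NSS check."""
    failures = parse_saslauthd_failures(text)
    unknown_pids = pam_user_unknown_pids(text)
    counts = Counter(f["user"] for f in failures)
    report = []
    for user, n in counts.items():
        mine = [f for f in failures if f["user"] == user]
        report.append({
            "user": user,
            "failures": n,
            "services": sorted({f["service"] for f in mine}),
            "pam_user_unknown": any(f["pid"] in unknown_pids for f in mine),
            "nss": check_nss_user(user),
        })
    return report


if __name__ == "__main__":
    for entry in summarize(SAMPLE_LOG):
        flag = " <-- NSS enumerates the user but cannot look it up by name" if entry["nss"]["inconsistent"] else ""
        print(f"{entry['user']}: {entry['failures']} failure(s) on {entry['services']}, "
              f"pam_unix 'user unknown'={entry['pam_user_unknown']}, nss={entry['nss']}{flag}")
```

Run it on the real box with `python3 saslcheck.py < /var/log/messages` adapted to read stdin, or feed it the excerpt as shipped. A user flagged `inconsistent` tells you to look at the by-name NSS/PAM search path (the `nss_base_passwd` scope and the slapd ACLs governing `uid`/`objectClass` for the bind identity in use) rather than at saslauthd itself; `pam_user_unknown` on the same PID as the saslauthd failure confirms the failure happened before any password was compared.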