Mapping users (either KerberosV or TLS certs)
Phil Pennock
info-cyrus-spodhuis at spodhuis.org
Wed Jul 5 20:02:01 EDT 2006
Hi,
[My config's at the bottom; Cyrus IMAP 2.2.12; censored email addresses
and look-alikes purely against harvesters; timestamps and '[imapd]'
trimmed from loglines]
I've two questions relating to mapping userids. I've read
documentation, searched the wiki, googled, and tried this at various
times over the space of a few days, so it's probably not a temporary
local blindness issue. ;^) The first issue relates to Kerberos and the
second to TLS+EXTERNAL with client certs.
Kerberos:
From: Lars Kellogg-Stedman <lars at oddbit.com>
Subject: Authenticating (with cyradm) using an alternate Kerberos instance?
Date: Sun, 6 Nov 2005 23:23:27 -0500
Message-ID: <c27faacf0511062023yb8a9fdai432a6115a82b518f at mail.gmail.com>
Nobody answered Lars then and I'm seeing the same issue; on the
off-chance that I'm hitting a lighter spot in your schedules: can anyone
please explain how to configure Cyrus so that a KerberosV /admin
principal can be treated as a Cyrus admin user? I've tried inserting
various entries into sasldb to back this up, putting things into
/etc/krb5.equiv as well as various values for "admins:" and I'm stumped.
Help! Please?
badlogin: domus.home.globnix.net [192.168.1.101] GSSAPI [SASL(-13): authentication failure: bad userid authenticated]
Trying to get TLS with client certificates and SASL EXTERNAL working, I
find that when connecting to IMAPS on port 993, the client cert is
ignored:
starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
When connecting on 143 and using STARTTLS, the client cert is not
ignored; anyone know why this might be? When the client cert is used,
then I can get EXTERNAL offered and used, but I can't see how to
persuade Cyrus to map this to a regular user. Is this where I need to
be using ptloader and LDAP? If so, does anyone have sample configs and
LDIF entries for how they manage this, please?
Common:
subject=/C=NL/.../CN=Phil Pennock/emailAddress=censored at domain.tld
starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) authenticated as Phil Pennock
Supplying the same usercode as exists in emailAddress:
badlogin: domus.home.globnix.net [192.168.1.101] EXTERNAL [SASL(-13): authentication failure: user phil pennock is not allowed to proxy]
Supplying no authz:
login: domus.home.globnix.net [192.168.1.101] phil pennock EXTERNAL+TLS User logged in
>>> a3 CAPABILITY
<<< * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=EXTERNAL SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
<<< a3 OK Completed
>>> a4 AUTHENTICATE EXTERNAL Y2Vuc29yZWQ=
<<< a4 NO authentication failure
Also, can someone please explain why imtest(1) sends "=C:" as the id
when no authzid is provided? Where does this value come from? If it is
some kind of CN decode indicator, are there other legal values? That's
what I see with:
----------------------------8< cut here >8------------------------------
$ imtest -m EXTERNAL -t ~/.mutt/email-client.pair.pem domus
[...]
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=EXTERNAL SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
C: A01 AUTHENTICATE EXTERNAL =C:
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256
----------------------------8< cut here >8------------------------------
Here's the config; I know that keytab's not actually used with GSSAPI,
but I leave it in as harmless -- I set $KRB5_KTNAME in the rc startup
config, which works with Heimdal:
----------------------------8< cut here >8------------------------------
configdirectory: /home/imap/configs
partition-default: /home/imap/mail
sievedir: /home/imap/configs/sieve
tls_cert_file: /etc/cyrusimapd/domus-imapserver.crt.pem
tls_key_file: /etc/cyrusimapd/domus-imapserver.key.pem
tls_ca_path: /etc/ssl/certs/
tls_ca_file: /usr/share/ca-certificates/globnix/globnixCA.pem
tls_cipher_list: ALL:!ADH:!EXP:+HIGH:+MEDIUM:!SSLv2:@STRENGTH
admins: cyrus xxx-admin xxx/admin xxx/admin at REALM.TLD
umask: 027
hashimapspool: yes
allowanonymouslogin: no
allowplaintext: no
mboxlist_db: skiplist
seenstate_db: flat
unixhierarchysep: yes
sasl_minimum_layer: 0
sasl_mech_list: external gssapi digest-md5 cram-md5
keytab: /etc/kerberos/tabs/imapd.keytab
altnamespace: yes
userprefix: Other Users
sharedprefix: Shared Folders
----------------------------8< cut here >8------------------------------
cyrus.conf SERVICES lines for IMAP are:
imap cmd="imapd" listen="imap2" prefork=0
imaps cmd="imapd -s" listen="imaps" prefork=2
# value 71 chosen to match that used by LDAP, in LDAP_PVT_SASL_LOCAL_SSF
imapi cmd="imapd -p 71" listen="/var/run/imapd.sock" prefork=0 maxchild=32
Thank you for any help which you can provide,
--
"Everything has three factors: politics, money, and the right way to do it.
In that order." -- Gary Donahue
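The two failing exchanges above (authzid equal to the cert identity succeeds, a different authzid fails with "is not allowed to proxy") are the standard SASL rule: EXTERNAL takes the authenticated identity from the TLS client certificate, and a client-supplied authorization identity that differs from it is a proxy request, which is only honoured if the authenticated user has proxy rights. The "=" in the imtest trace is how SASL-IR (RFC 4959) encodes a zero-length initial response, i.e. "no authzid, use the certificate identity". The following is an added example, not code from the post or from Cyrus, that builds and decodes the AUTHENTICATE EXTERNAL line both with and without SASL-IR and models the authorization decision; the capability line is constructed from the one in the post, and the `proxy_allowed` set is a stand-in for whatever Cyrus consults for proxy rights, not its real configuration.

```python
"""
Client-side IMAP AUTHENTICATE EXTERNAL with SASL-IR (RFC 4959, RFC 4422 App. A)
and the authorization step that produces "is not allowed to proxy".
Added example; not the post's code and not Cyrus's implementation.
"""
import base64

# Constructed from the post's CAPABILITY response (trimmed).
CAPABILITY_LINE = (
    "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID "
    "AUTH=GSSAPI AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=EXTERNAL SASL-IR LISTEXT"
)


def parse_capabilities(line):
    """Return (set of advertised SASL mechanisms, SASL-IR supported?)."""
    tokens = line.split()
    if tokens[:2] != ["*", "CAPABILITY"]:
        raise ValueError("not an untagged CAPABILITY response")
    mechs = {t[len("AUTH="):].upper() for t in tokens if t.startswith("AUTH=")}
    return mechs, "SASL-IR" in tokens


def external_initial_response(authzid):
    """
    EXTERNAL's single client message is the authorization identity, or the
    empty string meaning "use the identity the TLS client cert already proved".
    Under SASL-IR an empty initial response must be sent as a lone "=",
    since an empty base64 string is indistinguishable from no response.
    """
    if not authzid:
        return "="
    return base64.b64encode(authzid.encode("utf-8")).decode("ascii")


def build_authenticate(tag, mechs, sasl_ir, authzid=None):
    """Lines the client sends for AUTHENTICATE EXTERNAL (with or without SASL-IR)."""
    if "EXTERNAL" not in mechs:
        raise ValueError("server does not advertise AUTH=EXTERNAL")
    ir = external_initial_response(authzid)
    if sasl_ir:
        return [f"{tag} AUTHENTICATE EXTERNAL {ir}"]
    # Without SASL-IR the server first sends a "+ " continuation and the
    # client answers with the (possibly empty) base64 response on its own line.
    return [f"{tag} AUTHENTICATE EXTERNAL", "" if ir == "=" else ir]


def decode_initial_response(token):
    """Inverse of external_initial_response, for reading a client line in a trace."""
    if token == "=":
        return ""
    return base64.b64decode(token).decode("utf-8")


def authorize(authcid, authzid, proxy_allowed=frozenset()):
    """
    The SASL authorization step. authcid is the identity proven by the cert
    (the post's logs show the CN arriving lowercased, so lowercase here too);
    authzid is what the client asked to act as. Acting as someone else is a
    proxy request and needs proxy rights. Returns (ok, effective_user, reason).
    """
    authcid = authcid.lower()
    effective = authzid.lower() if authzid else authcid
    if effective == authcid:
        return True, effective, "User logged in"
    if authcid in proxy_allowed:
        return True, effective, f"{authcid} proxying as {effective}"
    return False, None, f"user {authcid} is not allowed to proxy"


if __name__ == "__main__":
    mechs, sasl_ir = parse_capabilities(CAPABILITY_LINE)
    for authzid in (None, "censored"):
        for line in build_authenticate("a4", mechs, sasl_ir, authzid):
            print("C:", line)
        print("   ->", authorize("Phil Pennock", authzid)[2])
```

The mapping the post is after (cert identity to a regular Cyrus user) is exactly the `authcid == effective` branch: if the certificate's identity already canonicalizes to the mailbox owner's name, no authzid and no proxy rights are needed; sending a different authzid turns the login into a proxy request.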