Mapping users (either KerberosV or TLS certs)

Phil Pennock info-cyrus-spodhuis at spodhuis.org
Thu Jan 24 19:54:29 EST 2008


On 2006-07-06 at 02:02 +0200, Phil Pennock wrote:
> [My config's at the bottom; Cyrus IMAP 2.2.12; censored email addresses
>  and look-alikes purely against harvesters; timestamps and '[imapd]'
>  trimmed from loglines]

Following up for the archives, to provide answers.  Am currently using
Cyrus IMAP 2.3.11.

> I've two questions relating to mapping userids.  I've read
> documentation, searched the wiki, googled, and tried this at various
> times over the space of a few days, so it's probably not a temporary
> local blindness issue.  ;^)  The first issue relates to Kerberos and the
> second to TLS+EXTERNAL with client certs.
> 
> Kerberos:
>  From: Lars Kellogg-Stedman <lars at oddbit.com>
>  Subject: Authenticating (with cyradm) using an alternate Kerberos instance?
>  Date: Sun, 6 Nov 2005 23:23:27 -0500
>  Message-ID: <c27faacf0511062023yb8a9fdai432a6115a82b518f at mail.gmail.com>
> 
> Nobody answered Lars then and I'm seeing the same issue; on the
> off-chance that I'm hitting a lighter spot in your schedules: can anyone
> please explain how to configure Cyrus so that a KerberosV /admin
> principal can be treated as a Cyrus admin user?  I've tried inserting
> various entries into sasldb to back this up, putting things into
> /etc/krb5.equiv as well as various values for "admins:" and I'm stumped.
> Help!  Please?
>  badlogin: domus.home.globnix.net [192.168.1.101] GSSAPI [SASL(-13): authentication failure: bad userid authenticated]

Answer: It's necessary to use "auth_mech: krb5".

When using "auth_mech: unix", Cyrus automagically stripped off the
realm, so things appear to work normally.  When I switched my client to
use SPNEGO to negotiate krb5, instead of using krb5, I found that the
realm wasn't getting stripped off, even though the actual authentication
worked fine, so I was left with no access.

I talked with someone who used to work on this Cyrus code and he pointed
me at changing "auth_mech".  By changing the authorization mechanism to
"krb5", suddenly not only did SPNEGO work but my /admin principals could
request authorization as another user and have this actually work.

It's only confusing because things "almost work" with the default "unix"
setting which does some much more limited canonicalization.

Since the original post I've also set loginrealms and defaultdomain and
I haven't played around to see how those do or don't affect this issue.

> Trying to get TLS with client certificates and SASL EXTERNAL working, I
> find that when connecting to IMAPS on port 993, the client cert is
> ignored:
>   starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
> When connecting on 143 and using STARTTLS, the client cert is not
> ignored; anyone know why this might be?  When the client cert is used,
> then I can get EXTERNAL offered and used, but I can't see how to
> persuade Cyrus to map this to a regular user.  Is this where I need to
> be using ptloader and LDAP?  If so, does anyone have sample configs and
> LDIF entries for how they manage this, please?
> 
> Common:
>  subject=/C=NL/.../CN=Phil Pennock/emailAddress=censored at domain.tld
>  starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) authenticated as Phil Pennock
> 
> Supplying the same usercode as exists in emailAddress:
>  badlogin: domus.home.globnix.net [192.168.1.101] EXTERNAL [SASL(-13): authentication failure: user phil pennock is not allowed to proxy]
> 
> Supplying no authz:
>  login: domus.home.globnix.net [192.168.1.101] phil pennock EXTERNAL+TLS User logged in

Some time ago, I worked around this by using "loginuseacl" and granting
admin rights on my inbox to the CN field ("Phil Pennock") from the TLS
client certificate.

Doesn't scale as a generic "here's how to make them work for everyone",
but for an individual or just a couple of users, it works great.

-Phil
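As an added illustration (not the configuration from the original post), the two answers above put together in an imapd.conf fragment; the realm EXAMPLE.ORG, the certificate paths and the user name "phil" are assumed values:

```conf
# /etc/imapd.conf (added illustration; realm, paths and user are assumed)

# Default mechanism: GSSAPI authentication itself succeeds, but the
# authenticated name keeps its realm, e.g. "phil/admin@EXAMPLE.ORG",
# so it matches nothing in "admins:" and proxy authorization is refused.
#auth_mech: unix

# Canonicalize identities with Kerberos rules instead: principals in the
# default realm are reduced to "user" or "user/instance".
auth_mech: krb5

# Admin principals, written as they look after canonicalization
# (assumed default realm EXAMPLE.ORG, so the realm is omitted).
admins: cyrus phil/admin

# TLS for STARTTLS on 143 and IMAPS on 993; tls_ca_file holds the CA
# that issued the client certificates presented for SASL EXTERNAL.
tls_cert_file: /etc/ssl/cyrus/server.pem
tls_key_file: /etc/ssl/cyrus/server.key
tls_ca_file: /etc/ssl/cyrus/client-ca.pem

# Per-user mapping for certificate identities: SASL EXTERNAL reports the
# certificate CN ("Phil Pennock"); with loginuseacl that identity may
# log in as any user whose INBOX ACL grants it the 'a' (admin) right.
loginuseacl: yes
# The right is granted per user from cyradm, e.g.
#   setaclmailbox user.phil "Phil Pennock" a
```

As the post says, the ACL route maps one certificate to one mailbox at a time, so it suits a handful of users rather than a site-wide policy.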

