testing sasl login
brian
cyrus-list at logi.ca
Sun Mar 25 17:59:10 EDT 2012
I'm having some trouble authenticating. I think it may involve the realm
but can't say for sure.
$ /usr/sbin/saslauthd -v
saslauthd 2.1.24
authentication mechanisms: sasldb getpwent kerberos5 pam rimap shadow ldap
/etc/group:
sasl:x:45:cyrus,postfix
$ ls -l /etc/sasldb2
-rw-rw---- 1 root sasl 12288 2012-03-25 15:34 /etc/sasldb2
$ grep -v '^#' /etc/default/saslauthd
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="sasldb"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/run/saslauthd"
/etc/imapd.conf:
admins: cyrus
allowanonymouslogin: no
allowplaintext: yes
sasl_mech_list: PLAIN LOGIN
loginrealms: DOMAIN.org
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
sasl_auto_transition: no
$ cat /etc/postfix/sasl/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN
$ sudo saslpasswd2 -c test@DOMAIN.org
[The password is "test" so I'm pretty sure the problem isn't there.]
$ sudo sasldblistusers2
cyrus@demeter: userPassword
test@DOMAIN.org: userPassword
$ sudo testsaslauthd -u test@DOMAIN.org -p test
0: NO "authentication failed"
/var/log/auth.log:
demeter saslauthd[9701]: do_auth : auth failure:
[user=test@DOMAIN.org] [service=imap] [realm=] [mech=sasldb]
[reason=Unknown]
I see that realm is empty. I'm unsure about how that works. I didn't
include one when setting the password, although I don't believe I've
ever done so before. As I understand it, by passing the @DOMAIN.org when
creating the password, that part will be used as the realm, and the same
when authenticating. And if I don't include @DOMAIN.org when
authenticating, the hostname will be used (which I don't want).
$ postconf -h myhostname
demeter.DOMAIN.org
But this works:
$ sudo testsaslauthd -u test -p test -r DOMAIN.org
0: OK "Success."
Alright, it's looking more promising.
$ echo -ne '\0test@DOMAIN.org\0test' | openssl enc -base64
AHRlc3RAYWZ2Ym0ub3JnAHRlc3Q=
$ telnet localhost 25
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 demeter.DOMAIN.org ESMTP Postfix
EHLO localhost
250-demeter.DOMAIN.org
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN AHRlc3RAYWZ2Ym0ub3JnAHRlc3Q=
535 5.7.8 Error: authentication failed: authentication failure
I've also tried it with the output of all of these:
echo -ne 'test@DOMAIN.org\0test@DOMAIN.org\0test' | openssl enc -base64
echo -ne '\0test\0test' | openssl enc -base64
perl -MMIME::Base64 -e 'print encode_base64("test@DOMAIN.org\0test@DOMAIN.org\0test");'
perl -MMIME::Base64 -e 'print encode_base64("test\0test\0test");'
I'm thoroughly confused as to whether the domain should be appended
here. I always have done in the past. The saslauthd startup options include:
-r Combine the realm with the login before passing to authentication
mechanism
Ex. login: "foo" realm: "bar" will get passed as login: "foo@bar"
The realm name is passed untouched.
So, if I include the -r and restart the service:
$ sudo testsaslauthd -u test -p test -r DOMAIN.org
0: NO "authentication failed"
$ sudo testsaslauthd -u test -p test at DOMAIN.org -r DOMAIN.org
0: NO "authentication failed"
$ sudo testsaslauthd -u test -p test at DOMAIN.org
0: NO "authentication failed"
OK, so I removed -r and testsaslauthd works again. But what else should
I be looking for to figure out how to do auth through postfix?
BTW, before I thought to use testsaslauthd first (which makes clear the
mech used), I changed /etc/default/saslauthd to:
OPTIONS="-c -m /var/run/saslauthd -a sasldb"
But it failed to start up, even though it lists one of the available
mechanisms for the -a flag as "sasldb".
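As an added example, not code from the original post nor from Cyrus SASL or Postfix, the following Python script does what the echo/openssl pipeline in the post does by hand: it builds the AUTH PLAIN initial response ([authzid] NUL authcid NUL password, RFC 4616), decodes a blob back into its three fields so you can confirm what was actually sent, and splits a login at the last '@' into user and realm, which is the user@realm convention that `saslpasswd2`, `testsaslauthd -r` and the log's `[realm=]` field revolve around. The rule that a login without '@' falls back to a default realm such as the hostname is taken from the post's own description, not verified against the saslauthd source, and the function names are this example's own.

```python
"""Build and inspect SASL PLAIN credentials as used by SMTP AUTH PLAIN.

Added example, not from the original post.  Assumes the Cyrus SASL
convention that a login of the form user@realm is split at the last '@'.
"""
import base64

NUL = "\0"


def plain_initial_response(authcid, password, authzid=""):
    """Return the base64 initial response for AUTH PLAIN.

    Wire format (RFC 4616): [authzid] NUL authcid NUL passwd.  The
    authorization identity is normally left empty, which is why the
    shell pipeline in the post starts with a leading '\\0'.
    """
    for field in (authzid, authcid, password):
        if NUL in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    raw = (authzid + NUL + authcid + NUL + password).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(b64):
    """Decode an AUTH PLAIN blob into (authzid, authcid, password).

    Rejects anything that is not exactly three NUL-separated fields, which
    catches a missing leading NUL or a stray trailing newline from echo.
    """
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    parts = raw.split(NUL)
    if len(parts) != 3:
        raise ValueError("expected 3 NUL-separated fields, got %d" % len(parts))
    return parts[0], parts[1], parts[2]


def split_login(login, default_realm=""):
    """Split 'user@realm' into (user, realm) at the last '@'.

    With no '@' the caller-supplied default realm is used; the post says
    saslauthd falls back to the hostname here (assumption, from the post).
    """
    user, sep, realm = login.rpartition("@")
    if not sep:
        return login, default_realm
    return user, realm


def smtp_auth_line(authcid, password):
    """The exact line to type after EHLO, e.g. 'AUTH PLAIN AHRlc3QA...'."""
    return "AUTH PLAIN " + plain_initial_response(authcid, password)


if __name__ == "__main__":
    # Constructed sample credentials matching the post's test account.
    line = smtp_auth_line("test@DOMAIN.org", "test")
    print(line)
    authzid, authcid, password = decode_plain(line.split()[2])
    print("authzid=%r authcid=%r password=%r" % (authzid, authcid, password))
    print("user/realm:", split_login(authcid, default_realm="demeter.DOMAIN.org"))
    print("user/realm:", split_login("test", default_realm="demeter.DOMAIN.org"))
```

Paste the printed `AUTH PLAIN ...` line into the telnet session exactly as shown; running `decode_plain` on a blob you generated in the shell is the quickest way to spot a lost leading NUL or an `echo` that appended a newline.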