saslauthd and multiple dc levels

Gabriele Bulfon gbulfon at sonicle.com
Tue Dec 30 04:52:37 EST 2014


Hi, I'm trying to follow your suggestion.
So, first I changed the OpenLDAP configuration with "sasl-secprops none" to also have plain auth enabled.
Running pluginviewer to see the plugins:
Sonicle XStream Server (XStreamOS/illumos) SunOS 5.11 xs_153 Apr 2014
sonicle@www:~$ pluginviewer -m PLAIN
Installed and properly configured auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" ,       API version: 8
supports store: yes
Installed and properly configured SASL (server side) mechanisms are:
SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL OTP CRAM-MD5 PLAIN ANONYMOUS
Available SASL (server side) mechanisms matching your criteria are:
PLAIN
List of server plugins follows
Plugin "plain" [loaded],        API version: 4
SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Installed and properly configured SASL (client side) mechanisms are:
SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL OTP CRAM-MD5 PLAIN ANONYMOUS
Available SASL (client side) mechanisms matching your criteria are:
SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL OTP CRAM-MD5 PLAIN ANONYMOUS
List of client plugins follows
Plugin "plain" [loaded],        API version: 4
SASL mechanism: PLAIN, best SSF: 0
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Now running a search of SASL mechs:
sonicle@www:~$ ldapsearch -xLLLH 'ldap://localhost/' -s base -b '' 'supportedSASLMechanisms'
dn:
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: OTP
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS
Now, try plain auth, doing a search of an existing user:
sonicle@www:~$ ldapsearch -Y PLAIN -U test.user@sonicle.com -H ldap://localhost -W
Enter LDAP Password:
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available: No worthy mechs found
Can't find a reason for ldapsearch not finding the plain mech.
Also, slapd has been built with SASL:
sonicle@www:~$ ldd /sonicle/libexec/slapd
libdb-4.8.so =>     /sonicle/lib/libdb-4.8.so
libpthread.so.1 =>  /lib/libpthread.so.1
libsasl2.so.2 =>    /sonicle/lib/libsasl2.so.2
libdl.so.1 =>       /lib/libdl.so.1
libssl.so.0.9.8 =>  /lib/libssl.so.0.9.8
libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8
libresolv.so.2 =>   /lib/libresolv.so.2
libgen.so.1 =>      /lib/libgen.so.1
libnsl.so.1 =>      /lib/libnsl.so.1
libsocket.so.1 =>   /lib/libsocket.so.1
libc.so.1 =>        /lib/libc.so.1
libgcc_s.so.1 =>    /usr/sfw/lib/libgcc_s.so.1
libmd.so.1 =>       /lib/libmd.so.1
libmp.so.2 =>       /lib/libmp.so.2
libm.so.2 =>        /lib/libm.so.2
Any clue? Or...any simpler way to let saslauthd do multiple search base takes?...or maybe let it choose the correct search base
depending on the number of dc arguments determined?
Thanks for your help!
Gabriele.
----------------------------------------------------------------------------------
From: Dan White
To: Willy Offermans
Cc: Gabriele Bulfon
Raffaele Fullone
info-cyrus at lists.andrew.cmu.edu
Date: 23 December 2014 16:52:46 CET
Subject: Re: saslauthd and multiple dc levels
On 12/23/14 16:07 +0100, Willy Offermans wrote:
Hello Dan,
On Tue, Dec 23, 2014 at 08:50:07AM -0600, Dan White wrote:
On 12/23/14 15:22 +0100, Gabriele Bulfon wrote:
How can I let saslauthd support both configurations?
Is the server OpenLDAP? If so, using olcAuthzRegexp would be a far more
flexible way to handle this scenario. Within saslauthd's ldap config, use
'ldap_use_sasl' without specifying a search filter or base.
Within slapd, your regex rules could perform a subtree search, or a simple
string replacement for each domain. See
http://www.openldap.org/doc/admin24/sasl.html and slapd-config(5).
I don't understand how this works.
ldap_use_sasl in saslauthd.conf tells saslauthd to contact OpenLDAP server
via sasl protocol directly. Is this correct?
Correct. The ldap backend to saslauthd itself performs sasl authentication.
And what happens then? How do saslauthd and slapd communicate and how is
authentication performed?
The communication between Cyrus IMAP and saslauthd would not change. imapd
would still communicate with saslauthd in the same manner, by submitting a
username and password via the saslauthd mux.
The ldap backend to saslauthd can be configured to perform SASL over LDAP
authentication to slapd (not to be confused with SASL over IMAP
authentication). slapd would simply return a successful bind code back to
the saslauthd backend, which in turn would respond with an 'OK' to cyrus
IMAP.
Using SASL within the LDAP saslauthd backend is a much simpler
configuration. i.e.:
ldap_servers: ldap://ldap.example.com
ldap_use_sasl: yes
ldap_mech: PLAIN
(This may require you to configure olcSaslSecProps)
The '-r' option to saslauthd may be necessary, if you're not already using
it.
Use ldapwhoami to test your slapd config:
ldapsearch -Y PLAIN -U jsmith@example.com -H ldap://ldap.example.com \
-W
And if that works, verify your saslauthd configuration with:
testsaslauthd -u jsmith@example.com -p password
--
Dan White
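The olcAuthzRegexp approach Dan describes, worked through for the two-level and three-level dc layouts this thread is about, as an added example that is not code from the thread or from OpenLDAP. It assumes a DIT where accounts for a two-label mail domain sit under dc=<label1>,dc=<label2> and accounts for a three-label domain under dc=<label1>,dc=<label2>,dc=<label3>, and that slapd presents a PLAIN identity to the rules as uid=<authcid>,cn=plain,cn=auth with the domain still inside the authcid (as with ldapsearch -U user@domain and no -R); the sample identities test.user@sonicle.com and jsmith@mail.example.com are constructed. The rule matching is re-implemented here with Python's re module so the behaviour can be seen offline; slapd itself matches with POSIX extended regular expressions, so the patterns stick to syntax both engines share.

```python
import re

# Added example, not OpenLDAP code. Each entry is one olcAuthzRegexp value:
# "<POSIX ERE pattern> <replacement>", separated by whitespace. slapd tries the
# rules in order and uses the first one that matches. The DIT layout assumed:
# two-label domains under dc=<l1>,dc=<l2>, three-label domains under
# dc=<l1>,dc=<l2>,dc=<l3>. The optional (cn=...,) group absorbs a realm
# component if the mechanism supplied one; cn=[^,]+ matches the mechanism name.
OLC_AUTHZ_REGEXP = [
    # {0}: two DC levels: user@l1.l2 -> subtree search under dc=l1,dc=l2
    r"^uid=([^,@]+)@([^,.]+)\.([^,.]+),(cn=[^,]+,)?cn=[^,]+,cn=auth$ "
    r"ldap:///dc=$2,dc=$3??sub?(uid=$1)",
    # {1}: three DC levels: user@l1.l2.l3 -> dc=l1,dc=l2,dc=l3
    r"^uid=([^,@]+)@([^,.]+)\.([^,.]+)\.([^,.]+),(cn=[^,]+,)?cn=[^,]+,cn=auth$ "
    r"ldap:///dc=$2,dc=$3,dc=$4??sub?(uid=$1)",
]


def sasl_dn(authcid, mech="PLAIN", realm=None):
    """Build the pseudo-DN slapd derives from a SASL identity before the
    authz-regexp rules run: uid=<authcid>[,cn=<realm>],cn=<mech>,cn=auth.
    Assumption: with ldapsearch -U user@domain and no -R, the domain stays
    inside the authcid and no separate realm component is present."""
    parts = ["uid=" + authcid]
    if realm:
        parts.append("cn=" + realm)
    parts += ["cn=" + mech.lower(), "cn=auth"]
    return ",".join(parts)


def map_identity(pseudo_dn, rules=OLC_AUTHZ_REGEXP):
    """Apply the rules the way slapd does: first match wins, and $N in the
    replacement is filled from capture group N. Returns the search URI slapd
    would run, or None when no rule matches (slapd then keeps the
    uid=...,cn=auth pseudo-DN, which names no real entry)."""
    for rule in rules:
        pattern, replacement = rule.split(None, 1)
        m = re.search(pattern, pseudo_dn)
        if not m:
            continue
        out = replacement
        for i in range(len(m.groups()), 0, -1):   # $10 before $1
            out = out.replace("$%d" % i, m.group(i) or "")
        return out
    return None


def search_target(uri):
    """Split ldap:///<base>?<attrs>?<scope>?<filter> into the pieces slapd
    turns into its internal search. dc_levels is the number of dc= RDNs in
    the base, i.e. the 'dc level' the thread is asking about."""
    rest = uri[len("ldap:///"):]
    base, _attrs, scope, flt = (rest.split("?", 3) + ["", "", ""])[:4]
    return {
        "base": base,
        "scope": scope or "base",
        "filter": flt,
        "dc_levels": sum(1 for rdn in base.split(",") if rdn.startswith("dc=")),
    }


def config_ldif(rules=OLC_AUTHZ_REGEXP):
    """Render the rules as the cn=config change that installs them, e.g.
    ldapmodify -Y EXTERNAL -H ldapi:/// -f authz.ldif on a typical setup."""
    lines = ["dn: cn=config", "changetype: modify", "add: olcAuthzRegexp"]
    lines += ["olcAuthzRegexp: {%d}%s" % (i, r) for i, r in enumerate(rules)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for authcid in ("test.user@sonicle.com", "jsmith@mail.example.com", "nodomain"):
        dn = sasl_dn(authcid)
        target = map_identity(dn)
        print(dn, "->", target)
        if target:
            print("    ", search_target(target))
    print(config_ldif())
```

Two caveats for anyone reproducing the thread's setup. First, the "No worthy mechs found" (SASL(-4)) error from ldapsearch is raised by the client library before any bind reaches slapd: libldap's default SASL security properties exclude plaintext mechanisms on a connection that has no security layer, so PLAIN is only offered over TLS or after relaxing them (-O none on the command line, or SASL_SECPROPS in ldap.conf); the server-side sasl-secprops setting only affects what slapd advertises. Second, a PLAIN bind to slapd has the password verified through Cyrus SASL's auxprop path; the pluginviewer output above lists only sasldb, so unless olcSaslAuxprops: slapd is set (which lets slapd check userPassword of the entry the rule mapped to), the password is looked up in sasldb rather than in the directory. With the rules installed, the saslauthd side is the three lines Dan gives (ldap_servers, ldap_use_sasl: yes, ldap_mech: PLAIN), and testsaslauthd -u user@domain -p password exercises the whole chain.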