imapd + sasl + ldapdb problems

Dan White dwhite at olp.net
Wed Feb 5 10:35:49 EST 2014 

On 02/04/14 20:15 -0600, Peter Erickson wrote:
>I'm trying to configure imapd to authenticate against an ldap
>directory using ldapdb and am running into problems. I provide hosting
>services (i.e. ftp, svn, mail, etc) for several people where user
>account information is stored in an openldap directory. In addition to
>having a username/password, each user also has a primary email account
>and a list of services that they are authorized to use. I've got
>authentication working using the a user's uid, but I need to change
>this so that users are only allowed access using their email address.
>I believe I need this to happen as well since I'm using the Cyrus'
>virtdomains option. Once that is done, I'll attempt to restrict access
>based on the existence of the proper "authorizedService" attribute.
>
>In hopes of requiring users login using their email address I set
>sasl_ldapdb_canon_attr, however that resulted in the following syslog
>messages (These same messages occur if comment out the canonuser_attr
>options in imapd.conf as well):
>imtest: ldapdb_canonuser_plug_init() failed in
>sasl_canonuser_add_plugin(): invalid parameter supplied
>imap[16385]: SQL engine 'mysql' not supported
>imap[16385]: auxpropfunc error no mechanism available
>imap[16385]: unable to canonify user and get auxprops
>imap[16385]: badlogin: localhost [127.0.0.1] DIGEST-MD5 [SASL(-1):
>generic failure: unable to canonify user and get auxprops]

You'll need to have a Cyrus SASL version > 2.1.23 installed for the ldapdb
canonuser functionality, or you'll need to patch your existing version.

Check that you have a properly installed cyrus sasl with:

~$ cat > /tmp/pluginviewer.conf << EOF
> ldapdb_uri: ldapi:///
> sql_select: select please_work from the_ether
> EOF
~$ SASL_CONF_PATH=/tmp /usr/sbin/saslpluginviewer -a
Installed and properly configured auxprop mechanisms are:
ldapdb sql sasldb
List of auxprop plugins follows
Plugin "ldapdb" ,       API version: 8
         supports store: yes

Plugin "sql" ,  API version: 8
         supports store: yes

Plugin "sasldb" ,       API version: 8
         supports store: yes

~$ SASL_CONF_PATH=/tmp /usr/sbin/saslpluginviewer -s | grep -i 'cram-md5\|digest-md5'
   GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS
   GSSAPI DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS
         SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
         SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no

~$ strings /usr/lib/x86_64-linux-gnu/sasl2/libldapdb.so.2 | grep canon
ldapdb_canonuser_plug_init
sasl_canonuser_init
ldapdb_canon_attr

rm /tmp/pluginviewer.conf

>I tracked down the ldapdb_canonuser_plug_init() error to
>ldapdb_config(). When the "ldapdb_uri" option is read, it apparently
>returns a null string reference which results in the SASL_BADPARAM
>being returned. Unfortunately, not fully understanding the SASL
>package, I'm not really sure where to go from here nor do I know if
>this will even solve my problem if it returns successfully.
>
>Any help in configuring this would be greatly appreciated.
>
>
>imapd.conf:
>configdirectory: /var/cyrus/config
>partition-default: /var/cyrus/spool
>admin: cyrusadmin
>sasl_pwcheck_method: auxprop
>sasl_auxprop_plugin: ldapdb
>sasl_ldapdb_uri: ldaps://localhost
>sasl_ldapdb_id: imapd-user
>sasl_ldapdb_pw: password
>sasl_canon_user_plugin: ldapdb
>sasl_ldapdb_canon_attr: mail
>sasl_mech_list: cram-md5 digest-md5
>virtdomains: userid
>defaultdomain: example.com

Consider that the certificate returned by ldaps://localhost may fail,
unless the certificate used by localhost is named 'localhost', or is
otherwise trusted. ldapi:/// may be a better option.

Other than that, your config looks reasonable. Include an 'ldapdb_mech'
option to reduce confusion. sasl_ldapdb_canon_attr may need to be 'uid'
instead, since example.com is the default domain. This command should
succeed, and return the DN of the test user if your config is good:

ldapwhoami -Y digest-md5 -H ldaps://localhost -U imapd-user -w password -X
u:tuser (or u:tuser at example.com? not sure)

>example ldap entry:
>dn: cn=test user,o=hosted_domain,ou=hosting,dc=example.com
>objectclass: top
>objectclass: inetOrgPerson
>objectclass: authorizedServiceObject
>cn: test user
>sn: user
>uid: tuser
>mail: tuser at example.com
>userPassword: password
>authorizedService: mail
>authorizedService: svn

-- 
Dan White

More information about the Info-cyrus mailing list