imapd + sasl + ldapdb problems
Peter Erickson
redlamb19 at gmail.com
Wed Feb 5 12:15:50 EST 2014
Dan, thanks for the response.
On Wed, Feb 05, 2014 at 09:35:49AM -0600, Dan White wrote:
> On 02/04/14?20:15?-0600, Peter Erickson wrote:
> >In hopes of requiring users login using their email address I set
> >sasl_ldapdb_canon_attr, however that resulted in the following syslog
> >messages (These same messages occur if comment out the canonuser_attr
> >options in imapd.conf as well):
> >imtest: ldapdb_canonuser_plug_init() failed in
> >sasl_canonuser_add_plugin(): invalid parameter supplied
> >imap[16385]: SQL engine 'mysql' not supported
> >imap[16385]: auxpropfunc error no mechanism available
> >imap[16385]: unable to canonify user and get auxprops
> >imap[16385]: badlogin: localhost [127.0.0.1] DIGEST-MD5 [SASL(-1):
> >generic failure: unable to canonify user and get auxprops]
>
> You'll need to have a Cyrus SASL version > 2.1.23 installed for the ldapdb
> canonuser functionality, or you'll need to patch your existing version.
I am currently working with Cyrus SASL 2.1.26 and Cyrus imap 2.4.17
installed on FreeBSD 9-STABLE.
> Check that you have a properly installed cyrus sasl with:
>
> ~$ cat > /tmp/pluginviewer.conf << EOF
> > ldapdb_uri: ldapi:///
> > sql_select: select please_work from the_ether
> > EOF
> ~$ SASL_CONF_PATH=/tmp /usr/sbin/saslpluginviewer -a
> Installed and properly configured auxprop mechanisms are:
> ldapdb sql sasldb
> List of auxprop plugins follows
> Plugin "ldapdb" , API version: 8
> supports store: yes
>
> Plugin "sql" , API version: 8
> supports store: yes
>
> Plugin "sasldb" , API version: 8
> supports store: yes
# pluginviewer -a
Installed and properly configured auxprop mechanisms are:
ldapdb sasldb
List of auxprop plugins follows
Plugin "ldapdb" , API version: 8
supports store: yes
Plugin "sasldb" , API version: 8
supports store: yes
> ~$ SASL_CONF_PATH=/tmp /usr/sbin/saslpluginviewer -s | grep -i 'cram-md5\|digest-md5'
> GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS
> GSSAPI DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS
> SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
> SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
# pluginviewer -s | grep -i 'cram-md5\|digest-md5'
SCRAM-SHA-1 DIGEST-MD5 EXTERNAL OTP CRAM-MD5 NTLM LOGIN PLAIN ANONYMOUS
SCRAM-SHA-1 DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN ANONYMOUS
SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
> ~$ strings /usr/lib/x86_64-linux-gnu/sasl2/libldapdb.so.2 | grep canon
> ldapdb_canonuser_plug_init
> sasl_canonuser_init
> ldapdb_canon_attr
# strings /usr/local/lib/sasl2/libldapdb.so.3 | grep canon
ldapdb_canonuser_plug_init
sasl_canonuser_init
ldapdb_canon_attr
> >imapd.conf:
> >configdirectory: /var/cyrus/config
> >partition-default: /var/cyrus/spool
> >admin: cyrusadmin
> >sasl_pwcheck_method: auxprop
> >sasl_auxprop_plugin: ldapdb
> >sasl_ldapdb_uri: ldaps://localhost
> >sasl_ldapdb_id: imapd-user
> >sasl_ldapdb_pw: password
> >sasl_canon_user_plugin: ldapdb
> >sasl_ldapdb_canon_attr: mail
> >sasl_mech_list: cram-md5 digest-md5
> >virtdomains: userid
> >defaultdomain: example.com
>
> Consider that the certificate returned by ldaps://localhost may fail,
> unless the certificate used by localhost is named 'localhost', or is
> otherwise trusted. ldapi:/// may be a better option.
The ldap server is actually on a different system and works properly
with and without the SSL/TLS connection. I just replaced the actual
server with localhost to mask the real host.
> Other than that, your config looks reasonable. Include an 'ldapdb_mech'
> option to reduce confusion. sasl_ldapdb_canon_attr may need to be 'uid'
> instead, since example.com is the default domain. This command should
> succeed, and return the DN of the test user if your config is good:
Just to make sure that I'm understanding the options right, is there a
good explanation for what sasl_ldapdb_canon_attr does? I'm not quite
sure that I understand its purpose.
Based on the following, its possible that my problem isn't with cyrus
imapd/sasl, but a misunderstanding of the ldap proxy authorization
process and I need to recheck my ldap config. I'm more accustomed to
using ldap filters and a base instead of the proxy authorization.
# ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tuser -Z
SASL/DIGEST-MD5 authentication started
SASL username: u:tuser
SASL SSF: 128
SASL data security layer installed.
dn:cn=test user,o=hosted_domain,ou=hosting,dc=example.com
# ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tuser at example.com -Z
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Insufficient access (50)
additional info: SASL(-14): authorization failure: not authorized
> >example ldap entry:
> >dn: cn=test user,o=hosted_domain,ou=hosting,dc=example.com
> >objectclass: top
> >objectclass: inetOrgPerson
> >objectclass: authorizedServiceObject
> >cn: test user
> >sn: user
> >uid: tuser
> >mail: tuser at example.com
> >userPassword: password
> >authorizedService: mail
> >authorizedService: svn
>
> --
> Dan White
--
Peter Erickson
More information about the Info-cyrus
mailing list