Cyrus murder auth issue

Forster, Gabriel Gabriel.Forster at searshc.com
Tue Jul 28 14:33:07 EDT 2015


On 07/28/15 16:37 +0000, Forster, Gabriel wrote:
>Hello,
>
>This was asked in the Kolab list, but they mentioned this list may be more appropriate:
>
>Trying to get Kolab 3.4 set up in a distributed environment. The last piece of the puzzle seems to be getting Cyrus configured correctly for a murder environment. Currently, only using one frontend and one backend.
>
>mupdatetest and testsaslauthd checks seem to work fine. But, when trying to create a user account using the command-line cyradm tools, from the backend, I'm getting the following error:
>
>
>cyradm -t "" -u kolab -w "${password}" ${cyrus_host}
>
>verify error:num=18:self signed certificate
>
>> cm user/kolab3test
>
>verify error:num=18:self signed certificate
>
>Invalid user at /usr/lib64/perl5/vendor_perl/Cyrus/IMAP/Admin.pm line 118
>
>cyradm: cannot authenticate to [redacted.fqdn.backend.server]
>
>
>and directly from the frontend:
>
>> cm user/kolab3test
>
>Password:
>
>IMAP Password:
>
>Invalid user at /usr/lib64/perl5/vendor_perl/Cyrus/IMAP/Admin.pm line 118
>
>cyradm: cannot authenticate to [redacted.fqdn.backend.server]
>
>
>/var/log/messages on the backend only shows "perl: No worthy mechs found"
>
>and /var/log/maillog says:
>
>imap[27001]: SASL bad userid authenticated
>
>imap[27001]: badlogin: [redacted.fqdn.frontend.server] [10.2.1.26] PLAIN [SASL(-13): authentication failure: bad userid authenticated]

Check your auth facility syslog (e.g. /var/log/auth.log) as well.

Verify your configuration with:

http://cyrusimap.org/docs/cyrus-imapd/2.5.4/install-murder.php

For further assistance, provide redacted copies of your /etc/imapd.conf,
/etc/cyrus.conf, and saslauthd.conf (if existing) files for both the
frontend and backend servers.

--
Dan White

___________________

Thanks for the response. Redacted versions of /etc/imapd.conf, /etc/saslauthd.conf and /etc/cyrus.conf for both frontend and backend servers are below.

BACKEND /etc/imapd.conf
configdirectory: /srv/imap/be/lib
# partition-default: /var/spool/imap
partition-default: /srv/imap/be/spool

# admins: kolab
admins: kolab
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
# sasl_pwcheck_method: saslauthd
sasl_pwcheck_method: saslauthd
# sasl_mech_list: PLAIN LOGIN
sasl_mech_list: PLAIN
# allowplaintext: no
allowplaintext: 1


 tls_server_cert: /var/imap/server.pem
 tls_server_key: /var/imap/server.pem
# tls_server_ca_file: /var/imap/server.pem
# tls_client_ca_file: /var/imap/server.pem

# uncomment this if you're operating in a DSCP environment (RFC-4594)
# qosmarking: af13
auth_mech: pts
pts_module: ldap

ldap_servers: {redacted}
ldap_sasl: 0

ldap_base: ou=people,o=intra,dc={redacted},dc={redacted}
ldap_bind_dn: uid={redacted},ou=People,o={redacted},dc={redacted},dc={redacted}
ldap_password: F@{redacted}
ldap_filter: {redacted}
ldap_user_attribute: uid
ldap_group_base: o=intra,dc={redacted},dc={redacted}
ldap_bind_dn: uid={redacted},ou=People,o=intra,dc={redacted},dc={redacted}
ldap_password: {redacted}
ldap_filter:{redacted}
ldap_user_attribute: uid
ldap_group_base: o=intra,dc={redacted},dc={redacted}
ldap_group_filter: (&(cn=%u)(objectclass=ldapsubentry)(objectclass=nsroledefinition))
ldap_group_scope: one
ldap_member_base: ou=People,o=intra,dc={redacted},dc={redacted}
ldap_member_method: attribute
ldap_member_attribute: nsrole
ldap_restart: 1
ldap_timeout: 10
ldap_time_limit: 10

# allowallsubscribe: 0
allowallsubscribe: 1
allowusermoves: 1
altnamespace: 1
hashimapspool: 1
unixhierarchysep: 1

annotation_definitions: /etc/imapd.annotations.conf
sieve_extensions: fileinto reject envelope body vacation imapflags notify include regex subaddress relational copy date index

anysievefolder: 1
fulldirhash: 0
sieveusehomedir: 0
# sieve_allowreferrals: 0
sieve_allowreferrals: 1

lmtp_downcase_rcpt: 1
lmtp_fuzzy_mailbox_match: 1
username_tolower: 1

deletedprefix: DELETED
delete_mode: delayed
expunge_mode: delayed

# This value not in Kolab 2
postuser: shared

# Only run a murder on the master site

# We run a discreet murder
mupdate_config: standard

# Mailbox master runs on the first frontend
mupdate_server: {redacted}
mupdate_port: 3905
mupdate_authname: {redacted}
mupdate_username: {redacted}
mupdate_password: {redacted}-

# proxyservers: murder
proxyservers: {redacted}
proxy_authname: {redacted}
proxy_password: {redacted}-

# virtdomains: userid
virtdomains: off

FRONTEND /etc/imapd.conf

configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: {redacted}
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail

sasl_pwcheck_method: saslauthd auxprop
sasl_auxprop_plugin: sasldb
sasl_mech_list: PLAIN
allowplaintext: 1

auth_mech: pts
pts_module: ldap



ldap_servers: ldap://{redacted}



ldap_sasl: 0
ldap_base: ou=people,o=intra,dc={redacted},dc={redacted}
ldap_scope: one
ldap_bind_dn: uid={redacted},ou=People,o=intra,dc={redacted},dc={redacted}
ldap_password: {redacted}
ldap_filter: {redacted}
ldap_user_attribute: uid
ldap_group_base: o=intra,dc={redacted},dc={redacted}
ldap_group_filter: (&(cn=%u)(objectclass=ldapsubentry)(objectclass=nsroledefinition))
ldap_group_scope: one
ldap_member_base: ou=People,o=intra,dc={redacted},dc={redacted}
ldap_member_method: attribute
ldap_member_attribute: nsrole
ldap_restart: 1
ldap_timeout: 10
ldap_time_limit: 10


 tls_server_cert: /var/imap/server.pem
 tls_server_key: /var/imap/server.pem
# tls_server_ca_file: /var/imap/server.pem
#tls_client_ca_file: /var/imap/server.pem


annotation_definitions: /etc/imapd.annotations.conf

allowallsubscribe: 1
allowusermoves: 1
altnamespace: 1
hashimapspool: 1
unixhierarchysep: 1

anysievefolder: 1
fulldirhash: 0
sieveusehomedir: 0
sieve_allowreferrals: 1

lmtp_downcase_rcpt: 1
lmtp_fuzzy_mailbox_match: 1
username_to_lower: 1
normalizeuid: 1
deletedprefix: DELETED
delete_mode: delayed
expunge_mode: delayed

# Only run a murder on the master site

# We run a discreet murder
mupdate_config: standard

# Mailbox master runs on the first frontend
mupdate_server: {redacted}
mupdate_port: 3905
mupdate_authname: {redacted}
mupdate_username: {redacted}
mupdate_password: {redacted}



defaultserver: {redacted}
serverlist: {redacted}


proxy_authname: {redacted}
proxy_password: {redacted}

virtdomains: off

BACKEND /etc/saslauthd.conf

ldap_servers: ldap://{redacted}


ldap_bind_dn: uid={redacted},ou=People,o=intra,dc={redacted},dc={redacted}
ldap_password: {redacted}

# Use the upper level search base or expel ou=Special Users when using
# ou=People; cyrus-admin would not be able to authenticate.
ldap_search_base: ou=People,o=intra,dc={redacted},dc={redacted}

# Note: Allows login with uid, but is not translated to mailbox name
# Enable once Cyrus IMAP 2.4 can do authn w/ uid and authz w/ mail
ldap_filter: ({redacted}

ldap_referrals: yes
result_attribute: uid

FRONTEND /etc/saslauthd.conf

ldap_servers: ldap://{redacted}


ldap_bind_dn: uid={redacted},ou=People,o=intra,dc={redacted},dc={redacted}
ldap_password: {redacted}

# Use the upper level search base or expel ou=Special Users when using
# ou=People; cyrus-admin would not be able to authenticate.
ldap_search_base: ou=People,o=intra,dc={redacted},dc={redacted}

# Note: Allows login with uid, but is not translated to mailbox name
# Enable once Cyrus IMAP 2.4 can do authn w/ uid and authz w/ mail
ldap_filter: ({redacted}

ldap_referrals: yes
result_attribute: uid

log_level: 6

BACKEND /etc/cyrus.conf


START {
    # do not delete this entry!
    recover     cmd="ctl_cyrusdb -r"

    # this is only necessary if using idled for IMAP IDLE
    idled               cmd="idled"
}

# UNIX sockets start with a slash and are put into /var/lib/imap/sockets
SERVICES {
    # add or remove based on preferences
    imap                cmd="imapd" listen="imap" prefork=5
    imaps               cmd="imapd -s" listen="imaps" prefork=1
    # pop3              cmd="pop3d" listen="pop3" prefork=3
    # pop3s             cmd="pop3d -s" listen="pop3s" prefork=1
    sieve               cmd="timsieved" listen="sieve" prefork=0

    ptloader    cmd="ptloader" listen="/var/lib/imap/ptclient/ptsock" prefork=0

    # these are only necessary if receiving/exporting usenet via NNTP
    #nntp               cmd="nntpd" listen="nntp" prefork=3
    #nntps              cmd="nntpd -s" listen="nntps" prefork=1

    # at least one LMTP is required for delivery
    #lmtp               cmd="lmtpd" listen="lmtp" prefork=0
    lmtpunix    cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1

    # this is only necessary if using notifications
    notify      cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
}

EVENTS {
    # this is required
    checkpoint  cmd="ctl_cyrusdb -c" period=30

    # this is only necessary if using duplicate delivery suppression,
    # Sieve or NNTP
    duplicateprune cmd="cyr_expire -E 3" at=0400

    # Expire data older than 69 days. Two full months of 31 days
    # each includes two full backup cycles, plus 1 week margin
    # because we run our full backups on the first sat/sun night
    # of each month.
    deleteprune cmd="cyr_expire -E 4 -D 69" at=0430
    expungeprune cmd="cyr_expire -E 4 -X 69" at=0445

    # this is only necessary if caching TLS sessions
    tlsprune    cmd="tls_prune" at=0400

    # Create search indexes regularly
    #squatter    cmd="squatter -s -i" at=0530
}

FRONTEND /etc/cyrus.conf

START {
    # do not delete this entry!
    recover     cmd="ctl_cyrusdb -r"

    # this is only necessary if using idled for IMAP IDLE
    idled       cmd="idled"
}

SERVICES {
    # The following lines enable the frontend server to proxy connections
    # to the appropriate backend server.
    #
    imap        cmd="proxyd"        listen="imap"                           prefork=5 maxchild=4096
    imaps       cmd="proxyd -s"     listen="imaps"                          prefork=5 maxchild=4096

    # The frontend servers need to communicate about where the backend servers
    # are, since they contain the mailboxes.
    #


    mupdate     cmd="mupdate -m"    listen=3905                             prefork=1



    ptloader    cmd="ptloader"      listen="/var/lib/imap/ptclient/ptsock"  prefork=0

    sievefilter cmd="timsieved"     listen=4190                             prefork=0
    sieve       cmd="timsieved"     listen=sieve                            prefork=0
}


EVENTS {
    # This is required
    checkpoint  cmd="ctl_cyrusdb -c" period=30

    # this is only necessary if caching TLS sessions
    tlsprune    cmd="tls_prune" at=0500
}






Gabriel Forster 

This message, including any attachments, is the property of Sears Holdings Corporation and/or one of its subsidiaries. It is confidential and may contain proprietary or legally privileged information. If you are not the intended recipient, please delete it without reading the contents. Thank you.
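Before reading two imapd.conf files side by side, it helps to have a script cross-check the handful of settings a murder proxy login actually depends on. The following is an added example, not code from this thread, from Kolab or from the Cyrus project. The two configs embedded in it are constructed from the redacted files above, with every {redacted} value replaced by a placeholder chosen here (the proxy user "murder" is taken from the commented-out "# proxyservers: murder" line and is an assumption). The invariants it checks come from imapd.conf(5): the identity the frontend presents in proxy_authname must be listed in the backend's proxyservers, PLAIN/LOGIN are only offered on a non-TLS connection when allowplaintext is on, and both sides must name the same mupdate_server. The "option spelled differently" check is a heuristic of this example, not something Cyrus does.

```python
"""Cross-check murder proxy-auth settings of a frontend and backend imapd.conf.

Added example (not from the thread or the Cyrus project). Sample configs
below are constructed from the redacted files in the thread with placeholder
hostnames, DNs and secrets.
"""
import re

# imapd.conf is one 'key: value' per line; a line whose first non-blank
# character is '#' is a comment.  A '#' inside a value (e.g. a password)
# is part of the value, so only leading '#' is treated as a comment here.
CONF_LINE = re.compile(r"^([A-Za-z0-9_-]+)\s*:\s*(.*?)\s*$")


def parse_imapd_conf(text):
    """Return (values, counts): last value wins, counts records repeats."""
    values, counts = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CONF_LINE.match(line)
        if not m:
            continue  # not 'key: value'; imapd would reject it, we skip it
        key, val = m.group(1), m.group(2)
        counts[key] = counts.get(key, 0) + 1
        values[key] = val
    return values, counts


def is_on(value):
    """imapd.conf boolean switch: 1/0, yes/no, on/off, true/false, t/f, y/n."""
    return value.strip().lower() in ("1", "yes", "on", "true", "t", "y")


def check_murder(frontend_text, backend_text):
    """Return a list of human-readable findings (empty list means nothing found)."""
    fe, fe_dups = parse_imapd_conf(frontend_text)
    be, be_dups = parse_imapd_conf(backend_text)
    findings = []

    # Repeated keys: only one value can be in effect, report which keys repeat.
    for side, dups in (("frontend", fe_dups), ("backend", be_dups)):
        for key, n in sorted(dups.items()):
            if n > 1:
                findings.append(f"{side}: option '{key}' appears {n} times")

    # The frontend authenticates to the backend as proxy_authname; the backend
    # only lets that identity act on behalf of other users if it is listed in
    # proxyservers (imapd.conf(5)).
    authname = fe.get("proxy_authname")
    trusted = set(be.get("proxyservers", "").split())
    if not authname:
        findings.append("frontend: proxy_authname is not set")
    elif authname not in trusted:
        findings.append(f"backend: proxyservers {sorted(trusted)} does not "
                        f"include frontend proxy_authname '{authname}'")

    # With only cleartext mechanisms listed, the backend offers none of them on
    # a non-TLS connection unless allowplaintext is on.
    mechs = be.get("sasl_mech_list", "").upper().split()
    if mechs and set(mechs) <= {"PLAIN", "LOGIN"} and not is_on(be.get("allowplaintext", "0")):
        findings.append("backend: only cleartext SASL mechanisms listed but allowplaintext is off")

    # Both sides must talk to the same mupdate master, and mailbox names must
    # mean the same thing on both (domain handling and hierarchy separator).
    for key in ("mupdate_server", "mupdate_port", "virtdomains", "unixhierarchysep"):
        if fe.get(key) != be.get(key):
            findings.append(f"'{key}' differs: frontend={fe.get(key)!r} backend={be.get(key)!r}")

    # Heuristic of this example: option names that are identical once the
    # underscores are removed (username_to_lower vs username_tolower) are
    # almost always a misspelling of one option.
    squash = lambda k: k.replace("_", "").lower()
    fe_sq = {squash(k): k for k in fe}
    be_sq = {squash(k): k for k in be}
    for sq in sorted(fe_sq.keys() & be_sq.keys()):
        if fe_sq[sq] != be_sq[sq]:
            findings.append(f"option spelled '{fe_sq[sq]}' on the frontend and "
                            f"'{be_sq[sq]}' on the backend; one is not a real option name")
    return findings


# Constructed sample configs (placeholders for every redacted value).
FRONTEND_CONF = """\
configdirectory: /var/lib/imap
admins: cyrus-admin
sasl_pwcheck_method: saslauthd auxprop
sasl_mech_list: PLAIN
allowplaintext: 1
auth_mech: pts
pts_module: ldap
username_to_lower: 1
normalizeuid: 1
unixhierarchysep: 1
mupdate_config: standard
mupdate_server: frontend.example.com
mupdate_port: 3905
mupdate_authname: mupdate-user
mupdate_password: secret
defaultserver: backend.example.com
serverlist: backend.example.com
proxy_authname: murder
proxy_password: secret
virtdomains: off
"""

BACKEND_CONF = """\
configdirectory: /srv/imap/be/lib
admins: kolab
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
allowplaintext: 1
auth_mech: pts
pts_module: ldap
ldap_bind_dn: uid=svc,ou=People,o=intra,dc=example,dc=com
ldap_password: secret#1
ldap_bind_dn: uid=svc,ou=People,o=intra,dc=example,dc=com
ldap_password: secret#1
username_tolower: 1
unixhierarchysep: 1
mupdate_config: standard
mupdate_server: frontend.example.com
mupdate_port: 3905
mupdate_authname: mupdate-user
mupdate_password: secret
proxyservers: murder
proxy_authname: murder
proxy_password: secret
virtdomains: off
"""

if __name__ == "__main__":
    for line in check_murder(FRONTEND_CONF, BACKEND_CONF):
        print(line)
```

Run it against the real files (pass their contents instead of the sample strings) before sending them to a list; a clean report does not prove the login works, since saslauthd, the pts LDAP canonicalisation and the TLS setup are outside what it reads, but the findings it does raise are exactly the ones that turn into "cannot authenticate" on the proxied connection.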

