The third issue I had relating to trying to use imtest to test my cyrus-imapd configuration is due to a bug in imtest. It is discussed (with a patch provided) in the following thread:

http://www.irbs.net/internet/cyrus-sasl/0605/0045.html

I have not had time to test the patch, but I used a working imtest from another machine to test the cyrus-imapd configuration on this machine and it now is working.

Doug

> -----Original Message-----
> From: cyrus-sasl-bounces@xxxxxxxxxxxxxxxxxxxx
> [mailto:cyrus-sasl-bounces@xxxxxxxxxxxxxxxxxxxx] On Behalf Of Doug Campbell
> Sent: Thursday, October 26, 2006 2:26 AM
> To: cyrus-sasl@xxxxxxxxxxxxxxxxxxxx
> Subject: RE: Can't get SASL Authentication to work
>
> After much additional testing I think I have solved the SASL related problems.
>
> The first issue I discovered was that the reason I wasn't seeing anything
> "interesting" in my slapd logs was because slapd wasn't being contacted. I was
> using unix sockets and it turns out that I had missed a step that I had
> performed in my original configuration where I set a umask 0 before loading
> slapd in my init script. That gave 777 access to the ldapi socket and allowed
> postfix and cyrus the ability to connect to slapd.
>
> The second issue must be due to a change from 2.2 to 2.3 of OpenLDAP (I
> think). Basically, the credentials for uidNumber and gidNumber were being
> passed in the opposite order in 2.3 from what they were in 2.2. So I just
> changed my authz-regexp statement to:
>
> authz-regexp
>     gidNumber=(.*)\\+uidNumber=(.*),cn=peercred,cn=external,cn=auth
>     ldap:///dc=securemail,dc=swro,dc=local??sub?(&(uidNumber=$2)(gidNumber=$1))
>
> These changes allowed me to successfully SMTP AUTH to the postfix server BUT
> I am still having the issue with cyrus-imapd.
>
> I am going to try removing the package and re-adding it to see if that clears
> up the problem.
>
> If anyone has any thoughts on that error, please let me know.
>
> Thanks!
>
> Doug
>
> Here it is again for convenience:
>
> > # imtest -a fred -m DIGEST-MD5
> >
> > S: * OK securemail.swro.local Cyrus IMAP4 v2.3.1-Invoca-RPM-2.3.1-2.6.fc5 server ready
> > C: C01 CAPABILITY
> > S: * CAPABILITY IMAP4 IMAP4rev1 ACL RIGHTS=kxte QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE IDLE STARTTLS AUTH=DIGEST-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
> > S: C01 OK Completed
> > C: A01 AUTHENTICATE DIGEST-MD5
> > S: + bm9uY2U9IituMWFTUVR2akp2THl1S1lVcEhUS3FDeEt3YitXTnFFN2ltREdyM2
> > 93bHc9IixyZWFsbT0ic2VjdXJlbWFpbC5zd3JvLmxvY2FsIixxb3A9ImF1dGgs
> > YXV0aC1pbnQsYXV0aC1jb25mIixjaXBoZXI9InJjNC00MCxyYzQtNTYscmM0LG
> > RlcywzZGVzIixtYXhidWY9NDA5NixjaGFyc2V0PXV0Zi04LGFsZ29yaXRobT1t
> > ZDUtc2Vzcw==
> > base64 decoding error
> > Authentication failed. generic failure
> > Security strength factor: 0
> >
> > -----Original Message-----
> > From: cyrus-sasl-bounces@xxxxxxxxxxxxxxxxxxxx
> > [mailto:cyrus-sasl-bounces@xxxxxxxxxxxxxxxxxxxx] On Behalf Of Doug Campbell
> > Sent: Wednesday, October 25, 2006 6:11 PM
> > To: cyrus-sasl@xxxxxxxxxxxxxxxxxxxx
> > Subject: Can't get SASL Authentication to work
> >
> > Sorry to cross post. Immediately after I sent this to the OpenLDAP list I
> > realized it probably would be better answered here...
> >
> > I am trying to set up postfix and cyrus-imapd to authenticate using SASL
> > Proxy Authentication to OpenLDAP.
> >
> > I had this working on another machine about a year back and have tried using
> > the same procedure that I used to get that machine working, but I am so far
> > unsuccessful.
> >
> > My setup steps are shown below, but let me show the tests I am doing:
> >
> > I have a user (fred) in ldap with the following information:
> >
> > dn: uid=fred,ou=people,dc=securemail,dc=swro,dc=local
> > uid: fred
> > cn: Fred Flintstone
> > homeDirectory: /home/fred
> > uidNumber: 501
> > objectClass: posixAccount
> > objectClass: shadowAccount
> > objectClass: inetOrgPerson
> > gidNumber: 501
> > gecos: Fred Flintstone
> > sn: Flintstone
> > givenName: Fred
> > shadowLastChange: 12990
> > loginShell: /sbin/nologin
> > userPassword:: d2lsbWE=
> > mail: fred@xxxxxxxxxxxxxxxxx
> >
> > dn: cn=fred,ou=group,dc=securemail,dc=swro,dc=local
> > gidNumber: 501
> > cn: fred
> > objectClass: posixGroup
> >
> > I try to use SMTP AUTH to authenticate fred to the postfix server by doing
> > the following:
> >
> > # openssl s_client -connect localhost:25 -starttls smtp
> >
> > 220 securemail.swro.local ESMTP Postfix
> > ehlo swro.local
> > 250-securemail.swro.local
> > 250-PIPELINING
> > 250-SIZE 10240000
> > 250-VRFY
> > 250-ETRN
> > 250-AUTH DIGEST-MD5 PLAIN LOGIN
> > 250-AUTH=DIGEST-MD5 PLAIN LOGIN
> > 250 8BITMIME
> > auth login
> > 334 VXNlcm5hbWU6
> > ZnJlZA==
> > 334 UGFzc3dvcmQ6
> > d2lsbWE=
> > 535 Error: authentication failed
> >
> > FAILED!
> >
> > I try to use DIGEST-MD5 with the cyrus-imap by doing the following:
> >
> > # imtest -a fred -m DIGEST-MD5
> >
> > S: * OK securemail.swro.local Cyrus IMAP4 v2.3.1-Invoca-RPM-2.3.1-2.6.fc5 server ready
> > C: C01 CAPABILITY
> > S: * CAPABILITY IMAP4 IMAP4rev1 ACL RIGHTS=kxte QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE IDLE STARTTLS AUTH=DIGEST-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
> > S: C01 OK Completed
> > C: A01 AUTHENTICATE DIGEST-MD5
> > S: + bm9uY2U9IituMWFTUVR2akp2THl1S1lVcEhUS3FDeEt3YitXTnFFN2ltREdyM2
> > 93bHc9IixyZWFsbT0ic2VjdXJlbWFpbC5zd3JvLmxvY2FsIixxb3A9ImF1dGgs
> > YXV0aC1pbnQsYXV0aC1jb25mIixjaXBoZXI9InJjNC00MCxyYzQtNTYscmM0LG
> > RlcywzZGVzIixtYXhidWY9NDA5NixjaGFyc2V0PXV0Zi04LGFsZ29yaXRobT1t
> > ZDUtc2Vzcw==
> > base64 decoding error
> > Authentication failed. generic failure
> > Security strength factor: 0
> >
> > FAILED! I don't even get prompted to enter my password.
> >
> > I have tried turning on logging for OpenLDAP but I can't make out what is
> > wrong. I know that on my server that works, I get messages with PROXYAUTHZ
> > but I don't see anything like that here.
> >
> > What other information can I provide?
> >
> > My setup process is shown below.
> >
> > Grateful for any help!
> >
> > Doug
> >
> > Here is the procedure I am using:
> >
> > 1. Started with fresh install of Fedora Core 5
> >
> > 2. yum install postfix cyrus-imapd cyrus-imapd-utils
> >
> > 3. Download cyrus-sasl-2.1.22 and install using
> >
> >     ./configure --prefix=/usr/local --with-plugindir=/usr/local/lib/sasl2 --with-rc4 \
> >         --with-dblib=berkeley --enable-anon --enable-cram --enable-digest --enable-plain \
> >         --enable-login --enable-ntlm
> >
> >     make sasldir=/usr/local/lib/sasl2
> >
> >     make install sasldir=/usr/local/lib/sasl2
> >
> > 4. Backup/Remove existing FC5 SASL stuff
> >
> >     mv /usr/lib/sasl2 /usr/lib/sasl2.fc5
> >     ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
> >
> >     mv /usr/lib/libsasl2.a libsasl2.a.fc5
> >
> >     ln -s /usr/local/lib/libsasl2.la /usr/lib/libsasl2.la
> >
> >     ln -s /usr/local/lib/libsasl2.so.2.0.22 /usr/lib/libsasl2.so.2.0.22
> >
> >     ldconfig
> >
> >     rm libsasl2.so
> >     ln -s libsasl2.so.2.0.22 libsasl2.so
> >
> > 5. Download openldap.2.3.28 and install using
> >
> >     ./configure --prefix=/usr/local --with-slapd --with-slurpd --without-ldapd --with-threads=posix \
> >         --enable-local --enable-ldap --disable-rlookups --with-tls --with-cyrus-sasl --enable-bdb \
> >         --enable-wrappers --enable-passwd --enable-shell --enable-cleartext --enable-crypt --enable-spasswd \
> >         --enable-modules --disable-sql --enable-aci --libexecdir=/usr/local/sbin --localstatedir=/var
> >
> >     make depend
> >
> >     make
> >
> >     make test
> >
> >     make install datadir=/var/lib/ldap libexecdir=/usr/local/sbin localstatedir=/var sysconfigdir=/etc/openldap
> >
> > 6. Edited my /etc/init.d/ldap startup script and replaced the locations for
> > slapd, slurpd and slaptest with their new locations AND changed the value of
> > hargs to "ldap:/// ldapi:///" from "ldap:///"
> >
> > 7. Rebuild cyrus-sasl
> >
> >     make distclean
> >
> >     ./configure --prefix=/usr/local --with-plugindir=/usr/local/lib/sasl2 --with-rc4 \
> >         --with-dblib=berkeley --enable-anon --enable-cram --enable-digest --enable-plain \
> >         --enable-login --enable-ntlm --enable-ldapdb
> >
> >     make sasldir=/usr/local/lib/sasl2
> >
> >     make install sasldir=/usr/local/lib/sasl2
> >
> > 7. Created /usr/local/lib/sasl2/slapd.conf and put the following in it:
> >
> >     auxprop_plugin: slapd
> >
> > 8. Also created /usr/local/lib/sasl2/smtpd.conf and put the following in it:
> >
> >     pwcheck_method: auxprop
> >     auxprop_plugin: ldapdb
> >     mech_list: PLAIN LOGIN DIGEST-MD5
> >     ldapdb_uri: ldapi://%2Fvar%2Frun%2Fldapi/
> >     ldapdb_mech: EXTERNAL
> >
> > 9. Added the following lines to my OpenLDAP slapd.conf file
> >
> >     password-hash {CLEARTEXT}
> >     authz-policy to
> >     authz-regexp
> >         uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth
> >         ldap:///dc=securemail,dc=swro,dc=local??sub?(&(uidNumber=$1)(gidNumber=$2))
> >
> >     authz-regexp uid=(.*),cn=external,cn=auth
> >         ldap:///dc=securemail,dc=swro,dc=local??sub?(uid=$1)
> >
> > 10. Modified /etc/imapd.conf to look like this:
> >
> >     configdirectory: /var/lib/imap
> >     partition-default: /var/spool/imap
> >     admins: cyrus
> >     sievedir: /var/lib/imap/sieve
> >     sendmail: /usr/sbin/sendmail
> >     hashimapspool: true
> >     sasl_pwcheck_method: auxprop
> >     sasl_auxprop_plugin: ldapdb
> >     sasl_mech_list: digest-md5
> >     sasl_ldapdb_uri: ldapi://%2Fvar%2Frun%2Fldapi/
> >     sasl_ldapdb_mech: EXTERNAL
> >     tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
> >     tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
> >     tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
> >
> > 11. Added the following line to my /etc/ldap.conf (PADL)
> >
> >     uri ldapi://%2Fvar%2Frun%2Fldapi/
> >
> > 12. Added the following ldif for the cyrus account:
> >
> >     dn: uid=cyrus,ou=people,dc=securemail,dc=swro,dc=local
> >     uid: cyrus
> >     cn: Cyrus IMAP Server
> >     objectClass: account
> >     objectClass: posixAccount
> >     objectClass: top
> >     objectClass: shadowAccount
> >     userPassword: {crypt}!!
> >     shadowLastChange: 12934
> >     loginShell: /bin/bash
> >     uidNumber: 76
> >     gidNumber: 12
> >     homeDirectory: /var/lib/imap
> >     gecos: Cyrus IMAP Server
> >     authzTo: dn.regex: uid=.*,ou=people,dc=securemail,dc=swro,dc=local
> >
> > 13. Added the following ldif for the postfix account:
> >
> >     dn: uid=postfix,ou=people,dc=securemail,dc=swro,dc=local
> >     uid: postfix
> >     cn: Postfix SMTP Server
> >     objectClass: account
> >     objectClass: posixAccount
> >     objectClass: top
> >     objectClass: shadowAccount
> >     userPassword: {crypt}!!
> >     shadowLastChange: 12934
> >     loginShell: /bin/bash
> >     uidNumber: 89
> >     gidNumber: 89
> >     homeDirectory: /var/spool/postfix
> >     gecos: Postfix SMTP Server
> >     authzTo: dn.regex: uid=uid=.*,ou=people,dc=securemail,dc=swro,dc=local
> >
> > 14. Postfix configuration
> >
> > Added the following lines to my postfix main.cf file
> >
> >     smtpd_use_tls = yes
> >     smtpd_tls_auth_only = yes
> >     smtpd_tls_key_file = /etc/pki/tls/certs/cyrus-imapd.pem
> >     smtpd_tls_cert_file = /etc/pki/tls/certs/cyrus-imapd.pem
> >     smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
> >     smtpd_tls_loglevel = 3
> >     smtpd_tls_received_header = yes
> >     smtpd_tls_session_cache_timeout = 3600s
> >     tls_random_source = dev:/dev/urandom
> >
> >     smtpd_sasl_auth_enable = yes
> >     smtpd_sasl_security_options = noanonymous
> >     broken_sasl_auth_clients = yes
> >     smtpd_recipient_restrictions = permit_sasl_authenticated,
> >         permit_mynetworks, check_relay_domains
> >
> > --
> > No virus found in this incoming message.
> > Checked by AVG Free Edition.
> > Version: 7.1.408 / Virus Database: 268.13.11/496 - Release Date: 10/24/2006
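As an added example that is not part of the thread and not code from the OpenLDAP or Cyrus projects, the following Python reproduces offline the two mechanisms Doug's diagnosis turns on: decoding the DIGEST-MD5 server challenge that imtest reported a "base64 decoding error" on, and applying the authz-regexp rewriting slapd performs on a peercred (ldapi) identity, which shows why the 2.2-style rule silently stops matching once uidNumber and gidNumber change places. The challenge bytes are the ones quoted in the thread; the peercred authzid for the cyrus account is constructed from the uidNumber/gidNumber in its ldif and follows the gidNumber-first form the thread reports for OpenLDAP 2.3; the function and constant names (`parse_digest_challenge`, `map_authzid`, `RULES_OPENLDAP_22`, and so on) are this example's own.

```python
import base64
import re

# The "+ " continuation challenge exactly as quoted in the thread, split across
# lines the way the mail client wrapped it (the server sends it as one line).
CHALLENGE_LINES = [
    "bm9uY2U9IituMWFTUVR2akp2THl1S1lVcEhUS3FDeEt3YitXTnFFN2ltREdyM2",
    "93bHc9IixyZWFsbT0ic2VjdXJlbWFpbC5zd3JvLmxvY2FsIixxb3A9ImF1dGgs",
    "YXV0aC1pbnQsYXV0aC1jb25mIixjaXBoZXI9InJjNC00MCxyYzQtNTYscmM0LG",
    "RlcywzZGVzIixtYXhidWY9NDA5NixjaGFyc2V0PXV0Zi04LGFsZ29yaXRobT1t",
    "ZDUtc2Vzcw==",
]

# An RFC 2831 digest-challenge is a comma-separated list of key=value pairs in
# which a quoted value may itself contain commas (qop, cipher), so it has to be
# split with a regex rather than on ",".
_FIELD_RE = re.compile(r'([A-Za-z-]+)=("(?:[^"\\]|\\.)*"|[^,]+)')

# Cipher choices in the challenge that a defender would not want negotiated.
WEAK_CIPHERS = {"rc4-40", "rc4-56", "des"}


def parse_digest_challenge(lines):
    """Re-join a wrapped challenge, base64-decode it and return its fields as a dict."""
    joined = "".join(line.strip() for line in lines)
    text = base64.b64decode(joined, validate=True).decode("utf-8")
    fields = {}
    for key, value in _FIELD_RE.findall(text):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def challenge_summary(fields):
    """What the server offers: protection levels (qop) and any weak ciphers."""
    qop = fields.get("qop", "auth").split(",")
    ciphers = fields["cipher"].split(",") if fields.get("cipher") else []
    return {
        "realm": fields.get("realm"),
        "qop": qop,
        "offers_confidentiality": "auth-conf" in qop,
        "weak_ciphers": [c for c in ciphers if c in WEAK_CIPHERS],
    }


# The authz-regexp rules from the thread.  slapd reads "\\+" in slapd.conf as the
# regex "\+"; a Python raw string needs only the single backslash.
BASE = "ldap:///dc=securemail,dc=swro,dc=local??sub?"
RULES_OPENLDAP_22 = [
    (r"uidNumber=(.*)\+gidNumber=(.*),cn=peercred,cn=external,cn=auth",
     BASE + "(&(uidNumber=$1)(gidNumber=$2))"),
    (r"uid=(.*),cn=external,cn=auth", BASE + "(uid=$1)"),
]
RULES_OPENLDAP_23 = [
    (r"gidNumber=(.*)\+uidNumber=(.*),cn=peercred,cn=external,cn=auth",
     BASE + "(&(uidNumber=$2)(gidNumber=$1))"),
    (r"uid=(.*),cn=external,cn=auth", BASE + "(uid=$1)"),
]


def peercred_authzid(uid, gid):
    """SASL EXTERNAL identity derived from ldapi peer credentials, gidNumber first (2.3 form)."""
    return f"gidNumber={gid}+uidNumber={uid},cn=peercred,cn=external,cn=auth"


def map_authzid(authzid, rules):
    """First matching authz-regexp rule wins; $N in the URL is replaced by capture group N."""
    for pattern, replacement in rules:
        match = re.fullmatch(pattern, authzid)
        if match is None:
            continue
        url = replacement
        for n, group in enumerate(match.groups(), start=1):
            url = url.replace(f"${n}", group)
        return url
    # No rule matched: the identity stays the raw peercred DN, which is not the
    # cyrus entry carrying authzTo, so the proxy authorization cannot succeed.
    return None


if __name__ == "__main__":
    fields = parse_digest_challenge(CHALLENGE_LINES)
    print(challenge_summary(fields))
    cyrus = peercred_authzid(uid=76, gid=12)  # values from the cyrus ldif above
    print("2.2-style rules:", map_authzid(cyrus, RULES_OPENLDAP_22))
    print("2.3-style rules:", map_authzid(cyrus, RULES_OPENLDAP_23))
```

Two things worth noting from the output. The challenge decodes cleanly once the wrapped lines are re-joined, and it shows the server offering auth-conf with a cipher list that includes rc4-40, rc4-56 and single DES, which is worth trimming on the server side regardless of the imtest problem. For the mapping, the cyrus identity from peercred produces no match at all under the 2.2-ordered rule and the expected `(&(uidNumber=76)(gidNumber=12))` search under the 2.3-ordered one, which is exactly the silent failure the thread describes: socket permissions decide whether slapd is reached at all, and the authz-regexp then decides whether the connecting uid/gid is ever tied to the entry that carries authzTo.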