Re: auxprop pwcheck with sasl ldapdb and openldap backend not working

Hello Patrick,

I propose you first make a working setup with the sasldb backend.  This is
a local database with username@domain:password.  Once it works, your
system is set up correctly and only the authentication needs to be
tweaked.

DIGEST-MD5 requires that the server stores the password in plain text.
It does work with sasldb, but e.g. with Kerberos it does not work.  You
have to tell the server explicitly not to advertise DIGEST-MD5 in such
cases.

Greetings
  Дилян

On Wed, 2021-11-03 at 18:22 -0400, patrick via SASL wrote:
> Hello all
> 
> I am trying to set up cyrus-imap in order to - ultimately - use it as
> a caldav/carddav server on a private server.
> 
> I have an openldap instance running in a standard configuration and
> would like to use the "auxprop-hashed" pwcheck method along with the
> "ldapdb" sasl module.
> 
> This seems not to be as simple as it sounds. Most probably, I am
> doing something wrong.
> 
> Is there any chance, somebody could have a look and suggest fixes or
> - actually even preferred - point me to a working example of such a
> configuration?
> 
> I have searched near and far and read hundreds of documentation and
> source files, but I fail to make sense of those log lines:
> 
> badlogin: nexus [fec0::5054:ff:fe12:3456] DIGEST-MD5 [SASL(-4): no
> mechanism available: unable to canonify user and get auxprops]
> 
> and (or)
> 
> badlogin: nexus [fec0::5054:ff:fe12:3456] PLAIN [SASL(-4): no
> mechanism available: Password verification failed]
> 
> 
> I do not understand how, why and by which process they are exactly
> logged. And, most importantly, I cannot figure out what the
> underlying problem actually is. :-) I have tried many tweaks to the
> config: plain password, "auxprop" instead of "auxprop-hashed"
> pwcheck, and more, all to no avail.
> 
> This is an up-to-date, internet-connected
> ubuntu-20.04-minimal-cloudimg-amd64.img currently running in a qemu VM
> on macOS 11.6 (Big Sur, 2nd-latest).
> 
> Any help is much appreciated.
> 
> Patrick
> 
> So far, I have:
> ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/cyrus.conf
> START {
>       recover         cmd="/usr/sbin/cyrus ctl_cyrusdb -r"
>       delprune        cmd="/usr/sbin/cyrus expire -E 3"
>       tlsprune        cmd="/usr/sbin/cyrus tls_prune"
> }
> SERVICES {
>       imaps           cmd="imapd -s -U 30" listen="nexus:imaps"
> prefork=0 maxchild=100
>       imaplocal       cmd="imapd -C /etc/imapd-local.conf -U 30"
> listen="localhost:imap" prefork=0 maxchild=100
>       https           cmd="httpd -s -U 30" listen="8443" prefork=0
> maxchild=100
>       lmtpunix        cmd="lmtpd" listen="/run/cyrus/socket/lmtp"
> prefork=0 maxchild=20
>       sieve           cmd="timsieved" listen="localhost:sieve"
> prefork=0 maxchild=100
>       notify          cmd="notifyd"
> listen="/run/cyrus/socket/notify" proto="udp" prefork=1
> }
> EVENTS {
>       checkpoint      cmd="/usr/sbin/cyrus ctl_cyrusdb -c"
> period=30
>       delprune        cmd="/usr/sbin/cyrus expire -E 3" at=0401
>       tlsprune        cmd="/usr/sbin/cyrus tls_prune" at=0401
>       deleteprune     cmd="/usr/sbin/cyrus expire -E 4 -D 28"
> at=0430
>       expungeprune    cmd="/usr/sbin/cyrus expire -E 4 -X 28"
> at=0445
> }
> 
> ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/imapd.conf 
> configdirectory: /var/lib/cyrus
> proc_path: /run/cyrus/proc
> mboxname_lockpath: /run/cyrus/lock
> defaultpartition: default
> partition-default: /var/spool/cyrus/mail
> partition-news: /var/spool/cyrus/news
> newsspool: /var/spool/news
> altnamespace: no
> unixhierarchysep: no
> lmtp_downcase_rcpt: yes
> allowanonymouslogin: no
> popminpoll: 1
> autocreate_quota: 0
> umask: 077
> sieveusehomedir: false
> sievedir: /var/spool/sieve
> httpmodules: caldav carddav
> hashimapspool: true
> allowplaintext: yes
> sasl_pwcheck_method: auxprop-hashed
> sasl_auxprop_plugin: ldapdb
> @include: /etc/imapd-ldap.conf
> sasl_auto_transition: no
> tls_server_cert: /etc/ssl/certs/ssl-cert-snakeoil.pem
> tls_server_key: /etc/ssl/private/ssl-cert-snakeoil.key
> tls_client_ca_dir: /etc/ssl/certs
> tls_session_timeout: 1440
> lmtpsocket: /run/cyrus/socket/lmtp
> idlesocket: /run/cyrus/socket/idle
> notifysocket: /run/cyrus/socket/notify
> syslog_prefix: cyrus
> 
> ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/imapd-ldap.conf 
> ldap_base: ou=people,dc=patrickpfeifer,dc=net
> ldap_bind_dn: cn=admin,dc=patrickpfeifer,dc=net
> ldap_filter: (mail=%u)
> ldap_password: xxxx
> ldap_scope: one
> ldap_uri: ldapi:///
> ldap_version: 3
> 
> And:
> $ ldapsearch -H ldapi:/// -D cn=admin,dc=patrickpfeifer,dc=net -w
> xxxx -b 'ou=people,dc=patrickpfeifer,dc=net'
> '(mail=patrick@xxxxxxxxxxxxxxxxxx)'
> # extended LDIF
> #
> # LDAPv3
> # base <ou=people,dc=patrickpfeifer,dc=net> with scope subtree
> # filter: (mail=patrick@xxxxxxxxxxxxxxxxxx)
> # requesting: ALL
> #
> # patrick, people, patrickpfeifer.net
> dn: uid=patrick,ou=people,dc=patrickpfeifer,dc=net
> cn: Patrick Pfeifer
> objectClass: inetOrgPerson
> objectClass: top
> objectClass: person
> uid: patrick
> mail: patrick@xxxxxxxxxxxxxxxxxx
> sn: Pfeifer
> userPassword:: e1NTSXXXXXXXXXXXXXXXc9PQ=
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> 
> However:
> $ /usr/lib/cyrus/bin/imtest -s -u patrick@xxxxxxxxxxxxxxxxxx -w xxxxx
> nexus
> verify error:num=18:self signed certificate
> TLS connection established: TLSv1.3 with cipher
> TLS_AES_256_GCM_SHA384 (256/256 bits)
> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=DIGEST-MD5
> AUTH=NTLM AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN SASL-IR] nexus Cyrus
> IMAP 3.0.13-Debian-3.0.13-5 server ready
> C: A01 AUTHENTICATE DIGEST-MD5
> S: +
> bm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpSTk9JcjFFdHNGL0VkcnU1Q0QzR09PMXc9I
> ixyZWFsbT0ibmV4dXMiLHFvcD0iYXV0aCIsbWF4YnVmPTQwOTYsY2hhcnNldD11dGYtOC
> xhbGdvcml0aG09bWQ1LXNlc3M=
> C:
> dXNlcm5hbWU9InVidW50dSIscmVhbG09Im5leHVzIixhdXRoemlkPSJwYXRyaWNrQHBhd
> HJpY2twZmVpZmVyLm5ldCIsbm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpSTk9JcjFFdH
> NGL0VkcnU1Q0QzR09PMXc9Iixjbm9uY2U9IlM2Yzh4WXJUZXFtcXB3dHYrWGJ2aGk3cTV
> HM1dKby8xUWJlSkZZbGM5K289IixuYz0wMDAwMDAwMSxxb3A9YXV0aCxtYXhidWY9MTAy
> NCxkaWdlc3QtdXJpPSJpbWFwL25leHVzIixyZXNwb25zZT1iZjBmNjVkYmFiMWZhNjg3M
> mRjYjBhNDk0MmJhYzA0OA==
> S: A01 NO no mechanism available
> Authentication failed. generic failure
> Security strength factor: 256
> ^CC: Q01 LOGOUT
> Connection closed.
> 
> And:
> ubuntu@nexus:~$ journalctl -f
> -- Logs begin at Mon 2020-12-28 21:20:09 UTC. --
> 
> ...
> 
> Nov 03 21:55:08 nexus sudo[9147]:   ubuntu : TTY=pts/0 ;
> PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/sbin/service cyrus-imapd
> start
> Nov 03 21:55:08 nexus sudo[9147]: pam_unix(sudo:session): session
> opened for user root by ubuntu(uid=0)
> Nov 03 21:55:09 nexus systemd[1]: Started Cyrus IMAP/POP3 daemons.
> Nov 03 21:55:09 nexus sudo[9147]: pam_unix(sudo:session): session
> closed for user root
> Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: skiplist: clean
> shutdown file missing, updating recovery stamp
> Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: recovering cyrus
> databases
> Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: done recovering cyrus
> databases
> Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: ldapdb
> Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: Expired 0 and expunged
> 0 out of 0 messages from 2 mailboxes
> Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: duplicate_prune:
> pruning back 3.00 days
> Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: duplicate_prune: purged
> 0 out of 0 entries
> Nov 03 21:55:09 nexus cyrus/tls_prune[9163]: tls_prune: purged 0 out
> of 38 entries
> Nov 03 21:55:09 nexus cyrus/master[9156]: unable to bind to
> imaps/ipv6 socket: Invalid argument
> Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9166]: checkpointing cyrus
> databases
> Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9166]: done checkpointing
> cyrus databases
> 
> Nov 03 21:55:14 nexus imtest[9170]: ldapdb
> Nov 03 21:55:14 nexus imtest[9170]: _sasl_plugin_load failed on
> sasl_canonuser_init
> Nov 03 21:55:14 nexus cyrus/imaps[9171]: ldapdb
> Nov 03 21:55:14 nexus cyrus/imaps[9171]: auxpropfunc error invalid
> parameter supplied
> Nov 03 21:55:14 nexus cyrus/imaps[9171]: ldapdb
> Nov 03 21:55:14 nexus cyrus/imaps[9171]: inittls: Loading hard-coded
> DH parameters
> Nov 03 21:55:14 nexus cyrus/imaps[9171]: TLS server engine: No client
> CA certs specified. Client side certs may not work
> Nov 03 21:55:14 nexus cyrus/imaps[9171]: starttls: TLSv1.3 with
> cipher TLS_AES_256_GCM_SHA384 (256/256 bits new) no authentication
> Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 client step 2
> Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5
> parse_server_challenge()
> Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 ask_user_info()
> Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 client step 2
> Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 ask_user_info()
> Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 make_client_response()
> Nov 03 21:55:14 nexus cyrus/imaps[9171]: SASL unable to canonify user
> and get auxprops
> Nov 03 21:55:14 nexus cyrus/imaps[9171]: badlogin: nexus
> [fec0::5054:ff:fe12:3456] DIGEST-MD5 [SASL(-4): no mechanism
> available: unable to canonify user and get auxprops]
> 
> If I change the "imtest" command line to use the PLAIN mech, I get:
> $ /usr/lib/cyrus/bin/imtest -s -m PLAIN -u patrick@xxxxxxxxxxxxxxxxxx
> -w xxxxx nexus
> 
> Nov 03 22:14:45 nexus imtest[9303]: ldapdb
> Nov 03 22:14:45 nexus imtest[9303]: _sasl_plugin_load failed on
> sasl_canonuser_init
> Nov 03 22:14:45 nexus cyrus/imaps[9304]: ldapdb
> Nov 03 22:14:45 nexus cyrus/imaps[9304]: auxpropfunc error invalid
> parameter supplied
> Nov 03 22:14:45 nexus cyrus/imaps[9304]: ldapdb
> Nov 03 22:14:45 nexus cyrus/imaps[9304]: inittls: Loading hard-coded
> DH parameters
> Nov 03 22:14:45 nexus cyrus/imaps[9304]: TLS server engine: No client
> CA certs specified. Client side certs may not work
> Nov 03 22:14:45 nexus cyrus/imaps[9304]: starttls: TLSv1.3 with
> cipher TLS_AES_256_GCM_SHA384 (256/256 bits new) no authentication
> Nov 03 22:14:45 nexus cyrus/imaps[9304]: SASL unknown password
> verifier(s) auxprop-hashed
> Nov 03 22:14:45 nexus cyrus/imaps[9304]: SASL Password verification
> failed
> Nov 03 22:14:45 nexus cyrus/imaps[9304]: badlogin: nexus
> [fec0::5054:ff:fe12:3456] PLAIN [SASL(-4): no mechanism available:
> Password verification failed]
> 
> 
> 
> More Info:
> ubuntu@nexus:~$ lsb_release -a
> No LSB modules are available.
> Distributor ID:       Ubuntu
> Description:  Ubuntu 20.04.3 LTS
> Release:      20.04
> Codename:     focal
> 
> ubuntu@nexus:~$ dpkg -l | grep cyru\\\|sasl
> ii  cyrus-admin                    3.0.13-5                 
> ii  cyrus-caldav                   3.0.13-5                 
> ii  cyrus-clients                  3.0.13-5                 
> ii  cyrus-common                   3.0.13-5                 
> ii  cyrus-imapd                    3.0.13-5                 
> ii  libcyrus-imap-perl:amd64       3.0.13-5                 
> ii  libsasl2-2:amd64               2.1.27+dfsg-2            
> ii  libsasl2-modules:amd64         2.1.27+dfsg-2            
> ii  libsasl2-modules-db:amd64      2.1.27+dfsg-2            
> ii  libsasl2-modules-ldap:amd64    2.1.27+dfsg-2            
> ii  sasl2-bin                      2.1.27+dfsg-2            
> 
> 
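Added example, not part of the thread or of Cyrus SASL: it decodes the DIGEST-MD5 exchange quoted in the imtest session above (server challenge and client response, re-joined from the wrapped mail lines) and recomputes the RFC 2831 response the way a verifier must, which requires the plaintext password (or MD5(user:realm:password)). Beside it is the {SSHA} check that is all a directory can do with a hashed userPassword like the one in the ldapsearch output (e1NT... is base64 for "{SS..."), which is why such an entry can back PLAIN but not DIGEST-MD5. All passwords and salts here are constructed.

```python
import base64, hashlib, hmac, os, re

# Constructed from the imtest session quoted above: the base64 DIGEST-MD5 server
# challenge and client response, re-joined from the mail-wrapped lines.
CHALLENGE_B64 = ("bm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpSTk9JcjFFdHNGL0VkcnU1Q0QzR09PMXc9I"
                 "ixyZWFsbT0ibmV4dXMiLHFvcD0iYXV0aCIsbWF4YnVmPTQwOTYsY2hhcnNldD11dGYtOC"
                 "xhbGdvcml0aG09bWQ1LXNlc3M=")
RESPONSE_B64 = ("dXNlcm5hbWU9InVidW50dSIscmVhbG09Im5leHVzIixhdXRoemlkPSJwYXRyaWNrQHBhd"
                "HJpY2twZmVpZmVyLm5ldCIsbm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpSTk9JcjFFdH"
                "NGL0VkcnU1Q0QzR09PMXc9Iixjbm9uY2U9IlM2Yzh4WXJUZXFtcXB3dHYrWGJ2aGk3cTV"
                "HM1dKby8xUWJlSkZZbGM5K289IixuYz0wMDAwMDAwMSxxb3A9YXV0aCxtYXhidWY9MTAy"
                "NCxkaWdlc3QtdXJpPSJpbWFwL25leHVzIixyZXNwb25zZT1iZjBmNjVkYmFiMWZhNjg3M"
                "mRjYjBhNDk0MmJhYzA0OA==")

def parse_digest(b64: str) -> dict:
    """Decode one base64 DIGEST-MD5 message into its key=value fields (RFC 2831)."""
    text = base64.b64decode(b64).decode("utf-8")
    return {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|[^,]*)', text)}

def digest_md5_response(user, realm, password, nonce, cnonce, nc, qop, uri, authzid=None):
    """RFC 2831 response-value for algorithm=md5-sess. A1 starts from
    MD5(user:realm:password), so the verifier needs the plaintext or exactly that hash."""
    hx = lambda b: hashlib.md5(b).hexdigest()
    a1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()
    a1 += f":{nonce}:{cnonce}".encode() + (f":{authzid}".encode() if authzid else b"")
    a2 = f"AUTHENTICATE:{uri}".encode()  # qop=auth, as negotiated in the session above
    return hx(f"{hx(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{hx(a2)}".encode())

def verify_digest_md5(fields: dict, password: str) -> bool:
    """Server-side check: recompute the response from the stored plaintext password."""
    expected = digest_md5_response(fields["username"], fields["realm"], password,
                                   fields["nonce"], fields["cnonce"], fields["nc"],
                                   fields["qop"], fields["digest-uri"], fields.get("authzid"))
    return hmac.compare_digest(expected, fields["response"])

def make_ssha(password: str, salt: bytes = None) -> str:
    """OpenLDAP {SSHA} userPassword value: base64(SHA1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(stored: str, password: str) -> bool:
    """All a hashed entry supports: checking a plaintext candidate (PLAIN/LOGIN).
    It cannot yield MD5(user:realm:password), so DIGEST-MD5 cannot be verified from it."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)
```

Decoding the captured response also shows username="ubuntu" with authzid="patrick@patrickpfeifer.net": the authentication identity imtest sent was the local login name, while the -u value went into the authorization identity.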

------------------------------------------
Cyrus: SASL
Permalink: https://cyrus.topicbox.com/groups/sasl/T2c60ca246b64197b-M10276cceecc5033d0cbff41e
Delivery options: https://cyrus.topicbox.com/groups/sasl/subscription