Re: auxprop pwcheck with sasl ldapdb and openldap backend not working

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello Дилян

Thank you for the suggestion. This makes sense.

So, I had the "sasldb" authprop plugin working before, for the "ldaplocal" configuration. Only there I have the administrative user "cyrus" enabled - and that worked.

Now I have also added a simple mailbox (using cyradm "addmailbox user.patrick") to cyrus and to the sasldb (using saslpasswd2) and this works now as well.

I tested with imtest and fetchmail from a "remote" machine (the macos host where the vm runs).

But ldapdb doesn't.

One "challenge" probably is, that I would like the mailboxes and usernames of ldap users to be their full mail address, e.g. "patrick@xxxxxxxxxxxxxxxxxx". I might give up on that... it seems it would be possible by changin the "separator" in imapd.conf from "." to "/", but while for mailboxes it kind of makes sense and would match my current setup (w/ dovecot), for caldav/carddav accounts, it probably makes less sense and in my current setup (w/ apple calendarserver) the ldap users are identified with their "uid" only as well. As cyrus combines imap/pop and caldav/carddav, i will have to make a choice here anyway. Not a big deal - I think I am going to go with "uid" mailboxes as well then. Althought "email" would certainly be more scalable (the box is acting as MTA and MUA for a handful of domains).

Another "challange" is plaintext passwords. "DIGEST-MD5 requires that the server stores the password in plain text." I was not aware of that.

For the "PLAIN" SASL Mechanism, this is not required though, right? I certainly do _not_ want to store plaintext passwords in the ldap. No way.

And a final question: Am I right, that the "auxprop-hashed" "pwcheck" mmethods can authenticate users against hashed ldap "userPassord" entries?

What are the restrictions with this method? So obviously DIGEST-MD5 will not work. Right? Will "PLAIN" work when? And how can I conigure the server to only advertise those mechanisms that work??? (It would have been really nice, if that would not need to be configured. (I am just asking for the information though and not the feature! ;-) I might give it a shot one day to implement, but am almost certain that I do not yet understand the problem well enough.)

Thank you!

Cheers

Patrick


On 2021-11-4 06:46, Дилян Палаузов wrote:
Hello Patrick,

I propose you make first a working setup with sasldb-backend. This is
a local database with username@domain:password. Once it works, your
system is set up correctly and only the authentication need to be
tweaked.

DIGEST-MD5 requires that the server stores the password in plain text.
It does work with sasldb, but e.g. with Kerberos it does not work. You
have to tell the server explicitly not to advertise DIGEST-MD5 in such
cases.

Greetings
Дилян

On Wed, 2021-11-03 at 18:22 -0400, patrick via SASL wrote:
Hallo all

I am trying to set up cyrus-imap in order to - ultimately - use it as
a caldav/carddav server on a private server.

I have an openldap instance running in a standard configuration and
would like to use the "auxprop-hashed" pwcheck method along with the
"ldapdb" sasl module.

This seems not to be as simple as it sounds. Most probably, I am
doing something wrong.

Is there any chance, somebody could have a look and suggest fixes or
- actually even preferred - point me to a working example of such a
configuration?

I have search near and far and read hundreads of documentation and
source files, but I fail to make sense of those log lines:

badlogin: nexus [fec0::5054:ff:fe12:3456] DIGEST-MD5 [SASL(-4): no
mechanism available: unable to canonify user and get auxprops]

and (or)

badlogin: nexus [fec0::5054:ff:fe12:3456] PLAIN [SASL(-4): no
mechanism available: Password verification failed]


I do not understand, how, why and by which process they are exactly
logged. And, most importantly, can not figure out, what the
underlying problem is, actually? :-) I have tried many tweaks to the
config. Plain password, "auxprop" instead of "auxprop-hashed"
pwcheck, and more, all to no avail.

This is an up-to-date internet-connected ubuntu-20.04-minimal-
cloudimg-amd64.img currently running in a quemu-vm on MacOS 11.6
(BigSur, 2nd-latest).

Any help is much appreciated.

Patrick

So far, I have:
ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/cyrus.conf
START {
recover cmd="/usr/sbin/cyrus ctl_cyrusdb -r"
delprune cmd="/usr/sbin/cyrus expire -E 3"
tlsprune cmd="/usr/sbin/cyrus tls_prune"
}
SERVICES {
imaps cmd="imapd -s -U 30" listen="nexus:imaps"
prefork=0 maxchild=100
imaplocal cmd="imapd -C /etc/imapd-local.conf -U 30"
listen="localhost:imap" prefork=0 maxchild=100
https cmd="httpd -s -U 30" listen="8443" prefork=0
maxchild=100
lmtpunix cmd="lmtpd" listen="/run/cyrus/socket/lmtp"
prefork=0 maxchild=20
   sieve cmd="timsieved" listen="localhost:sieve"
prefork=0 maxchild=100
notify cmd="notifyd"
listen="/run/cyrus/socket/notify" proto="udp" prefork=1
}
EVENTS {
checkpoint cmd="/usr/sbin/cyrus ctl_cyrusdb -c"
period=30
delprune cmd="/usr/sbin/cyrus expire -E 3" at=0401
tlsprune cmd="/usr/sbin/cyrus tls_prune" at=0401
deleteprune cmd="/usr/sbin/cyrus expire -E 4 -D 28"
at=0430
expungeprune cmd="/usr/sbin/cyrus expire -E 4 -X 28"
at=0445
}

ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/imapd.conf
configdirectory: /var/lib/cyrus
proc_path: /run/cyrus/proc
mboxname_lockpath: /run/cyrus/lock
defaultpartition: default
partition-default: /var/spool/cyrus/mail
partition-news: /var/spool/cyrus/news
newsspool: /var/spool/news
altnamespace: no
unixhierarchysep: no
lmtp_downcase_rcpt: yes
allowanonymouslogin: no
popminpoll: 1
autocreate_quota: 0
umask: 077
sieveusehomedir: false
sievedir: /var/spool/sieve
httpmodules: caldav carddav
hashimapspool: true
allowplaintext: yes
sasl_pwcheck_method: auxprop-hashed
sasl_auxprop_plugin: ldapdb
@include: /etc/imapd-ldap.conf
sasl_auto_transition: no
tls_server_cert: /etc/ssl/certs/ssl-cert-snakeoil.pem
tls_server_key: /etc/ssl/private/ssl-cert-snakeoil.key
tls_client_ca_dir: /etc/ssl/certs
tls_session_timeout: 1440
lmtpsocket: /run/cyrus/socket/lmtp
idlesocket: /run/cyrus/socket/idle
notifysocket: /run/cyrus/socket/notify
syslog_prefix: cyrus

ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/imapd-ldap.conf
ldap_base: ou=people,dc=patrickpfeifer,dc=net
ldap_bind_dn: cn=admin,dc=patrickpfeifer,dc=net
ldap_filter: (mail=%u)
ldap_password: xxxx
ldap_scope: one
ldap_uri: ldapi:///
ldap_version: 3

And:
$ ldapsearch -H ldapi:/// -D cn=admin,dc=patrickpfeifer,dc=net -w
xxxx -b 'ou=people,dc=patrickpfeifer,dc=net'
'(mail=patrick@xxxxxxxxxxxxxxxxxx)'
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=patrickpfeifer,dc=net> with scope subtree
# filter: (mail=patrick@xxxxxxxxxxxxxxxxxx)
# requesting: ALL
#
# patrick, people, patrickpfeifer.net
dn: uid=patrick,ou=people,dc=patrickpfeifer,dc=net
cn: Patrick Pfeifer
objectClass: inetOrgPerson
objectClass: top
objectClass: person
uid: patrick
mail: patrick@xxxxxxxxxxxxxxxxxx
sn: Pfeifer
userPassword:: e1NTSXXXXXXXXXXXXXXXc9PQ=
# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


However:
$ /usr/lib/cyrus/bin/imtest -s -u patrick@xxxxxxxxxxxxxxxxxx -w xxxxx
nexus
verify error:num=18:self signed certificate
TLS connection established: TLSv1.3 with cipher
TLS_AES_256_GCM_SHA384 (256/256 bits)
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=DIGEST-MD5
AUTH=NTLM AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN SASL-IR] nexus Cyrus
IMAP 3.0.13-Debian-3.0.13-5 server ready
C: A01 AUTHENTICATE DIGEST-MD5
S: +
bm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpSTk9JcjFFdHNGL0VkcnU1Q0QzR09PMXc9I
ixyZWFsbT0ibmV4dXMiLHFvcD0iYXV0aCIsbWF4YnVmPTQwOTYsY2hhcnNldD11dGYtOC
xhbGdvcml0aG09bWQ1LXNlc3M=
C:
dXNlcm5hbWU9InVidW50dSIscmVhbG09Im5leHVzIixhdXRoemlkPSJwYXRyaWNrQHBhd
HJpY2twZmVpZmVyLm5ldCIsbm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpSTk9JcjFFdH
NGL0VkcnU1Q0QzR09PMXc9Iixjbm9uY2U9IlM2Yzh4WXJUZXFtcXB3dHYrWGJ2aGk3cTV
HM1dKby8xUWJlSkZZbGM5K289IixuYz0wMDAwMDAwMSxxb3A9YXV0aCxtYXhidWY9MTAy
NCxkaWdlc3QtdXJpPSJpbWFwL25leHVzIixyZXNwb25zZT1iZjBmNjVkYmFiMWZhNjg3M
mRjYjBhNDk0MmJhYzA0OA==
S: A01 NO no mechanism available
Authentication failed. generic failure
Security strength factor: 256
^CC: Q01 LOGOUT
Connection closed.

And:
ubuntu@nexus:~$ journalctl -f
-- Logs begin at Mon 2020-12-28 21:20:09 UTC. --

...

Nov 03 21:55:08 nexus sudo[9147]: ubuntu : TTY=pts/0 ;
PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/sbin/service cyrus-imapd
start
Nov 03 21:55:08 nexus sudo[9147]: pam_unix(sudo:session): session
opened for user root by ubuntu(uid=0)
Nov 03 21:55:09 nexus systemd[1]: Started Cyrus IMAP/POP3 daemons.
Nov 03 21:55:09 nexus sudo[9147]: pam_unix(sudo:session): session
closed for user root
Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: skiplist: clean
shutdown file missing, updating recovery stamp
Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: recovering cyrus
databases
Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: done recovering cyrus
databases
Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: ldapdb
Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: Expired 0 and expunged
0 out of 0 messages from 2 mailboxes
Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: duplicate_prune:
pruning back 3.00 days
Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: duplicate_prune: purged
0 out of 0 entries
Nov 03 21:55:09 nexus cyrus/tls_prune[9163]: tls_prune: purged 0 out
of 38 entries
Nov 03 21:55:09 nexus cyrus/master[9156]: unable to bind to
imaps/ipv6 socket: Invalid argument
Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9166]: checkpointing cyrus
databases
Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9166]: done checkpointing
cyrus databases

Nov 03 21:55:14 nexus imtest[9170]: ldapdb
Nov 03 21:55:14 nexus imtest[9170]: _sasl_plugin_load failed on
sasl_canonuser_init
Nov 03 21:55:14 nexus cyrus/imaps[9171]: ldapdb
Nov 03 21:55:14 nexus cyrus/imaps[9171]: auxpropfunc error invalid
parameter supplied
Nov 03 21:55:14 nexus cyrus/imaps[9171]: ldapdb
Nov 03 21:55:14 nexus cyrus/imaps[9171]: inittls: Loading hard-coded
DH parameters
Nov 03 21:55:14 nexus cyrus/imaps[9171]: TLS server engine: No client
CA certs specified. Client side certs may not work
Nov 03 21:55:14 nexus cyrus/imaps[9171]: starttls: TLSv1.3 with
cipher TLS_AES_256_GCM_SHA384 (256/256 bits new) no authentication
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 client step 2
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5
parse_server_challenge()
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 ask_user_info()
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 client step 2
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 ask_user_info()
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 make_client_response()
Nov 03 21:55:14 nexus cyrus/imaps[9171]: SASL unable to canonify user
and get auxprops
Nov 03 21:55:14 nexus cyrus/imaps[9171]: badlogin: nexus
[fec0::5054:ff:fe12:3456] DIGEST-MD5 [SASL(-4): no mechanism
available: unable to canonify user and get auxprops]

If I change the "imtest" command line to use then PLAIN mech, I get:
$ /usr/lib/cyrus/bin/imtest -s -m PLAIN -u patrick@xxxxxxxxxxxxxxxxxx
-w xxxxx nexus

Nov 03 22:14:45 nexus imtest[9303]: ldapdb
Nov 03 22:14:45 nexus imtest[9303]: _sasl_plugin_load failed on
sasl_canonuser_init
Nov 03 22:14:45 nexus cyrus/imaps[9304]: ldapdb
Nov 03 22:14:45 nexus cyrus/imaps[9304]: auxpropfunc error invalid
parameter supplied
Nov 03 22:14:45 nexus cyrus/imaps[9304]: ldapdb
Nov 03 22:14:45 nexus cyrus/imaps[9304]: inittls: Loading hard-coded
DH parameters
Nov 03 22:14:45 nexus cyrus/imaps[9304]: TLS server engine: No client
CA certs specified. Client side certs may not work
Nov 03 22:14:45 nexus cyrus/imaps[9304]: starttls: TLSv1.3 with
cipher TLS_AES_256_GCM_SHA384 (256/256 bits new) no authentication
Nov 03 22:14:45 nexus cyrus/imaps[9304]: SASL unknown password
verifier(s) auxprop-hashed
Nov 03 22:14:45 nexus cyrus/imaps[9304]: SASL Password verification
failed
Nov 03 22:14:45 nexus cyrus/imaps[9304]: badlogin: nexus
[fec0::5054:ff:fe12:3456] PLAIN [SASL(-4): no mechanism available:
Password verification failed]



More Info:
ubuntu@nexus:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal

ubuntu@nexus:~$ dpkg -l | grep cyru\\\|sasl
ii cyrus-admin 3.0.13-5
ii cyrus-caldav 3.0.13-5
ii cyrus-clients 3.0.13-5
ii cyrus-common 3.0.13-5
ii cyrus-imapd 3.0.13-5
ii libcyrus-imap-perl:amd64 3.0.13-5
ii libsasl2-2:amd64 2.1.27+dfsg-2
ii libsasl2-modules:amd64 2.1.27+dfsg-2
ii libsasl2-modules-db:amd64 2.1.27+dfsg-2
ii libsasl2-modules-ldap:amd64 2.1.27+dfsg-2
ii sasl2-bin 2.1.27+dfsg-2


Cyrus / SASL / seediscussions +participants
+delivery optionsPermalink
------------------------------------------
Cyrus: SASL
Permalink: https://cyrus.topicbox.com/groups/sasl/T2c60ca246b64197b-M10276cceecc5033d0cbff41e
Delivery options: https://cyrus.topicbox.com/groups/sasl/subscription

------------------------------------------
Cyrus: SASL
Permalink: https://cyrus.topicbox.com/groups/sasl/T2c60ca246b64197b-M029599cb2811dc81c2134c3b
Delivery options: https://cyrus.topicbox.com/groups/sasl/subscription




[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux