Hello Patrick,

I cannot help you very much further, since I have no LDAP setup with Cyrus SASL.

If your LDAP setup works with PLAIN, but does not work with DIGEST-MD5, then you have to disable DIGEST-MD5 and likely also CRAM-MD5 and (possibly) the SCRAM* mechanisms.

If it does not work with PLAIN, I suggest you enable just the PLAIN mechanism and try to get your system working, then possibly enable more mechanisms.

I have used in the past pam_ldap and then run `saslauthd -a pam`, combined with `pwcheck_method: saslauthd`. PAM allows storing the password in different places and queuing them in a row (and having many different passwords for the same user).

Greetings
  Дилян

On Fri, 2021-11-05 at 14:02 +0100, Patrick Pfeifer via SASL wrote:
> Hello Дилян
>
> Thank you for the suggestion. This makes sense.
>
> So, I had the "sasldb" auxprop plugin working before, for the "ldaplocal" configuration. Only there I have the administrative user "cyrus" enabled - and that worked.
>
> Now I have also added a simple mailbox (using cyradm "addmailbox user.patrick") to cyrus and to the sasldb (using saslpasswd2) and this works now as well.
>
> I tested with imtest and fetchmail from a "remote" machine (the macos host where the vm runs).
>
> But ldapdb doesn't.
>
> One "challenge" probably is, that I would like the mailboxes and usernames of ldap users to be their full mail address, e.g. "patrick@xxxxxxxxxxxxxxxxxx". I might give up on that... it seems it would be possible by changing the "separator" in imapd.conf from "." to "/", but while for mailboxes it kind of makes sense and would match my current setup (w/ dovecot), for caldav/carddav accounts, it probably makes less sense and in my current setup (w/ apple calendarserver) the ldap users are identified with their "uid" only as well. As cyrus combines imap/pop and caldav/carddav, I will have to make a choice here anyway.
>
> Not a big deal - I think I am going to go with "uid" mailboxes as well then. Although "email" would certainly be more scalable (the box is acting as MTA and MUA for a handful of domains).
>
> Another "challenge" is plaintext passwords. "DIGEST-MD5 requires that the server stores the password in plain text." I was not aware of that.
>
> For the "PLAIN" SASL Mechanism, this is not required though, right? I certainly do _not_ want to store plaintext passwords in the ldap. No way.
>
> And a final question: Am I right, that the "auxprop-hashed" "pwcheck" methods can authenticate users against hashed ldap "userPassword" entries?
>
> What are the restrictions with this method? So obviously DIGEST-MD5 will not work. Right? Will "PLAIN" work when? And how can I configure the server to only advertise those mechanisms that work??? (It would have been really nice, if that would not need to be configured. (I am just asking for the information though and not the feature! ;-) I might give it a shot one day to implement, but am almost certain that I do not yet understand the problem well enough.)
>
> Thank you!
>
> Cheers
>
> Patrick
>
>
> On 2021-11-4 06:46, Дилян Палаузов wrote:
> > Hello Patrick,
> >
> > I propose you make first a working setup with sasldb-backend. This is a local database with username@domain:password. Once it works, your system is set up correctly and only the authentication needs to be tweaked.
> >
> > DIGEST-MD5 requires that the server stores the password in plain text. It does work with sasldb, but e.g. with Kerberos it does not work. You have to tell the server explicitly not to advertise DIGEST-MD5 in such cases.
> >
> > Greetings
> >   Дилян
> >
> > On Wed, 2021-11-03 at 18:22 -0400, patrick via SASL wrote:
> > > Hallo all
> > >
> > > I am trying to set up cyrus-imap in order to - ultimately - use it as a caldav/carddav server on a private server.
> > >
> > > I have an openldap instance running in a standard configuration and would like to use the "auxprop-hashed" pwcheck method along with the "ldapdb" sasl module.
> > >
> > > This seems not to be as simple as it sounds. Most probably, I am doing something wrong.
> > >
> > > Is there any chance, somebody could have a look and suggest fixes or - actually even preferred - point me to a working example of such a configuration?
> > >
> > > I have searched near and far and read hundreds of documentation and source files, but I fail to make sense of those log lines:
> > >
> > > badlogin: nexus [fec0::5054:ff:fe12:3456] DIGEST-MD5 [SASL(-4): no mechanism available: unable to canonify user and get auxprops]
> > >
> > > and (or)
> > >
> > > badlogin: nexus [fec0::5054:ff:fe12:3456] PLAIN [SASL(-4): no mechanism available: Password verification failed]
> > >
> > >
> > > I do not understand, how, why and by which process they are exactly logged. And, most importantly, cannot figure out, what the underlying problem is, actually? :-) I have tried many tweaks to the config. Plain password, "auxprop" instead of "auxprop-hashed" pwcheck, and more, all to no avail.
> > >
> > > This is an up-to-date internet-connected ubuntu-20.04-minimal-cloudimg-amd64.img currently running in a qemu-vm on MacOS 11.6 (BigSur, 2nd-latest).
> > >
> > > Any help is much appreciated.
> > >
> > > Patrick
> > >
> > > So far, I have:
> > > ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/cyrus.conf
> > > START {
> > >   recover cmd="/usr/sbin/cyrus ctl_cyrusdb -r"
> > >   delprune cmd="/usr/sbin/cyrus expire -E 3"
> > >   tlsprune cmd="/usr/sbin/cyrus tls_prune"
> > > }
> > > SERVICES {
> > >   imaps cmd="imapd -s -U 30" listen="nexus:imaps" prefork=0 maxchild=100
> > >   imaplocal cmd="imapd -C /etc/imapd-local.conf -U 30" listen="localhost:imap" prefork=0 maxchild=100
> > >   https cmd="httpd -s -U 30" listen="8443" prefork=0 maxchild=100
> > >   lmtpunix cmd="lmtpd" listen="/run/cyrus/socket/lmtp" prefork=0 maxchild=20
> > >   sieve cmd="timsieved" listen="localhost:sieve" prefork=0 maxchild=100
> > >   notify cmd="notifyd" listen="/run/cyrus/socket/notify" proto="udp" prefork=1
> > > }
> > > EVENTS {
> > >   checkpoint cmd="/usr/sbin/cyrus ctl_cyrusdb -c" period=30
> > >   delprune cmd="/usr/sbin/cyrus expire -E 3" at=0401
> > >   tlsprune cmd="/usr/sbin/cyrus tls_prune" at=0401
> > >   deleteprune cmd="/usr/sbin/cyrus expire -E 4 -D 28" at=0430
> > >   expungeprune cmd="/usr/sbin/cyrus expire -E 4 -X 28" at=0445
> > > }
> > >
> > > ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/imapd.conf
> > > configdirectory: /var/lib/cyrus
> > > proc_path: /run/cyrus/proc
> > > mboxname_lockpath: /run/cyrus/lock
> > > defaultpartition: default
> > > partition-default: /var/spool/cyrus/mail
> > > partition-news: /var/spool/cyrus/news
> > > newsspool: /var/spool/news
> > > altnamespace: no
> > > unixhierarchysep: no
> > > lmtp_downcase_rcpt: yes
> > > allowanonymouslogin: no
> > > popminpoll: 1
> > > autocreate_quota: 0
> > > umask: 077
> > > sieveusehomedir: false
> > > sievedir: /var/spool/sieve
> > > httpmodules: caldav carddav
> > > hashimapspool: true
> > > allowplaintext: yes
> > > sasl_pwcheck_method: auxprop-hashed
> > > sasl_auxprop_plugin: ldapdb
> > > @include: /etc/imapd-ldap.conf
> > > sasl_auto_transition: no
> > > tls_server_cert: /etc/ssl/certs/ssl-cert-snakeoil.pem
> > > tls_server_key: /etc/ssl/private/ssl-cert-snakeoil.key
> > > tls_client_ca_dir: /etc/ssl/certs
> > > tls_session_timeout: 1440
> > > lmtpsocket: /run/cyrus/socket/lmtp
> > > idlesocket: /run/cyrus/socket/idle
> > > notifysocket: /run/cyrus/socket/notify
> > > syslog_prefix: cyrus
> > >
> > > ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/imapd-ldap.conf
> > > ldap_base: ou=people,dc=patrickpfeifer,dc=net
> > > ldap_bind_dn: cn=admin,dc=patrickpfeifer,dc=net
> > > ldap_filter: (mail=%u)
> > > ldap_password: xxxx
> > > ldap_scope: one
> > > ldap_uri: ldapi:///
> > > ldap_version: 3
> > >
> > > And:
> > > $ ldapsearch -H ldapi:/// -D cn=admin,dc=patrickpfeifer,dc=net -w xxxx -b 'ou=people,dc=patrickpfeifer,dc=net' '(mail=patrick@xxxxxxxxxxxxxxxxxx)'
> > > # extended LDIF
> > > #
> > > # LDAPv3
> > > # base <ou=people,dc=patrickpfeifer,dc=net> with scope subtree
> > > # filter: (mail=patrick@xxxxxxxxxxxxxxxxxx)
> > > # requesting: ALL
> > > #
> > > # patrick, people, patrickpfeifer.net
> > > dn: uid=patrick,ou=people,dc=patrickpfeifer,dc=net
> > > cn: Patrick Pfeifer
> > > objectClass: inetOrgPerson
> > > objectClass: top
> > > objectClass: person
> > > uid: patrick
> > > mail: patrick@xxxxxxxxxxxxxxxxxx
> > > sn: Pfeifer
> > > userPassword:: e1NTSXXXXXXXXXXXXXXXc9PQ=
> > > # search result
> > > search: 2
> > > result: 0 Success
> > >
> > > # numResponses: 2
> > > # numEntries: 1
> > >
> > >
> > > However:
> > > $ /usr/lib/cyrus/bin/imtest -s -u patrick@xxxxxxxxxxxxxxxxxx -w xxxxx nexus
> > > verify error:num=18:self signed certificate
> > > TLS connection established: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
> > > S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=DIGEST-MD5 AUTH=NTLM AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN SASL-IR] nexus Cyrus IMAP 3.0.13-Debian-3.0.13-5 server ready
> > > C: A01 AUTHENTICATE DIGEST-MD5
> > > S: + bm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpSTk9JcjFFdHNGL0VkcnU1Q0QzR09PMXc9IixyZWFsbT0ibmV4dXMiLHFvcD0iYXV0aCIsbWF4YnVmPTQwOTYsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M=
> > > C: dXNlcm5hbWU9InVidW50dSIscmVhbG09Im5leHVzIixhdXRoemlkPSJwYXRyaWNrQHBhdHJpY2twZmVpZmVyLm5ldCIsbm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpSTk9JcjFFdHNGL0VkcnU1Q0QzR09PMXc9Iixjbm9uY2U9IlM2Yzh4WXJUZXFtcXB3dHYrWGJ2aGk3cTVHM1dKby8xUWJlSkZZbGM5K289IixuYz0wMDAwMDAwMSxxb3A9YXV0aCxtYXhidWY9MTAyNCxkaWdlc3QtdXJpPSJpbWFwL25leHVzIixyZXNwb25zZT1iZjBmNjVkYmFiMWZhNjg3MmRjYjBhNDk0MmJhYzA0OA==
> > > S: A01 NO no mechanism available
> > > Authentication failed. generic failure
> > > Security strength factor: 256
> > > ^CC: Q01 LOGOUT
> > > Connection closed.
> > >
> > > And:
> > > ubuntu@nexus:~$ journalctl -f
> > > -- Logs begin at Mon 2020-12-28 21:20:09 UTC. --
> > >
> > > ...
> > >
> > > Nov 03 21:55:08 nexus sudo[9147]: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/sbin/service cyrus-imapd start
> > > Nov 03 21:55:08 nexus sudo[9147]: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)
> > > Nov 03 21:55:09 nexus systemd[1]: Started Cyrus IMAP/POP3 daemons.
> > > Nov 03 21:55:09 nexus sudo[9147]: pam_unix(sudo:session): session closed for user root
> > > Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: skiplist: clean shutdown file missing, updating recovery stamp
> > > Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: recovering cyrus databases
> > > Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: done recovering cyrus databases
> > > Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: ldapdb
> > > Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: Expired 0 and expunged 0 out of 0 messages from 2 mailboxes
> > > Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: duplicate_prune: pruning back 3.00 days
> > > Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: duplicate_prune: purged 0 out of 0 entries
> > > Nov 03 21:55:09 nexus cyrus/tls_prune[9163]: tls_prune: purged 0 out of 38 entries
> > > Nov 03 21:55:09 nexus cyrus/master[9156]: unable to bind to imaps/ipv6 socket: Invalid argument
> > > Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9166]: checkpointing cyrus databases
> > > Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9166]: done checkpointing cyrus databases
> > >
> > > Nov 03 21:55:14 nexus imtest[9170]: ldapdb
> > > Nov 03 21:55:14 nexus imtest[9170]: _sasl_plugin_load failed on sasl_canonuser_init
> > > Nov 03 21:55:14 nexus cyrus/imaps[9171]: ldapdb
> > > Nov 03 21:55:14 nexus cyrus/imaps[9171]: auxpropfunc error invalid parameter supplied
> > > Nov 03 21:55:14 nexus cyrus/imaps[9171]: ldapdb
> > > Nov 03 21:55:14 nexus cyrus/imaps[9171]: inittls: Loading hard-coded DH parameters
> > > Nov 03 21:55:14 nexus cyrus/imaps[9171]: TLS server engine: No client CA certs specified. Client side certs may not work
> > > Nov 03 21:55:14 nexus cyrus/imaps[9171]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits new) no authentication
> > > Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 client step 2
> > > Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 parse_server_challenge()
> > > Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 ask_user_info()
> > > Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 client step 2
> > > Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 ask_user_info()
> > > Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 make_client_response()
> > > Nov 03 21:55:14 nexus cyrus/imaps[9171]: SASL unable to canonify user and get auxprops
> > > Nov 03 21:55:14 nexus cyrus/imaps[9171]: badlogin: nexus [fec0::5054:ff:fe12:3456] DIGEST-MD5 [SASL(-4): no mechanism available: unable to canonify user and get auxprops]
> > >
> > > If I change the "imtest" command line to use the PLAIN mech, I get:
> > > $ /usr/lib/cyrus/bin/imtest -s -m PLAIN -u patrick@xxxxxxxxxxxxxxxxxx -w xxxxx nexus
> > >
> > > Nov 03 22:14:45 nexus imtest[9303]: ldapdb
> > > Nov 03 22:14:45 nexus imtest[9303]: _sasl_plugin_load failed on sasl_canonuser_init
> > > Nov 03 22:14:45 nexus cyrus/imaps[9304]: ldapdb
> > > Nov 03 22:14:45 nexus cyrus/imaps[9304]: auxpropfunc error invalid parameter supplied
> > > Nov 03 22:14:45 nexus cyrus/imaps[9304]: ldapdb
> > > Nov 03 22:14:45 nexus cyrus/imaps[9304]: inittls: Loading hard-coded DH parameters
> > > Nov 03 22:14:45 nexus cyrus/imaps[9304]: TLS server engine: No client CA certs specified. Client side certs may not work
> > > Nov 03 22:14:45 nexus cyrus/imaps[9304]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits new) no authentication
> > > Nov 03 22:14:45 nexus cyrus/imaps[9304]: SASL unknown password verifier(s) auxprop-hashed
> > > Nov 03 22:14:45 nexus cyrus/imaps[9304]: SASL Password verification failed
> > > Nov 03 22:14:45 nexus cyrus/imaps[9304]: badlogin: nexus [fec0::5054:ff:fe12:3456] PLAIN [SASL(-4): no mechanism available: Password verification failed]
> > >
> > >
> > >
> > > More Info:
> > > ubuntu@nexus:~$ lsb_release -a
> > > No LSB modules are available.
> > > Distributor ID: Ubuntu
> > > Description:    Ubuntu 20.04.3 LTS
> > > Release:        20.04
> > > Codename:       focal
> > >
> > > ubuntu@nexus:~$ dpkg -l | grep cyru\\\|sasl
> > > ii  cyrus-admin                  3.0.13-5
> > > ii  cyrus-caldav                 3.0.13-5
> > > ii  cyrus-clients                3.0.13-5
> > > ii  cyrus-common                 3.0.13-5
> > > ii  cyrus-imapd                  3.0.13-5
> > > ii  libcyrus-imap-perl:amd64     3.0.13-5
> > > ii  libsasl2-2:amd64             2.1.27+dfsg-2
> > > ii  libsasl2-modules:amd64       2.1.27+dfsg-2
> > > ii  libsasl2-modules-db:amd64    2.1.27+dfsg-2
> > > ii  libsasl2-modules-ldap:amd64  2.1.27+dfsg-2
> > > ii  sasl2-bin                    2.1.27+dfsg-2
> >
> > ------------------------------------------
> > Cyrus: SASL
> > Permalink: https://cyrus.topicbox.com/groups/sasl/T2c60ca246b64197b-M10276cceecc5033d0cbff41e
> > Delivery options: https://cyrus.topicbox.com/groups/sasl/subscription

------------------------------------------
Cyrus: SASL
Permalink: https://cyrus.topicbox.com/groups/sasl/T2c60ca246b64197b-Mca0709b7c3ddb3e3bb8688b4
Delivery options: https://cyrus.topicbox.com/groups/sasl/subscription
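Editor's worked example for the two questions the thread leaves open (the code is added here and is neither from the thread nor from the Cyrus SASL sources). It shows why a PLAIN login can be checked against a one-way {SSHA} userPassword while a DIGEST-MD5 response cannot: per RFC 2831 the server must hold either the cleartext password or the unsalted 16-byte MD5(username:realm:password) (section 3.9 allows storing that instead), and that value is password-equivalent for the mechanism, so "plain text" is the honest description of the requirement. It then decodes the two base64 messages from the imtest transcript in the original post (re-joined across the mail wrapping), which reveals that the client authenticated as username="ubuntu" and only asked to be authorized as the -u address: imtest's -u sets the authorization name and -a the authentication name. Assumptions: the {SSHA} value and the password "hunter2" are constructed (the post's hash is redacted), the RFC 2831 section 4 test vector (user chris, realm elwood.innosoft.com, password secret) is used as the known-answer check, and all function names are mine.

```python
# Added example (editor's code, not from the thread or from Cyrus SASL). What a
# SASL server needs on file to verify PLAIN vs DIGEST-MD5, plus a decoder for
# the DIGEST-MD5 transcript from the original post.
import base64
import hashlib
import hmac
import os
import re
from typing import Dict, Optional


# --- PLAIN: the client sends the cleartext password once, so the server can
# rehash it against any one-way scheme. OpenLDAP's {SSHA} userPassword is
# base64(sha1(password || salt) || salt). The post's value is redacted, so
# make_ssha() constructs one for the demonstration.

def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_plain_against_ssha(stored: str, password: str) -> bool:
    if not stored.startswith("{SSHA}"):
        raise ValueError("expected an {SSHA} userPassword value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# --- DIGEST-MD5 (RFC 2831, algorithm=md5-sess, qop=auth). Every response is
# keyed by H(username:realm:password), so the server must hold the cleartext
# password or that unsalted hash; a salted one-way hash like {SSHA} gives it
# no way to recompute the expected response.

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_md5_secret(username: str, realm: str, password: str) -> bytes:
    return _md5(f"{username}:{realm}:{password}".encode("utf-8"))


def _digest_md5_kd(secret: bytes, nonce: str, cnonce: str, nc: str,
                   a2: bytes, authzid: Optional[str]) -> str:
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    return _md5hex(f"{_md5hex(a1)}:{nonce}:{nc}:{cnonce}:auth:{_md5hex(a2)}".encode("utf-8"))


def digest_md5_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                        digest_uri: str, authzid: Optional[str] = None) -> str:
    """Client's response-value: A2 = "AUTHENTICATE:" digest-uri."""
    return _digest_md5_kd(secret, nonce, cnonce, nc,
                          f"AUTHENTICATE:{digest_uri}".encode("utf-8"), authzid)


def digest_md5_rspauth(secret: bytes, nonce: str, cnonce: str, nc: str,
                       digest_uri: str, authzid: Optional[str] = None) -> str:
    """Server's rspauth, proving it holds the same secret: A2 = ":" digest-uri."""
    return _digest_md5_kd(secret, nonce, cnonce, nc,
                          f":{digest_uri}".encode("utf-8"), authzid)


def server_verify_digest_md5(stored: str, username: str, realm: str, response: str,
                             nonce: str, cnonce: str, nc: str, digest_uri: str,
                             authzid: Optional[str] = None) -> bool:
    """Server side: `stored` is the credential on file (cleartext or a {SCHEME} hash)."""
    if stored.startswith("{"):
        raise ValueError("credential on file is a one-way hash; DIGEST-MD5 cannot be verified")
    secret = digest_md5_secret(username, realm, stored)
    expected = digest_md5_response(secret, nonce, cnonce, nc, digest_uri, authzid)
    return hmac.compare_digest(expected, response)


# --- Decoding the transcript: the base64 lines from the imtest session in the
# original post, re-joined across the mail client's line wrapping.

_DIRECTIVE = re.compile(r'([a-z-]+)=(?:"([^"]*)"|([^,]*))')


def parse_digest_directives(b64: str) -> Dict[str, str]:
    text = base64.b64decode(b64).decode("utf-8")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _DIRECTIVE.finditer(text)}


SERVER_CHALLENGE_B64 = ("bm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpSTk9JcjFFdHNGL0VkcnU1Q0QzR09P"
                        "MXc9IixyZWFsbT0ibmV4dXMiLHFvcD0iYXV0aCIsbWF4YnVmPTQwOTYsY2hhcnNl"
                        "dD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M=")
CLIENT_RESPONSE_B64 = ("dXNlcm5hbWU9InVidW50dSIscmVhbG09Im5leHVzIixhdXRoemlkPSJwYXRyaWNr"
                       "QHBhdHJpY2twZmVpZmVyLm5ldCIsbm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpS"
                       "Tk9JcjFFdHNGL0VkcnU1Q0QzR09PMXc9Iixjbm9uY2U9IlM2Yzh4WXJUZXFtcXB3"
                       "dHYrWGJ2aGk3cTVHM1dKby8xUWJlSkZZbGM5K289IixuYz0wMDAwMDAwMSxxb3A9"
                       "YXV0aCxtYXhidWY9MTAyNCxkaWdlc3QtdXJpPSJpbWFwL25leHVzIixyZXNwb25z"
                       "ZT1iZjBmNjVkYmFiMWZhNjg3MmRjYjBhNDk0MmJhYzA0OA==")


if __name__ == "__main__":
    c = parse_digest_directives(CLIENT_RESPONSE_B64)
    print("authentication id:", c["username"], "| authorization id:", c.get("authzid"))
    print("PLAIN against {SSHA}:", verify_plain_against_ssha(make_ssha("hunter2"), "hunter2"))
    try:
        server_verify_digest_md5(make_ssha("hunter2"), c["username"], c["realm"], c["response"],
                                 c["nonce"], c["cnonce"], c["nc"], c["digest-uri"], c.get("authzid"))
    except ValueError as exc:
        print("DIGEST-MD5 against {SSHA}:", exc)
```

Two practical consequences follow from the transcript and the log. The DIGEST-MD5 attempt authenticated as "ubuntu" (the shell user) and merely asked for authorization as the LDAP address, so re-running imtest with -a set to the LDAP user separates the identity question from the mechanism question. The PLAIN failure is a different problem from the hash format: libsasl2 logs "unknown password verifier(s) auxprop-hashed", so that imapd.conf line is what the PLAIN path tripped on before any userPassword comparison happened. For the "only advertise what works" question, Cyrus IMAP passes Cyrus SASL's mech_list option through imapd.conf as "sasl_mech_list: PLAIN LOGIN", and the PLAIN mechanism should stay confined to the TLS-wrapped imaps service, as in the cyrus.conf above.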