Re: auxprop pwcheck with sasl ldapdb and openldap backend not working

Hello Patrick,

I cannot help you very much further, since I have no LDAP setup with
Cyrus SASL.  If your LDAP-setup works with PLAIN, but does not work
with DIGEST-MD5, then you have to disable DIGEST-MD5 and likely also
CRAM-MD5 and (possibly) the SCRAM* mechanisms.

If it does not work with PLAIN, I suggest you enable just the PLAIN
mechanism and try to get your system working, then possibly enable more
mechanisms.

I have used in the past pam_ldap and then run `saslauthd -a pam`,
combined with `pwcheck_method: saslauthd`.  PAM allows storing the
password in different places and queuing them in a row (and having many
different passwords for the same user).

Greetings
  Дилян

On Fri, 2021-11-05 at 14:02 +0100, Patrick Pfeifer via SASL wrote:
> Hello Дилян
> 
> Thank you for the suggestion. This makes sense.
> 
> So, I had the "sasldb" auxprop plugin working before, for the "ldaplocal" configuration. Only there I have the administrative user "cyrus" enabled - and that worked.
> 
> Now I have also added a simple mailbox (using cyradm "addmailbox user.patrick") to cyrus and to the sasldb (using saslpasswd2) and this works now as well.
> 
> I tested with imtest and fetchmail from a "remote" machine (the macos host where the vm runs).
> 
> But ldapdb doesn't.
> 
> One "challenge" probably is that I would like the mailboxes and usernames of ldap users to be their full mail address, e.g. "patrick@xxxxxxxxxxxxxxxxxx". I might give up on that... it seems it would be possible by changing the "separator" in imapd.conf from "." to "/", but while for mailboxes it kind of makes sense and would match my current setup (w/ dovecot), for caldav/carddav accounts it probably makes less sense, and in my current setup (w/ apple calendarserver) the ldap users are identified with their "uid" only as well. As cyrus combines imap/pop and caldav/carddav, I will have to make a choice here anyway. Not a big deal - I think I am going to go with "uid" mailboxes as well then. Although "email" would certainly be more scalable (the box is acting as MTA and MUA for a handful of domains).
> 
> Another "challenge" is plaintext passwords. "DIGEST-MD5 requires that the server stores the password in plain text." I was not aware of that.
> 
> For the "PLAIN" SASL mechanism, this is not required though, right? I certainly do _not_ want to store plaintext passwords in the ldap. No way.
> 
> And a final question: Am I right that the "auxprop-hashed" "pwcheck" methods can authenticate users against hashed ldap "userPassword" entries?
> 
> What are the restrictions with this method? So obviously DIGEST-MD5 will not work. Right? Will "PLAIN" work then? And how can I configure the server to only advertise those mechanisms that work??? (It would have been really nice if that would not need to be configured. (I am just asking for the information though and not the feature! ;-) I might give it a shot one day to implement, but am almost certain that I do not yet understand the problem well enough.)
> 
> Thank you!
> 
> Cheers
> 
> Patrick
> 
> 
> On 2021-11-4 06:46, Дилян Палаузов wrote:
> > Hello Patrick,
> > 
> > I propose you make first a working setup with sasldb-backend. This is a local database with username@domain:password. Once it works, your system is set up correctly and only the authentication needs to be tweaked.
> > 
> > DIGEST-MD5 requires that the server stores the password in plain text. It does work with sasldb, but e.g. with Kerberos it does not work. You have to tell the server explicitly not to advertise DIGEST-MD5 in such cases.
> > 
> > Greetings
> > Дилян
> > 
> > On Wed, 2021-11-03 at 18:22 -0400, patrick via SASL wrote:
> > > Hello all
> > > 
> > > I am trying to set up cyrus-imap in order to - ultimately - use it as a caldav/carddav server on a private server.
> > > 
> > > I have an openldap instance running in a standard configuration and would like to use the "auxprop-hashed" pwcheck method along with the "ldapdb" sasl module.
> > > 
> > > This seems not to be as simple as it sounds. Most probably, I am doing something wrong.
> > > 
> > > Is there any chance somebody could have a look and suggest fixes or - actually even preferred - point me to a working example of such a configuration?
> > > 
> > > I have searched near and far and read hundreds of documentation and source files, but I fail to make sense of those log lines:
> > > 
> > > badlogin: nexus [fec0::5054:ff:fe12:3456] DIGEST-MD5 [SASL(-4): no mechanism available: unable to canonify user and get auxprops]
> > > 
> > > and (or)
> > > 
> > > badlogin: nexus [fec0::5054:ff:fe12:3456] PLAIN [SASL(-4): no mechanism available: Password verification failed]
> > > 
> > > 
> > > I do not understand how, why and by which process they are exactly logged. And, most importantly, I cannot figure out what the underlying problem actually is. :-) I have tried many tweaks to the config. Plain password, "auxprop" instead of "auxprop-hashed" pwcheck, and more, all to no avail.
> > > 
> > > This is an up-to-date internet-connected ubuntu-20.04-minimal-cloudimg-amd64.img currently running in a qemu-vm on MacOS 11.6 (BigSur, 2nd-latest).
> > > 
> > > Any help is much appreciated.
> > > 
> > > Patrick
> > > 
> > > So far, I have:
> > > ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/cyrus.conf
> > > START {
> > >   recover cmd="/usr/sbin/cyrus ctl_cyrusdb -r"
> > >   delprune cmd="/usr/sbin/cyrus expire -E 3"
> > >   tlsprune cmd="/usr/sbin/cyrus tls_prune"
> > > }
> > > SERVICES {
> > >   imaps cmd="imapd -s -U 30" listen="nexus:imaps" prefork=0 maxchild=100
> > >   imaplocal cmd="imapd -C /etc/imapd-local.conf -U 30" listen="localhost:imap" prefork=0 maxchild=100
> > >   https cmd="httpd -s -U 30" listen="8443" prefork=0 maxchild=100
> > >   lmtpunix cmd="lmtpd" listen="/run/cyrus/socket/lmtp" prefork=0 maxchild=20
> > >   sieve cmd="timsieved" listen="localhost:sieve" prefork=0 maxchild=100
> > >   notify cmd="notifyd" listen="/run/cyrus/socket/notify" proto="udp" prefork=1
> > > }
> > > EVENTS {
> > >   checkpoint cmd="/usr/sbin/cyrus ctl_cyrusdb -c" period=30
> > >   delprune cmd="/usr/sbin/cyrus expire -E 3" at=0401
> > >   tlsprune cmd="/usr/sbin/cyrus tls_prune" at=0401
> > >   deleteprune cmd="/usr/sbin/cyrus expire -E 4 -D 28" at=0430
> > >   expungeprune cmd="/usr/sbin/cyrus expire -E 4 -X 28" at=0445
> > > }
> > > 
> > > ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/imapd.conf
> > > configdirectory: /var/lib/cyrus
> > > proc_path: /run/cyrus/proc
> > > mboxname_lockpath: /run/cyrus/lock
> > > defaultpartition: default
> > > partition-default: /var/spool/cyrus/mail
> > > partition-news: /var/spool/cyrus/news
> > > newsspool: /var/spool/news
> > > altnamespace: no
> > > unixhierarchysep: no
> > > lmtp_downcase_rcpt: yes
> > > allowanonymouslogin: no
> > > popminpoll: 1
> > > autocreate_quota: 0
> > > umask: 077
> > > sieveusehomedir: false
> > > sievedir: /var/spool/sieve
> > > httpmodules: caldav carddav
> > > hashimapspool: true
> > > allowplaintext: yes
> > > sasl_pwcheck_method: auxprop-hashed
> > > sasl_auxprop_plugin: ldapdb
> > > @include: /etc/imapd-ldap.conf
> > > sasl_auto_transition: no
> > > tls_server_cert: /etc/ssl/certs/ssl-cert-snakeoil.pem
> > > tls_server_key: /etc/ssl/private/ssl-cert-snakeoil.key
> > > tls_client_ca_dir: /etc/ssl/certs
> > > tls_session_timeout: 1440
> > > lmtpsocket: /run/cyrus/socket/lmtp
> > > idlesocket: /run/cyrus/socket/idle
> > > notifysocket: /run/cyrus/socket/notify
> > > syslog_prefix: cyrus
> > > 
> > > ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/imapd-ldap.conf
> > > ldap_base: ou=people,dc=patrickpfeifer,dc=net
> > > ldap_bind_dn: cn=admin,dc=patrickpfeifer,dc=net
> > > ldap_filter: (mail=%u)
> > > ldap_password: xxxx
> > > ldap_scope: one
> > > ldap_uri: ldapi:///
> > > ldap_version: 3
> > > 
> > > And:
> > > $ ldapsearch -H ldapi:/// -D cn=admin,dc=patrickpfeifer,dc=net -w xxxx -b 'ou=people,dc=patrickpfeifer,dc=net' '(mail=patrick@xxxxxxxxxxxxxxxxxx)'
> > > # extended LDIF
> > > #
> > > # LDAPv3
> > > # base <ou=people,dc=patrickpfeifer,dc=net> with scope subtree
> > > # filter: (mail=patrick@xxxxxxxxxxxxxxxxxx)
> > > # requesting: ALL
> > > #
> > > # patrick, people, patrickpfeifer.net
> > > dn: uid=patrick,ou=people,dc=patrickpfeifer,dc=net
> > > cn: Patrick Pfeifer
> > > objectClass: inetOrgPerson
> > > objectClass: top
> > > objectClass: person
> > > uid: patrick
> > > mail: patrick@xxxxxxxxxxxxxxxxxx
> > > sn: Pfeifer
> > > userPassword:: e1NTSXXXXXXXXXXXXXXXc9PQ=
> > > # search result
> > > search: 2
> > > result: 0 Success
> > > 
> > > # numResponses: 2
> > > # numEntries: 1
> > > 
> > > 
> > > However:
> > > $ /usr/lib/cyrus/bin/imtest -s -u patrick@xxxxxxxxxxxxxxxxxx -w xxxxx nexus
> > > verify error:num=18:self signed certificate
> > > TLS connection established: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
> > > S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=DIGEST-MD5 AUTH=NTLM AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN SASL-IR] nexus Cyrus IMAP 3.0.13-Debian-3.0.13-5 server ready
> > > C: A01 AUTHENTICATE DIGEST-MD5
> > > S: +
> > > bm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpSTk9JcjFFdHNGL0VkcnU1Q0QzR09PM
> > > Xc9I
> > > ixyZWFsbT0ibmV4dXMiLHFvcD0iYXV0aCIsbWF4YnVmPTQwOTYsY2hhcnNldD11dG
> > > YtOC
> > > xhbGdvcml0aG09bWQ1LXNlc3M=
> > > C:
> > > dXNlcm5hbWU9InVidW50dSIscmVhbG09Im5leHVzIixhdXRoemlkPSJwYXRyaWNrQ
> > > HBhd
> > > HJpY2twZmVpZmVyLm5ldCIsbm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpSTk9Jcj
> > > FFdH
> > > NGL0VkcnU1Q0QzR09PMXc9Iixjbm9uY2U9IlM2Yzh4WXJUZXFtcXB3dHYrWGJ2aGk
> > > 3cTV
> > > HM1dKby8xUWJlSkZZbGM5K289IixuYz0wMDAwMDAwMSxxb3A9YXV0aCxtYXhidWY9
> > > MTAy
> > > NCxkaWdlc3QtdXJpPSJpbWFwL25leHVzIixyZXNwb25zZT1iZjBmNjVkYmFiMWZhN
> > > jg3M
> > > mRjYjBhNDk0MmJhYzA0OA==
> > > S: A01 NO no mechanism available
> > > Authentication failed. generic failure
> > > Security strength factor: 256
> > > ^CC: Q01 LOGOUT
> > > Connection closed.
> > > 
> > > And:
> > > ubuntu@nexus:~$ journalctl -f
> > > -- Logs begin at Mon 2020-12-28 21:20:09 UTC. --
> > > 
> > > ...
> > > 
> > > Nov 03 21:55:08 nexus sudo[9147]: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/sbin/service cyrus-imapd start
> > > Nov 03 21:55:08 nexus sudo[9147]: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)
> > > Nov 03 21:55:09 nexus systemd[1]: Started Cyrus IMAP/POP3 daemons.
> > > Nov 03 21:55:09 nexus sudo[9147]: pam_unix(sudo:session): session closed for user root
> > > Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: skiplist: clean shutdown file missing, updating recovery stamp
> > > Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: recovering cyrus databases
> > > Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: done recovering cyrus databases
> > > Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: ldapdb
> > > Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: Expired 0 and expunged 0 out of 0 messages from 2 mailboxes
> > > Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: duplicate_prune: pruning back 3.00 days
> > > Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: duplicate_prune: purged 0 out of 0 entries
> > > Nov 03 21:55:09 nexus cyrus/tls_prune[9163]: tls_prune: purged 0 out of 38 entries
> > > Nov 03 21:55:09 nexus cyrus/master[9156]: unable to bind to imaps/ipv6 socket: Invalid argument
> > > Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9166]: checkpointing cyrus databases
> > > Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9166]: done checkpointing cyrus databases
> > > 
> > > Nov 03 21:55:14 nexus imtest[9170]: ldapdb
> > > Nov 03 21:55:14 nexus imtest[9170]: _sasl_plugin_load failed on sasl_canonuser_init
> > > Nov 03 21:55:14 nexus cyrus/imaps[9171]: ldapdb
> > > Nov 03 21:55:14 nexus cyrus/imaps[9171]: auxpropfunc error invalid parameter supplied
> > > Nov 03 21:55:14 nexus cyrus/imaps[9171]: ldapdb
> > > Nov 03 21:55:14 nexus cyrus/imaps[9171]: inittls: Loading hard-coded DH parameters
> > > Nov 03 21:55:14 nexus cyrus/imaps[9171]: TLS server engine: No client CA certs specified. Client side certs may not work
> > > Nov 03 21:55:14 nexus cyrus/imaps[9171]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits new) no authentication
> > > Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 client step 2
> > > Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 parse_server_challenge()
> > > Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 ask_user_info()
> > > Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 client step 2
> > > Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 ask_user_info()
> > > Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 make_client_response()
> > > Nov 03 21:55:14 nexus cyrus/imaps[9171]: SASL unable to canonify user and get auxprops
> > > Nov 03 21:55:14 nexus cyrus/imaps[9171]: badlogin: nexus [fec0::5054:ff:fe12:3456] DIGEST-MD5 [SASL(-4): no mechanism available: unable to canonify user and get auxprops]
> > > 
> > > If I change the "imtest" command line to use the PLAIN mech, I get:
> > > $ /usr/lib/cyrus/bin/imtest -s -m PLAIN -u patrick@xxxxxxxxxxxxxxxxxx -w xxxxx nexus
> > > 
> > > Nov 03 22:14:45 nexus imtest[9303]: ldapdb
> > > Nov 03 22:14:45 nexus imtest[9303]: _sasl_plugin_load failed on sasl_canonuser_init
> > > Nov 03 22:14:45 nexus cyrus/imaps[9304]: ldapdb
> > > Nov 03 22:14:45 nexus cyrus/imaps[9304]: auxpropfunc error invalid parameter supplied
> > > Nov 03 22:14:45 nexus cyrus/imaps[9304]: ldapdb
> > > Nov 03 22:14:45 nexus cyrus/imaps[9304]: inittls: Loading hard-coded DH parameters
> > > Nov 03 22:14:45 nexus cyrus/imaps[9304]: TLS server engine: No client CA certs specified. Client side certs may not work
> > > Nov 03 22:14:45 nexus cyrus/imaps[9304]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits new) no authentication
> > > Nov 03 22:14:45 nexus cyrus/imaps[9304]: SASL unknown password verifier(s) auxprop-hashed
> > > Nov 03 22:14:45 nexus cyrus/imaps[9304]: SASL Password verification failed
> > > Nov 03 22:14:45 nexus cyrus/imaps[9304]: badlogin: nexus [fec0::5054:ff:fe12:3456] PLAIN [SASL(-4): no mechanism available: Password verification failed]
> > > 
> > > 
> > > 
> > > More Info:
> > > ubuntu@nexus:~$ lsb_release -a
> > > No LSB modules are available.
> > > Distributor ID: Ubuntu
> > > Description: Ubuntu 20.04.3 LTS
> > > Release: 20.04
> > > Codename: focal
> > > 
> > > ubuntu@nexus:~$ dpkg -l | grep cyru\\\|sasl
> > > ii cyrus-admin 3.0.13-5
> > > ii cyrus-caldav 3.0.13-5
> > > ii cyrus-clients 3.0.13-5
> > > ii cyrus-common 3.0.13-5
> > > ii cyrus-imapd 3.0.13-5
> > > ii libcyrus-imap-perl:amd64 3.0.13-5
> > > ii libsasl2-2:amd64 2.1.27+dfsg-2
> > > ii libsasl2-modules:amd64 2.1.27+dfsg-2
> > > ii libsasl2-modules-db:amd64 2.1.27+dfsg-2
> > > ii libsasl2-modules-ldap:amd64 2.1.27+dfsg-2
> > > ii sasl2-bin 2.1.27+dfsg-2
> > > 
> > > 

------------------------------------------
Cyrus: SASL
Permalink: https://cyrus.topicbox.com/groups/sasl/T2c60ca246b64197b-Mca0709b7c3ddb3e3bb8688b4
Delivery options: https://cyrus.topicbox.com/groups/sasl/subscription
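An added example, not from the thread and not Cyrus SASL's own code, of the point the thread turns on: a PLAIN (or LOGIN) verifier can check a client-supplied password against a hashed OpenLDAP userPassword by re-hashing with the stored salt, whereas DIGEST-MD5 and CRAM-MD5 need a plaintext-derived secret the server does not hold, so they must not be advertised when only hashes are stored. It assumes the redacted userPassword in the thread is an {SSHA} value (its base64 prefix decodes to "{SS..."); the sample hash, salt and password below are constructed here.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt).
    Used only to construct a sample entry; the thread's real hash is redacted."""
    salt = salt if salt is not None else secrets.token_bytes(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_plain(userpassword: str, candidate: str) -> bool:
    """What a PLAIN/LOGIN password verifier can do with a hashed userPassword:
    it has the plaintext from the client, so it re-hashes with the stored salt
    and compares in constant time. No plaintext is ever stored server-side."""
    if not userpassword.startswith("{SSHA}"):
        raise ValueError("unsupported userPassword scheme")
    raw = base64.b64decode(userpassword[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def advertisable_mechs(server_has_plaintext: bool) -> list:
    """Mechanisms a server can honestly advertise for a given storage form.
    CRAM-MD5 and DIGEST-MD5 compute a keyed digest over the password itself,
    so the server needs the plaintext (or a secret derived from it); with only
    a salted hash on file they can never succeed and should be left out."""
    mechs = ["PLAIN", "LOGIN"]
    if server_has_plaintext:
        mechs += ["CRAM-MD5", "DIGEST-MD5"]
    return mechs


if __name__ == "__main__":
    entry = make_ssha("correct horse")          # constructed sample entry
    print(entry)
    print("PLAIN ok:", verify_plain(entry, "correct horse"))
    print("hashed storage advertises:", advertisable_mechs(False))
```

On the Cyrus side the advertisement itself is controlled by libsasl's mech_list option, which Cyrus IMAP reads from imapd.conf as sasl_mech_list.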



