Re: auxprop pwcheck with sasl ldapdb and openldap backend not working

I am just wondering _how_ this message can even appear in the log, given that ...

➜  cyrus-sasl git:(master) git status
On branch master
Your branch is behind 'origin/master' by 182 commits, and can be fast-forwarded.
  (use "git pull" to update your local branch)

nothing to commit, working tree clean
➜  cyrus-sasl git:(master) git describe HEAD
cyrus-sasl-2.1.27
➜  cyrus-sasl git:(master) grep -B2 auxprop-hashed lib/checkpw.c
struct sasl_verify_password_s _sasl_verify_password[] = {
    { "auxprop", &auxprop_verify_password },
    { "auxprop-hashed", &auxprop_verify_password_hashed },
➜  cyrus-sasl git:(master) grep -B30 "unknown password verifier" lib/server.c
    if (_sasl_getcallback(conn, SASL_CB_GETOPT, (sasl_callback_ft *)&getopt, &context)
            == SASL_OK) {
        getopt(context, NULL, "pwcheck_method", &mlist, NULL);
    }

    if(!mlist) mlist = DEFAULT_CHECKPASS_MECH;

    result = SASL_NOMECH;

    mech = mlist;
    while (*mech && result != SASL_OK) {
    for (v = _sasl_verify_password; v->name; v++) {
        if(is_mech(mech, v->name)) {
        result = v->verify(conn, user, pass, service,
                   s_conn->user_realm);
        break;
        }
    }
    if (result != SASL_OK) {
        /* skip to next mech in list */
        while (*mech && !isspace((int) *mech)) mech++;
        while (*mech && isspace((int) *mech)) mech++;
    }
    else if (!is_mech(mech, "auxprop") && s_conn->sparams->transition) {
        s_conn->sparams->transition(conn, pass, passlen);
    }
    }

    if (result == SASL_NOMECH) {
    /* no mechanism available ?!? */
    _sasl_log(conn, SASL_LOG_ERR, "unknown password verifier(s) %s", mlist);

-------------

So "mlist" holds "auxprop-hashed", as does the second name in "_sasl_verify_password" ... but that means that the result _should_ be "_sasl_verify_password + 1", then ... shouldn't it ???

Or is that - maybe - a known bug???
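The dispatch loop quoted above, modelled as a stand-alone C program (an added example, not cyrus-sasl's own code; the verifier table and what each stub verifier returns are assumptions). It shows that "auxprop-hashed" does match the second table entry, and that the "unknown password verifier(s)" line is logged whenever the loop finishes with SASL_NOMECH, which also covers the case where the matched verifier itself returns SASL_NOMECH rather than the name being unknown.

```c
/* Added example: a model of the pwcheck_method dispatch loop from lib/server.c.
 * Assumption: the stub verifiers below stand in for the real ones in checkpw.c. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define SASL_OK      0
#define SASL_NOMECH (-4)

typedef int (*verify_fn)(const char *user, const char *pass);

/* Stub: an auxprop verifier that succeeds. */
static int stub_auxprop_ok(const char *u, const char *p) { (void)u; (void)p; return SASL_OK; }
/* Stub: an auxprop-hashed verifier whose backing plugin is unavailable (assumed to report SASL_NOMECH). */
static int stub_auxprop_hashed_noplugin(const char *u, const char *p) { (void)u; (void)p; return SASL_NOMECH; }

static const struct { const char *name; verify_fn verify; } verifiers[] = {
    { "auxprop",        stub_auxprop_ok },
    { "auxprop-hashed", stub_auxprop_hashed_noplugin },
    { NULL, NULL }
};

/* Token match modelled after is_mech(): the name must cover the whole current token,
 * so "auxprop" does NOT match the token "auxprop-hashed". */
static int is_mech(const char *mech, const char *name) {
    size_t n = strlen(name);
    return strncasecmp(mech, name, n) == 0 && (mech[n] == '\0' || isspace((unsigned char)mech[n]));
}

/* Walk the whitespace-separated pwcheck_method list exactly as the quoted loop does.
 * Returns the final result; *logged is set to 1 if the "unknown password verifier(s)" line fires. */
static int check_password(const char *mlist, const char *user, const char *pass, int *logged) {
    const char *mech = mlist;
    int result = SASL_NOMECH;
    *logged = 0;
    while (*mech && result != SASL_OK) {
        for (size_t i = 0; verifiers[i].name; i++) {
            if (is_mech(mech, verifiers[i].name)) {
                result = verifiers[i].verify(user, pass);
                break;
            }
        }
        if (result != SASL_OK) {               /* skip to next mech in list */
            while (*mech && !isspace((unsigned char)*mech)) mech++;
            while (*mech && isspace((unsigned char)*mech)) mech++;
        }
    }
    if (result == SASL_NOMECH) {               /* no name matched, OR the matched verifier said NOMECH */
        fprintf(stderr, "unknown password verifier(s) %s\n", mlist);
        *logged = 1;
    }
    return result;
}
```

Run with mlist set to "auxprop-hashed" and the log line fires even though the name is in the table; with "auxprop-hashed auxprop" the loop falls through to the second verifier and succeeds.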

-------



On 2021-11-5 14:16, Patrick Pfeifer via SASL wrote:
Btw. when I am trying to use "PLAIN" mechanism, I get a slightly different error message.... not sure why, as imapd.conf includes

allowplaintext: yes

$ /usr/lib/cyrus/bin/imtest -s -m plain -a patrick -w patrick nexus
verify error:num=18:self signed certificate
TLS connection established: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=DIGEST-MD5 AUTH=NTLM AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN SASL-IR] nexus Cyrus IMAP 3.0.13-Debian-3.0.13-5 server ready
C: A01 AUTHENTICATE PLAIN AHBhdHJpY2sAcGF0cmljaw==
S: A01 NO no mechanism available

Nov 05 13:12:26 nexus imtest[12065]: ldapdb
Nov 05 13:12:26 nexus imtest[12065]: _sasl_plugin_load failed on sasl_canonuser_init
Nov 05 13:12:26 nexus cyrus/imaps2[12063]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits new) no authentication
Nov 05 13:12:26 nexus cyrus/imaps2[12063]: SASL unknown password verifier(s) auxprop-hashed
Nov 05 13:12:26 nexus cyrus/imaps2[12063]: SASL Password verification failed
Nov 05 13:12:26 nexus cyrus/imaps2[12063]: badlogin: nexus [fec0::5054:ff:fe12:3456] PLAIN [SASL(-4): no mechanism available: Password verification failed]


On 2021-11-4 06:46, Дилян Палаузов wrote:
Hello Patrick,

I propose you first make a working setup with the sasldb backend. This is
a local database with username@domain:password.  Once it works, your
system is set up correctly and only the authentication needs to be
tweaked.

DIGEST-MD5 requires that the server stores the password in plain text.
It does work with sasldb, but e.g. with Kerberos it does not work.  You
have to tell the server explicitly not to advertise DIGEST-MD5 in such
cases.

Greetings
   Дилян

On Wed, 2021-11-03 at 18:22 -0400, patrick via SASL wrote:
Hello all

I am trying to set up cyrus-imap in order to - ultimately - use it as
a caldav/carddav server on a private server.

I have an openldap instance running in a standard configuration and
would like to use the "auxprop-hashed" pwcheck method along with the
"ldapdb" sasl module.

This seems not to be as simple as it sounds. Most probably, I am
doing something wrong.

Is there any chance, somebody could have a look and suggest fixes or
- actually even preferred - point me to a working example of such a
configuration?

I have searched near and far and read hundreds of documentation and
source files, but I fail to make sense of those log lines:

badlogin: nexus [fec0::5054:ff:fe12:3456] DIGEST-MD5 [SASL(-4): no
mechanism available: unable to canonify user and get auxprops]

and (or)

badlogin: nexus [fec0::5054:ff:fe12:3456] PLAIN [SASL(-4): no
mechanism available: Password verification failed]


I do not understand how, why and by which process they are exactly
logged. And, most importantly, I cannot figure out what the
underlying problem actually is. :-) I have tried many tweaks to the
config. Plain password, "auxprop" instead of "auxprop-hashed"
pwcheck, and more, all to no avail.

This is an up-to-date internet-connected ubuntu-20.04-minimal-cloudimg-amd64.img
currently running in a qemu VM on MacOS 11.6 (BigSur, 2nd-latest).

Any help is much appreciated.

Patrick

So far, I have:
ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/cyrus.conf
START {
       recover         cmd="/usr/sbin/cyrus ctl_cyrusdb -r"
       delprune        cmd="/usr/sbin/cyrus expire -E 3"
       tlsprune        cmd="/usr/sbin/cyrus tls_prune"
}
SERVICES {
       imaps           cmd="imapd -s -U 30" listen="nexus:imaps"
prefork=0 maxchild=100
       imaplocal       cmd="imapd -C /etc/imapd-local.conf -U 30"
listen="localhost:imap" prefork=0 maxchild=100
       https           cmd="httpd -s -U 30" listen="8443" prefork=0
maxchild=100
       lmtpunix        cmd="lmtpd" listen="/run/cyrus/socket/lmtp"
prefork=0 maxchild=20
       sieve           cmd="timsieved" listen="localhost:sieve"
prefork=0 maxchild=100
       notify          cmd="notifyd"
listen="/run/cyrus/socket/notify" proto="udp" prefork=1
}
EVENTS {
       checkpoint      cmd="/usr/sbin/cyrus ctl_cyrusdb -c"
period=30
       delprune        cmd="/usr/sbin/cyrus expire -E 3" at=0401
       tlsprune        cmd="/usr/sbin/cyrus tls_prune" at=0401
       deleteprune     cmd="/usr/sbin/cyrus expire -E 4 -D 28"
at=0430
       expungeprune    cmd="/usr/sbin/cyrus expire -E 4 -X 28"
at=0445
}

ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/imapd.conf
configdirectory: /var/lib/cyrus
proc_path: /run/cyrus/proc
mboxname_lockpath: /run/cyrus/lock
defaultpartition: default
partition-default: /var/spool/cyrus/mail
partition-news: /var/spool/cyrus/news
newsspool: /var/spool/news
altnamespace: no
unixhierarchysep: no
lmtp_downcase_rcpt: yes
allowanonymouslogin: no
popminpoll: 1
autocreate_quota: 0
umask: 077
sieveusehomedir: false
sievedir: /var/spool/sieve
httpmodules: caldav carddav
hashimapspool: true
allowplaintext: yes
sasl_pwcheck_method: auxprop-hashed
sasl_auxprop_plugin: ldapdb
@include: /etc/imapd-ldap.conf
sasl_auto_transition: no
tls_server_cert: /etc/ssl/certs/ssl-cert-snakeoil.pem
tls_server_key: /etc/ssl/private/ssl-cert-snakeoil.key
tls_client_ca_dir: /etc/ssl/certs
tls_session_timeout: 1440
lmtpsocket: /run/cyrus/socket/lmtp
idlesocket: /run/cyrus/socket/idle
notifysocket: /run/cyrus/socket/notify
syslog_prefix: cyrus

ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/imapd-ldap.conf
ldap_base: ou=people,dc=patrickpfeifer,dc=net
ldap_bind_dn: cn=admin,dc=patrickpfeifer,dc=net
ldap_filter: (mail=%u)
ldap_password: xxxx
ldap_scope: one
ldap_uri: ldapi:///
ldap_version: 3

And:
$ ldapsearch -H ldapi:/// -D cn=admin,dc=patrickpfeifer,dc=net -w
xxxx -b 'ou=people,dc=patrickpfeifer,dc=net'
'(mail=patrick@xxxxxxxxxxxxxxxxxx)'
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=patrickpfeifer,dc=net> with scope subtree
# filter: (mail=patrick@xxxxxxxxxxxxxxxxxx)
# requesting: ALL
#
# patrick, people, patrickpfeifer.net
dn: uid=patrick,ou=people,dc=patrickpfeifer,dc=net
cn: Patrick Pfeifer
objectClass: inetOrgPerson
objectClass: top
objectClass: person
uid: patrick
mail: patrick@xxxxxxxxxxxxxxxxxx
sn: Pfeifer
userPassword:: e1NTSXXXXXXXXXXXXXXXc9PQ=
# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


However:
$ /usr/lib/cyrus/bin/imtest -s -u patrick@xxxxxxxxxxxxxxxxxx -w xxxxx
nexus
verify error:num=18:self signed certificate
TLS connection established: TLSv1.3 with cipher
TLS_AES_256_GCM_SHA384 (256/256 bits)
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=DIGEST-MD5
AUTH=NTLM AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN SASL-IR] nexus Cyrus
IMAP 3.0.13-Debian-3.0.13-5 server ready
C: A01 AUTHENTICATE DIGEST-MD5
S: +
bm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpSTk9JcjFFdHNGL0VkcnU1Q0QzR09PMXc9I
ixyZWFsbT0ibmV4dXMiLHFvcD0iYXV0aCIsbWF4YnVmPTQwOTYsY2hhcnNldD11dGYtOC
xhbGdvcml0aG09bWQ1LXNlc3M=
C:
dXNlcm5hbWU9InVidW50dSIscmVhbG09Im5leHVzIixhdXRoemlkPSJwYXRyaWNrQHBhd
HJpY2twZmVpZmVyLm5ldCIsbm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpSTk9JcjFFdH
NGL0VkcnU1Q0QzR09PMXc9Iixjbm9uY2U9IlM2Yzh4WXJUZXFtcXB3dHYrWGJ2aGk3cTV
HM1dKby8xUWJlSkZZbGM5K289IixuYz0wMDAwMDAwMSxxb3A9YXV0aCxtYXhidWY9MTAy
NCxkaWdlc3QtdXJpPSJpbWFwL25leHVzIixyZXNwb25zZT1iZjBmNjVkYmFiMWZhNjg3M
mRjYjBhNDk0MmJhYzA0OA==
S: A01 NO no mechanism available
Authentication failed. generic failure
Security strength factor: 256
^CC: Q01 LOGOUT
Connection closed.

And:
ubuntu@nexus:~$ journalctl -f
-- Logs begin at Mon 2020-12-28 21:20:09 UTC. --

...

Nov 03 21:55:08 nexus sudo[9147]:   ubuntu : TTY=pts/0 ;
PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/sbin/service cyrus-imapd
start
Nov 03 21:55:08 nexus sudo[9147]: pam_unix(sudo:session): session
opened for user root by ubuntu(uid=0)
Nov 03 21:55:09 nexus systemd[1]: Started Cyrus IMAP/POP3 daemons.
Nov 03 21:55:09 nexus sudo[9147]: pam_unix(sudo:session): session
closed for user root
Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: skiplist: clean
shutdown file missing, updating recovery stamp
Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: recovering cyrus
databases
Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: done recovering cyrus
databases
Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: ldapdb
Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: Expired 0 and expunged
0 out of 0 messages from 2 mailboxes
Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: duplicate_prune:
pruning back 3.00 days
Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: duplicate_prune: purged
0 out of 0 entries
Nov 03 21:55:09 nexus cyrus/tls_prune[9163]: tls_prune: purged 0 out
of 38 entries
Nov 03 21:55:09 nexus cyrus/master[9156]: unable to bind to
imaps/ipv6 socket: Invalid argument
Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9166]: checkpointing cyrus
databases
Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9166]: done checkpointing
cyrus databases

Nov 03 21:55:14 nexus imtest[9170]: ldapdb
Nov 03 21:55:14 nexus imtest[9170]: _sasl_plugin_load failed on
sasl_canonuser_init
Nov 03 21:55:14 nexus cyrus/imaps[9171]: ldapdb
Nov 03 21:55:14 nexus cyrus/imaps[9171]: auxpropfunc error invalid
parameter supplied
Nov 03 21:55:14 nexus cyrus/imaps[9171]: ldapdb
Nov 03 21:55:14 nexus cyrus/imaps[9171]: inittls: Loading hard-coded
DH parameters
Nov 03 21:55:14 nexus cyrus/imaps[9171]: TLS server engine: No client
CA certs specified. Client side certs may not work
Nov 03 21:55:14 nexus cyrus/imaps[9171]: starttls: TLSv1.3 with
cipher TLS_AES_256_GCM_SHA384 (256/256 bits new) no authentication
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 client step 2
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5
parse_server_challenge()
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 ask_user_info()
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 client step 2
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 ask_user_info()
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 make_client_response()
Nov 03 21:55:14 nexus cyrus/imaps[9171]: SASL unable to canonify user
and get auxprops
Nov 03 21:55:14 nexus cyrus/imaps[9171]: badlogin: nexus
[fec0::5054:ff:fe12:3456] DIGEST-MD5 [SASL(-4): no mechanism
available: unable to canonify user and get auxprops]

If I change the "imtest" command line to use the PLAIN mech, I get:
$ /usr/lib/cyrus/bin/imtest -s -m PLAIN -u patrick@xxxxxxxxxxxxxxxxxx
-w xxxxx nexus

Nov 03 22:14:45 nexus imtest[9303]: ldapdb
Nov 03 22:14:45 nexus imtest[9303]: _sasl_plugin_load failed on
sasl_canonuser_init
Nov 03 22:14:45 nexus cyrus/imaps[9304]: ldapdb
Nov 03 22:14:45 nexus cyrus/imaps[9304]: auxpropfunc error invalid
parameter supplied
Nov 03 22:14:45 nexus cyrus/imaps[9304]: ldapdb
Nov 03 22:14:45 nexus cyrus/imaps[9304]: inittls: Loading hard-coded
DH parameters
Nov 03 22:14:45 nexus cyrus/imaps[9304]: TLS server engine: No client
CA certs specified. Client side certs may not work
Nov 03 22:14:45 nexus cyrus/imaps[9304]: starttls: TLSv1.3 with
cipher TLS_AES_256_GCM_SHA384 (256/256 bits new) no authentication
Nov 03 22:14:45 nexus cyrus/imaps[9304]: SASL unknown password
verifier(s) auxprop-hashed
Nov 03 22:14:45 nexus cyrus/imaps[9304]: SASL Password verification
failed
Nov 03 22:14:45 nexus cyrus/imaps[9304]: badlogin: nexus
[fec0::5054:ff:fe12:3456] PLAIN [SASL(-4): no mechanism available:
Password verification failed]



More Info:
ubuntu@nexus:~$ lsb_release -a
No LSB modules are available.
Distributor ID:       Ubuntu
Description:  Ubuntu 20.04.3 LTS
Release:      20.04
Codename:     focal

ubuntu@nexus:~$ dpkg -l | grep cyru\\\|sasl
ii  cyrus-admin                    3.0.13-5
ii  cyrus-caldav                   3.0.13-5
ii  cyrus-clients                  3.0.13-5
ii  cyrus-common                   3.0.13-5
ii  cyrus-imapd                    3.0.13-5
ii  libcyrus-imap-perl:amd64       3.0.13-5
ii  libsasl2-2:amd64               2.1.27+dfsg-2
ii  libsasl2-modules:amd64         2.1.27+dfsg-2
ii  libsasl2-modules-db:amd64      2.1.27+dfsg-2
ii  libsasl2-modules-ldap:amd64    2.1.27+dfsg-2
ii  sasl2-bin                      2.1.27+dfsg-2


------------------------------------------
Cyrus: SASL
Permalink: https://cyrus.topicbox.com/groups/sasl/T2c60ca246b64197b-M10276cceecc5033d0cbff41e
Delivery options: https://cyrus.topicbox.com/groups/sasl/subscription
