On Thu, 04 Nov 2021 07:46:17 +0200, Дилян Палаузов <dilyan.palauzov@xxxxxxxxx> wrote:

> Hello Patrick,
>
> I propose you first make a working setup with the sasldb backend. This is
> a local database with username@domain:password. Once it works, your
> system is set up correctly and only the authentication needs to be
> tweaked.
>
> DIGEST-MD5 requires that the server stores the password in plain text.
> It does work with sasldb, but e.g. with Kerberos it does not work.
> You have to tell the server explicitly not to advertise DIGEST-MD5 in
> such cases.

Forget about sasldb in the context of OpenLDAP.
Alternatively you may think about TOTP:
https://blog.sys4.de/totp-time-based-one-time-password-authentication-en.html
I know it is quite old, and there might be more documentation.

-Dieter

> Greetings
> Дилян
>
> On Wed, 2021-11-03 at 18:22 -0400, patrick via SASL wrote:
> > Hello all
> >
> > I am trying to set up cyrus-imap in order to - ultimately - use it
> > as a caldav/carddav server on a private server.
> >
> > I have an openldap instance running in a standard configuration and
> > would like to use the "auxprop-hashed" pwcheck method along with the
> > "ldapdb" sasl module.
> >
> > This seems not to be as simple as it sounds. Most probably, I am
> > doing something wrong.
> >
> > Is there any chance somebody could have a look and suggest fixes or
> > - actually even preferred - point me to a working example of such a
> > configuration?
> >
> > I have searched near and far and read hundreds of documentation and
> > source files, but I fail to make sense of these log lines:
> >
> > badlogin: nexus [fec0::5054:ff:fe12:3456] DIGEST-MD5 [SASL(-4): no
> > mechanism available: unable to canonify user and get auxprops]
> >
> > and (or)
> >
> > badlogin: nexus [fec0::5054:ff:fe12:3456] PLAIN [SASL(-4): no
> > mechanism available: Password verification failed]
> >
> > I do not understand how, why and by which process exactly they are
> > logged. And, most importantly, I cannot figure out what the
> > underlying problem actually is. :-) I have tried many tweaks to the
> > config: plain password, "auxprop" instead of "auxprop-hashed"
> > pwcheck, and more, all to no avail.
> >
> > This is an up-to-date internet-connected ubuntu-20.04-minimal-
> > cloudimg-amd64.img currently running in a qemu VM on macOS 11.6
> > (Big Sur, 2nd-latest).
> >
> > Any help is much appreciated.
> >
> > Patrick
> >
> > So far, I have:
> >
> > ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/cyrus.conf
> > START {
> >     recover       cmd="/usr/sbin/cyrus ctl_cyrusdb -r"
> >     delprune      cmd="/usr/sbin/cyrus expire -E 3"
> >     tlsprune      cmd="/usr/sbin/cyrus tls_prune"
> > }
> > SERVICES {
> >     imaps         cmd="imapd -s -U 30" listen="nexus:imaps" prefork=0 maxchild=100
> >     imaplocal     cmd="imapd -C /etc/imapd-local.conf -U 30" listen="localhost:imap" prefork=0 maxchild=100
> >     https         cmd="httpd -s -U 30" listen="8443" prefork=0 maxchild=100
> >     lmtpunix      cmd="lmtpd" listen="/run/cyrus/socket/lmtp" prefork=0 maxchild=20
> >     sieve         cmd="timsieved" listen="localhost:sieve" prefork=0 maxchild=100
> >     notify        cmd="notifyd" listen="/run/cyrus/socket/notify" proto="udp" prefork=1
> > }
> > EVENTS {
> >     checkpoint    cmd="/usr/sbin/cyrus ctl_cyrusdb -c" period=30
> >     delprune      cmd="/usr/sbin/cyrus expire -E 3" at=0401
> >     tlsprune      cmd="/usr/sbin/cyrus tls_prune" at=0401
> >     deleteprune   cmd="/usr/sbin/cyrus expire -E 4 -D 28" at=0430
> >     expungeprune  cmd="/usr/sbin/cyrus expire -E 4 -X 28" at=0445
> > }
> >
> > ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/imapd.conf
> > configdirectory: /var/lib/cyrus
> > proc_path: /run/cyrus/proc
> > mboxname_lockpath: /run/cyrus/lock
> > defaultpartition: default
> > partition-default: /var/spool/cyrus/mail
> > partition-news: /var/spool/cyrus/news
> > newsspool: /var/spool/news
> > altnamespace: no
> > unixhierarchysep: no
> > lmtp_downcase_rcpt: yes
> > allowanonymouslogin: no
> > popminpoll: 1
> > autocreate_quota: 0
> > umask: 077
> > sieveusehomedir: false
> > sievedir: /var/spool/sieve
> > httpmodules: caldav carddav
> > hashimapspool: true
> > allowplaintext: yes
> > sasl_pwcheck_method: auxprop-hashed
> > sasl_auxprop_plugin: ldapdb
> > @include: /etc/imapd-ldap.conf
> > sasl_auto_transition: no
> > tls_server_cert: /etc/ssl/certs/ssl-cert-snakeoil.pem
> > tls_server_key: /etc/ssl/private/ssl-cert-snakeoil.key
> > tls_client_ca_dir: /etc/ssl/certs
> > tls_session_timeout: 1440
> > lmtpsocket: /run/cyrus/socket/lmtp
> > idlesocket: /run/cyrus/socket/idle
> > notifysocket: /run/cyrus/socket/notify
> > syslog_prefix: cyrus
> >
> > ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/imapd-ldap.conf
> > ldap_base: ou=people,dc=patrickpfeifer,dc=net
> > ldap_bind_dn: cn=admin,dc=patrickpfeifer,dc=net
> > ldap_filter: (mail=%u)
> > ldap_password: xxxx
> > ldap_scope: one
> > ldap_uri: ldapi:///
> > ldap_version: 3
> >
> > And:
> > $ ldapsearch -H ldapi:/// -D cn=admin,dc=patrickpfeifer,dc=net -w xxxx -b 'ou=people,dc=patrickpfeifer,dc=net' '(mail=patrick@xxxxxxxxxxxxxxxxxx)'
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <ou=people,dc=patrickpfeifer,dc=net> with scope subtree
> > # filter: (mail=patrick@xxxxxxxxxxxxxxxxxx)
> > # requesting: ALL
> > #
> >
> > # patrick, people, patrickpfeifer.net
> > dn: uid=patrick,ou=people,dc=patrickpfeifer,dc=net
> > cn: Patrick Pfeifer
> > objectClass: inetOrgPerson
> > objectClass: top
> > objectClass: person
> > uid: patrick
> > mail: patrick@xxxxxxxxxxxxxxxxxx
> > sn: Pfeifer
> > userPassword:: e1NTSXXXXXXXXXXXXXXXc9PQ=
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> >
> >
> > However:
> > $ /usr/lib/cyrus/bin/imtest -s -u patrick@xxxxxxxxxxxxxxxxxx -w xxxxx nexus
> > verify error:num=18:self signed certificate
> > TLS connection established: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
> > S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=DIGEST-MD5 AUTH=NTLM AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN SASL-IR] nexus Cyrus IMAP 3.0.13-Debian-3.0.13-5 server ready
> > C: A01 AUTHENTICATE DIGEST-MD5
> > S: + bm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpSTk9JcjFFdHNGL0VkcnU1Q0QzR09PMXc9I
> > ixyZWFsbT0ibmV4dXMiLHFvcD0iYXV0aCIsbWF4YnVmPTQwOTYsY2hhcnNldD11dGYtOC
> > xhbGdvcml0aG09bWQ1LXNlc3M=
> > C: dXNlcm5hbWU9InVidW50dSIscmVhbG09Im5leHVzIixhdXRoemlkPSJwYXRyaWNrQHBhd
> > HJpY2twZmVpZmVyLm5ldCIsbm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpSTk9JcjFFdH
> > NGL0VkcnU1Q0QzR09PMXc9Iixjbm9uY2U9IlM2Yzh4WXJUZXFtcXB3dHYrWGJ2aGk3cTV
> > HM1dKby8xUWJlSkZZbGM5K289IixuYz0wMDAwMDAwMSxxb3A9YXV0aCxtYXhidWY9MTAy
> > NCxkaWdlc3QtdXJpPSJpbWFwL25leHVzIixyZXNwb25zZT1iZjBmNjVkYmFiMWZhNjg3M
> > mRjYjBhNDk0MmJhYzA0OA==
> > S: A01 NO no mechanism available
> > Authentication failed. generic failure
> > Security strength factor: 256
> > ^CC: Q01 LOGOUT
> > Connection closed.
> >
> > And:
> > ubuntu@nexus:~$ journalctl -f
> > -- Logs begin at Mon 2020-12-28 21:20:09 UTC. --
> >
> > ...
> >
> > Nov 03 21:55:08 nexus sudo[9147]: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/sbin/service cyrus-imapd start
> > Nov 03 21:55:08 nexus sudo[9147]: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)
> > Nov 03 21:55:09 nexus systemd[1]: Started Cyrus IMAP/POP3 daemons.
> > Nov 03 21:55:09 nexus sudo[9147]: pam_unix(sudo:session): session closed for user root
> > Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: skiplist: clean shutdown file missing, updating recovery stamp
> > Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: recovering cyrus databases
> > Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: done recovering cyrus databases
> > Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: ldapdb
> > Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: Expired 0 and expunged 0 out of 0 messages from 2 mailboxes
> > Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: duplicate_prune: pruning back 3.00 days
> > Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: duplicate_prune: purged 0 out of 0 entries
> > Nov 03 21:55:09 nexus cyrus/tls_prune[9163]: tls_prune: purged 0 out of 38 entries
> > Nov 03 21:55:09 nexus cyrus/master[9156]: unable to bind to imaps/ipv6 socket: Invalid argument
> > Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9166]: checkpointing cyrus databases
> > Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9166]: done checkpointing cyrus databases
> >
> > Nov 03 21:55:14 nexus imtest[9170]: ldapdb
> > Nov 03 21:55:14 nexus imtest[9170]: _sasl_plugin_load failed on sasl_canonuser_init
> > Nov 03 21:55:14 nexus cyrus/imaps[9171]: ldapdb
> > Nov 03 21:55:14 nexus cyrus/imaps[9171]: auxpropfunc error invalid parameter supplied
> > Nov 03 21:55:14 nexus cyrus/imaps[9171]: ldapdb
> > Nov 03 21:55:14 nexus cyrus/imaps[9171]: inittls: Loading hard-coded DH parameters
> > Nov 03 21:55:14 nexus cyrus/imaps[9171]: TLS server engine: No client CA certs specified. Client side certs may not work
> > Nov 03 21:55:14 nexus cyrus/imaps[9171]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits new) no authentication
> > Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 client step 2
> > Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 parse_server_challenge()
> > Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 ask_user_info()
> > Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 client step 2
> > Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 ask_user_info()
> > Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 make_client_response()
> > Nov 03 21:55:14 nexus cyrus/imaps[9171]: SASL unable to canonify user and get auxprops
> > Nov 03 21:55:14 nexus cyrus/imaps[9171]: badlogin: nexus [fec0::5054:ff:fe12:3456] DIGEST-MD5 [SASL(-4): no mechanism available: unable to canonify user and get auxprops]
> >
> > If I change the "imtest" command line to use the PLAIN mech, I get:
> > $ /usr/lib/cyrus/bin/imtest -s -m PLAIN -u patrick@xxxxxxxxxxxxxxxxxx -w xxxxx nexus
> >
> > Nov 03 22:14:45 nexus imtest[9303]: ldapdb
> > Nov 03 22:14:45 nexus imtest[9303]: _sasl_plugin_load failed on sasl_canonuser_init
> > Nov 03 22:14:45 nexus cyrus/imaps[9304]: ldapdb
> > Nov 03 22:14:45 nexus cyrus/imaps[9304]: auxpropfunc error invalid parameter supplied
> > Nov 03 22:14:45 nexus cyrus/imaps[9304]: ldapdb
> > Nov 03 22:14:45 nexus cyrus/imaps[9304]: inittls: Loading hard-coded DH parameters
> > Nov 03 22:14:45 nexus cyrus/imaps[9304]: TLS server engine: No client CA certs specified. Client side certs may not work
> > Nov 03 22:14:45 nexus cyrus/imaps[9304]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits new) no authentication
> > Nov 03 22:14:45 nexus cyrus/imaps[9304]: SASL unknown password verifier(s) auxprop-hashed
> > Nov 03 22:14:45 nexus cyrus/imaps[9304]: SASL Password verification failed
> > Nov 03 22:14:45 nexus cyrus/imaps[9304]: badlogin: nexus [fec0::5054:ff:fe12:3456] PLAIN [SASL(-4): no mechanism available: Password verification failed]
> >
> >
> >
> > More info:
> > ubuntu@nexus:~$ lsb_release -a
> > No LSB modules are available.
> > Distributor ID: Ubuntu
> > Description:    Ubuntu 20.04.3 LTS
> > Release:        20.04
> > Codename:       focal
> >
> > ubuntu@nexus:~$ dpkg -l | grep cyru\\\|sasl
> > ii  cyrus-admin                   3.0.13-5
> > ii  cyrus-caldav                  3.0.13-5
> > ii  cyrus-clients                 3.0.13-5
> > ii  cyrus-common                  3.0.13-5
> > ii  cyrus-imapd                   3.0.13-5
> > ii  libcyrus-imap-perl:amd64      3.0.13-5
> > ii  libsasl2-2:amd64              2.1.27+dfsg-2
> > ii  libsasl2-modules:amd64        2.1.27+dfsg-2
> > ii  libsasl2-modules-db:amd64     2.1.27+dfsg-2
> > ii  libsasl2-modules-ldap:amd64   2.1.27+dfsg-2
> > ii  sasl2-bin                     2.1.27+dfsg-2

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E

------------------------------------------
Cyrus: SASL
Permalink: https://cyrus.topicbox.com/groups/sasl/T2c60ca246b64197b-Mbf0e13f59e26d9ebd142809b
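The DIGEST-MD5 challenge and response in Patrick's imtest transcript are plain base64 and can be decoded, which makes Дилян's point about plaintext password storage concrete. The script below is an added example for readers of this thread; it is not code from the thread, from Cyrus SASL or from Cyrus IMAP. The two base64 strings are copied from the transcript above (rejoined across the mail's line wraps); the RFC 2831 test vector is the one from section 4 of that RFC; PLACEHOLDER_PASSWORD is an assumption, because the real password is redacted in the post, so the recomputed response for "nexus" will not match the transcript's value. Decoding also shows that the client authenticated as username="ubuntu" (imtest's default authentication id is the local user; -u sets the authorization id) and only asked to be authorized as the -u user, which appears as authzid.

```python
"""Decode a DIGEST-MD5 (RFC 2831) exchange and reproduce the response
computation, to show what the server must hold to verify it.

Added example for this thread, not code from the thread or from Cyrus SASL.
SERVER_CHALLENGE_B64 / CLIENT_RESPONSE_B64 are copied from the imtest
transcript in the thread.  PLACEHOLDER_PASSWORD is an assumption (the real
password is redacted), so the recomputed response for 'nexus' will differ
from the one in the transcript.
"""
import base64
import hashlib
import re

SERVER_CHALLENGE_B64 = (
    "bm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpSTk9JcjFFdHNGL0VkcnU1Q0QzR09PMXc9I"
    "ixyZWFsbT0ibmV4dXMiLHFvcD0iYXV0aCIsbWF4YnVmPTQwOTYsY2hhcnNldD11dGYtOC"
    "xhbGdvcml0aG09bWQ1LXNlc3M="
)
CLIENT_RESPONSE_B64 = (
    "dXNlcm5hbWU9InVidW50dSIscmVhbG09Im5leHVzIixhdXRoemlkPSJwYXRyaWNrQHBhd"
    "HJpY2twZmVpZmVyLm5ldCIsbm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpSTk9JcjFFdH"
    "NGL0VkcnU1Q0QzR09PMXc9Iixjbm9uY2U9IlM2Yzh4WXJUZXFtcXB3dHYrWGJ2aGk3cTV"
    "HM1dKby8xUWJlSkZZbGM5K289IixuYz0wMDAwMDAwMSxxb3A9YXV0aCxtYXhidWY9MTAy"
    "NCxkaWdlc3QtdXJpPSJpbWFwL25leHVzIixyZXNwb25zZT1iZjBmNjVkYmFiMWZhNjg3M"
    "mRjYjBhNDk0MmJhYzA0OA=="
)
PLACEHOLDER_PASSWORD = "not-the-real-password"  # assumption: redacted in the post

# key=value pairs; a value is either quoted (may contain commas) or bare.
_PAIR = re.compile(r'([A-Za-z0-9_-]+)=("(?:[^"\\]|\\.)*"|[^,]*)')


def parse_digest_message(b64: str) -> dict:
    """Decode one base64 DIGEST-MD5 message into a dict of its fields."""
    text = base64.b64decode(b64).decode("utf-8")
    fields = {}
    for key, value in _PAIR.findall(text):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def h_user_realm_pass(username: str, realm: str, password: str) -> bytes:
    """The only secret-derived input DIGEST-MD5 needs: the raw 16-byte MD5 of
    username:realm:password.  A server can store this instead of the plaintext
    password, but it cannot be derived from a salted hash such as {SSHA}."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def response_from_h_urp(h_urp: bytes, nonce: str, cnonce: str, nc: str,
                        qop: str, digest_uri: str, authzid: str = None) -> str:
    """RFC 2831 response-value, starting from H(username:realm:password)."""
    a1 = h_urp + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":00000000000000000000000000000000"
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2.encode("utf-8")).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return hashlib.md5(kd.encode("utf-8")).hexdigest()


def digest_md5_response(username: str, realm: str, password: str, nonce: str,
                        cnonce: str, nc: str, qop: str, digest_uri: str,
                        authzid: str = None) -> str:
    """Same computation, starting from the plaintext password."""
    return response_from_h_urp(h_user_realm_pass(username, realm, password),
                               nonce, cnonce, nc, qop, digest_uri, authzid)


def rfc2831_example_response() -> str:
    """The section 4 example of RFC 2831 (user chris, password secret)."""
    return digest_md5_response("chris", "elwood.innosoft.com", "secret",
                               "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001",
                               "auth", "imap/elwood.innosoft.com")


def recompute_nexus_response(password: str) -> str:
    """Recompute the transcript's response for a candidate password."""
    c = parse_digest_message(CLIENT_RESPONSE_B64)
    return digest_md5_response(c["username"], c["realm"], password,
                               c["nonce"], c["cnonce"], c["nc"], c["qop"],
                               c["digest-uri"], c.get("authzid"))


if __name__ == "__main__":
    s = parse_digest_message(SERVER_CHALLENGE_B64)
    c = parse_digest_message(CLIENT_RESPONSE_B64)
    print("server challenge:", s)
    print("client response: ", c)
    print("authenticating as %r, requesting authorization as %r"
          % (c["username"], c.get("authzid")))
    print("RFC 2831 vector:", rfc2831_example_response())
    print("nexus, placeholder password:", recompute_nexus_response(PLACEHOLDER_PASSWORD),
          "transcript:", c["response"])
```

What the computation makes visible is the reason behind Дилян's remark: to check the response, the server needs either the plaintext password or the unsalted MD5(username:realm:password), because that raw digest is the first component of A1. The userPassword in Patrick's LDAP entry is a {SSHA} value, a salted hash from which neither can be recovered, so no auxprop lookup of that attribute can satisfy DIGEST-MD5; a plaintext verifier such as PLAIN can still be checked against {SSHA} by hashing the presented password. Storing MD5(username:realm:password) instead of the plaintext is only marginally better, since that value is password-equivalent for DIGEST-MD5 against this realm.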