Re: auxprop pwcheck with sasl ldapdb and openldap backend not working

Thank you Dieter and Quanah! But I am not trying to set up OTP or 2FA here.

The set-up I want to achieve is just a plain and simple cyrus-imaps-plain-login-with-hashed-user-passwords-in-openldap.

However, by looking at the source code a bit further, it looks like the sasl ldapdb auxprop module might not actually support hashed passwords (yet). sql and sasldb seem to have it implemented, but not ldapdb.

Anyhow, I haven't reached this problem yet, actually, as ... as I could confirm by increasing the ldap debug level, cyrus imapd is not even talking to ldap so far.

Further reasoning about the code in lib/server.c quoted earlier led me to conclude that actually the _sasl_getcallback must be failing. And this callback probably also logs "auxpropfunc error invalid parameter supplied". Now the error message might not be 100% accurate. By analyzing the code, it seems more likely that it is _missing_ _any_ parameters. The question then is, why the parameters defined in my /etc/imap-ldap.conf @included config file do not seem to arrive at that callback.

Thus I enabled the "debug_command" config option in /etc/imapd.conf - using ltrace - and ... was baffled for an hour or so as to why a process is started but no output /tmp file produced, ... until I realized that the process somehow has a "private" /tmp directory mounted by the almighty systemd that started it. Thus the outputs I was missing were in /tmp/systemd-private-xxxxx-cyrus-imap-xxxx/tmp/strace.... Ok. But the interesting part was missing, because the debugger had attached itself too late. So I removed the debug_command config again and instead put a modified ltrace command line directly into /etc/cyrus.conf. This produced the following outputs. I filtered it. The interesting part here, to me, are all the failed attempts to open a certain "/etc/*/Cyrus.conf" file, ... that I haven't seen anywhere so far.

Just for fun, I tried copying my original /etc/imap-ldap.conf to /etc/sasl2/Cyrus.conf ... and this does "something" .... the errors in the syslog have changed. "invalid parameter supplied" no longer appears. imapd still doesn't talk to openldap though. I have to analyze further why the file is opened and - seemingly - required in the first place.

Anyhow ... in fact ... it seems to even work now ... but I am unsure still, as I still see no log output from openldap ...

ubuntu@nexus:~$ /usr/lib/cyrus/bin/imtest -m plain -a patrick -w patrick localhost
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS AUTH=DIGEST-MD5 AUTH=NTLM AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN SASL-IR] nexus Cyrus IMAP 3.0.13-Debian-3.0.13-5 server ready
C: A01 AUTHENTICATE PLAIN AHBhdHJpY2sAcGF0cmljaw==
S: A01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SEARCH=FUZZY SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES THREAD=REFS ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS LIST-METADATA WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE DIGEST=SHA1 X-REPLICATION URLAUTH URLAUTH=BINARY LOGINDISABLED COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE] Success (no protection) SESSIONID=<cyrus-227127-1636233957-1-11075792745745635879>
Authenticated.


... stay tuned ...

root@nexus:~# grep openat /tmp/systemd-private-de629ec62a7d415fbc116f3bb5465a8c-cyrus-imapd.service-36G1zg/tmp/strace.out
20:48:56.391199 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 5
20:48:56.391319 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libcyrus_sieve.so.0", O_RDONLY|O_CLOEXEC) = 5
20:48:56.391568 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libcyrus_imap.so.0", O_RDONLY|O_CLOEXEC) = 5
... snip ...
20:48:56.399329 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libkeyutils.so.1", O_RDONLY|O_CLOEXEC) = 5
20:48:56.399562 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 5
20:48:56.399837 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libicudata.so.66", O_RDONLY|O_CLOEXEC) = 5
20:48:56.405440 openat(AT_FDCWD, "/etc/imapd-local.conf", O_RDONLY) = 5
20:48:56.406009 openat(AT_FDCWD, "/var/lib/cyrus/db/skipstamp", O_RDONLY) = 5
20:48:56.406507 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5
20:48:56.406737 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so", O_RDONLY|O_CLOEXEC) = 10
20:48:56.407031 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2/libldapdb.so", O_RDONLY|O_CLOEXEC) = 10
20:48:56.407266 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 10
20:48:56.407376 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libldap_r-2.4.so.2", O_RDONLY|O_CLOEXEC) = 10
... snip ...
20:48:56.412247 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libhx509.so.5", O_RDONLY|O_CLOEXEC) = 10
20:48:56.412520 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libcrypt.so.1", O_RDONLY|O_CLOEXEC) = 10
20:48:56.412807 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libffi.so.7", O_RDONLY|O_CLOEXEC) = 10
20:48:56.416763 openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 10
20:48:56.417821 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2/libntlm.so", O_RDONLY|O_CLOEXEC) = 11
20:48:56.418231 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so", O_RDONLY|O_CLOEXEC) = 11
20:48:56.418525 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2/libplain.so", O_RDONLY|O_CLOEXEC) = 11
20:48:56.418861 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2/libsasldb.so", O_RDONLY|O_CLOEXEC) = 11
20:48:56.419110 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 11
20:48:56.419224 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdb-5.3.so", O_RDONLY|O_CLOEXEC) = 11
20:48:56.419796 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2/liblogin.so", O_RDONLY|O_CLOEXEC) = 11
20:48:56.420094 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so", O_RDONLY|O_CLOEXEC) = 11
20:48:56.420520 openat(AT_FDCWD, "/etc/sasl2/Cyrus.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
20:48:56.420552 openat(AT_FDCWD, "/etc/sasl/Cyrus.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
20:48:56.420579 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2/Cyrus.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
20:48:56.420608 openat(AT_FDCWD, "/usr/lib/sasl2/Cyrus.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
20:48:56.420640 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5
20:48:56.421646 openat(AT_FDCWD, "/var/lib/cyrus/mailboxes.db", O_RDWR) = 5
20:48:56.421926 openat(AT_FDCWD, "/var/lib/cyrus/user_deny.db", O_RDWR) = 11
20:48:56.422256 openat(AT_FDCWD, "/var/lib/cyrus/annotations.db", O_RDWR) = 13
20:48:56.422509 openat(AT_FDCWD, "/var/lib/cyrus/socket/imaplocal-0.lock", O_RDWR|O_CREAT, 0600) = 14
20:48:56.423104 openat(AT_FDCWD, "/etc/hosts.allow", O_RDONLY) = 16
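Added example (not from the post, Cyrus or cyrus-sasl): a small Python helper that pulls the Cyrus.conf search sequence out of strace openat lines like the ones above, so a missing application config file is spotted without reading the whole trace, and that decodes the AUTHENTICATE PLAIN token from the imtest session to show what "Success (no protection)" means for the credentials on the wire. The sample strace lines are copied from the post; the regex and function names are this example's own.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed sample: a handful of openat lines copied from the strace output in the post.
SAMPLE_STRACE = """\
20:48:56.405440 openat(AT_FDCWD, "/etc/imapd-local.conf", O_RDONLY) = 5
20:48:56.420520 openat(AT_FDCWD, "/etc/sasl2/Cyrus.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
20:48:56.420552 openat(AT_FDCWD, "/etc/sasl/Cyrus.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
20:48:56.420579 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2/Cyrus.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
20:48:56.420608 openat(AT_FDCWD, "/usr/lib/sasl2/Cyrus.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
20:48:56.422509 openat(AT_FDCWD, "/var/lib/cyrus/socket/imaplocal-0.lock", O_RDWR|O_CREAT, 0600) = 14
"""

# Matches the path, the return value and (on failure) the errno name of one openat line.
OPENAT_RE = re.compile(
    r'openat\(AT_FDCWD, "(?P<path>[^"]+)", [^)]*\) = (?P<ret>-?\d+)(?: (?P<errno>E[A-Z]+))?'
)

def parse_openat(text: str) -> List[Tuple[str, int, Optional[str]]]:
    """Return (path, return value, errno name or None) for every openat line in text."""
    out = []
    for line in text.splitlines():
        m = OPENAT_RE.search(line)
        if m:
            out.append((m.group("path"), int(m.group("ret")), m.group("errno")))
    return out

def sasl_config_search(text: str, appname: str = "Cyrus") -> List[Tuple[str, bool]]:
    """List each <appname>.conf the process tried to open, in order, with a success flag.
    All-False means libsasl found no application config file in any search location."""
    return [(p, ret >= 0) for p, ret, _ in parse_openat(text) if p.endswith("/" + appname + ".conf")]

def decode_sasl_plain(token: str) -> Tuple[str, str, str]:
    """Split a base64 SASL PLAIN initial response into (authzid, authcid, password).
    RFC 4616 layout is [authzid] NUL authcid NUL passwd; nothing here is encrypted,
    so without STARTTLS the password crosses the wire exactly as shown."""
    parts = base64.b64decode(token).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN message")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return authzid, authcid, passwd

if __name__ == "__main__":
    for path, found in sasl_config_search(SAMPLE_STRACE):
        print(("found   " if found else "missing ") + path)
    print(decode_sasl_plain("AHBhdHJpY2sAcGF0cmljaw=="))
```

Run it against the real strace.out (`python3 this.py < strace.out` after swapping SAMPLE_STRACE for sys.stdin.read()) to see which of the four candidate Cyrus.conf locations libsasl settled on; an empty authzid in the decoded token is normal for imtest.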