Hi,

[My config's at the bottom; Cyrus IMAP 2.2.12; censored email addresses and look-alikes purely against harvesters; timestamps and '[imapd]' trimmed from loglines]

I've two questions relating to mapping userids. I've read the documentation, searched the wiki, googled, and tried this at various times over the space of a few days, so it's probably not a temporary local blindness issue. ;^) The first issue relates to Kerberos and the second to TLS+EXTERNAL with client certs.

Kerberos:

  From: Lars Kellogg-Stedman <lars@xxxxxxxxxx>
  Subject: Authenticating (with cyradm) using an alternate Kerberos instance?
  Date: Sun, 6 Nov 2005 23:23:27 -0500
  Message-ID: <c27faacf0511062023yb8a9fdai432a6115a82b518f@xxxxxxxxxxxxxx>

Nobody answered Lars then and I'm seeing the same issue; on the off-chance that I'm hitting a lighter spot in your schedules: can anyone please explain how to configure Cyrus so that a KerberosV /admin principal can be treated as a Cyrus admin user? I've tried inserting various entries into sasldb to back this up, putting things into /etc/krb5.equiv as well as various values for "admins:" and I'm stumped. Help! Please?

  badlogin: domus.home.globnix.net [192.168.1.101] GSSAPI [SASL(-13): authentication failure: bad userid authenticated]

Trying to get TLS with client certificates and SASL EXTERNAL working, I find that when connecting to IMAPS on port 993, the client cert is ignored:

  starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication

When connecting on 143 and using STARTTLS, the client cert is not ignored; anyone know why this might be? When the client cert is used, then I can get EXTERNAL offered and used, but I can't see how to persuade Cyrus to map this to a regular user. Is this where I need to be using ptloader and LDAP? If so, does anyone have sample configs and LDIF entries for how they manage this, please?

Common:

  subject=/C=NL/.../CN=Phil Pennock/emailAddress=censored@xxxxxxxxxx
  starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) authenticated as Phil Pennock

Supplying the same usercode as exists in emailAddress:

  badlogin: domus.home.globnix.net [192.168.1.101] EXTERNAL [SASL(-13): authentication failure: user phil pennock is not allowed to proxy]

Supplying no authz:

  login: domus.home.globnix.net [192.168.1.101] phil pennock EXTERNAL+TLS User logged in

  >>> a3 CAPABILITY
  <<< * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=EXTERNAL SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
  <<< a3 OK Completed
  >>> a4 AUTHENTICATE EXTERNAL Y2Vuc29yZWQ=
  <<< a4 NO authentication failure

Also, can someone please explain why imtest(1) sends "=C:" as the id when no authzid is provided? Where does this value come from? If it is some kind of CN decode indicator, are there other legal values? That's what I see with:

----------------------------8< cut here >8------------------------------
$ imtest -m EXTERNAL -t ~/.mutt/email-client.pair.pem domus
[...]
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=EXTERNAL SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
C: A01 AUTHENTICATE EXTERNAL =C:
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256
----------------------------8< cut here >8------------------------------

Here's the config; I know that keytab's not actually used with GSSAPI, but I leave it in as harmless -- I set $KRB5_KTNAME in the rc startup config, which works with Heimdal:

----------------------------8< cut here >8------------------------------
configdirectory: /home/imap/configs
partition-default: /home/imap/mail
sievedir: /home/imap/configs/sieve
tls_cert_file: /etc/cyrusimapd/domus-imapserver.crt.pem
tls_key_file: /etc/cyrusimapd/domus-imapserver.key.pem
tls_ca_path: /etc/ssl/certs/
tls_ca_file: /usr/share/ca-certificates/globnix/globnixCA.pem
tls_cipher_list: ALL:!ADH:!EXP:+HIGH:+MEDIUM:!SSLv2:@STRENGTH
admins: cyrus xxx-admin xxx/admin xxx/admin@xxxxxxxxx
umask: 027
hashimapspool: yes
allowanonymouslogin: no
allowplaintext: no
mboxlist_db: skiplist
seenstate_db: flat
unixhierarchysep: yes
sasl_minimum_layer: 0
sasl_mech_list: external gssapi digest-md5 cram-md5
keytab: /etc/kerberos/tabs/imapd.keytab
altnamespace: yes
userprefix: Other Users
sharedprefix: Shared Folders
----------------------------8< cut here >8------------------------------

cyrus.conf SERVICES lines for IMAP are:

  imap  cmd="imapd" listen="imap2" prefork=0
  imaps cmd="imapd -s" listen="imaps" prefork=2
  # value 71 chosen to match that used by LDAP, in LDAP_PVT_SASL_LOCAL_SSF
  imapi cmd="imapd -p 71" listen="/var/run/imapd.sock" prefork=0 maxchild=32

Thank you for any help which you can provide,
-- 
"Everything has three factors: politics, money, and the right way to do it. In that order." -- Gary Donahue

----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
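An added example (not from the post and not Cyrus code) that parses the badlogin/login lines quoted above into records so the "not allowed to proxy" failures that appear when an authzid is supplied can be flagged, and that builds the SASL-IR initial response for AUTHENTICATE EXTERNAL: per RFC 4959 an empty initial response is sent as a lone "=", which is the "=" in the imtest trace. The log regexes are an assumption based on the line layout shown in the post, not a Cyrus specification.

```python
import base64
import re

# Cyrus 2.2 imapd auth log lines copied from the post above (timestamps and
# "[imapd]" already trimmed); this is constructed sample input for the parser.
SAMPLE_LOG = """\
badlogin: domus.home.globnix.net [192.168.1.101] GSSAPI [SASL(-13): authentication failure: bad userid authenticated]
badlogin: domus.home.globnix.net [192.168.1.101] EXTERNAL [SASL(-13): authentication failure: user phil pennock is not allowed to proxy]
login: domus.home.globnix.net [192.168.1.101] phil pennock EXTERNAL+TLS User logged in
"""

# Assumed layouts, derived from the lines in the post rather than from a spec.
BADLOGIN = re.compile(r"^badlogin: (?P<host>\S+) \[(?P<ip>[^\]]+)\] (?P<mech>\S+) "
                      r"\[SASL\((?P<code>-?\d+)\): (?P<reason>.*)\]$")
LOGIN = re.compile(r"^login: (?P<host>\S+) \[(?P<ip>[^\]]+)\] (?P<user>.+?) "
                   r"(?P<mech>\S+) User logged in$")


def parse_auth_log(text):
    """Turn imapd login/badlogin lines into dicts; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = BADLOGIN.match(line)
        if m:
            d = m.groupdict()
            d["ok"], d["code"] = False, int(d["code"])
            events.append(d)
            continue
        m = LOGIN.match(line)
        if m:
            d = m.groupdict()
            d["ok"] = True
            events.append(d)
    return events


def proxy_denials(events):
    """Failures where the requested authzid differed from the authenticated id."""
    return [e for e in events if not e["ok"] and "not allowed to proxy" in e["reason"]]


def external_initial_response(authzid):
    """Initial response for AUTHENTICATE EXTERNAL with SASL-IR (RFC 4959):
    an empty authzid is sent as the single character '=', never omitted."""
    return "=" if not authzid else base64.b64encode(authzid.encode()).decode()


def decode_initial_response(ir):
    """Inverse of the above: '=' means 'no authzid, use the TLS identity'."""
    return "" if ir == "=" else base64.b64decode(ir).decode()
```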