Re: ldapdb auxprop configuration

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Lars Hanke wrote:
> I'm trying set up cyrus-imap using the ldapdb auxprop. I guess I've the 
> LDAP part up and running, but somehow imap does not really request for 
> authentication. So probably I still have something messed in the 
> configuration, which apparently has changed with respect to my last 
> install a couple of years ago.
>
> Any ideas for systematic troubleshooting are welcome.
> Regards,
>  - lars.
>
> This is the sasl related part of the imap configuration:
> hermod:~# grep sasl /etc/imapd.conf | grep -v '^#' | grep -v '^\s*$'
> sasl_mech_list: PLAIN DIGEST-MD5 CRAM-MD5
> sasl_pwcheck_method: auxprop
> sasl_auxprop_plugin: ldapdb
> sasl_ldapdb_uri: ldaps://hel.mgr
> sasl_ldapdb_id: mailadmin
> sasl_ldapdb_pw: *********
> sasl_ldapdb_mech: DIGEST-MD5
> sasl_auto_transition: no
>
>   

I don't see anything that sticks out.

You may want to experiment with the ldapdb_starttls and ldapdb_rc 
options (see sasl's options.html doc).  See 'man ldap.conf' for options 
that you can place in ldaprc. If you do choose to use starttls, you'll 
need to replace ldaps://hel.mgr with ldap://hel.mgr.

To make sure that the ldapdb plugin is installed correctly:

# cat > /usr/lib/sasl2/pluginview.conf

mech_list: PLAIN DIGEST-MD5 CRAM-MD5
pwcheck_method: auxprop
auxprop_plugin: ldapdb
ldapdb_uri: ldaps://hel.mgr
ldapdb_id: mailadmin
ldapdb_pw: *********
ldapdb_mech: DIGEST-MD5
auto_transition: no

# pluginviewer | grep ldapdb


> The following is running as expected:
> hermod:~# ldapwhoami -U mailadmin -X u:cyrus -W -Y DIGEST-MD5 -H 
> ldaps://hel.mgr
> Enter LDAP Password:
> SASL/DIGEST-MD5 authentication started
> SASL username: u:cyrus
> SASL SSF: 128
> SASL data security layer installed.
> dn:uid=cyrus,ou=mailbox,dc=mgr
>
> and of course:
> ldapsearch -U mailadmin -X u:cyrus -W -Y DIGEST-MD5 -b 
> "ou=mailbox,dc=mgr" "(uid=cyrus)" 
> returns the password of cyrus, which is kept as plaintext inside the 
> LDAP repositiory. ldapsearch returns the base64 encoded plain password.
>
> So apparently imapd-ldapdb connects and establishes SSL. For the rest 
> I'm unsure, but it seems like it does not talk to LDAP anymore and 
> terminates, i.e. there is no authentication happening. The result is the 
> same for trying telnet localhost imap2 and a login for cyrus.
>   

Does your /var/log/auth.log or /var/log/syslog give you anything useful?

- Dan
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

[Index of Archives]     [Cyrus SASL]     [Squirrel Mail]     [Asterisk PBX]     [Video For Linux]     [Photo]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux