Hi all,

I configured cyrus-imapd to authenticate through cyrus-sasl with the ldapdb auxprop plugin. I did all the tests suggested in the cyrus-imap, cyrus-sasl, and openldap documentation, but when trying with the telnet command I got this error:

firewall:/usr/lib/sasl2 # telnet localhost imap
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED AUTH=CRAM-MD5 AUTH=DIGEST-MD5 SASL-IR COMPRESS=DEFLATE] firewall Cyrus IMAP v2.3.16 server ready
LOGIN test secret1
LOGIN BAD Please login first

I looked at all the logs, but they only showed these lines:

Nov 25 18:29:52 firewall master[10454]: about to exec /usr/lib/cyrus/bin/imapd
Nov 25 18:29:52 firewall imap[10454]: executed
Nov 25 18:29:52 firewall imap[10454]: IOERROR: opening /var/lib/imap/user_deny.db: No such file or directory
Nov 25 18:29:52 firewall imap[10454]: accepted connection

It seems that cyrus-imapd isn't authenticating at all with cyrus-sasl.

I tested imtest, cyradm and pluginviewer and got the expected results (please see the TESTS section below).

I also tested my openldap configuration (proxy configuration) with the ldapwhoami command with no problem (please see the TESTS section below).

At the bottom of this mail are all the software used and its config files.

I don't know what else to do to solve it; any hint will be appreciated.

Fernando

INSTALLED SOFTWARE

OPENSUSE 11.3
cyrus-sasl-gssapi-2.1.23-11.1.i586
cyrus-sasl-ldap-auxprop-2.1.23-11.2.i586
cyrus-sasl-saslauthd-2.1.23-11.2.i586
cyrus-sasl-2.1.23-11.1.i586
cyrus-sasl-plain-2.1.23-11.1.i586
cyrus-sasl-digestmd5-2.1.23-11.1.i586
perl-Cyrus-SIEVE-managesieve-2.3.16-7.2.i586
cyrus-imapd-2.3.16-7.2.i586
cyrus-sasl-crammd5-2.1.23-11.1.i586
perl-Cyrus-IMAP-2.3.16-7.2.i586
openldap2-2.4.21-9.1.i586

TESTS

firewall:/var/log # imtest -m digest-md5 -a cyrus -u fernandito -v localhost
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED AUTH=CRAM-MD5 AUTH=DIGEST-MD5 SASL-IR COMPRESS=DEFLATE] firewall Cyrus IMAP v2.3.16 server ready
C: A01 AUTHENTICATE DIGEST-MD5
S: + bm9uY2U9IkhxQU93ZWlTb0p2eUNIUzRaREs1NG80YWRQRnJGUFl5NjdiSVVaVW1jcjQ9IixyZWFsbT0iZmlyZXdhbGwiLHFvcD0iYXV0aCxhdXRoLWludCxhdXRoLWNvbmYiLGNpcGhlcj0icmM0LTQwLHJjNC01NixyYzQsZGVzLDNkZXMiLG1heGJ1Zj00MDk2LGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz
Please enter your password: {cyrus-password}
C: dXNlcm5hbWU9ImN5cnVzIixyZWFsbT0iZmlyZXdhbGwiLGF1dGh6aWQ9ImZlcm5hbmRpdG8iLG5vbmNlPSJIcUFPd2VpU29KdnlDSFM0WkRLNTRvNGFkUEZyRlBZeTY3YklVWlVtY3I0PSIsY25vbmNlPSJ5WW02VHpxMmxJMDlrUlM4NVZ0RlV1M1BWTThnQjZUUGRsRVZjSzlQYnU4PSIsbmM9MDAwMDAwMDEscW9wPWF1dGgtY29uZixjaXBoZXI9cmM0LG1heGJ1Zj0xMDI0LGRpZ2VzdC11cmk9ImltYXAvbG9jYWxob3N0IixyZXNwb25zZT1hZWYyNDAwNDZkOGJmZWYxZmEzMWU5MzQwNmFkOGMwZg==
S: + cnNwYXV0aD1iMjE4MjcxNmZjOTFkNjU2ZDI3ZTQ5NmRmNzljYzRhNw==
C:
S: A01 OK Success (privacy protection)
Authenticated.
Security strength factor: 128
Asking for capabilities again since they might have changed
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED AUTH=CRAM-MD5 AUTH=DIGEST-MD5 COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE X-NETSCAPE URLAUTH
S: C01 OK Completed

firewall:/usr/lib/sasl2 # pluginviewer -a
Installed auxprop mechanisms are:
ldapdb sasldb
List of auxprop plugins follows
Plugin "ldapdb" ,       API version: 4
        supports store: yes
Plugin "sasldb" ,       API version: 4
        supports store: yes

firewall:/var/log # cyradm --user cyrus --authz fernandito --auth digest-md5 localhost
Password:{cyrus password}
localhost> lm
INBOX (\HasNoChildren)

firewall:/usr/lib/sasl2 # ldapwhoami -U cyrus -X u:test -Y digest-md5
SASL/DIGEST-MD5 authentication started
Please enter your password: {cyrus-password}
SASL username: u:test
SASL SSF: 128
SASL data security layer installed.
dn:uid=test,ou=people,dc=plainjoe,dc=org

CONFIG FILES

/etc/imapd.conf

configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sievedir: /var/lib/sieve
admins: cyrus proxyuser
allowanonymouslogin: no
autocreatequota: 10000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
unixhierarchysep: 1
virtdomains: yes
defaultdomain: plainjoe.org
# this one is for saslauthd
#sasl_pwcheck_method: saslauthd
#sasl_saslauthd_path: /var/run/sasl2/mux
# this section is for authentication via the auxprop plugin: ldapdb
sasl_log_level: 7
sasl_mech_list: DIGEST-MD5 PLAIN LOGIN CRAM-MD5 EXTERNAL
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://localhost
sasl_ldapdb_id: cyrus
sasl_ldapdb_pw: secret
sasl_ldapdb_mech: DIGEST-MD5
sasl_auto_transition: no
lmtp_overquota_perm_failure: no
lmtp_downcase_rcpt: yes
#
# if you want TLS, you have to generate certificates and keys
#
#tls_cert_file: /usr/ssl/certs/cert.pem
#tls_key_file: /usr/ssl/certs/skey.pem
#tls_ca_file: /usr/ssl/CA/CAcert.pem
#tls_ca_path: /usr/ssl/CA

/etc/cyrus.conf

# standard standalone server implementation

START {
  # do not delete this entry!
  recover       cmd="ctl_cyrusdb -r"

  # this is only necessary if using idled for IMAP IDLE
  idled         cmd="idled"
}

# UNIX sockets start with a slash and are put into /var/lib/imap/socket
SERVICES {
  # add or remove based on preferences
  imap          cmd="imapd" listen="imap" prefork=0
#  imaps         cmd="imapd -s" listen="imaps" prefork=0
  pop3          cmd="pop3d" listen="pop3" prefork=0
#  pop3s         cmd="pop3d -s" listen="pop3s" prefork=0
  sieve         cmd="timsieved" listen="sieve" prefork=0

  # at least one LMTP is required for delivery
#  lmtp          cmd="lmtpd" listen="lmtp" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=0

  # this is only necessary if using notifications
#  notify        cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
}

EVENTS {
  # this is required
  checkpoint    cmd="ctl_cyrusdb -c" period=30

  # this is only necessary if using duplicate delivery suppression
  delprune      cmd="cyr_expire -E 3" at=0400

  # this is only necessary if caching TLS sessions
  tlsprune      cmd="tls_prune" at=0400

  # Uncomment the next entry, if you want to automatically remove
  # old messages of EVERY user.
  # This example calls ipurge every 60 minutes and ipurge will delete
  # ALL messages older than 30 days.
  # enter 'man 8 ipurge' for more details
  # cleanup       cmd="ipurge -d 30 -f" period=60
}

/etc/openldap/slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/yast.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

loglevel -1
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Load dynamic backend modules:
# modulepath /usr/lib/openldap/modules
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access to user password
# Allow anonymous users to authenticate
# Allow read access to everything else
# Directives needed to implement policy:
#access to dn.base=""
# by * read
#access to dn.base="cn=Subschema"
# by * read
#access to attrs=userPassword,userPKCS12
access to attrs=userPassword
 by dn.base="uid=proxyuser,ou=people,dc=plainjoe,dc=org" manage
 by dn.base="uid=cyrus,ou=people,dc=plainjoe,dc=org" manage
 by anonymous auth
 by self write
 by users read
 by * none
# by * auth
#access to attrs=shadowLastChange
# by self write
# by * read
access to *
 by * read
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=plainjoe,dc=org"
checkpoint 1024 5
cachesize 10000
rootdn "cn=Manager,dc=plainjoe,dc=org"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# the password is: secret (in ssha)
#rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
rootpw secret1
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass eq
index cn,sn,mail eq,sub
index departmentNumber eq

## -- master slapd --
# Specify the location of the file to append changes to.
#replogfile /var/log/slapd.replog

## -- master slapd --
# Set the hostname and bind credentials used to propagate the changes in the
# replogfile.
#replica host=replica1.plainjoe.org:389
# suffix="dc=plainjoe,dc=org"
# binddn="cn=replica,dc=plainjoe,dc=org"
# credentials=MyPass
# bindmethod=simple
# tls=no

#To use secrets stored in the LDAP directory, place plaintext passwords in the userPassword attribute
password-hash {CLEARTEXT}

# proxying users so that sasl can be used
authz-policy to
authz-regexp "^uid=([^,]+).*,cn=[^,]*,cn=auth$" "ldap:///dc=plainjoe,dc=org??sub?(uid=$1)"

# this is the option that apparently works; go back to it if the one above does not work
#authz-regexp
# uid=([^,]*),cn=[^,]*,cn=auth
# uid=$1,ou=people,dc=plainjoe,dc=org
# ldap:///dc=plainjoe,dc=org??sub?(|(uniqueIdentifier=$1)(mail=$1))
# uid=$1,ou=people,dc=plainjoe,dc=org
# uid=(.*),cn=.*,cn=auth

#binddn "uid=proxyuser,ou=people,dc=plainjoe,dc=org" credentials=proxyuser mode=self

#sasl-authz-policy to
#sasl-regexp
# uid=(.*),cn=DIGEST-MD5,cn=auth
# uid=$1,ou=people,dc=plainjoe,dc=org

#sasl-auxprops slapd
#sasl-host localhost
#sasl-secprops

# second attempt with sasl
#sasl-regexp uid=(.*),cn=firewall,cn=DIGEST-MD5,cn=auth uid=$1,ou=People,dc=plainjoe,dc=org

/etc/sasl2/slapd.conf

auxprop_plugin: slapd

DATA STORED ON OPENLDAP SERVER

firewall:/usr/lib/sasl2 # slapcat
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
dn: dc=plainjoe,dc=org
dc: plainjoe
objectClass: dcObject
objectClass: organizationalUnit
ou: PlainJoe Dot Org
structuralObjectClass: organizationalUnit
entryUUID: 0335be26-7c73-102f-8bd2-599020d843b8
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101104152159Z
entryCSN: 20101104152159.733766Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101104152159Z

dn: ou=people,dc=plainjoe,dc=org
ou: people
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 033e9352-7c73-102f-8bd3-599020d843b8
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101104152159Z
entryCSN: 20101105231448.878588Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101105231448Z

dn: uid=proxyuser,ou=people,dc=plainjoe,dc=org
uid: proxyuser
cn: proxyuser
gidNumber: 10002
uidNumber: 10002
homeDirectory: /dev/null
objectClass: account
objectClass: posixAccount
userPassword:: c2VjcmV0
authzTo: ldap:///ou=people,dc=plainjoe,dc=org??sub?(objectClass=account)
structuralObjectClass: account
entryUUID: 4aeeb5cc-86d4-102f-9773-4f0c54ef34bf
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101117202332Z
entryCSN: 20101117202332.874731Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101117202332Z

dn: uid=test,ou=people,dc=plainjoe,dc=org
uid: test
cn: testeo principal
gidNumber: 10001
uidNumber: 10001
homeDirectory: /dev/null
objectClass: account
objectClass: posixAccount
userPassword:: c2VjcmV0MQ==
structuralObjectClass: account
entryUUID: 56c7ff24-86d5-102f-9775-4f0c54ef34bf
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101117203102Z
entryCSN: 20101117203102.250410Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101117203102Z

dn: uid=cyrus,ou=people,dc=plainjoe,dc=org
uid: cyrus
cn: cyrus
gidNumber: 10003
uidNumber: 10003
homeDirectory: /dev/bash
objectClass: account
objectClass: posixAccount
userPassword:: c2VjcmV0
authzTo: ldap:///dc=plainjoe,dc=org??sub?(objectClass=account)
structuralObjectClass: account
entryUUID: 441f0088-8cee-102f-9457-c7c68dbb10c9
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101125144435Z
entryCSN: 20101125144435.338805Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101125144435Z

dn: ou=policies,dc=plainjoe,dc=org
objectClass: organizationalUnit
objectClass: top
ou: policies
structuralObjectClass: organizationalUnit
entryUUID: edc640e2-8cee-102f-9458-c7c68dbb10c9
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101125144919Z
entryCSN: 20101125144919.969853Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101125144919Z

dn: uid=fernandito,ou=people,dc=plainjoe,dc=org
uid: fernandito
cn: Fernandito Torrez
gidNumber: 10000
uidNumber: 10000
homeDirectory: /dev/null
objectClass: account
objectClass: posixAccount
userPassword:: ZmVybmFuZGl0bw==
structuralObjectClass: account
entryUUID: 53f4b2a0-8cf3-102f-86d4-9f29e1236af7
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101125152049Z
entryCSN: 20101125152049.388753Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101125152049Z
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
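As an added example (not part of Fernando's message, nor code from the Cyrus or OpenLDAP projects), the following Python script parses the CAPABILITY greeting quoted in the post and shows what a well-behaved client does with it: LOGINDISABLED tells the client that cleartext LOGIN will be refused (Cyrus advertises it when plaintext authentication is not allowed on the connection), so the client must pick one of the advertised AUTH= mechanisms, and every client line must begin with a tag, otherwise the server reads the first word as the tag. The greeting and the client line are constructed copies of the ones in the post; the helper names are my own.

```python
import re

# Constructed sample input: the greeting and the client line quoted in the post.
GREETING = ("* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED "
            "AUTH=CRAM-MD5 AUTH=DIGEST-MD5 SASL-IR COMPRESS=DEFLATE] "
            "firewall Cyrus IMAP v2.3.16 server ready")
CLIENT_LINE = "LOGIN test secret1"

# Client-side preference: challenge-response mechanisms keep the password off the wire.
PREFERENCE = ["DIGEST-MD5", "CRAM-MD5", "PLAIN", "LOGIN"]

def parse_capabilities(line):
    """Capability tokens from a greeting ([CAPABILITY ...]) or a '* CAPABILITY' reply."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line) or re.search(r"^\* CAPABILITY (.*)$", line)
    if not m:
        raise ValueError("no CAPABILITY data in line")
    return set(m.group(1).split())

def auth_mechanisms(caps):
    """SASL mechanisms the server advertises, e.g. ['CRAM-MD5', 'DIGEST-MD5']."""
    return sorted(c[len("AUTH="):] for c in caps if c.startswith("AUTH="))

def choose_login_method(caps, tls_active=False):
    """Return ('AUTHENTICATE', mech) or ('LOGIN', None).
    LOGINDISABLED (RFC 2595) means the server rejects the LOGIN command, normally
    until TLS is active, so LOGIN is a last resort and is refused without TLS."""
    for mech in PREFERENCE:
        if mech in auth_mechanisms(caps):
            return ("AUTHENTICATE", mech)
    if "LOGINDISABLED" in caps and not tls_active:
        raise PermissionError("server advertises LOGINDISABLED; cleartext LOGIN refused")
    return ("LOGIN", None)

def split_client_line(line):
    """Split a client line as the server does: (tag, COMMAND, arguments).
    'LOGIN test secret1' therefore carries tag 'LOGIN' and command 'TEST'."""
    parts = line.strip().split(" ", 2)
    if len(parts) < 2:
        raise ValueError("an IMAP command needs a tag followed by a command name")
    return parts[0], parts[1].upper(), (parts[2] if len(parts) > 2 else "")

def tagged_command(tag, command, *args):
    """Build a correctly tagged, CRLF-terminated client command line."""
    if not re.fullmatch(r"[A-Za-z0-9]+", tag):
        raise ValueError("tag must be alphanumeric")
    return " ".join((tag, command.upper()) + args) + "\r\n"
```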