Problems testing cyrus imap server (cyrus sasl + ldapdb plugin)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi all

I configured cyrus-imapd to authenticate through cyrus-sasl with ldapdb auxprop.
I did all tests suggested on cyrus-imap, cyrus-sasl, and openldap documentacions
but  when trying with telnet command I got this error


firewall:/usr/lib/sasl2 # telnet localhost imap
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED AUTH=CRAM-MD5 AUTH=DIGEST-MD5 SASL-IR COMPRESS=DEFLATE] firewall Cyrus IMAP v2.3.16 server ready
LOGIN test secret1
LOGIN BAD Please login first

I saw all logs, but only showed these lines
Nov 25 18:29:52 firewall master[10454]: about to exec /usr/lib/cyrus/bin/imapd
Nov 25 18:29:52 firewall imap[10454]: executed
Nov 25 18:29:52 firewall imap[10454]: IOERROR: opening /var/lib/imap/user_deny.db: No such file or directory
Nov 25 18:29:52 firewall imap[10454]: accepted connection


it seems that cyrus-imapd isn't authenticating at all with cyrus-sasl

I tested imtest, cyradm, pluginviewer and I got espected results (please see TESTS section below)

I also tested my openldap configurations (proxy configurations) with ldapwhoami command with no problem (please see TESTS section below)
At the bottom of this mail are all the software used and its config files

I don't know what else to do to solve it, please any hint will be appreciated

Fernando

                        INSTALLED SOFTWARE
OPENSUSE 11.3
cyrus-sasl-gssapi-2.1.23-11.1.i586
cyrus-sasl-ldap-auxprop-2.1.23-11.2.i586
cyrus-sasl-saslauthd-2.1.23-11.2.i586
cyrus-sasl-2.1.23-11.1.i586
cyrus-sasl-plain-2.1.23-11.1.i586
cyrus-sasl-digestmd5-2.1.23-11.1.i586
perl-Cyrus-SIEVE-managesieve-2.3.16-7.2.i586
cyrus-imapd-2.3.16-7.2.i586
cyrus-sasl-crammd5-2.1.23-11.1.i586
perl-Cyrus-IMAP-2.3.16-7.2.i586
openldap2-2.4.21-9.1.i586



                        TESTS

firewall:/var/log # imtest -m digest-md5 -a cyrus -u fernandito -v localhost

S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED AUTH=CRAM-MD5 AUTH=DIGEST-MD5 SASL-IR COMPRESS=DEFLATE] firewall Cyrus IMAP v2.3.16 server ready
C: A01 AUTHENTICATE DIGEST-MD5
S: + bm9uY2U9IkhxQU93ZWlTb0p2eUNIUzRaREs1NG80YWRQRnJGUFl5NjdiSVVaVW1jcjQ9IixyZWFsbT0iZmlyZXdhbGwiLHFvcD0iYXV0aCxhdXRoLWludCxhdXRoLWNvbmYiLGNpcGhlcj0icmM0LTQwLHJjNC01NixyYzQsZGVzLDNkZXMiLG1heGJ1Zj00MDk2LGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz
Please enter your password: {cyrus-password}
C: dXNlcm5hbWU9ImN5cnVzIixyZWFsbT0iZmlyZXdhbGwiLGF1dGh6aWQ9ImZlcm5hbmRpdG8iLG5vbmNlPSJIcUFPd2VpU29KdnlDSFM0WkRLNTRvNGFkUEZyRlBZeTY3YklVWlVtY3I0PSIsY25vbmNlPSJ5WW02VHpxMmxJMDlrUlM4NVZ0RlV1M1BWTThnQjZUUGRsRVZjSzlQYnU4PSIsbmM9MDAwMDAwMDEscW9wPWF1dGgtY29uZixjaXBoZXI9cmM0LG1heGJ1Zj0xMDI0LGRpZ2VzdC11cmk9ImltYXAvbG9jYWxob3N0IixyZXNwb25zZT1hZWYyNDAwNDZkOGJmZWYxZmEzMWU5MzQwNmFkOGMwZg==
S: + cnNwYXV0aD1iMjE4MjcxNmZjOTFkNjU2ZDI3ZTQ5NmRmNzljYzRhNw==
C:
S: A01 OK Success (privacy protection)
Authenticated.
Security strength factor: 128
Asking for capabilities again since they might have changed
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED AUTH=CRAM-MD5 AUTH=DIGEST-MD5 COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE X-NETSCAPE URLAUTH
S: C01 OK Completed

firewall:/usr/lib/sasl2 # pluginviewer -a
Installed auxprop mechanisms are:
ldapdb sasldb
List of auxprop plugins follows
Plugin "ldapdb" ,       API version: 4
        supports store: yes

Plugin "sasldb" ,       API version: 4
        supports store: yes



firewall:/var/log # cyradm  --user cyrus --authz fernandito --auth digest-md5 localhost
Password:{cyrus password}
localhost> lm
INBOX (\HasNoChildren)


firewall:/usr/lib/sasl2 # ldapwhoami -U cyrus -X u:test -Y digest-md5
SASL/DIGEST-MD5 authentication started
Please enter your password: {cyrus-password}
SASL username: u:test
SASL SSF: 128
SASL data security layer installed.
dn:uid=test,ou=people,dc=plainjoe,dc=org

                    CONFIG FILES

        /etc/imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sievedir: /var/lib/sieve
admins: cyrus proxyuser
allowanonymouslogin: no
autocreatequota: 10000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
unixhierarchysep: 1
virtdomains: yes
defaultdomain: plainjoe.org

#este es con saslauthd
#sasl_pwcheck_method: saslauthd
#sasl_saslauthd_path: /var/run/sasl2/mux

# esta seccion es para la autenticacion via plugin auxiliar: ldapdb
sasl_log_level: 7
sasl_mech_list: DIGEST-MD5 PLAIN LOGIN CRAM-MD5 EXTERNAL
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://localhost
sasl_ldapdb_id: cyrus
sasl_ldapdb_pw: secret
sasl_ldapdb_mech: DIGEST-MD5
sasl_auto_transition: no
lmtp_overquota_perm_failure: no
lmtp_downcase_rcpt: yes
#
# if you want TLS, you have to generate certificates and keys
#
#tls_cert_file: /usr/ssl/certs/cert.pem
#tls_key_file: /usr/ssl/certs/skey.pem
#tls_ca_file: /usr/ssl/CA/CAcert.pem
#tls_ca_path: /usr/ssl/CA
firewall:/usr/lib/sasl2 #


            /etc/cyrus.conf
# standard standalone server implementation

START {
  # do not delete this entry!
  recover       cmd="ctl_cyrusdb -r"

  # this is only necessary if using idled for IMAP IDLE
  idled         cmd="idled"
}

# UNIX sockets start with a slash and are put into /var/lib/imap/socket
SERVICES {
  # add or remove based on preferences
  imap          cmd="imapd" listen="imap" prefork=0
#  imaps                cmd="imapd -s" listen="imaps" prefork=0
  pop3          cmd="pop3d" listen="pop3" prefork=0
#  pop3s                cmd="pop3d -s" listen="pop3s" prefork=0
  sieve         cmd="timsieved" listen="sieve" prefork=0

  # at least one LMTP is required for delivery
#  lmtp         cmd="lmtpd" listen="lmtp" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=0

  # this is only necessary if using notifications
#  notify       cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
}

EVENTS {
  # this is required
  checkpoint    cmd="ctl_cyrusdb -c" period=30

  # this is only necessary if using duplicate delivery suppression
  delprune      cmd="cyr_expire -E 3" at=0400

  # this is only necessary if caching TLS sessions
  tlsprune      cmd="tls_prune" at=0400

  # Uncomment the next entry, if you want to automatically remove
  # old messages of EVERY user.
  # This example calls ipurge every 60 minutes and ipurge will delete
  # ALL messages older then 30 days.
  # enter 'man 8 ipurge' for more details

  # cleanup      cmd="ipurge -d 30 -f" period=60
}


            /etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/rfc2307bis.schema
include         /etc/openldap/schema/yast.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

loglevel        -1
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/lib/openldap/modules
# moduleload    back_bdb.la
# moduleload    back_hdb.la
# moduleload    back_ldap.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access to user password
#               Allow anonymous users to authenticate
#               Allow read access to everything else
#       Directives needed to implement policy:
#access to dn.base=""
#        by * read

#access to dn.base="cn=Subschema"
#        by * read

#access to attrs=userPassword,userPKCS12
access to attrs=userPassword
        by dn.base="uid=proxyuser,ou=people,dc=plainjoe,dc=org" manage
        by dn.base="uid=cyrus,ou=people,dc=plainjoe,dc=org" manage
        by anonymous auth
        by self write
        by users read
        by * none
#        by * auth

#access to attrs=shadowLastChange
#        by self write
#        by * read

access to *
        by * read

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=plainjoe,dc=org"
checkpoint      1024    5
cachesize       10000
rootdn          "cn=Manager,dc=plainjoe,dc=org"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# la clave es: secret    (en ssha)
#rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
rootpw          secret1
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap
# Indices to maintain
index   objectClass         eq
index   cn,sn,mail          eq,sub
index   departmentNumber    eq

## -- master slapd --
# Specify the location of the file to append changes to.
#replogfile     /var/log/slapd.replog
## -- master slapd --
# Set the hostname and bind credentials used to propagate the changes in the
# replogfile.
#replica      host=replica1.plainjoe.org:389
#             suffix="dc=plainjoe,dc=org"
#             binddn="cn=replica,dc=plainjoe,dc=org"
#             credentials=MyPass
#             bindmethod=simple
#             tls=no

#To use secrets stored in the LDAP directory, place plaintext passwords in the userPassword attribute
password-hash {CLEARTEXT}

# haciendo un proxy de usuarios para usar sasl
authz-policy to
authz-regexp "^uid=([^,]+).*,cn=[^,]*,cn=auth$"
             "ldap:///dc=plainjoe,dc=org??sub?(uid=$1)"
#este es la opcion que funciona en apariencia, devolver a esta en el caso de que lo de arriba no funcione
#authz-regexp
#   uid=([^,]*),cn=[^,]*,cn=auth
#   uid=$1,ou=people,dc=plainjoe,dc=org

#   ldap:///dc=plainjoe,dc=org??sub?(|(uniqueIdentifier=$1)(mail=$1))
#   uid=$1,ou=people,dc=plainjoe,dc=org
#   uid=(.*),cn=.*,cn=auth
#binddn "uid=proxyuser,ou=people,dc=plainjoe,dc=org" credentials=proxyuser mode=self

#sasl-authz-policy to
#sasl-regexp
#   uid=(.*),cn=DIGEST-MD5,cn=auth
#   uid=$1,ou=people,dc=plainjoe,dc=org
#sasl-auxprops slapd
#sasl-host localhost


#sasl-secprops
# 2 intento con sasl
#sasl-regexp uid=(.*),cn=firewall,cn=DIGEST-MD5,cn=auth uid=$1,ou=People,dc=plainjoe,dc=org
firewall:/usr/lib/sasl2 #

        /etc/sasl2/slapd.conf
auxprop_plugin: slapd



DATA STORED ON OPENLDAP SERVER
firewall:/usr/lib/sasl2 # slapcat
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
dn: dc=plainjoe,dc=org
dc: plainjoe
objectClass: dcObject
objectClass: organizationalUnit
ou: PlainJoe Dot Org
structuralObjectClass: organizationalUnit
entryUUID: 0335be26-7c73-102f-8bd2-599020d843b8
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101104152159Z
entryCSN: 20101104152159.733766Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101104152159Z

dn: ou=people,dc=plainjoe,dc=org
ou: people
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 033e9352-7c73-102f-8bd3-599020d843b8
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101104152159Z
entryCSN: 20101105231448.878588Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101105231448Z

dn: uid=proxyuser,ou=people,dc=plainjoe,dc=org
uid: proxyuser
cn: proxyuser
gidNumber: 10002
uidNumber: 10002
homeDirectory: /dev/null
objectClass: account
objectClass: posixAccount
userPassword:: c2VjcmV0
authzTo: ldap:///ou=people,dc=plainjoe,dc=org??sub?(objectClass=account)
structuralObjectClass: account
entryUUID: 4aeeb5cc-86d4-102f-9773-4f0c54ef34bf
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101117202332Z
entryCSN: 20101117202332.874731Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101117202332Z

dn: uid=test,ou=people,dc=plainjoe,dc=org
uid: test
cn: testeo principal
gidNumber: 10001
uidNumber: 10001
homeDirectory: /dev/null
objectClass: account
objectClass: posixAccount
userPassword:: c2VjcmV0MQ==
structuralObjectClass: account
entryUUID: 56c7ff24-86d5-102f-9775-4f0c54ef34bf
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101117203102Z
entryCSN: 20101117203102.250410Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101117203102Z

dn: uid=cyrus,ou=people,dc=plainjoe,dc=org
uid: cyrus
cn: cyrus
gidNumber: 10003
uidNumber: 10003
homeDirectory: /dev/bash
objectClass: account
objectClass: posixAccount
userPassword:: c2VjcmV0
authzTo: ldap:///dc=plainjoe,dc=org??sub?(objectClass=account)
structuralObjectClass: account
entryUUID: 441f0088-8cee-102f-9457-c7c68dbb10c9
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101125144435Z
entryCSN: 20101125144435.338805Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101125144435Z

dn: ou=policies,dc=plainjoe,dc=org
objectClass: organizationalUnit
objectClass: top
ou: policies
structuralObjectClass: organizationalUnit
entryUUID: edc640e2-8cee-102f-9458-c7c68dbb10c9
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101125144919Z
entryCSN: 20101125144919.969853Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101125144919Z

dn: uid=fernandito,ou=people,dc=plainjoe,dc=org
uid: fernandito
cn: Fernandito Torrez
gidNumber: 10000
uidNumber: 10000
homeDirectory: /dev/null
objectClass: account
objectClass: posixAccount
userPassword:: ZmVybmFuZGl0bw==
structuralObjectClass: account
entryUUID: 53f4b2a0-8cf3-102f-86d4-9f29e1236af7
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101125152049Z
entryCSN: 20101125152049.388753Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101125152049Z

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/

[Index of Archives]     [Cyrus SASL]     [Squirrel Mail]     [Asterisk PBX]     [Video For Linux]     [Photo]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux