Re: saslauthd and multiple dc levels

Hi, I'm trying to follow your suggestion.
So, first I changed the openldap configuration with "sasl-secprops none" to also have plain auth enabled.
Running pluginviewer to see the plugins:

Sonicle XStream Server (XStreamOS/illumos) SunOS 5.11 xs_153 Apr 2014
sonicle@www:~$ pluginviewer -m PLAIN
Installed and properly configured auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" , API version: 8
supports store: yes

Installed and properly configured SASL (server side) mechanisms are:
SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL OTP CRAM-MD5 PLAIN ANONYMOUS
Available SASL (server side) mechanisms matching your criteria are:
PLAIN
List of server plugins follows
Plugin "plain" [loaded], API version: 4
SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Installed and properly configured SASL (client side) mechanisms are:
SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL OTP CRAM-MD5 PLAIN ANONYMOUS
Available SASL (client side) mechanisms matching your criteria are:
SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL OTP CRAM-MD5 PLAIN ANONYMOUS
List of client plugins follows
Plugin "plain" [loaded], API version: 4
SASL mechanism: PLAIN, best SSF: 0
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION


Now running a search of SASL mechs:

sonicle@www:~$ ldapsearch -xLLLH 'ldap://localhost/' -s base -b '' 'supportedSASLMechanisms'
dn:
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: OTP
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS


Now, trying plain auth by doing a search of an existing user:

sonicle@www:~$ ldapsearch -Y PLAIN -U test.user@xxxxxxxxxxx -H ldap://localhost -W
Enter LDAP Password:
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available: No worthy mechs found


Can't find a reason for ldapsearch not finding the plain mech.
Also, slapd has been built with sasl:

sonicle@www:~$ ldd /sonicle/libexec/slapd
libdb-4.8.so => /sonicle/lib/libdb-4.8.so
libpthread.so.1 => /lib/libpthread.so.1
libsasl2.so.2 => /sonicle/lib/libsasl2.so.2
libdl.so.1 => /lib/libdl.so.1
libssl.so.0.9.8 => /lib/libssl.so.0.9.8
libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8
libresolv.so.2 => /lib/libresolv.so.2
libgen.so.1 => /lib/libgen.so.1
libnsl.so.1 => /lib/libnsl.so.1
libsocket.so.1 => /lib/libsocket.so.1
libc.so.1 => /lib/libc.so.1
libgcc_s.so.1 => /usr/sfw/lib/libgcc_s.so.1
libmd.so.1 => /lib/libmd.so.1
libmp.so.2 => /lib/libmp.so.2
libm.so.2 => /lib/libm.so.2


Any clue? Or... any simpler way to let saslauthd do multiple search base takes? ...or maybe let it choose the correct search base depending on the number of dc arguments determined?

Thanks for your help!
Gabriele.



----------------------------------------------------------------------------------

From: Dan White <dwhite@xxxxxxx>
To: Willy Offermans <Willy@xxxxxxxxxxxxxxxxxxx>
Cc: Gabriele Bulfon <gbulfon@xxxxxxxxxxx>, Raffaele Fullone <raffaele.fullone@xxxxxxxxxxx>, info-cyrus@xxxxxxxxxxxxxxxxxxxx
Date: 23 December 2014 16:52:46 CET
Subject: Re: saslauthd and multiple dc levels

On 12/23/14 16:07 +0100, Willy Offermans wrote:
>Hello Dan,
>
>On Tue, Dec 23, 2014 at 08:50:07AM -0600, Dan White wrote:
>> On 12/23/14 15:22 +0100, Gabriele Bulfon wrote:
>> >How can I let saslauthd support both configurations?
>>
>> Is the server OpenLDAP? If so, using olcAuthzRegexp would be a far more
>> flexible way to handle this scenario. Within saslauthd's ldap config, use
>> 'ldap_use_sasl' without specifying a search filter or base.
>>
>> Within slapd, your regex rules could perform a subtree search, or a simple
>> string replacement for each domain. See
>> http://www.openldap.org/doc/admin24/sasl.html and slapd-config(5).
>
>I don't understand how this works.
>
>ldap_use_sasl in saslauthd.conf tells saslauthd to contact OpenLDAP server
>via sasl protocol directly. Is this correct?

Correct. The ldap backend to saslauthd itself performs sasl authentication.

>And what happens then? How do saslauthd and slapd communicate and how is
>authentication performed?

The communication between Cyrus IMAP and saslauthd would not change. imapd
would still communicate with saslauthd in the same manner, by submitting a
username and password via the saslauthd mux.

The ldap backend to saslauthd can be configured to perform SASL over LDAP
authentication to slapd (not to be confused with SASL over IMAP
authentication). slapd would simply return a successful bind code back to
the saslauthd backend, which in turn would respond with an 'OK' to cyrus
IMAP.

Using SASL within the LDAP saslauthd backend is a much simpler
configuration. i.e.:

ldap_servers: ldap://ldap.example.com
ldap_use_sasl: yes
ldap_mech: PLAIN

(This may require you to configure olcSaslSecProps)

The '-r' option to saslauthd may be necessary, if you're not already using
it.

Use ldapwhoami to test your slapd config:

ldapsearch -Y PLAIN -U jsmith@xxxxxxxxxxx -H ldap://ldap.example.com \
-W

And if that works, verify your saslauthd configuration with:

testsaslauthd -u jsmith@xxxxxxxxxxx -p password

--
Dan White
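As an added example (not code from this thread, from OpenLDAP or from saslauthd), here is a Python model of how the olcAuthzRegexp rules Dan describes map a SASL-authenticated identity to a bind DN, first matching rule wins, so that users from domains with different dc depths can be handled inside slapd without saslauthd needing a search base. The domains, DNs, the associatedDomain attribute and the rules themselves are hypothetical.

```python
import re

# Added example (not slapd's code): a model of how OpenLDAP evaluates
# olcAuthzRegexp / authz-regexp rules. slapd builds an identity string for
# a SASL bind that carries no realm as "uid=<authcid>,cn=<mech>,cn=auth",
# then tries each rule in order; the first matching pattern's replacement
# (a DN, or an LDAP URL that is searched) yields the bind DN.
def sasl_authz_id(authcid, mech):
    return "uid=%s,cn=%s,cn=auth" % (authcid, mech.lower())


# Hypothetical rules for two domains whose trees sit at different dc depths,
# plus a catch-all. Domains, DNs and the associatedDomain attribute are
# assumptions for this example, not values from the thread.
AUTHZ_REGEXP_RULES = [
    # two dc levels: direct string replacement into a fixed tree
    (r"^uid=([^,@]+)@example\.com,cn=[^,]+,cn=auth$",
     "uid=$1,ou=people,dc=example,dc=com"),
    # three dc levels: subtree search URL rooted at that domain's suffix
    (r"^uid=([^,@]+)@mail\.example\.org,cn=[^,]+,cn=auth$",
     "ldap:///dc=mail,dc=example,dc=org??sub?(uid=$1)"),
    # any other domain: search by uid plus the domain stored on the entry
    # (assumes an empty search base is acceptable to the deployment's slapd)
    (r"^uid=([^,@]+)@([^,]+),cn=[^,]+,cn=auth$",
     "ldap:///??sub?(&(uid=$1)(associatedDomain=$2))"),
]


def _python_template(tpl):
    # slapd replacement strings use $1..$9; Python's re uses \g<N>
    return re.sub(r"\$(\d)", r"\\g<\1>", tpl)


def map_authz_id(authz_id, rules=AUTHZ_REGEXP_RULES):
    """Return the DN or search URL of the first matching rule, else None."""
    for pattern, template in rules:
        m = re.match(pattern, authz_id)
        if m:
            return m.expand(_python_template(template))
    return None


def bind_dn_for(authcid, mech="PLAIN", rules=AUTHZ_REGEXP_RULES):
    """Identity a PLAIN bind with this authcid would resolve to under the rules."""
    return map_authz_id(sasl_authz_id(authcid, mech), rules)


if __name__ == "__main__":
    for user in ("test.user@example.com", "jsmith@mail.example.org",
                 "bob@corp.sub.example.net", "nodomain"):
        print(user, "->", bind_dn_for(user))
```

A rule that produces an LDAP URL makes slapd perform the search itself, which is the subtree-search option mentioned above; a rule that produces a DN is the plain string replacement.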

