Re: Ptloader configuration in Cyrus IMAP

2009-08-20 Thread Evgeniy Arbatov
Thank you for your suggestions! They helped me a great deal.
The situation is better now, in the sense that ptloader connects to LDAP
and finds something.

After corrections my imapd.conf:

auth_mech: pts
pts_module: ldap
ptloader_sock: /var/lib/imap/socket/ptsock
ldap_uri: ldaps://ldap.example.com:636
ldap_sasl: 0
ldap_size_limit: 20
ldap_filter: (uid=%U)
ldap_group_filter: (cn=%u)
ldap_member_method: filter
ldap_member_filter: (memberUid=%u)
ldap_member_attribute: cn
ldap_base: dc=example,dc=com
ldap_group_base: ou=groups,ou=people,dc=example,dc=com
ldap_member_base: ou=groups,ou=people,dc=example,dc=com

The LDAP entry now looks as follows:

dn: cn=admins,ou=groups,ou=people,dc=example,dc=com
cn: admins
memberUid: earbatov
memberUid: user

I modified the permissions for the admins group:

sam user/postmaster group:admins lrswipkxte

The logs for ptloader now have:

 mail imaps[17540]: ptload(): pinging ptloader
 mail imaps[17540]: connected with no delay
 mail imaps[17540]: ptload(): connected
 mail imaps[17540]: timeout_select: sock = 17, rp = 0x0, wp =
0x4aa71af0, sec = 30
 mail imaps[17540]: timeout_select exiting. r = 1; errno = 0
 mail ptloader[17538]: accepted connection
 mail imaps[17540]: ptload sent data
 mail imaps[17540]: timeout_select: sock = 17, rp = 0x4aa71b70, wp =
0x0, sec = 30
 mail imaps[17540]: timeout_select exiting. r = 1; errno = 0
 mail imaps[17540]: ptload read data back
 mail imaps[17540]: ptload(): empty response from ptloader server
 mail master[17508]: process 17538 exited, signaled to death by 11
 mail master[17508]: service ptloader pid 17538 in READY state:
terminated abnormally
 mail imaps[17540]: No data available at all from ptload()
 mail imaps[17540]: ptload completely failed: unable to canonify
identifier: earbatov
 mail imaps[17540]: badlogin: net.example.com [192.168.0.78] plaintext
earbatov invalid user
 mail master[17613]: about to exec /usr/lib/cyrus-imapd/ptloader
 mail ptloader[17613]: executed
 mail ptloader[17613]: starting: $Id: ptloader.c,v 1.32.2.9 2005/02/25
07:19:06 shadow Exp $

The LDAP logs show this:

ldap slapd[30259]: conn=20 op=2 SRCH
base=ou=groups,ou=people,dc=example,dc=com scope=2 deref=0
filter=(memberUid=earbatov)
ldap slapd[30259]: conn=20 op=2 SRCH attr=cn
ldap slapd[30259]: conn=20 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

And ptdump shows:

user: admins time: 1250751529 groups: 0
user: cyrusimap time: 1250751556 groups: 0
user: group:admins time: 1250751780 groups: 0
user: postmaster time: 1250751701 groups: 0

Needless to say, authorization fails, without even giving me access
to the usual, non-shared mailboxes.

 EA pts_module: ldap

 This module is currently very difficult to configure, IMHO.
 That's true. :) But it's doable.

I would be glad not to use this pts_module, but if I leave it to defaults I see:

 mail ptloader[18396]: starting: $Id: ptloader.c,v 1.32.2.9 2005/02/25
07:19:06 shadow Exp $
 mail ptloader[18396]: PTS module afskrb not supported
 mail master[18364]: process 18428 exited, status 75
 mail master[18364]: service ptloader pid 18428 in READY state:
terminated abnormally

Please refer me to any instructions on pts_module, if I do need to make changes.

One more question: I am confused about the role of ldap_group_filter
and ldap_group_base. Isn't ldap_member* enough?

Evgeniy

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Ptloader configuration in Cyrus IMAP

2009-08-20 Thread Marc Patermann
Hi,

Evgeniy Arbatov schrieb:
 Thank you for your suggestions! They helped me a great deal.
 The situation is better now, in a sense that ptloader connects to LDAP
 and finds something.
OK. :)

 After corrections my imapd.conf:
This is what I have.

auth_mech: pts
pts_module: ldap
ptloader_sock: /var/lib/imap/socket/ptclient
sasl_mech_list: PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
sasl_log_level: 5
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://tfas099.foo
sasl_ldapdb_id: xxx
sasl_ldapdb_pw: 
sasl_ldapdb_mech:  PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
allowplaintext: yes
sasl_minimum_layer: 0
sasl_ldapdb_starttls: Demand
sasl_ldap_search_base: ou=humans,ou=foo
sasl_ldap_search_filter: maildrop=%U
lmtp_overquota_perm_failure: no
maxmessagesize: 2500

ldap_id: 
ldap_sasl: 1
ldap_password: 
ldap_uri: ldap://tfas099.foo
ldap_mech: PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
ldap_tls_cacert_file: /opt/mail/etc/openldap/ssl/ca2006.pem
ldap_tls_cert: /opt/mail/etc/openldap/ssl/cert2006.pem
ldap_tls_key: /opt/mail/etc/openldap/ssl/key2006.pem
ldap_base: ou=humans,ou=foo
ldap_group_base: ou=gruppen,ou=humans,ou=foo
ldap_group_filter: ou=%U
ldap_member_attribute: member
ldap_group_scope: sub
ldap_member_method: attribute


 The LDAP now looks as following:
I use group like you did before.


Marc


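
The two configurations above differ in how a user's groups are found (Evgeniy's ldap_member_method: filter searches the group subtree for entries naming the user; Marc's attribute method reads an attribute instead), and Evgeniy asks what ldap_group_filter/ldap_group_base are for when ldap_member_* already exist. As I read the ptloader LDAP module, ldap_group_base/ldap_group_filter are used when the identifier being canonified is itself a group (group:NAME, as written in an ACL with sam), while ldap_member_* build the list of groups a user belongs to; check this against the imapd.conf(5) for your version. The following toy model, written for this thread and not part of Cyrus, walks Evgeniy's posted options through that flow against an in-memory stand-in for his directory: canonify the login, collect its groups with the filter method (Marc's attribute method is not modelled), then evaluate the posted postmaster ACL. The DNs and the %u/%U expansion (%u is the full identifier, %U the part before any '@') are assumptions. One point the thread does not mention: the login name is interpolated into the LDAP filter, so it must be escaped, and the model shows what happens when it is not.

```python
import re

# Constructed stand-in for the directory, modelled on the entries posted in
# the thread (DNs and attribute names are assumptions for illustration).
DIRECTORY = {
    "uid=earbatov,ou=people,dc=example,dc=com": {"uid": ["earbatov"]},
    "uid=user,ou=people,dc=example,dc=com": {"uid": ["user"]},
    "cn=admins,ou=groups,ou=people,dc=example,dc=com": {
        "cn": ["admins"], "memberUid": ["earbatov", "user"]},
    "cn=staff,ou=groups,ou=people,dc=example,dc=com": {
        "cn": ["staff"], "memberUid": ["user"]},
}

# The ptloader keys from the imapd.conf posted in the thread.
CONF = {
    "ldap_base": "dc=example,dc=com",
    "ldap_filter": "(uid=%U)",
    "ldap_group_base": "ou=groups,ou=people,dc=example,dc=com",
    "ldap_group_filter": "(cn=%u)",
    "ldap_member_method": "filter",
    "ldap_member_base": "ou=groups,ou=people,dc=example,dc=com",
    "ldap_member_filter": "(memberUid=%u)",
    "ldap_member_attribute": "cn",
}

# ACL from the thread's "sam user/postmaster group:admins lrswipkxte" line,
# plus the owner's own entry (assumed).
POSTMASTER_ACL = {"postmaster": "lrswipkxte", "group:admins": "lrswipkxte"}


def ldap_escape(value):
    """RFC 4515 escaping. The login name is interpolated into a search filter,
    so without this a login such as '*' or 'x)(uid=*' rewrites the query."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def substitute(template, ident, escape=True):
    """Expand %u (full identifier) and %U (part before '@') in a filter."""
    user = ident.split("@", 1)[0]
    if escape:
        ident, user = ldap_escape(ident), ldap_escape(user)
    return re.sub(r"%([uU])", lambda m: ident if m.group(1) == "u" else user, template)


def _parse(flt):
    """Only simple (attr=value) filters are modelled: a bare '*' value is a
    presence filter, '\\xx' escapes are turned back into literal characters."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: %r" % flt)
    attr, raw = m.group(1), m.group(2)
    if raw == "*":
        return attr, None
    return attr, re.sub(r"\\([0-9a-fA-F]{2})",
                        lambda x: chr(int(x.group(1), 16)), raw)


def search(base, flt):
    """Subtree search of the in-memory directory."""
    attr, want = _parse(flt)
    hits = []
    for dn, attrs in DIRECTORY.items():
        in_scope = dn == base or dn.endswith("," + base)
        values = attrs.get(attr, [])
        if in_scope and values and (want is None or want in values):
            hits.append((dn, attrs))
    return hits


def canonify(ident, escape=True):
    """Map the identifier to exactly one entry, as ptload() must before any
    ACL check. 'group:NAME' is resolved with ldap_group_base/ldap_group_filter,
    anything else with ldap_base/ldap_filter. Zero or several hits is the
    'unable to canonify identifier' failure seen in the thread's log."""
    if ident.startswith("group:"):
        base, flt, name = CONF["ldap_group_base"], CONF["ldap_group_filter"], ident[6:]
    else:
        base, flt, name = CONF["ldap_base"], CONF["ldap_filter"], ident
    return ident if len(search(base, substitute(flt, name, escape))) == 1 else None


def groups_for(ident, escape=True):
    """ldap_member_method 'filter': search ldap_member_base with
    ldap_member_filter and collect ldap_member_attribute from every hit."""
    if CONF["ldap_member_method"] != "filter":
        raise NotImplementedError("only the 'filter' member method is modelled")
    flt = substitute(CONF["ldap_member_filter"], ident, escape)
    names = []
    for _dn, attrs in search(CONF["ldap_member_base"], flt):
        names.extend(attrs.get(CONF["ldap_member_attribute"], []))
    return sorted(names)


def rights(acl, ident, groups):
    """Union of the rights granted to the user, to 'anyone' and to any
    'group:NAME' the user belongs to, as a sorted string. (Cyrus negative
    '-identifier' entries are not modelled.)"""
    granted = set()
    for who, r in acl.items():
        if who in (ident, "anyone") or (who.startswith("group:") and who[6:] in groups):
            granted.update(r)
    return "".join(sorted(granted))


if __name__ == "__main__":
    for login in ("earbatov", "user", "nobody", "*"):
        canon = canonify(login)
        groups = groups_for(login) if canon else []
        print("%-9s canon=%-9s groups=%-19s rights=%s"
              % (login, canon, groups, rights(POSTMASTER_ACL, login, groups)))
```

Running it shows earbatov resolving to one entry and inheriting the postmaster rights through group:admins, "nobody" failing canonification (the same failure mode Evgeniy's log reports, there caused by the ptloader process dying before it answered), and "*" matching nothing because it is escaped; calling groups_for("*", escape=False) instead returns every group in the subtree, which is why the escaping matters.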


Cyrus SASL 2.1.24 RC1 Released

2009-08-20 Thread Ken Murchison
I'd like to announce the release of Cyrus SASL 2.1.24 RC1 on
ftp.andrew.cmu.edu.  This release candidate includes numerous bugfixes 
and several minor feature enhancements.  For a complete list, look at 
the NEWS file in the distribution.  I'd like to get some independent 
testing of this code before I make a final release.

Please send any feedback either to cyrus-s...@lists.andrew.cmu.edu
(public list) or to cyrus-b...@andrew.cmu.edu.

Download at:
ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.24rc1.tar.gz

-- 
Kenneth Murchison
Systems Programmer
Carnegie Mellon University




Re: Ptloader configuration in Cyrus IMAP

2009-08-20 Thread Wil Cooley
On Wed, 2009-08-19 at 15:33 +0300, Evgeniy Arbatov wrote:
 Dear list,
 
 I want to ask your advice on the use of ptloader for LDAP-based
 authorization in Cyrus IMAP.

Do I understand correctly from this discussion and the sparse mention of
this in the documentation that the LDAP ptloader module can be used to
manage group ACLs with auth_mech=pts/pts_module=ldap, instead of
auth_mech=unix/unix_group_enable=1?

Does this solve the slowness caused by UNIX groups in LDAP?

Does auth_mech affect anything else?

I have heretofore ignored mention of the pts/ptloader stuff because I
was under the impression that it was entirely AFS-related, which I have
no infrastructure for, but if this is the way to enable groups in LDAP
without the slowness, then I need to look more closely at this.

Wil
-- 
Wil Cooley wcoo...@nakedape.cc



Removing the Web Changes Notification Service from the wiki

2009-08-20 Thread Wil Cooley

Having long been annoyed by the monstrous block of text called the Web
Changes Notification Service on the wiki, I finally decided to try to
edit a page and see if it could be easily removed. Turns out it's just
this line:

  %INCLUDE{_default.WebNotify}%

Does anyone mind if this is removed from the Cyrus/WebHome page on the
wiki (and possibly any other pages where I find it)?

Wil
-- 
Wil Cooley wcoo...@nakedape.cc



Re: Removing the Web Changes Notification Service from the wiki

2009-08-20 Thread Dave McMurtrie
Wil Cooley wrote:
 Having long been annoyed by the monstrous block of text called the Web
 Changes Notification Service on the wiki, I finally decided to try to
 edit a page and see if it could be easily removed. Turns out it's just
 this line:
 
   %INCLUDE{_default.WebNotify}%
 
 Does anyone mind if this is removed from the Cyrus/WebHome page on the
 wiki (and possibly any other pages where I find it)?

Not at all.  It looks much nicer now.

Thanks!

Dave
-- 
Dave McMurtrie, SPE
Email Systems Team Leader
Carnegie Mellon University,
Computing Services



Re: Ptloader configuration in Cyrus IMAP

2009-08-20 Thread nodens
Hi,

I stumbled onto this before. What is not clearly stated in the doc is that
if you use auth_mech: pts, every user needs to exist in the pts database
(ldap in your case). Well, maybe it is clearly stated, but I overlooked it
;-)

That said, you do not need AFS to use pts, though it seems to be very AFS
oriented.

Kind regards,

Clement Hermann
P.S. : Sorry about the top posting : blame the stupid android gmail
client...

On 8 20, 2009 8:10 PM, Wil Cooley wcoo...@nakedape.cc wrote:

Re: Ptloader configuration in Cyrus IMAP

2009-08-20 Thread nodens
Oops, about the slowness : it is really fast. The pts information is cached.
Actually, you will likely use ptexpire a lot when setting your groups at
first, to reset the cache.

On 8 20, 2009 8:10 PM, Wil Cooley wcoo...@nakedape.cc wrote:

Modifying existing setup to use Cyrus Murder

2009-08-20 Thread Alexander
Hello All,

I've inherited a working Cyrus installation (a pair of servers behind
a Perdition proxy), and I'd like to modify the existing setup to make
use of the Cyrus Murder.

I've found the following documentation:

http://cyrusimap.web.cmu.edu/imapd/install-murder.html

But the reason I'm writing is to ask for general advice before I
start.  The document is a little short on specific detail;  have any
of you done the same?  Have you run into any traps, or non-obvious
issues?  Anything to watch out for, or general advice?

Also, I see that there is a warning at the beginning of the document
about Murder is still relatively young.  Is this still the case, or
is this just a leftover warning from years ago?  Can it be considered
reasonably stable and ready for usage?

Thank you very much,
Alexander



Re: Modifying existing setup to use Cyrus Murder

2009-08-20 Thread Wesley Craig
On 20 Aug 2009, at 19:03, Alexander wrote:
 Also, I see that there is a warning at the beginning of the document
 about Murder is still relatively young.  Is this still the case, or
 is this just a leftover warning from years ago?  Can it be considered
 reasonably stable and ready for usage?

It's hardly young.  While I'd describe vanilla murder as stable,  
there's not much code to stop you from doing something really  
stupid.  The worst case scenario is that you will inadvertently  
instruct ctl_mboxlist to remove all of the mail from your live  
backend.  So, don't do that.  Always make sure that it's going to do  
what you expect before committing.

Also, unified murder *is* young, and I would not describe it as  
currently stable.  It's getting close, tho.

:wes

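
Wesley's warning is about ctl_mboxlist being told to reconcile a backend's mailbox list and removing mailboxes nobody meant to remove. The check below is an added example for this thread, not Cyrus code: dump the backend's current list with ctl_mboxlist -d, compare it with the list you intend to end up with, and refuse to go on when the difference is more than a small fraction of the mailboxes. It assumes the dump format has the mailbox name as the first tab-separated field of each line (the sample dumps are constructed, and the script name in the usage comment is hypothetical); only that first field is parsed, so the remaining fields do not matter.

```python
import sys

# Constructed dumps in the assumed shape of 'ctl_mboxlist -d' output:
# mailbox name, tab, then the remaining fields (type/partition, ACL).
CURRENT_DUMP = (
    "user.alice\t0 default\talice\tlrswipkxte\t\n"
    "user.alice.Sent\t0 default\talice\tlrswipkxte\t\n"
    "user.bob\t0 default\tbob\tlrswipkxte\t\n"
    "shared.announce\t0 default\tgroup:admins\tlrswipkxte\tanyone\tlrs\t\n"
)
INTENDED_DUMP = (
    "user.alice\t0 default\talice\tlrswipkxte\t\n"
    "shared.announce\t0 default\tgroup:admins\tlrswipkxte\tanyone\tlrs\t\n"
)


def mailbox_names(dump):
    """First tab-separated field of every non-empty line."""
    return {line.split("\t", 1)[0] for line in dump.splitlines() if line.strip()}


def planned_removals(current_dump, intended_dump):
    """Mailboxes present on the backend but absent from the intended list."""
    return sorted(mailbox_names(current_dump) - mailbox_names(intended_dump))


def check(current_dump, intended_dump, max_fraction=0.05):
    """Return (ok, message). Refuses when the current dump is empty (a failed
    dump must not pass as 'nothing to compare') or when more than max_fraction
    of the backend's mailboxes would disappear, which catches an empty or
    wrong intended list before it reaches ctl_mboxlist."""
    current = mailbox_names(current_dump)
    if not current:
        return False, "current dump is empty, refusing"
    removed = planned_removals(current_dump, intended_dump)
    share = len(removed) / len(current)
    msg = "%d of %d mailboxes (%.0f%%) would be removed: %s" % (
        len(removed), len(current), 100 * share, ", ".join(removed) or "none")
    return share <= max_fraction, msg


if __name__ == "__main__":
    # Real use (script name assumed):
    #   ctl_mboxlist -d > current.txt
    #   python3 check_mboxlist.py current.txt intended.txt
    if len(sys.argv) == 3:
        cur, want = (open(p).read() for p in sys.argv[1:3])
    else:
        cur, want = CURRENT_DUMP, INTENDED_DUMP
    ok, msg = check(cur, want)
    print(("OK: " if ok else "STOP: ") + msg)
    sys.exit(0 if ok else 1)
```

With the constructed dumps the script stops, because half of the mailboxes would go. Keep the ctl_mboxlist -d output as your restore point as well, and if the ctl_mboxlist in your version offers a mode that prints what it would do without doing it (check its man page), run that before the real thing.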