Re: imapd + sasl + ldapdb problems

2014-02-06 Thread Peter Erickson
I got it working so thanks for clarifying the setup for the ldapdb  
auxprop module. I needed to add an additional authz-regexp option to  
the openldap config to map an email address to its proper ldap entry.  
Once that was added, everything started working. Thanks again for the  
help.

On Wed Feb  5 12:07:58 2014, Dan White dwh...@olp.net wrote:
 On 02/05/14 11:15 -0600, Peter Erickson wrote:
 virtdomains: userid
 defaultdomain: example.com

 Other than that, your config looks reasonable. Include an 'ldapdb_mech'
 option to reduce confusion. sasl_ldapdb_canon_attr may need to be 'uid'
 instead, since example.com is the default domain. This command should
 succeed, and return the DN of the test user if your config is good:

 Just to make sure that I'm understanding the options right, is there a
 good explanation for what sasl_ldapdb_canon_attr does? I'm not quite
 sure that I understand its purpose.

 sasl_ldapdb_canon_attr will be the resolved identity that sasl hands back
 to cyrus. The identity will be used to find the user's INBOX. Having a
 default domain complicates things a bit (and you may have to experiment. I
 don't define a default domain). Basically, the sasl_ldapdb_canon_attr
 should equal the user portion of their INBOX name. It's handy in scenarios
 where the authentication identity differs from the mailbox name (name
 change, for instance).

 Based on the following, it's possible that my problem isn't with cyrus
 imapd/sasl, but a misunderstanding of the ldap proxy authorization
 process and I need to recheck my ldap config. I'm more accustomed to
 using ldap filters and a base instead of the proxy authorization.

 # ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tuser -Z
 SASL/DIGEST-MD5 authentication started
 SASL username: u:tuser
 SASL SSF: 128
 SASL data security layer installed.
 dn:cn=test user,o=hosted_domain,ou=hosting,dc=example.com

 This looks good.

 # ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tu...@example.com -Z
 SASL/DIGEST-MD5 authentication started
 ldap_sasl_interactive_bind_s: Insufficient access (50)
  additional info: SASL(-14): authorization failure: not authorized

 You may need a different or better authz-regexp rule here, or you may need
 to adjust your authzto/authzfrom rules. See:

 http://www.openldap.org/doc/admin24/sasl.html#SASL Proxy Authorization



Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus


Re: imapd + sasl + ldapdb problems

2014-02-05 Thread Dan White
On 02/04/14 20:15 -0600, Peter Erickson wrote:
I'm trying to configure imapd to authenticate against an ldap
directory using ldapdb and am running into problems. I provide hosting
services (i.e. ftp, svn, mail, etc) for several people where user
account information is stored in an openldap directory. In addition to
having a username/password, each user also has a primary email account
and a list of services that they are authorized to use. I've got
authentication working using a user's uid, but I need to change
this so that users are only allowed access using their email address.
I believe I need this to happen as well since I'm using Cyrus'
virtdomains option. Once that is done, I'll attempt to restrict access
based on the existence of the proper authorizedService attribute.

In hopes of requiring users to log in using their email address I set
sasl_ldapdb_canon_attr, however that resulted in the following syslog
messages (These same messages occur if I comment out the canonuser_attr
options in imapd.conf as well):
imtest: ldapdb_canonuser_plug_init() failed in
sasl_canonuser_add_plugin(): invalid parameter supplied
imap[16385]: SQL engine 'mysql' not supported
imap[16385]: auxpropfunc error no mechanism available
imap[16385]: unable to canonify user and get auxprops
imap[16385]: badlogin: localhost [127.0.0.1] DIGEST-MD5 [SASL(-1):
generic failure: unable to canonify user and get auxprops]

You'll need to have a Cyrus SASL version > 2.1.23 installed for the ldapdb
canonuser functionality, or you'll need to patch your existing version.

Check that you have a properly installed cyrus sasl with:

~$ cat > /tmp/pluginviewer.conf << EOF
 ldapdb_uri: ldapi:///
 sql_select: select please_work from the_ether
 EOF
~$ SASL_CONF_PATH=/tmp /usr/sbin/saslpluginviewer -a
Installed and properly configured auxprop mechanisms are:
ldapdb sql sasldb
List of auxprop plugins follows
Plugin ldapdb ,   API version: 8
 supports store: yes

Plugin sql ,  API version: 8
 supports store: yes

Plugin sasldb ,   API version: 8
 supports store: yes

~$ SASL_CONF_PATH=/tmp /usr/sbin/saslpluginviewer -s | grep -i 'cram-md5\|digest-md5'
   GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS
   GSSAPI DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS
 SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
 SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no

~$ strings /usr/lib/x86_64-linux-gnu/sasl2/libldapdb.so.2 | grep canon
ldapdb_canonuser_plug_init
sasl_canonuser_init
ldapdb_canon_attr

rm /tmp/pluginviewer.conf

I tracked down the ldapdb_canonuser_plug_init() error to
ldapdb_config(). When the ldapdb_uri option is read, it apparently
returns a null string reference which results in the SASL_BADPARAM
being returned. Unfortunately, not fully understanding the SASL
package, I'm not really sure where to go from here nor do I know if
this will even solve my problem if it returns successfully.

Any help in configuring this would be greatly appreciated.


imapd.conf:
configdirectory: /var/cyrus/config
partition-default: /var/cyrus/spool
admin: cyrusadmin
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldaps://localhost
sasl_ldapdb_id: imapd-user
sasl_ldapdb_pw: password
sasl_canon_user_plugin: ldapdb
sasl_ldapdb_canon_attr: mail
sasl_mech_list: cram-md5 digest-md5
virtdomains: userid
defaultdomain: example.com

Consider that the certificate returned by ldaps://localhost may fail,
unless the certificate used by localhost is named 'localhost', or is
otherwise trusted. ldapi:/// may be a better option.

Other than that, your config looks reasonable. Include an 'ldapdb_mech'
option to reduce confusion. sasl_ldapdb_canon_attr may need to be 'uid'
instead, since example.com is the default domain. This command should
succeed, and return the DN of the test user if your config is good:

ldapwhoami -Y digest-md5 -H ldaps://localhost -U imapd-user -w password -X
u:tuser (or u:tu...@example.com? not sure)

example ldap entry:
dn: cn=test user,o=hosted_domain,ou=hosting,dc=example.com
objectclass: top
objectclass: inetOrgPerson
objectclass: authorizedServiceObject
cn: test user
sn: user
uid: tuser
mail: tu...@example.com
userPassword: password
authorizedService: mail
authorizedService: svn

-- 
Dan White



Re: imapd + sasl + ldapdb problems

2014-02-05 Thread Peter Erickson
Dan, thanks for the response.

On Wed, Feb 05, 2014 at 09:35:49AM -0600, Dan White wrote:
 On 02/04/14 20:15 -0600, Peter Erickson wrote:
 In hopes of requiring users to log in using their email address I set
 sasl_ldapdb_canon_attr, however that resulted in the following syslog
 messages (These same messages occur if I comment out the canonuser_attr
 options in imapd.conf as well):
 imtest: ldapdb_canonuser_plug_init() failed in
 sasl_canonuser_add_plugin(): invalid parameter supplied
 imap[16385]: SQL engine 'mysql' not supported
 imap[16385]: auxpropfunc error no mechanism available
 imap[16385]: unable to canonify user and get auxprops
 imap[16385]: badlogin: localhost [127.0.0.1] DIGEST-MD5 [SASL(-1):
 generic failure: unable to canonify user and get auxprops]
 
 You'll need to have a Cyrus SASL version > 2.1.23 installed for the ldapdb
 canonuser functionality, or you'll need to patch your existing version.

I am currently working with Cyrus SASL 2.1.26 and Cyrus imap 2.4.17
installed on FreeBSD 9-STABLE.

 Check that you have a properly installed cyrus sasl with:
 
 ~$ cat > /tmp/pluginviewer.conf << EOF
  ldapdb_uri: ldapi:///
  sql_select: select please_work from the_ether
  EOF
 ~$ SASL_CONF_PATH=/tmp /usr/sbin/saslpluginviewer -a
 Installed and properly configured auxprop mechanisms are:
 ldapdb sql sasldb
 List of auxprop plugins follows
 Plugin ldapdb ,   API version: 8
  supports store: yes
 
 Plugin sql ,  API version: 8
  supports store: yes
 
 Plugin sasldb ,   API version: 8
  supports store: yes

# pluginviewer -a
Installed and properly configured auxprop mechanisms are:
ldapdb sasldb
List of auxprop plugins follows
Plugin ldapdb ,   API version: 8
supports store: yes

Plugin sasldb ,   API version: 8
supports store: yes

 ~$ SASL_CONF_PATH=/tmp /usr/sbin/saslpluginviewer -s | grep -i 'cram-md5\|digest-md5'
GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS
GSSAPI DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS
  SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
  SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no

# pluginviewer -s | grep -i 'cram-md5\|digest-md5'
  SCRAM-SHA-1 DIGEST-MD5 EXTERNAL OTP CRAM-MD5 NTLM LOGIN PLAIN ANONYMOUS
  SCRAM-SHA-1 DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN ANONYMOUS
SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no

 ~$ strings /usr/lib/x86_64-linux-gnu/sasl2/libldapdb.so.2 | grep canon
 ldapdb_canonuser_plug_init
 sasl_canonuser_init
 ldapdb_canon_attr

#  strings /usr/local/lib/sasl2/libldapdb.so.3 | grep canon
ldapdb_canonuser_plug_init
sasl_canonuser_init
ldapdb_canon_attr

 imapd.conf:
 configdirectory: /var/cyrus/config
 partition-default: /var/cyrus/spool
 admin: cyrusadmin
 sasl_pwcheck_method: auxprop
 sasl_auxprop_plugin: ldapdb
 sasl_ldapdb_uri: ldaps://localhost
 sasl_ldapdb_id: imapd-user
 sasl_ldapdb_pw: password
 sasl_canon_user_plugin: ldapdb
 sasl_ldapdb_canon_attr: mail
 sasl_mech_list: cram-md5 digest-md5
 virtdomains: userid
 defaultdomain: example.com
 
 Consider that the certificate returned by ldaps://localhost may fail,
 unless the certificate used by localhost is named 'localhost', or is
 otherwise trusted. ldapi:/// may be a better option.

The ldap server is actually on a different system and works properly
with and without the SSL/TLS connection. I just replaced the actual
server with localhost to mask the real host.

 Other than that, your config looks reasonable. Include an 'ldapdb_mech'
 option to reduce confusion. sasl_ldapdb_canon_attr may need to be 'uid'
 instead, since example.com is the default domain. This command should
 succeed, and return the DN of the test user if your config is good:

Just to make sure that I'm understanding the options right, is there a
good explanation for what sasl_ldapdb_canon_attr does? I'm not quite
sure that I understand its purpose.

Based on the following, it's possible that my problem isn't with cyrus
imapd/sasl, but a misunderstanding of the ldap proxy authorization
process and I need to recheck my ldap config. I'm more accustomed to
using ldap filters and a base instead of the proxy authorization.

# ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tuser -Z
SASL/DIGEST-MD5 authentication started
SASL username: u:tuser
SASL SSF: 128
SASL data security layer installed.
dn:cn=test user,o=hosted_domain,ou=hosting,dc=example.com

# ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tu...@example.com -Z
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Insufficient access (50)
additional info: SASL(-14): authorization failure: not authorized

 example ldap entry:
 dn: cn=test user,o=hosted_domain,ou=hosting,dc=example.com
 objectclass: top
 objectclass: inetOrgPerson
 objectclass: authorizedServiceObject
 cn: test user
 sn: user
 uid: tuser
 mail: 

Re: imapd + sasl + ldapdb problems

2014-02-05 Thread Dan White
On 02/05/14 11:15 -0600, Peter Erickson wrote:
 virtdomains: userid
 defaultdomain: example.com

 Other than that, your config looks reasonable. Include an 'ldapdb_mech'
 option to reduce confusion. sasl_ldapdb_canon_attr may need to be 'uid'
 instead, since example.com is the default domain. This command should
 succeed, and return the DN of the test user if your config is good:

Just to make sure that I'm understanding the options right, is there a
good explanation for what sasl_ldapdb_canon_attr does? I'm not quite
sure that I understand its purpose.

sasl_ldapdb_canon_attr will be the resolved identity that sasl hands back
to cyrus. The identity will be used to find the user's INBOX. Having a
default domain complicates things a bit (and you may have to experiment. I
don't define a default domain). Basically, the sasl_ldapdb_canon_attr
should equal the user portion of their INBOX name. It's handy in scenarios
where the authentication identity differs from the mailbox name (name
change, for instance).

Based on the following, it's possible that my problem isn't with cyrus
imapd/sasl, but a misunderstanding of the ldap proxy authorization
process and I need to recheck my ldap config. I'm more accustomed to
using ldap filters and a base instead of the proxy authorization.

# ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tuser -Z
SASL/DIGEST-MD5 authentication started
SASL username: u:tuser
SASL SSF: 128
SASL data security layer installed.
dn:cn=test user,o=hosted_domain,ou=hosting,dc=example.com

This looks good.

# ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tu...@example.com -Z
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Insufficient access (50)
   additional info: SASL(-14): authorization failure: not authorized

You may need a different or better authz-regexp rule here, or you may need
to adjust your authzto/authzfrom rules. See:

http://www.openldap.org/doc/admin24/sasl.html#SASL Proxy Authorization

-- 
Dan White
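The identity chain Dan describes in this reply (login name, SASL proxy authorization as u:<name>, slapd's authz-regexp rewrite into a search, the entry's sasl_ldapdb_canon_attr value handed back to Cyrus, and the default-domain handling under virtdomains) and the ldapwhoami exchange it explains, simulated end to end as an added example. This is not code from the thread, from Cyrus or from OpenLDAP. The directory is constructed from the example entry in the thread plus an assumed second user in another hosted domain; the two authz-regexp rules, the uid=<name>,cn=<mech>,cn=auth DN form for the u: authzid, and the stripping of the default domain are assumptions taken from the OpenLDAP admin guide and the Cyrus imapd.conf documentation, not Peter's actual configuration.

```python
import re

# Constructed directory: the thread's example entry (minus userPassword) plus an
# assumed second user in a different hosted domain, so the defaultdomain
# behaviour is visible. LDAP compares these values case-insensitively.
DIRECTORY = {
    "cn=test user,o=hosted_domain,ou=hosting,dc=example.com": {
        "uid": "tuser",
        "mail": "tuser@example.com",
        "authorizedService": ["mail", "svn"],
    },
    "cn=other user,o=other_domain,ou=hosting,dc=example.com": {  # assumed entry
        "uid": "ouser",
        "mail": "ouser@other.org",
        "authorizedService": ["mail"],
    },
}

# authz-regexp rules as they might be written in slapd.conf (assumed, not
# Peter's real config). slapd tries them in order and uses the first match:
#   authz-regexp "uid=([^,@]+),cn=[^,]+,cn=auth"
#       "ldap:///ou=hosting,dc=example.com??sub?(uid=$1)"
RULE_UID = (r"uid=([^,@]+),cn=[^,]+,cn=auth",
            "ldap:///ou=hosting,dc=example.com??sub?(uid=$1)")
# The additional rule Peter reported needing: an e-mail address maps to its entry.
RULE_MAIL = (r"uid=([^,]+@[^,]+),cn=[^,]+,cn=auth",
             "ldap:///ou=hosting,dc=example.com??sub?(mail=$1)")


def sasl_authz_dn(authzid, mech="digest-md5"):
    """Turn the u:<name> authorization id given to 'ldapwhoami -X' into the
    DN form slapd feeds to authz-regexp: uid=<name>,cn=<mech>,cn=auth."""
    if not authzid.startswith("u:"):
        raise ValueError("only the u: form is modelled here")
    return f"uid={authzid[2:]},cn={mech},cn=auth".lower()


def search(uri):
    """Evaluate an ldap:///<base>??sub?(<attr>=<value>) URI over DIRECTORY."""
    m = re.fullmatch(r"ldap:///([^?]*)\?\?sub\?\((\w+)=([^)]*)\)", uri)
    if m is None:
        raise ValueError(f"unsupported URI: {uri}")
    base, attr, value = m.groups()
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith(base)
            and str(entry.get(attr, "")).lower() == value.lower()]


def authz_regexp(authz_dn, rules):
    """Apply the rules the way slapd does: the first matching pattern wins,
    $1.. are substituted into the URI, and the search must hit exactly one
    entry; anything else is 'not authorized'."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authz_dn)
        if m is None:
            continue
        uri = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
        hits = search(uri)
        return hits[0] if len(hits) == 1 else None
    return None


def cyrus_canonify(identity, defaultdomain="example.com"):
    """virtdomains: userid with a defaultdomain: a user in the default domain
    loses the domain part, any other domain stays in the user name."""
    user, _, domain = identity.lower().partition("@")
    if domain and domain != defaultdomain.lower():
        return f"{user}@{domain}"
    return user


def login(name, rules=(RULE_UID, RULE_MAIL), canon_attr="mail"):
    """Full chain for one IMAP login: returns the user name Cyrus would use to
    find the INBOX, or None where slapd answers
    'SASL(-14): authorization failure: not authorized'."""
    dn = authz_regexp(sasl_authz_dn("u:" + name), rules)
    if dn is None:
        return None
    return cyrus_canonify(DIRECTORY[dn][canon_attr])


if __name__ == "__main__":
    for name in ("tuser", "tuser@example.com", "ouser@other.org"):
        print(f"{name:>20}  uid-only rule: {login(name, (RULE_UID,))}"
              f"  both rules: {login(name)}")
```

With only the uid rule, `login("tuser@example.com")` comes back None, which is the second ldapwhoami result above; adding the mail rule makes it resolve. The model also shows what Dan's default-domain caveat amounts to: with `canon_attr` set to `uid`, the assumed `ouser@other.org` user is handed to Cyrus as `ouser` and would be looked up in the default domain, whereas `mail` keeps the domain for anyone outside it.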



imapd + sasl + ldapdb problems

2014-02-04 Thread Peter Erickson
I'm trying to configure imapd to authenticate against an ldap  
directory using ldapdb and am running into problems. I provide hosting  
services (i.e. ftp, svn, mail, etc) for several people where user  
account information is stored in an openldap directory. In addition to  
having a username/password, each user also has a primary email account  
and a list of services that they are authorized to use. I've got  
authentication working using a user's uid, but I need to change
this so that users are only allowed access using their email address.
I believe I need this to happen as well since I'm using Cyrus'
virtdomains option. Once that is done, I'll attempt to restrict access  
based on the existence of the proper authorizedService attribute.

In hopes of requiring users to log in using their email address I set
sasl_ldapdb_canon_attr, however that resulted in the following syslog
messages (These same messages occur if I comment out the canonuser_attr
options in imapd.conf as well):
imtest: ldapdb_canonuser_plug_init() failed in  
sasl_canonuser_add_plugin(): invalid parameter supplied
imap[16385]: SQL engine 'mysql' not supported
imap[16385]: auxpropfunc error no mechanism available
imap[16385]: unable to canonify user and get auxprops
imap[16385]: badlogin: localhost [127.0.0.1] DIGEST-MD5 [SASL(-1):  
generic failure: unable to canonify user and get auxprops]

I tracked down the ldapdb_canonuser_plug_init() error to  
ldapdb_config(). When the ldapdb_uri option is read, it apparently  
returns a null string reference which results in the SASL_BADPARAM  
being returned. Unfortunately, not fully understanding the SASL  
package, I'm not really sure where to go from here nor do I know if  
this will even solve my problem if it returns successfully.

Any help in configuring this would be greatly appreciated.


imapd.conf:
configdirectory: /var/cyrus/config
partition-default: /var/cyrus/spool
admin: cyrusadmin
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldaps://localhost
sasl_ldapdb_id: imapd-user
sasl_ldapdb_pw: password
sasl_canon_user_plugin: ldapdb
sasl_ldapdb_canon_attr: mail
sasl_mech_list: cram-md5 digest-md5
virtdomains: userid
defaultdomain: example.com

example ldap entry:
dn: cn=test user,o=hosted_domain,ou=hosting,dc=example.com
objectclass: top
objectclass: inetOrgPerson
objectclass: authorizedServiceObject
cn: test user
sn: user
uid: tuser
mail: tu...@example.com
userPassword: password
authorizedService: mail
authorizedService: svn

-- 
Peter Erickson
redlam...@gmail.com
