I'm attempting to connect to the Cyrus IMAPd mailbox "admin" on "wum.lat" as the Kerberos principal "[EMAIL PROTECTED]", using proxy authorization. The principal "imap/wum.lat" is in the realm "RUZ" - cross-realm authentication is working - I can connect to the mailbox "admin" as "[EMAIL PROTECTED]". Account information is currently being successfully retrieved from an OpenLDAP server, using nss_ldap. I can currently ssh to "[EMAIL PROTECTED]" as "[EMAIL PROTECTED]", using a ".k5login" file in admin's home. I should also be able to proxy authorize to the OpenLDAP server using saslAuthzTo / From. Cyrus, however, isn't letting me in. I am unclear on what I must do to configure proxy authorization for Cyrus IMAPd, and why it is calling nss_ldap (and why nss_ldap can't, in this case, contact the LDAP server).

Can anyone help?

Thanks!

Jack

==> auth.log <==
Mar 13 15:41:10 wum krb5kdc[17432]: AS_REQ (6 etypes {18 16 23 1 3 2}) 192.168.179.43: NEEDED_PREAUTH: [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED], Additional pre-authentication required
Mar 13 15:41:10 wum krb5kdc[17432]: AS_REQ (6 etypes {18 16 23 1 3 2}) 192.168.179.43: ISSUE: authtime 1079221270, etypes {rep=16 tkt=16 ses=16}, [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
Mar 13 15:41:53 wum krb5kdc[17432]: TGS_REQ (6 etypes {18 16 23 1 3 2}) 192.168.179.43: ISSUE: authtime 1079221270, etypes {rep=16 tkt=16 ses=16}, [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
Mar 13 15:41:53 wum krb5kdc[17432]: TGS_REQ (5 etypes {16 23 1 3 2}) 192.168.179.43: ISSUE: authtime 1079221270, etypes {rep=16 tkt=16 ses=16}, [EMAIL PROTECTED] for imap/[EMAIL PROTECTED]


==> mail.log <==
Mar 13 15:41:53 wum cyrus/imapd[18603]: accepted connection

==> auth.log <==
Mar 13 15:41:54 wum cyrus/imapd[18603]: user jablko is not allowed to proxy


==> mail.log <==
Mar 13 15:41:54 wum cyrus/imapd[18603]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Mar 13 15:41:54 wum cyrus/imapd[18603]: badlogin: fis.lat[192.168.179.43] GSSAPI [SASL(-13): authentication failure: user jablko is not allowed to proxy]


---
Home Page: http://asg.web.cmu.edu/cyrus
Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
