Re: Modifying existing setup to use Cyrus Murder
On 20 Aug 2009, at 19:03, Alexander wrote:

> Also, I see that there is a warning at the beginning of the document
> about "Murder is still relatively young". Is this still the case, or
> is this just a leftover warning from years ago? Can it be considered
> reasonably stable and ready for usage?

It's hardly young. While I'd describe vanilla murder as stable, there's not much code to stop you from doing something really stupid. The worst case scenario is that you will inadvertently instruct ctl_mboxlist to remove all of the mail from your live backend. So, don't do that. Always make sure that it's going to do what you expect before committing.

Also, unified murder *is* young, and I would not describe it as currently stable. It's getting close, tho.

:wes

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Modifying existing setup to use Cyrus Murder
Hello All,

I've inherited a working Cyrus installation (a pair of servers behind a Perdition proxy), and I'd like to modify the existing setup to make use of the Cyrus Murder. I've found the following documentation:

http://cyrusimap.web.cmu.edu/imapd/install-murder.html

But the reason I'm writing is to ask for general advice before I start. The document is a little short on specific detail; have any of you done the same? Have you run into any traps, or non-obvious issues? Anything to watch out for, or general advice?

Also, I see that there is a warning at the beginning of the document about "Murder is still relatively young". Is this still the case, or is this just a leftover warning from years ago? Can it be considered reasonably stable and ready for usage?

Thank you very much,
Alexander
Re: Ptloader configuration in Cyrus IMAP
Oops, about the slowness: it is really fast. The pts information is cached. Actually, you will likely use ptexpire a lot when setting your groups at first, to reset the cache.

On 8 20, 2009 8:10 PM, "Wil Cooley" wrote:

On Wed, 2009-08-19 at 15:33 +0300, Evgeniy Arbatov wrote:
> Dear list,
>
> I want to ask your advic...

Do I understand correctly from this discussion and the sparse mention of this in the documentation that the LDAP ptloader module can be used to manage group ACLs with "auth_mech=pts/pts_module=ldap", instead of "auth_mech=unix/unix_group_enable=1"? Does this solve the slowness caused by UNIX groups in LDAP? Does "auth_mech" affect anything else?

I have heretofore ignored mention of the pts/ptloader stuff because I was under the impression that it was entirely AFS-related, which I have no infrastructure for, but if this is the way to enable groups in LDAP without the slowness, then I need to look more closely at this.

Wil

--
Wil Cooley
Re: Ptloader configuration in Cyrus IMAP
Hi,

I stumbled onto this before. What is not clearly stated in the doc is that if you use auth_mech: pts, every user needs to exist in the pts database (ldap in your case). Well, maybe it is clearly stated, but I overlooked it ;-)

That said, you do not need AFS to use pts, though it seems to be very AFS oriented.

Kind regards,
Clement Hermann

P.S.: Sorry about the top posting: blame the stupid android gmail client...

On 8 20, 2009 8:10 PM, "Wil Cooley" wrote:

On Wed, 2009-08-19 at 15:33 +0300, Evgeniy Arbatov wrote:
> Dear list,
>
> I want to ask your advic...

Do I understand correctly from this discussion and the sparse mention of this in the documentation that the LDAP ptloader module can be used to manage group ACLs with "auth_mech=pts/pts_module=ldap", instead of "auth_mech=unix/unix_group_enable=1"? Does this solve the slowness caused by UNIX groups in LDAP? Does "auth_mech" affect anything else?

I have heretofore ignored mention of the pts/ptloader stuff because I was under the impression that it was entirely AFS-related, which I have no infrastructure for, but if this is the way to enable groups in LDAP without the slowness, then I need to look more closely at this.

Wil

--
Wil Cooley
Re: Removing the "Web Changes Notification Service" from the wiki
Wil Cooley wrote:
> Having long been annoyed by the monstrous block of text called the "Web
> Changes Notification Service" on the wiki, I finally decided to try to
> edit a page and see if it could be easily removed. Turns out it's just
> this line:
>
> %INCLUDE{"_default.WebNotify"}%
>
> Does anyone mind if this is removed from the Cyrus/WebHome page on the
> wiki (and possibly any other pages where I find it)?

Not at all. It looks much nicer now.

Thanks!

Dave

--
Dave McMurtrie, SPE
Email Systems Team Leader
Carnegie Mellon University, Computing Services
Removing the "Web Changes Notification Service" from the wiki
Having long been annoyed by the monstrous block of text called the "Web Changes Notification Service" on the wiki, I finally decided to try to edit a page and see if it could be easily removed. Turns out it's just this line:

%INCLUDE{"_default.WebNotify"}%

Does anyone mind if this is removed from the Cyrus/WebHome page on the wiki (and possibly any other pages where I find it)?

Wil

--
Wil Cooley
Re: Ptloader configuration in Cyrus IMAP
On Wed, 2009-08-19 at 15:33 +0300, Evgeniy Arbatov wrote:
> Dear list,
>
> I want to ask your advice on the use of ptloader for LDAP-based
> authorization in Cyrus IMAP.

Do I understand correctly from this discussion and the sparse mention of this in the documentation that the LDAP ptloader module can be used to manage group ACLs with "auth_mech=pts/pts_module=ldap", instead of "auth_mech=unix/unix_group_enable=1"? Does this solve the slowness caused by UNIX groups in LDAP? Does "auth_mech" affect anything else?

I have heretofore ignored mention of the pts/ptloader stuff because I was under the impression that it was entirely AFS-related, which I have no infrastructure for, but if this is the way to enable groups in LDAP without the slowness, then I need to look more closely at this.

Wil

--
Wil Cooley
Cyrus SASL 2.1.24 RC1 Released
I'd like to announce the release of Cyrus SASL 2.1.24 RC1 on ftp.andrew.cmu.edu. This release candidate includes numerous bugfixes and several minor feature enhancements. For a complete list, look at the NEWS file in the distribution.

I'd like to get some independent testing of this code before I make a final release. Please send any feedback either to cyrus-s...@lists.andrew.cmu.edu (public list) or to cyrus-b...@andrew.cmu.edu.

Download at:

ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.24rc1.tar.gz

--
Kenneth Murchison
Systems Programmer
Carnegie Mellon University
Re: Ptloader configuration in Cyrus IMAP
Hi,

Evgeniy Arbatov wrote:
> Thank you for your suggestions! They helped me a great deal.
> The situation is better now, in a sense that ptloader connects to LDAP
> and finds something.

OK. :)

> After corrections my imapd.conf:

This is what I have.

auth_mech: pts
pts_module: ldap
ptloader_sock: /var/lib/imap/socket/ptclient
sasl_mech_list: PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
sasl_log_level: 5
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://tfas099.foo
sasl_ldapdb_id: xxx
sasl_ldapdb_pw:
sasl_ldapdb_mech: PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
allowplaintext: yes
sasl_minimum_layer: 0
sasl_ldapdb_starttls: Demand
sasl_ldap_search_base: ou=humans,ou=foo
sasl_ldap_search_filter: maildrop=%U
lmtp_overquota_perm_failure: no
maxmessagesize: 2500
ldap_id:
ldap_sasl: 1
ldap_password:
ldap_uri: ldap://tfas099.foo
ldap_mech: PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
ldap_tls_cacert_file: /opt/mail/etc/openldap/ssl/ca2006.pem
ldap_tls_cert: /opt/mail/etc/openldap/ssl/cert2006.pem
ldap_tls_key: /opt/mail/etc/openldap/ssl/key2006.pem
ldap_base: ou=humans,ou=foo
ldap_group_base: ou=gruppen,ou=humans,ou=foo
ldap_group_filter: ou=%U
ldap_member_attribute: member
ldap_group_scope: sub
ldap_member_method: attribute

> The LDAP now looks as follows:

I use group like you did before.

Marc
Re: Ptloader configuration in Cyrus IMAP
Thank you for your suggestions! They helped me a great deal.
The situation is better now, in a sense that ptloader connects to LDAP and finds something.

After corrections my imapd.conf:

auth_mech: pts
pts_module: ldap
ptloader_sock: /var/lib/imap/socket/ptsock
ldap_uri: ldaps://ldap.example.com:636
ldap_sasl: 0
ldap_size_limit: 20
ldap_filter: (uid=%U)
ldap_group_filter: (cn=%u)
ldap_member_method: filter
ldap_member_filter: (memberUid=%u)
ldap_member_attribute: cn
ldap_base: dc=example,dc=com
ldap_group_base: ou=groups,ou=people,dc=example,dc=com
ldap_member_base: ou=groups,ou=people,dc=example,dc=com

The LDAP now looks as follows:

dn: cn=admins,ou=groups,ou=people,dc=example,dc=com
cn: admins
memberUid: earbatov
memberUid: user

I modified the permissions for the admins group:

sam user/postmaster group:admins lrswipkxte

The logs for ptloader now have:

mail imaps[17540]: ptload(): pinging ptloader
mail imaps[17540]: connected with no delay
mail imaps[17540]: ptload(): connected
mail imaps[17540]: timeout_select: sock = 17, rp = 0x0, wp = 0x4aa71af0, sec = 30
mail imaps[17540]: timeout_select exiting. r = 1; errno = 0
mail ptloader[17538]: accepted connection
mail imaps[17540]: ptload sent data
mail imaps[17540]: timeout_select: sock = 17, rp = 0x4aa71b70, wp = 0x0, sec = 30
mail imaps[17540]: timeout_select exiting. r = 1; errno = 0
mail imaps[17540]: ptload read data back
mail imaps[17540]: ptload(): empty response from ptloader server
mail master[17508]: process 17538 exited, signaled to death by 11
mail master[17508]: service ptloader pid 17538 in READY state: terminated abnormally
mail imaps[17540]: No data available at all from ptload()
mail imaps[17540]: ptload completely failed: unable to canonify identifier: earbatov
mail imaps[17540]: badlogin: net.example.com [192.168.0.78] plaintext earbatov invalid user
mail master[17613]: about to exec /usr/lib/cyrus-imapd/ptloader
mail ptloader[17613]: executed
mail ptloader[17613]: starting: $Id: ptloader.c,v 1.32.2.9 2005/02/25 07:19:06 shadow Exp $

The LDAP logs show this:

ldap slapd[30259]: conn=20 op=2 SRCH base="ou=groups,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(memberUid=earbatov)"
ldap slapd[30259]: conn=20 op=2 SRCH attr=cn
ldap slapd[30259]: conn=20 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

And the ptdump tells:

user: admins time: 1250751529 groups: 0
user: cyrusimap time: 1250751556 groups: 0
user: group:admins time: 1250751780 groups: 0
user: postmaster time: 1250751701 groups: 0

Needless to say, the authorization fails, without even giving me access to usual, not shared mailboxes.

>> EA> pts_module: ldap
>>
>> This module is currently very difficult to configure, IMHO.
> That's true. :) But it's doable.

I would be glad not to use this pts_module, but if I leave it to defaults I see:

mail ptloader[18396]: starting: $Id: ptloader.c,v 1.32.2.9 2005/02/25 07:19:06 shadow Exp $
mail ptloader[18396]: PTS module afskrb not supported
mail master[18364]: process 18428 exited, status 75
mail master[18364]: service ptloader pid 18428 in READY state: terminated abnormally

Please refer me to any instructions on pts_module, if I do need to make changes.

One more question: I am confused about the role of ldap_group_filter and ldap_group_base. Isn't ldap_member* enough?

Evgeniy
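
The log sequence in the message above (ptloader exiting abnormally, then imapd logging a `badlogin` with "invalid user") can be separated from a real credential failure by correlating on process IDs. The Python below is an added example, not part of the original thread or of Cyrus; the sample lines are a subset of those in the post plus one final `badlogin` line constructed for contrast, and the name `triage` is hypothetical.

```python
import re

# Sample input: a subset of the syslog lines quoted in the post above. The
# last badlogin line is constructed here as a genuine password failure.
SAMPLE_LOG = """\
mail imaps[17540]: ptload(): empty response from ptloader server
mail master[17508]: process 17538 exited, signaled to death by 11
mail master[17508]: service ptloader pid 17538 in READY state: terminated abnormally
mail imaps[17540]: ptload completely failed: unable to canonify identifier: earbatov
mail imaps[17540]: badlogin: net.example.com [192.168.0.78] plaintext earbatov invalid user
mail ptloader[18396]: PTS module afskrb not supported
mail master[18364]: process 18428 exited, status 75
mail master[18364]: service ptloader pid 18428 in READY state: terminated abnormally
mail imaps[17702]: badlogin: net.example.com [192.168.0.78] plaintext someuser SASL(-13): authentication failure: checkpass failed
"""

LINE = re.compile(r"^\S+ (?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SIGNALED = re.compile(r"process (\d+) exited, signaled to death by (\d+)")
ABNORMAL = re.compile(r"service (\S+) pid (\d+) in \S+ state: terminated abnormally")
PT_FAIL = re.compile(r"ptload\(\): empty response|ptload completely failed")
BADLOGIN = re.compile(r"badlogin: \S+ \[([^\]]+)\] \S+ (\S+) (.*)")

def triage(log_text):
    """Return (service_crashes, badlogins) with each badlogin given a cause."""
    signals, crashes = {}, []   # pid -> signal; (service, pid, signal or None)
    pt_failed = set()           # imapd pids whose ptloader lookup failed
    logins = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        prog, pid, msg = m["prog"], int(m["pid"]), m["msg"]
        if prog == "master":
            if s := SIGNALED.search(msg):
                signals[int(s[1])] = int(s[2])
            elif a := ABNORMAL.search(msg):
                crashes.append((a[1], int(a[2]), signals.get(int(a[2]))))
        elif PT_FAIL.search(msg):
            pt_failed.add(pid)
        elif b := BADLOGIN.search(msg):
            # A rejection right after a failed ptloader lookup in the same
            # imapd process says nothing about the password that was sent.
            cause = "ptloader-failure" if pid in pt_failed else "credentials"
            pt_failed.discard(pid)  # imapd processes are reused
            logins.append({"ip": b[1], "user": b[2], "cause": cause, "reason": b[3]})
    return crashes, logins

if __name__ == "__main__":
    crashes, logins = triage(SAMPLE_LOG)
    print(crashes)
    for entry in logins:
        print(entry)
```

Counting only the `credentials` entries toward failed-login thresholds keeps a crashing ptloader from looking like a password-guessing run, while the crash list gives the service, PID and signal to investigate.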