Re: alternative login names

2013-02-04 Thread Charles Bradshaw
Gentlemen

Sorry to butt into this thread at so late a stage. Indeed SASL does not support
encrypted passwords because it can't!

SASL CRAM-MD5 and DIGEST-MD5 do not transmit the password over the link; as a
consequence both the client and the server need knowledge of the clear text.

It is possible to store encrypted passwords in some kind of database provided
that the lookup mechanism is capable of doing the decrypt. Mysql AES is one
possibility.

Both MD5 and SHA are one-way hashing functions! Password verification
against either requires knowledge of the clear text!

Charles Bradshaw

On Mon, 4 Feb 2013 18:44:48 +0100, Marc Patermann wrote:

> Wolfgang
> 
> Wolfgang Rosenauer schrieb (04.02.2013 18:03 Uhr):
> 
> > I played around some more with openldap's SASL and ran exactly into the
> > issue that SASL seems to explicitly _not_ support CRYPT userPasswords.
> > So yes, keeping saslauthd using PAM would help with that.
> What did you test? (I did not do it myself.)
> Like an ldapsearch with "-Y cram-md5" or "-Y plain" both do not work 
> against an object where userPassword is encrypted with CRYPT?
> And both do work while it is encrypted with like SHA or unencrypted?
> 
> Marc

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
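The point Charles makes above, as an added example that is not from the thread: CRAM-MD5 walked through on both sides, showing that the server can only recompute the client's keyed digest when it holds the cleartext password, and that a one-way hashed userPassword (a stand-in for {CRYPT}/{SSHA}, constructed here) cannot key the HMAC. The challenge format, credential and host name are constructed sample values.

```python
"""CRAM-MD5 (RFC 2195) walked through on both sides of the link."""
import hashlib
import hmac
import os
import time


def make_challenge(host="mail.example.org"):
    # Server side: a fresh, timestamped challenge in the RFC 2195 msg-id form.
    return f"<{os.urandom(8).hex()}.{int(time.time())}@{host}>".encode()


def client_response(username, password, challenge):
    # Client side: HMAC-MD5 keyed with the cleartext password over the challenge.
    # The password itself never crosses the link, only this keyed digest.
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def server_verify(response, challenge, stored_secret):
    # Server side: recompute the digest with whatever secret the server holds
    # and compare in constant time. Only the cleartext password reproduces it.
    username, _, digest = response.partition(" ")
    expected = hmac.new(stored_secret.encode(), challenge, hashlib.md5).hexdigest()
    return username, hmac.compare_digest(expected, digest)


def one_way_hash(password, salt="c0nstructed-salt"):
    # Stand-in for a {CRYPT}/{SSHA} userPassword: a salted one-way hash. The
    # cleartext cannot be recovered from it, so it cannot key the HMAC above.
    return "{SSHA256}" + hashlib.sha256((salt + password).encode()).hexdigest()


def demo(password="correct horse battery"):
    # Constructed credential; the same client response is checked against a
    # server that stores the cleartext and one that stores only the hash.
    challenge = make_challenge()
    response = client_response("alice", password, challenge)
    _, ok_cleartext = server_verify(response, challenge, password)
    _, ok_hashed = server_verify(response, challenge, one_way_hash(password))
    return ok_cleartext, ok_hashed


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The same reasoning applies to DIGEST-MD5: the stored secret has to be either the cleartext or a mechanism-specific derived secret such as the cmusaslsecret attributes mentioned later in the thread.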


Re: alternative login names

2013-02-04 Thread Wolfgang Rosenauer
On Mon, Feb 4, 2013 at 6:44 PM, Marc Patermann <hans.mo...@ofd-z.niedersachsen.de> wrote:

> Wolfgang
>
> Wolfgang Rosenauer schrieb (04.02.2013 18:03 Uhr):
>
> > I played around some more with openldap's SASL and ran exactly into the
> > issue that SASL seems to explicitly _not_ support CRYPT userPasswords.
> > So yes, keeping saslauthd using PAM would help with that.
>
> What did you test? (I did not do it myself.)
> Like an ldapsearch with "-Y cram-md5" or "-Y plain" both do not work
> against an object where userPassword is encrypted with CRYPT?
> And both do work while it is encrypted with like SHA or unencrypted?
>

DIGEST-MD5 did not work (as expected) and PLAIN also failed with

slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined
SASL [conn=1004] Failure: Password verification failed

When I googled for that issue I found statements that SASL cannot handle
CRYPT passwords and tries to fall back to cmusaslsecret, which I do not have.
I haven't tried plain passwords since I have no test setup at the moment
and didn't want to kill the production mail server.

Wolfgang


Re: alternative login names

2013-02-04 Thread Marc Patermann
Wolfgang

Wolfgang Rosenauer schrieb (04.02.2013 18:03 Uhr):

> I played around some more with openldap's SASL and ran exactly into the
> issue that SASL seems to explicitly _not_ support CRYPT userPasswords.
> So yes, keeping saslauthd using PAM would help with that.
What did you test? (I did not do it myself.)
Like an ldapsearch with "-Y cram-md5" or "-Y plain" both do not work 
against an object where userPassword is encrypted with CRYPT?
And both do work while it is encrypted with like SHA or unencrypted?


Marc



Re: alternative login names

2013-02-04 Thread Wolfgang Rosenauer
On Mon, Feb 4, 2013 at 3:27 PM, Dan White wrote:

> On 02/04/13 09:08 -0500, Adam Tauno Williams wrote:
> >On Mon, 2013-02-04 at 14:25 +0100, Wolfgang Rosenauer wrote:
> >> I actually needed a pointer into the right direction and I guess that
> >> is one.
> >> I've never used sasl ldapdb though and I have a hard time figuring out
> >> how and what to do.
> >
> >I have some examples for using ldapdb @
> >
> >
> >> From the documentation I found it's also not clear to me if a crypted
> >> userPassword as I use in my LDAP can be used in that setup.
> >
> >H.  I can't recall off the top of my head.  I believe it SHOULD be
> >possible to do LOGIN/PLAIN auth via ldapdb.
>
> It should be possible to continue to use saslauthd for authentication (with
> crypted passwords) and then use ldapdb just as a canonicalization plugin.
>

I played around some more with openldap's SASL and ran exactly into the
issue that SASL seems to explicitly _not_ support CRYPT userPasswords.
So yes, keeping saslauthd using PAM would help with that.
But now after reading quite some stuff about ldapdb I still have no idea
what "use ldapdb just as a canonicalization plugin" would look like. Any
pointers to documentation which shows how that comes together, starting from
imapd.conf?

I found some snippets for example here:
http://comments.gmane.org/gmane.mail.imap.cyrus/29985

But this is the other way round as I'd like it to behave. I have "simple"
login names but want to allow people to login with their email address.
As I understand the canonicalization feature it would return any attribute
from an ldap entry but I'd need to search for the mail attribute and return
the uid.
Or does it do the same sasl_regexp stuff so I could create a search from a
sasl request?


Wolfgang


Re: alternative login names

2013-02-04 Thread Dan White
On 02/03/13 20:29 +0100, Wolfgang Rosenauer wrote:
>Hi,
>
>I'm running Cyrus imapd 2.3.x since quite some time for a group of users.
>My setup is LDAP based using saslauthd to pam_ldap currently and works just
>fine. But now I want to allow access to the mailboxes using the email
>address as an alternative to the system username.
>
>I have no real idea where to start how I could achieve that w/o changing
>the whole architecture of the system.
>Someone got a hint for me what to look at?

To allow users to login using a different username than the name of the
mailbox, use a canonicalization plugin, such as ldapdb.

-- 
Dan White



Re: alternative login names

2013-02-04 Thread Dan White
On 02/04/13 09:08 -0500, Adam Tauno Williams wrote:
>On Mon, 2013-02-04 at 14:25 +0100, Wolfgang Rosenauer wrote:
>> I actually needed a pointer into the right direction and I guess that
>> is one.
>> I've never used sasl ldapdb though and I have a hard time figuring out
>> how and what to do.
>
>I have some examples for using ldapdb @
>
>
>> From the documentation I found it's also not clear to me if a crypted
>> userPassword as I use in my LDAP can be used in that setup.
>
>H.  I can't recall off the top of my head.  I believe it SHOULD be
>possible to do LOGIN/PLAIN auth via ldapdb.

It should be possible to continue to use saslauthd for authentication (with
crypted passwords) and then use ldapdb just as a canonicalization plugin.

>> If I understand correctly all the hard work to match usernames is done
>> via some regexp which should be powerful enough to let me search the
>> login name in uid and mail attributes?
>
>Yes, the matching regex is key.  And confusing, at first.
>
>> Or did you actually refer to a different mapping in LDAP?
>> Is there some sort of HOWTO somewhere or is all the information really
>> spread in openldap, sasl and imapd documentation only?
>
>Maybe the above PDF will help?

-- 
Dan White



Re: alternative login names

2013-02-04 Thread Adam Tauno Williams
On Mon, 2013-02-04 at 14:25 +0100, Wolfgang Rosenauer wrote:
> I actually needed a pointer into the right direction and I guess that
> is one.
> I've never used sasl ldapdb though and I have a hard time figuring out
> how and what to do.

I have some examples for using ldapdb @


> From the documentation I found it's also not clear to me if a crypted
> userPassword as I use in my LDAP can be used in that setup.

H.  I can't recall off the top of my head.  I believe it SHOULD be
possible to do LOGIN/PLAIN auth via ldapdb.

> If I understand correctly all the hard work to match usernames is done
> via some regexp which should be powerful enough to let me search the
> login name in uid and mail attributes?

Yes, the matching regex is key.  And confusing, at first.

> Or did you actually refer to a different mapping in LDAP?
> Is there some sort of HOWTO somewhere or is all the information really
> spread in openldap, sasl and imapd documentation only?

Maybe the above PDF will help?


-- 
Adam Tauno Williams  GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA




Re: alternative login names

2013-02-04 Thread Marc Patermann
Wolfgang,

Wolfgang Rosenauer schrieb (04.02.2013 14:25 Uhr):
> On Mon, Feb 4, 2013 at 10:07 AM, Marc Patermann wrote:
> 
> > Wolfgang Rosenauer schrieb (03.02.2013 20:29 Uhr):
> > 
> > > I'm running Cyrus imapd 2.3.x since quite some time for a group
> > > of users.
> > > My setup is LDAP based using saslauthd to pam_ldap currently and
> > > works just fine. But now I want to allow access to the mailboxes
> > > using the email address as an alternative to the system username.
> > > 
> > > I have no real idea where to start how I could achieve that w/o
> > > changing the whole architecture of the system.
> > > Someone got a hint for me what to look at?
> > 
> > I don't know much about pam_ldap, but as you have all the data in
> > LDAP, why not switch to auxprop ldapdb and configure your LDAP to
> > map the existing logins and mail address to the same object?
> 
> I actually needed a pointer into the right direction and I guess that is 
> one.
> I've never used sasl ldapdb though and I have a hard time figuring out 
> how and what to do.
There are not too many options specific to ldapdb in SASL: 
http://cyrusimap.org/docs/cyrus-sasl/2.1.25/options.php

Mine is somewhat like that:
sasl_mech_list: PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
sasl_log_level: 5
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://server.name
sasl_ldapdb_id: adminuser
sasl_ldapdb_pw: adminusersPW
sasl_ldapdb_mech:  PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
sasl_minimum_layer: 0
sasl_ldapdb_starttls: demand

There are a few threads in the archive here.
http://asg.andrew.cmu.edu/archive/index.php?mailbox=archive.info-cyrus

>  From the documentation I found it's also not clear to me if a crypted 
> userPassword as I use in my LDAP can be used in that setup.
Look at this thread:
http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&searchterm=auxprop%20ldap&msg=54167

> If I understand correctly all the hard work to match usernames is done 
> via some regexp which should be powerful enough to let me search the 
> login name in uid and mail attributes?
You have openLDAP, right?

Mostly yes. You need regex for "Mapping Authentication Identities"
http://www.openldap.org/doc/admin24/sasl.html#Mapping%20Authentication%20Identities
You may need "SASL Proxy Authorization" to switch from your ldapdb_id to 
the authenticating user.

> Or did you actually refer to a different mapping in LDAP?
> 
> Is there some sort of HOWTO somewhere or is all the information really 
> spread in openldap, sasl and imapd documentation only?
These are the tools involved. :)
But the least is IMAPd, SASL is few and most is openLDAP mapping.


Marc

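The "Mapping Authentication Identities" step Marc points to above, and the mail-to-uid lookup Wolfgang asks for earlier in the thread, as an added example that is not from the thread or from OpenLDAP: a small Python simulation of what slapd's authz-regexp directive does with a SASL authcid. The directive shape follows the OpenLDAP admin guide; the base DN, the (|(uid=$1)(mail=$1)) filter and the directory entries are assumptions constructed for this example.

```python
"""Simulate slapd's authz-regexp step: SASL authcid -> LDAP search -> canonical uid."""
import re

# authz-regexp <match pattern> <replacement LDAP URL>, as it would sit in
# slapd.conf. The base DN and filter are assumed for this example.
AUTHZ_REGEXP = (
    r"uid=([^,]*),cn=[^,]*,cn=auth",
    "ldap:///ou=people,dc=example,dc=com??sub?(|(uid=$1)(mail=$1))",
)

# Constructed sample directory: login name in uid, address in mail. The third
# entry deliberately reuses an address to show the ambiguity case.
DIRECTORY = [
    {"uid": "wolfgang", "mail": "wolfgang@example.com"},
    {"uid": "marc", "mail": "marc@example.com"},
    {"uid": "shared", "mail": "marc@example.com"},
]


def sasl_authcid_dn(authcid, mech):
    # slapd represents an authenticated SASL identity as this pseudo-DN
    # before any authz-regexp rule is applied to it.
    return f"uid={authcid},cn={mech.lower()},cn=auth"


def apply_authz_regexp(sasl_dn):
    # First matching rule wins; $1 stands for the pattern's first capture group.
    pattern, replacement = AUTHZ_REGEXP
    m = re.fullmatch(pattern, sasl_dn)
    return replacement.replace("$1", m.group(1)) if m else None


def search(ldap_url):
    # Minimal evaluator for the (|(attr=val)...) filter at the end of the URL.
    filt = ldap_url.rsplit("?", 1)[1]
    clauses = re.findall(r"\((\w+)=([^)]*)\)", filt)
    return [e for e in DIRECTORY if any(e.get(a) == v for a, v in clauses)]


def canonicalize(authcid, mech="PLAIN"):
    # Returns the mailbox owner's uid, or None when no rule matched or the
    # search did not yield exactly one entry (slapd then leaves the identity
    # unmapped, so an ambiguous address must not silently pick a mailbox).
    url = apply_authz_regexp(sasl_authcid_dn(authcid, mech))
    if url is None:
        return None
    hits = search(url)
    return hits[0]["uid"] if len(hits) == 1 else None


if __name__ == "__main__":
    for name in ("wolfgang@example.com", "marc", "marc@example.com"):
        print(name, "->", canonicalize(name))
```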


Re: alternative login names

2013-02-04 Thread Wolfgang Rosenauer
Thanks Marc,


On Mon, Feb 4, 2013 at 10:07 AM, Marc Patermann <hans.mo...@ofd-z.niedersachsen.de> wrote:

> Wolfgang Rosenauer schrieb (03.02.2013 20:29 Uhr):
>
> > I'm running Cyrus imapd 2.3.x since quite some time for a group of users.
> > My setup is LDAP based using saslauthd to pam_ldap currently and works
> > just fine. But now I want to allow access to the mailboxes using the email
> > address as an alternative to the system username.
> >
>> I have no real idea where to start how I could achieve that w/o changing
>> the whole architecture of the system.
>> Someone got a hint for me what to look at?
>>
> I don't know much about pam_ldap, but as you have all the data in LDAP,
> why not switch to auxprop ldapdb and configure your LDAP to map the
> existing logins and mail address to the same object?
>

I actually needed a pointer into the right direction and I guess that is
one.
I've never used sasl ldapdb though and I have a hard time figuring out how
and what to do.
From the documentation I found it's also not clear to me if a crypted
userPassword as I use in my LDAP can be used in that setup.

If I understand correctly all the hard work to match usernames is done via
some regexp which should be powerful enough to let me search the login name
in uid and mail attributes?

Or did you actually refer to a different mapping in LDAP?

Is there some sort of HOWTO somewhere or is all the information really
spread in openldap, sasl and imapd documentation only?


Thanks,
 Wolfgang


Re: alternative login names

2013-02-04 Thread Marc Patermann
Wolfgang,

Wolfgang Rosenauer schrieb (03.02.2013 20:29 Uhr):

> I'm running Cyrus imapd 2.3.x since quite some time for a group of users.
> My setup is LDAP based using saslauthd to pam_ldap currently and works 
> just fine. But now I want to allow access to the mailboxes using the 
> email address as an alternative to the system username.
> 
> I have no real idea where to start how I could achieve that w/o changing 
> the whole architecture of the system.
> Someone got a hint for me what to look at?
I don't know much about pam_ldap, but as you have all the data in LDAP, 
why not switch to auxprop ldapdb and configure your LDAP to map the 
existing logins and mail address to the same object?


Marc
