Password parameters in cleartext using LDAP as backend for authentication

2009-08-06 Thread Lucas Zinato Carraro
Hello,

I have a mail cluster with Cyrus murder (IMAP aggregator).

On some machines "imapd.conf" has some password parameters in "clear
text":

mail1_password: secret
mail2_password: secret

mupdate_password: topsecret
...


I use LDAP as the backend for Cyrus SASL,
and I have the "murder user" and "backend users" defined in LDAP.

Is there any way to encrypt these parameters?

In my architecture it is actually impossible to use Kerberos :-(


Thanks in advance
Lucas Zinato Carraro
DATAPREV

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
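The post above lists murder/mupdate secrets sitting in imapd.conf as plain values. As an added example (not part of the thread and not Cyrus code), the script below audits an imapd.conf the way a reviewer would: it parses the `key: value` format, lists every parameter whose name ends in `_password`, `_passwd` or `_pass`, and reports whether the file mode lets group or other users read it, which is the check that matters when the values themselves cannot be encrypted. The sample configuration embedded in it is constructed for the example and modelled on the keys quoted in the post.

```python
"""Audit a Cyrus imapd.conf for cleartext credentials and lax file modes.

Added example, not part of the original thread or of Cyrus itself.
imapd.conf values are plain text, so the practical mitigation is to
keep the file readable only by the cyrus user. This script:
  * parses the 'key: value' format (lines starting with '#' are comments),
  * lists every parameter whose name ends in _password/_passwd/_pass
    (murder backend and mupdate secrets, SASL plugin secrets),
  * reports whether the file mode grants group/world read access.
SAMPLE_CONF is constructed for the example.
"""
import os
import re
import stat
import tempfile

# Parameter names that carry a credential in cleartext.
SECRET_KEY_RE = re.compile(r"(_password|_passwd|_pass)$", re.IGNORECASE)


def parse_imapd_conf(text):
    """Return an ordered list of (key, value) pairs from imapd.conf text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        entries.append((key.strip(), value.strip()))
    return entries


def find_cleartext_secrets(entries):
    """Return the (key, value) pairs whose name marks them as a credential."""
    return [(k, v) for k, v in entries if SECRET_KEY_RE.search(k) and v]


def check_file_mode(path):
    """Return a list of findings about who besides the owner can read the file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings


def audit(path):
    """Combine the two checks into one report for a config file."""
    with open(path) as fh:
        entries = parse_imapd_conf(fh.read())
    secrets = find_cleartext_secrets(entries)
    return {
        "secret_keys": [k for k, _ in secrets],
        "mode_findings": check_file_mode(path),
    }


# Constructed sample, modelled on the keys quoted in the post.
SAMPLE_CONF = """\
# constructed sample imapd.conf
configdirectory: /var/lib/imap
mail1_password: secret
mail2_password: secret
mupdate_password: topsecret
sasl_pwcheck_method: saslauthd
sasl_sql_passwd: dbsecret
"""


def write_sample(mode):
    """Write SAMPLE_CONF to a temp file with the given mode (for the demo)."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_CONF)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for mode in (0o644, 0o600):
        path = write_sample(mode)
        print("%o" % mode, audit(path))
        os.unlink(path)
```

Run against `/etc/imapd.conf` on each murder frontend and backend; a finding of `world-readable` together with a non-empty `secret_keys` list means any local account can read the mupdate and backend credentials.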

Re: Cyrus administration problem

2009-08-06 Thread Denis BUCHER
Hello,

Did you by any chance read my post dated 31.07.2009 22:03 with the subject
"Re: Architectural mistake in cyrus ?"

Denis

Nybbles2Byte wrote:
> Hello ,
> 
> I'm getting a little desperate here so I'm hoping someone can answer
> these two questions for me. I originally asked them as "How to use global
> admin. & virtual domains?" but no-one responded and I have no answers
> myself, so please, even if this seems like a stupid question because I
> am missing the obvious, please let me know!
> 
> In essence, I'm trying to use a global admin. with virtual domains and
> it doesn't seem to be working. With domain admins. there is no problem.
> 
> From what I can see, part of the documentation says that with virtual
> hosting that every user must have a domain and another part says when
> using virtual domains use a user without a domain to create a global domain.
> 
> Could someone please tell/show me what I am missing here in my attempts
> to make a global admin. work with virtual domains.
> 
> To see what I am experiencing, here's the results of two different ways
> of using cyradm I have tried:
> 
> 
> *Scenario 1:
> *
>>cyradm -u root
> cyradm> lm *...@seowebsales.com
> listmailbox: no connection to server
> cyradm> 
> 
> Doesn't look up the SQL Database for authentication hence the response
> "no connection to server".
> 
> 
> *Scenario 2:
> *
>>cyradm -u root domain1.com
> Password: 
> IMAP Password: 
> Login failed: authentication failure at
> /usr/lib/perl5/vendor_perl/5.10.0/x86_64-linux-thread-multi/Cyrus/IMAP/Admin.pm
> line 119
> cyradm: cannot authenticate to server with as root
> 
> Here it does try to authenticate however, when watching the MySQL query
> log it chooses a virtual domain at random from the virtual domains from
> Apache or my local DNS server.  If it happens to use the domain that I
> want to administrate, then it succeeds instead of fails as it did in the
> case above.
> 
> 
> 
> Other than wanting to know how to get a global admin. working with
> virtual domains I would really appreciate someone helping me understand
> this issue of it randomly picking a virtual domain from Apache or my DNS
> (not sure which) to try and authenticate with.
> 
> Thanks so much to anyone who sheds some light on this!
> 
> Reggie.
> 
> 
> Here is my imap.conf file:
> 
> # OS OpenSuSE 11.0
> # Cyrus IMAPD 2.3.11
> # Cyrus-SASL 2.1.22
> 
> #
> # Cyrus-SASL options
> #
> sasl_auxprop_plugin: sql
> sasl_log_level: 7
> sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
> sasl_pwcheck_method: auxprop
> sasl_sql_hostnames: localhost
> sasl_sql_user: cyrus
> sasl_sql_passwd: **
> sasl_sql_database: system_mail
> sasl_sql_select: SELECT `password` FROM `accounts` WHERE `user`='%u' AND
> `realm`='%r' AND `virtual` != 0
> sasl_sql_insert: INSERT INTO `accounts` (`user`, `realm`, `password`)
> VALUES ('%u', '%r', '%v')
> sasl_sql_update: UPDATE `accounts` SET
> `user`='%u',`realm`='%r',`password`='%v' WHERE `user`='%u' AND `realm`='%r'
> 
> #
> # Cyrus-IMAP Options
> #
> admins: cyrus root r...@domain1.com r...@domain2.com r...@domain3.com
> allowplaintext: 1
> altnamespace: 1
> anyoneuseracl: 0
> auth_mech: unix
> configdirectory: /var/lib/imap
> defaultdomain: localhost
> drachost: localhost
> dracinterval: 0
> duplicatesuppression: 0
> foolstupidclients: 1
> hashimapspool: 1
> improved_mboxlist_sort: 1
> lmtp_downcase_rcpt: 1
> lmtp_strict_quota: 1
> logtimestamps: 1
> partition-default: /var/mail/cyrus
> popsubfolders: 1
> poptimeout: 10
> sendmail: /usr/sbin/sendmail
> sievedir: /var/mail/sieve
> unixhierarchysep: 1
> virtdomains: 1
> 
> 
> 
> 
> 




Re: Cyrus administration problem

2009-08-06 Thread Nybbles2Byte
I get it, I know what you are saying but, perhaps this was just a typo but I 
was responding to this as you wrote it:

virtdomains: 1 (don´t query DNS)
virtdomains: userid (do DNS query)

In fact, if you read the manual, the way it works is:

virtdomains: 1 
(do DNS query if no realm is specified in userid - see excerpt I included in 
previous email)

virtdomains: userid 
(never do a DNS query, i.e.: only use userid - and the part that is not 
mentioned but I can see for myself in the queries - if no realm is specified in 
user id then use [the short] server name for the realm... and that gives me 
something consistent which is all I needed.  As a bonus there is no chance of 
costly DNS lookups which there can be if I leave virtdomains set at 1.)

I have yet to find ldap_default_realm in the HTML manual but perhaps it is only 
in the man pages (or I just haven't seen it even though it is there). In any 
case, I will certainly look further with the information you provided, but as it 
stands, the solution of changing virtdomains to userid was a good one for my 
needs.

Thank you for your kind help.
Reggie.

Thursday, August 6, 2009, 1:25:13 PM, you wrote:

> On Thu, Aug 6, 2009 at 3:34 PM,
> Nybbles2Byte wrote:
>> Thanks but I am not sure how you are getting that conclusion from this
>> wording in the manual.  As far as I can see it almost (but not quite) the
>> reverse of what you are saying.


> # man imapd.conf

> virtdomains: off
>   Enable virtual domain support.  If enabled, the user’s domain
> will be determined by splitting a fully qualified userid at the  last
> ’@’ or ’%’ symbol.

> userid refers to the "login" user, not reverse DNS.

> fully qualified userid => john...@example.org (no dns lookup)
> unqualified userid => johndoe (no dns lookup if
> sasl_ldap_default_domain* or sasl_ldap_default_realm* and
> defaultdomain is set)

> * without sasl_ prefix at saslauthd.conf .

> With saslauthd.conf:

> ldap_default_realm: default.example.org
> ldap_filter: (&(objectClass=inetOrgPerson)(mail...@%d))

> Login with unqualified userid root makes query to
> (&(objectClass=inetOrgPerson)(mail=r...@default.example.org))

> With "admins: root", root becomes global admin.

> This example is for saslauthd with an LDAP backend.

>> --
>> Configuring Virtual Domains
>> Introduction

>> Virtual domains is the practice of hosting a service for more than one
>> domain on one server. Cyrus IMAP has the ability to host IMAP/POP mailboxes
>> for multiple domains (e.g. t...@example.com and t...@example.net) on a
>> single server or Murder.

>> In order to accomplish this, Cyrus needs to know which domain to look in
>> when a mailbox is accessed. There are two ways in which Cyrus can determine
>> the domain:

>> * Fully qualified userid - the client logs in with a userid containing
>> the domain in which the user belongs (e.g t...@example.com or
>> test%example.net)
>> * IP address - the server looks up the domain based on the IP address of
>> the receiving interface (useful for servers with multiple NICs or using IP
>> aliasing)

>> Both of these methods are active if the virtdomains option is set to on (or
>> yes, 1, true) and can be used in conjunction with one another. If the
>> virtdomains option is set to userid, then only the first method is used.
>> Note that a fully qualified userid takes precedence over a domain obtained
>> from the IP address.
>> --





-- 
 Nybbles2Bytemailto:nybbles2b...@gmail.com

Re: Cyrus administration problem

2009-08-06 Thread Reinaldo de Carvalho
On Thu, Aug 6, 2009 at 3:34 PM, Nybbles2Byte wrote:
> Thanks but I am not sure how you are getting that conclusion from this
> wording in the manual.  As far as I can see it almost (but not quite) the
> reverse of what you are saying.
>

# man imapd.conf

virtdomains: off
  Enable virtual domain support.  If enabled, the user’s domain
will be determined by splitting a fully qualified userid at the  last
’@’ or ’%’ symbol.

userid refers to the "login" user, not reverse DNS.

fully qualified userid => john...@example.org (no dns lookup)
unqualified userid => johndoe (no dns lookup if
sasl_ldap_default_domain* or sasl_ldap_default_realm* and
defaultdomain is set)

* without sasl_ prefix at saslauthd.conf .

With saslauthd.conf:

ldap_default_realm: default.example.org
ldap_filter: (&(objectClass=inetOrgPerson)(mail...@%d))

Login with unqualified userid root makes query to
(&(objectClass=inetOrgPerson)(mail=r...@default.example.org))

With "admins: root", root becomes global admin.

This example is for saslauthd with an LDAP backend.

> --
> Configuring Virtual Domains
> Introduction
>
> Virtual domains is the practice of hosting a service for more than one
> domain on one server. Cyrus IMAP has the ability to host IMAP/POP mailboxes
> for multiple domains (e.g. t...@example.com and t...@example.net) on a
> single server or Murder.
>
> In order to accomplish this, Cyrus needs to know which domain to look in
> when a mailbox is accessed. There are two ways in which Cyrus can determine
> the domain:
>
> * Fully qualified userid - the client logs in with a userid containing
> the domain in which the user belongs (e.g t...@example.com or
> test%example.net)
> * IP address - the server looks up the domain based on the IP address of
> the receiving interface (useful for servers with multiple NICs or using IP
> aliasing)
>
> Both of these methods are active if the virtdomains option is set to on (or
> yes, 1, true) and can be used in conjunction with one another. If the
> virtdomains option is set to userid, then only the first method is used.
> Note that a fully qualified userid takes precedence over a domain obtained
> from the IP address.
> --
>

-- 
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"Don't try to adapt the software to the way you work, but rather
yourself to the way the software works" (myself)

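The message above describes two separate steps: Cyrus decides which domain a login belongs to (split a fully qualified userid at the last `@` or `%`; with `virtdomains: on` an unqualified userid may instead get the domain of the receiving interface; with `virtdomains: userid` it never does), and saslauthd then expands `ldap_filter`, with `ldap_default_realm` filling in the realm for an unqualified userid. The script below models both steps in plain Python. It is an added example, not Cyrus or saslauthd code: the interface-to-domain table and the filter template `(&(objectClass=inetOrgPerson)(mail=%u@%d))` are constructed in the same shape as the thread's filter, the treatment of `defaultdomain` as the "no domain" space is an assumption taken from the advice that `sasl_ldap_default_realm` should equal `defaultdomain`, and the RFC 4515 escaping is the example's own so that a hostile userid cannot rewrite the filter.

```python
"""Model of Cyrus virtdomains domain selection and saslauthd ldap_filter expansion.

Added example, not Cyrus or saslauthd code. Behaviour modelled:
  * split_userid: split at the LAST '@' or '%' (man imapd.conf).
  * resolve_domain: 'on' may fall back to the receiving interface's domain
    for an unqualified userid; 'userid' never does; 'off' does no splitting.
    A domain equal to defaultdomain is treated as 'no domain' (assumption).
  * expand_ldap_filter: %u user part, %d / %r domain or ldap_default_realm,
    %% literal percent; values are RFC 4515 escaped (example's own hardening).
The interface table and filter template are constructed for the example.
"""


def split_userid(userid):
    """Return (user, domain) splitting at the last '@' or '%'; domain is None if absent."""
    idx = max(userid.rfind("@"), userid.rfind("%"))
    if idx < 0:
        return userid, None
    return userid[:idx], userid[idx + 1:]


def resolve_domain(userid, virtdomains, interface_domain=None, defaultdomain=None):
    """Return (user, domain) as Cyrus would see the login.

    virtdomains: 'on', 'userid' or 'off'. interface_domain is what the
    IP-address method would yield for the receiving interface (None if
    nothing maps). A fully qualified userid always wins over the interface.
    """
    if virtdomains == "off":
        return userid, None                      # no virtual domain handling at all
    user, domain = split_userid(userid)
    if domain is None and virtdomains == "on" and interface_domain:
        domain = interface_domain                # IP-address method (the 'random' realm)
    if domain is not None and defaultdomain and domain.lower() == defaultdomain.lower():
        domain = None                            # assumption: defaultdomain == no domain
    return user, domain


def ldap_escape(value):
    """RFC 4515 escaping so 'a)(uid=*' cannot change the filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def expand_ldap_filter(template, userid, ldap_default_realm=None):
    """Expand %u, %d, %r and %% in a saslauthd.conf ldap_filter template.

    For an unqualified userid the realm/domain comes from ldap_default_realm.
    """
    user, domain = split_userid(userid)
    realm = domain or ldap_default_realm or ""
    subst = {"u": ldap_escape(user), "d": ldap_escape(realm),
             "r": ldap_escape(realm), "%": "%"}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in subst:
            out.append(subst[template[i + 1]])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


# Constructed: what the IP-address method returns for each receiving interface.
INTERFACES = {"192.0.2.10": "domain1.com", "192.0.2.11": "domain2.com"}
FILTER = "(&(objectClass=inetOrgPerson)(mail=%u@%d))"


def login_view(userid, virtdomains, local_ip, defaultdomain="localhost",
               ldap_default_realm="default.example.org"):
    """Show both steps for one login: Cyrus's (user, domain) and the LDAP filter."""
    user, domain = resolve_domain(userid, virtdomains, INTERFACES.get(local_ip), defaultdomain)
    cyrus_userid = user if domain is None else "%s@%s" % (user, domain)
    return cyrus_userid, expand_ldap_filter(FILTER, cyrus_userid, ldap_default_realm)


if __name__ == "__main__":
    for vd in ("on", "userid"):
        for ip in INTERFACES:
            print(vd, ip, login_view("root", vd, ip))
    print(login_view("root@domain1.com", "on", "192.0.2.11"))
```

With `virtdomains: on`, an unqualified `root` turns into `root@domain1.com` or `root@domain2.com` depending on which interface received the connection, which is the inconsistency reported earlier in the thread; with `virtdomains: userid` it stays `root` and the filter is built from `ldap_default_realm`.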


Re: Cyrus administration problem

2009-08-06 Thread Nybbles2Byte
Thanks but I am not sure how you are getting that conclusion from this wording 
in the manual.  As far as I can see it almost (but not quite) the reverse of 
what you are saying.

--
Configuring Virtual Domains
Introduction

Virtual domains is the practice of hosting a service for more than one domain 
on one server. Cyrus IMAP has the ability to host IMAP/POP mailboxes for 
multiple domains (e.g. t...@example.com and t...@example.net) on a single 
server or Murder.

In order to accomplish this, Cyrus needs to know which domain to look in when a 
mailbox is accessed. There are two ways in which Cyrus can determine the domain:

* Fully qualified userid - the client logs in with a userid containing the 
domain in which the user belongs (e.g t...@example.com or test%example.net)
* IP address - the server looks up the domain based on the IP address of 
the receiving interface (useful for servers with multiple NICs or using IP 
aliasing)

Both of these methods are active if the virtdomains option is set to on (or 
yes, 1, true) and can be used in conjunction with one another. If the 
virtdomains option is set to userid, then only the first method is used. Note 
that a fully qualified userid takes precedence over a domain obtained from the 
IP address.
--


Thursday, August 6, 2009, 11:12:24 AM, you wrote:

> On Thu, Aug 6, 2009 at 3:09 PM,
> Nybbles2Byte wrote:
>> Avoiding DNS lookups that in my particular setup have no purpose is a good
>> thing so I certainly want to keep this setting. However, if there is more
>> that I can do to make the setup better, great! What man pages (man ???) and
>> what should I be looking for?


> virtdomains: 1 (don´t query DNS)
> virtdomains: userid (do DNS query)


>> Thursday, August 6, 2009, 4:24:22 AM, you wrote:

>>> On Thu, Aug 6, 2009 at 1:08 AM,
>>> Nybbles2Byte wrote:
>>>> That was it! Well, close enough. I couldn't find any ldap_default_realm in
>>>> the latest version but I was able to Google it and found someone else who
>>>> has a similar question.

>>>> The key in this version (downloaded a month ago) is to change "virtdomains:
>>>> 1" to "virtdomains: userid".  This prevents Cyrus from doing a reverse DNS
>>>> and then it just uses the server's short name for the realm - consistently
>>>> (instead of the randomness I was getting from the reverse DNS - although now
>>>> that I think about it it was probably the DNS server handing out r-lookups
>>>> in a round robin order).


>>> I guess no. You really don´t need "virtdomains: userid" (read manpage
>>> again).


> With an LDAP backend the secret is sasl_ldap_default_realm (or
> ldap_default_realm in saslauthd.conf); this is the domain for no-domain
> users like "root" (login with a no-domain user is the global admin).

> sasl_ldap_default_realm should be equal to defaultdomain to work like a
> charm.
> ;)

> I don't know if sasl_sql_default_realm exists.







>> --
>>  Nybbles2Bytemailto:nybbles2b...@gmail.com






-- 
 Nybbles2Bytemailto:nybbles2b...@gmail.com