Re: alternative login names
Wolfgang,

Wolfgang Rosenauer schrieb (03.02.2013 20:29 Uhr):
> I'm running Cyrus imapd 2.3.x since quite some time for a group of users. My setup is LDAP based using saslauthd to pam_ldap currently and works just fine.
> But now I want to allow access to the mailboxes using the email address as an alternative to the system username. I have no real idea where to start how I could achieve that w/o changing the whole architecture of the system.
> Someone got a hint for me what to look at?

I don't know much about pam_ldap, but as you have all the data in LDAP, why not switch to auxprop ldapdb and configure your LDAP to map the existing logins and mail address to the same object?

Marc

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: Can anyone explain localhost phenomenon?
On Sun, 2013-02-03 at 15:42 +0100, Gabor Gombas wrote:
> IIRC MySQL tries to use a UNIX socket instead of TCP for connecting to the server when it sees the localhost string. If e.g. sendmail runs chrooted, then it won't see the MySQL server's socket, therefore it won't be able to connect.

What happens if, instead of the literal localhost, you say 127.0.0.1?

Hi-jacking the localhost string seems wrong, but it might be accepted/well-known behavior at this point. And possibly buried in the MySQL library [and not in SASL; in fact, I'd wager that is true. Shortcuts and general funny-business are pretty much MySQL's primary prerogative].
Re: Can anyone explain localhost phenomenon?
On Mon, 04 Feb 2013 06:29:56 -0500, Adam wrote:
> On Sun, 2013-02-03 at 15:42 +0100, Gabor Gombas wrote:
> > IIRC MySQL tries to use a UNIX socket instead of TCP for connecting to the server when it sees the localhost string. If e.g. sendmail runs chrooted, then it won't see the MySQL server's socket, therefore it won't be able to connect.
>
> What happens if, instead of the literal localhost, you say 127.0.0.1?
>
> Hi-jacking the localhost string seems wrong, but it might be accepted/well-known behavior at this point. And possibly buried in the MySQL library [and not in SASL; in fact, I'd wager that is true. Shortcuts and general funny-business are pretty much MySQL's primary prerogative].

Yes, 127.0.0.1 instead of localhost works... it's down to somebody's ghost in the machine then!
Re: Can anyone explain localhost phenomenon?
> Yes, 127.0.0.1 instead of localhost works... it's down to somebody's ghost in the machine then!

IPv6 enabled, but daemon listening only on an IPv4 port?

-Reko
Re: Can anyone explain localhost phenomenon?
On Mon, 2013-02-04 at 12:19, Charles Bradshaw wrote:
> On Mon, 04 Feb 2013 06:29:56 -0500, Adam wrote:
> > On Sun, 2013-02-03 at 15:42 +0100, Gabor Gombas wrote:
> > > IIRC MySQL tries to use a UNIX socket instead of TCP for connecting to the server when it sees the localhost string. If e.g. sendmail runs chrooted, then it won't see the MySQL server's socket, therefore it won't be able to connect.
> >
> > What happens if, instead of the literal localhost, you say 127.0.0.1?
> >
> > Hi-jacking the localhost string seems wrong, but it might be accepted/well-known behavior at this point. And possibly buried in the MySQL library [and not in SASL; in fact, I'd wager that is true. Shortcuts and general funny-business are pretty much MySQL's primary prerogative].
>
> Yes, 127.0.0.1 instead of localhost works... it's down to somebody's ghost in the machine then!

<rant>
No, don't blame the ghosts, they are innocent. This behavior is the fault of an idjit; somebody very much alive built that behavior into libmysql, believing they were being clever. This HACK has cost hours to innumerable people who assume what is in a config file means what it obviously should mean - only it doesn't.
</rant>

--
Adam Tauno Williams GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
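The pitfall the thread circles around is easy to check for before a chrooted daemon goes live. The script below is an added example written for this page, not code from Cyrus, SASL or MySQL: it encodes the libmysql rule described above (a host of "localhost", or no host at all, means the Unix-domain socket and the port is ignored; anything else, 127.0.0.1 included, means TCP) and then tests whether that socket is actually visible below a given chroot. The socket path and the "sql_hostnames:" config key are assumptions made for the example.

```python
"""Will a chrooted daemon actually reach MySQL when its config says "localhost"?

Added example for this thread; it is not code from Cyrus, SASL or MySQL.  It
encodes the libmysql behaviour the thread describes: on Unix a host of
"localhost" (or no host at all) makes the client use the Unix-domain socket
and ignore any port, while anything else, 127.0.0.1 included, uses TCP.  A
chrooted daemon only sees files below its chroot, so the socket must exist
inside the jail for the "localhost" form to work.  The socket path and the
"sql_hostnames:" config key below are assumptions for the example.
"""
import os
import re
from typing import List, Optional

DEFAULT_SOCKET = "/var/run/mysqld/mysqld.sock"  # assumed; varies per distribution


def mysql_transport(host: str) -> str:
    """Return "unix" when libmysql would use the socket, "tcp" otherwise.

    A single ":" is treated as a host:port separator (the port is ignored for
    the socket case, as libmysql does); IPv6 literals keep their colons and
    are always TCP.
    """
    name = host.strip()
    if name.count(":") == 1:
        name = name.split(":", 1)[0]
    return "unix" if name in ("", "localhost") else "tcp"


def socket_visible_from(chroot: Optional[str], socket_path: str = DEFAULT_SOCKET) -> bool:
    """True if a process whose root directory is `chroot` can see socket_path."""
    if chroot:
        socket_path = os.path.join(chroot, socket_path.lstrip("/"))
    return os.path.exists(socket_path)


def audit_host(host: str, chroot: Optional[str], socket_path: str = DEFAULT_SOCKET) -> dict:
    """Say whether this host string will connect from inside `chroot`, and why."""
    transport = mysql_transport(host)
    if transport == "tcp":
        return {"host": host, "transport": "tcp", "ok": True,
                "reason": "TCP to %s; the chroot does not matter" % host}
    ok = socket_visible_from(chroot, socket_path)
    return {"host": host, "transport": "unix", "ok": ok,
            "reason": "Unix socket %s is %s below root %s" % (
                socket_path, "visible" if ok else "NOT visible", chroot or "/")}


# Cyrus SASL's sql auxprop plugin takes a comma-separated host list on a
# "sql_hostnames:" line; that this is the key in use is an assumption here.
_HOSTS_LINE = re.compile(r"^\s*sql_hostnames\s*:\s*(.+?)\s*$", re.MULTILINE)


def hosts_from_config(text: str) -> List[str]:
    """Pull the host list out of the sql_hostnames line(s) of a config file."""
    found: List[str] = []
    for m in _HOSTS_LINE.finditer(text):
        found.extend(h.strip() for h in m.group(1).split(",") if h.strip())
    return found


if __name__ == "__main__":
    # Constructed sample: the setting from the thread, audited against a chroot
    # path that does not contain the socket (think of sendmail's jail).
    sample_conf = "sql_hostnames: localhost\nsql_user: cyrus\n"
    for h in hosts_from_config(sample_conf):
        print(audit_host(h, chroot="/var/spool/sendmail-chroot"))
```

Run it with the daemon's real chroot path; a "NOT visible" result for the localhost entry is exactly the silent failure Gabor describes, and the two fixes are either to bind-mount the socket directory into the jail or to write 127.0.0.1 so the client goes over TCP (and then to make sure the server actually listens on that address).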
Re: alternative login names
Thanks Marc,

On Mon, Feb 4, 2013 at 10:07 AM, Marc Patermann hans.mo...@ofd-z.niedersachsen.de wrote:
> Wolfgang Rosenauer schrieb (03.02.2013 20:29 Uhr):
> > I'm running Cyrus imapd 2.3.x since quite some time for a group of users. My setup is LDAP based using saslauthd to pam_ldap currently and works just fine.
> > But now I want to allow access to the mailboxes using the email address as an alternative to the system username. I have no real idea where to start how I could achieve that w/o changing the whole architecture of the system.
> > Someone got a hint for me what to look at?
>
> I don't know much about pam_ldap, but as you have all the data in LDAP, why not switch to auxprop ldapdb and configure your LDAP to map the existing logins and mail address to the same object?

I actually needed a pointer into the right direction and I guess that is one. I've never used sasl ldapdb though and I have a hard time figuring out how and what to do.

From the documentation I found it's also not clear to me if a crypted userPassword as I use in my LDAP can be used in that setup.

If I understand correctly all the hard work to match usernames is done via some regexp which should be powerful enough to let me search the login name in uid and mail attributes? Or did you actually refer to a different mapping in LDAP?

Is there some sort of HOWTO somewhere or is all the information really spread in openldap, sasl and imapd documentation only?

Thanks,
Wolfgang
Re: Need guidelines on how to migrate a Cyrus-Imapd server
On 01/02/2013 17:03, Thibault Le Meur wrote:
> Thanks for the hints, I'll go the rsync way then... pity I would have loved to understand what kind of file is to be fed to the sync_client -u -f command, in order to give it a try..

Replying to myself,

According to an old thread (http://lists.andrew.cmu.edu/pipermail/info-cyrus/2007-September/026772.html), the file format is:

  USER $username
  USER $username2

It is also confirmed that the only way to have singleinstancestore preserved is to run the sync_client with the -f option so that all syncs are done in the same run. However it seems that the cache which is used to detect the duplicates is rather low (UUID cache on the server side: 1000) so that single instance deduplication may not be very efficient.

Unless this has changed, I agree that the best way to initialize the replica is to use rsync and then convert the databases.

I'll give it a try.

Regards,
Thibault
Re: alternative login names
Wolfgang,

Wolfgang Rosenauer schrieb (04.02.2013 14:25 Uhr):
> On Mon, Feb 4, 2013 at 10:07 AM, Marc Patermann hans.mo...@ofd-z.niedersachsen.de wrote:
> > Wolfgang Rosenauer schrieb (03.02.2013 20:29 Uhr):
> > > I'm running Cyrus imapd 2.3.x since quite some time for a group of users. My setup is LDAP based using saslauthd to pam_ldap currently and works just fine.
> > > But now I want to allow access to the mailboxes using the email address as an alternative to the system username. I have no real idea where to start how I could achieve that w/o changing the whole architecture of the system.
> > > Someone got a hint for me what to look at?
> >
> > I don't know much about pam_ldap, but as you have all the data in LDAP, why not switch to auxprop ldapdb and configure your LDAP to map the existing logins and mail address to the same object?
>
> I actually needed a pointer into the right direction and I guess that is one. I've never used sasl ldapdb though and I have a hard time figuring out how and what to do.

There are not too many options specific to ldapdb in SASL:
http://cyrusimap.org/docs/cyrus-sasl/2.1.25/options.php

Mine is somewhat like that:

  sasl_mech_list: PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
  sasl_log_level: 5
  sasl_pwcheck_method: auxprop
  sasl_auxprop_plugin: ldapdb
  sasl_ldapdb_uri: ldap://server.name
  sasl_ldapdb_id: adminuser
  sasl_ldapdb_pw: adminusersPW
  sasl_ldapdb_mech: PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
  sasl_minimum_layer: 0
  sasl_ldapdb_starttls: demand

There are a few threads in the archive here.
http://asg.andrew.cmu.edu/archive/index.php?mailbox=archive.info-cyrus

> From the documentation I found it's also not clear to me if a crypted userPassword as I use in my LDAP can be used in that setup.

Look at this thread:
http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&searchterm=auxprop%20ldap&msg=54167

> If I understand correctly all the hard work to match usernames is done via some regexp which should be powerful enough to let me search the login name in uid and mail attributes?

You have openLDAP, right? Mostly yes. You need regex for Mapping Authentication Identities
http://www.openldap.org/doc/admin24/sasl.html#Mapping%20Authentication%20Identities
You may need SASL Proxy Authorization to switch from your ldapdb_id to the authenticating user.

> Or did you actually refer to a different mapping in LDAP? Is there some sort of HOWTO somewhere or is all the information really spread in openldap, sasl and imapd documentation only?

These are the tools involved. :) But the least is IMAPd, SASL is few and most is openLDAP mapping.

Marc
Re: alternative login names
On Mon, 2013-02-04 at 14:25 +0100, Wolfgang Rosenauer wrote:
> I actually needed a pointer into the right direction and I guess that is one. I've never used sasl ldapdb though and I have a hard time figuring out how and what to do.

I have some examples for using ldapdb @ http://www.wmmi.net/documents/LDAP103.pdf

> From the documentation I found it's also not clear to me if a crypted userPassword as I use in my LDAP can be used in that setup.

Hmm. I can't recall off the top of my head. I believe it SHOULD be possible to do LOGIN/PLAIN auth via ldapdb.

> If I understand correctly all the hard work to match usernames is done via some regexp which should be powerful enough to let me search the login name in uid and mail attributes?

Yes, the matching regex is key. And confusing, at first.

> Or did you actually refer to a different mapping in LDAP? Is there some sort of HOWTO somewhere or is all the information really spread in openldap, sasl and imapd documentation only?

Maybe the above PDF will help?

--
Adam Tauno Williams GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
Re: Need guidelines on how to migrate a Cyrus-Imapd server
On Mon, 2013-02-04 at 15:01 +0100, Thibault Le Meur wrote:
> On 01/02/2013 17:03, Thibault Le Meur wrote:
> > Thanks for the hints I'll go the rsync way then... pity I would have loved to understand what kind of file is to be fed to the sync_client -u -f command, in order to give it a try..
>
> Replying to myself,
>
> According to an old thread (http://lists.andrew.cmu.edu/pipermail/info-cyrus/2007-September/026772.html), the file format is:
>
>   USER $username
>   USER $username2
>
> It is also confirmed that the only way to have singleinstancestore preserved is to run the sync_client with the -f option so that all syncs are done in the same run. However it seems that the cache which is used to detect the duplicates is rather low (UUID cache on the server side: 1000) so that single instance deduplication may not be very efficient.
>
> Unless this has changed, I agree that the best way to initialize the replica is to use rsync and then convert the databases.
>
> I'll give it a try.

Correct, from a thread in 2007:

<quote>
Message UUIDs are used to replicate the single instance store (see docs/text/install-replication). This won't have much effect when you first replicate a mailstore as sync_server in 2.3 only tracks the last few thousand messages that have been uploaded. It becomes much more effective when a replica has been seeded and you switch to rolling replication.
</quote>

<quote>
sync_server maintains a fairly modest UUID cache on the server side: 1000 messages in 2.3. A restart is negotiated after each UPLOAD command.
</quote>

It really does seem best to seed the replica, initially, via rsync [WATCH THOSE PERMISSIONS!] then to engage rolling replication - the replica should become current. Something like -

  # run this on the replica: rsync cannot copy remote-to-remote, so the
  # source is the master's spool and the destination is the local path
  rsync \
    --verbose --recursive \
    --perms --owner --group --times \
    --links --hard-links --delete \
    $master:$root/ $root/

I also like the --numeric-ids assuming your uidNumber/gidNumber is the same between systems. That saves a lot of pointless NSS calls.

--
Adam Tauno Williams GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
Re: alternative login names
On 02/04/13 09:08 -0500, Adam Tauno Williams wrote:
> On Mon, 2013-02-04 at 14:25 +0100, Wolfgang Rosenauer wrote:
> > I actually needed a pointer into the right direction and I guess that is one. I've never used sasl ldapdb though and I have a hard time figuring out how and what to do.
>
> I have some examples for using ldapdb @ http://www.wmmi.net/documents/LDAP103.pdf
>
> > From the documentation I found it's also not clear to me if a crypted userPassword as I use in my LDAP can be used in that setup.
>
> Hmm. I can't recall off the top of my head. I believe it SHOULD be possible to do LOGIN/PLAIN auth via ldapdb.

It should be possible to continue to use saslauthd for authentication (with crypted passwords) and then use ldapdb just as a canonicalization plugin.

> > If I understand correctly all the hard work to match usernames is done via some regexp which should be powerful enough to let me search the login name in uid and mail attributes?
>
> Yes, the matching regex is key. And confusing, at first.
>
> > Or did you actually refer to a different mapping in LDAP? Is there some sort of HOWTO somewhere or is all the information really spread in openldap, sasl and imapd documentation only?
>
> Maybe the above PDF will help?

--
Dan White
Re: Need guidelines on how to migrate a Cyrus-Imapd server
On 04/02/2013 15:20, Adam Tauno Williams wrote:
> Something like -
>
>   # run this on the replica: rsync cannot copy remote-to-remote, so the
>   # source is the master's spool and the destination is the local path
>   rsync \
>     --verbose --recursive \
>     --perms --owner --group --times \
>     --links --hard-links --delete \
>     $master:$root/ $root/
>
> I also like the --numeric-ids assuming your uidNumber/gidNumber is the same between systems. That saves a lot of pointless NSS calls.

Thanks for the hint on the --numeric-ids option.

Regards,
Thibault
Re: alternative login names
On 02/03/13 20:29 +0100, Wolfgang Rosenauer wrote:
> Hi,
>
> I'm running Cyrus imapd 2.3.x since quite some time for a group of users. My setup is LDAP based using saslauthd to pam_ldap currently and works just fine.
> But now I want to allow access to the mailboxes using the email address as an alternative to the system username. I have no real idea where to start how I could achieve that w/o changing the whole architecture of the system.
> Someone got a hint for me what to look at?

To allow users to login using a different username than the name of the mailbox, use a canonicalization plugin, such as ldapdb.

--
Dan White
Re: alternative login names
On Mon, Feb 4, 2013 at 3:27 PM, Dan White dwh...@olp.net wrote:
> On 02/04/13 09:08 -0500, Adam Tauno Williams wrote:
> > On Mon, 2013-02-04 at 14:25 +0100, Wolfgang Rosenauer wrote:
> > > I actually needed a pointer into the right direction and I guess that is one. I've never used sasl ldapdb though and I have a hard time figuring out how and what to do.
> >
> > I have some examples for using ldapdb @ http://www.wmmi.net/documents/LDAP103.pdf
> >
> > > From the documentation I found it's also not clear to me if a crypted userPassword as I use in my LDAP can be used in that setup.
> >
> > Hmm. I can't recall off the top of my head. I believe it SHOULD be possible to do LOGIN/PLAIN auth via ldapdb.
>
> It should be possible to continue to use saslauthd for authentication (with crypted passwords) and then use ldapdb just as a canonicalization plugin.

I played around some more with openldap's SASL and ran exactly into the issue that SASL seems to explicitly _not_ support CRYPT userPasswords. So yes, keeping saslauthd using PAM would help with that.

But now after reading quite some stuff about ldapdb I still have no idea what "use ldapdb just as a canonicalization plugin" would look like. Any pointers to documentation which shows how that comes together starting from imapd.conf?

I found some snippets for example here: http://comments.gmane.org/gmane.mail.imap.cyrus/29985

But this is the other way round as I'd like it to behave. I have simple login names but want to allow people to login with their email address. As I understand the canonicalization feature it would return any attribute from an ldap entry but I'd need to search for the mail attribute and return the uid. Or does it do the same sasl_regexp stuff so I could create a search from a sasl request?

Wolfgang
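Pulling the three pieces of advice together (Marc's ldapdb option list, Dan's suggestion to leave the password check with saslauthd and use ldapdb only for canonicalization, and the regex mapping that lets a login name match either uid or mail), here is one way the two configuration files could look. This is an added example written for this page; it is not a configuration from the thread, from Cyrus or from OpenLDAP. The host name, base DN, proxy account, password and the exact option names are assumptions, and the behaviour should be confirmed on a test instance with sasl_log_level raised before it goes anywhere near the production server.

```conf
# --- /etc/imapd.conf (Cyrus IMAP) ---
# Passwords keep being checked by saslauthd -> PAM -> pam_ldap, so {CRYPT}
# userPassword values stay usable.  ldapdb is loaded only as the canon_user
# plugin: it binds as sasl_ldapdb_id, proxy-authorizes to the login name the
# client typed (authzid "u:<login>"), asks slapd "who am I?" and hands back the
# attribute named by canon_attr from the entry slapd resolved.  That value, the
# uid, becomes the Cyrus user name the mailbox is looked up under.
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
allowplaintext: no                 # plaintext mechanisms only after STARTTLS
sasl_minimum_layer: 0
sasl_canon_user_plugin: ldapdb
sasl_ldapdb_uri: ldap://ldap.example.com
sasl_ldapdb_starttls: demand       # never send the proxy password in the clear
sasl_ldapdb_mech: PLAIN
sasl_ldapdb_id: cyrus-proxy        # a dedicated proxy account, not the directory admin
sasl_ldapdb_pw: change-me          # imapd.conf must then be readable by the cyrus user only
sasl_ldapdb_canon_attr: uid

# --- slapd.conf (OpenLDAP) ---
# slapd turns the authzid "u:<login>" into uid=<login>,cn=<mech>,cn=auth (with
# an extra cn=<realm> component when a realm is set) and runs it through
# authz-regexp.  The LDAP URL resolves it to the entry whose uid OR mail equals
# <login>; the search has to return exactly one entry or slapd rejects it.
# The character class deliberately excludes LDAP filter metacharacters so a
# login name cannot rewrite the filter (a "*" would otherwise match everyone).
authz-regexp
    "^uid=([^,=()*]+)(,cn=[^,]+)?,cn=[^,]+,cn=auth$"
    "ldap:///ou=people,dc=example,dc=com??sub?(&(objectClass=inetOrgPerson)(|(uid=$1)(mail=$1)))"

# Proxy authorization: only entries carrying an authzTo attribute may assume
# another identity.  Put this on the cyrus-proxy entry, and on nothing else:
#   authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
authz-policy to

# Check the mapping and the proxy right from a shell before touching imapd;
# the answer must be the person's DN, not the proxy's:
#   ldapwhoami -ZZ -H ldap://ldap.example.com -Y PLAIN -U cyrus-proxy -X u:alice@example.com
```

Two things to keep in mind with this layout: the proxy account is a standing credential that can impersonate every user for read purposes, so its authzTo should be as narrow as the regex above and its entry should have no write rights; and the mail attribute is only a safe alternate login if it is unique across the tree, which is exactly what the exactly-one-entry rule of authz-regexp enforces at bind time.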
Re: alternative login names
Wolfgang,

Wolfgang Rosenauer schrieb (04.02.2013 18:03 Uhr):
> I played around some more with openldap's SASL and ran exactly into the issue that SASL seems to explicitly _not_ support CRYPT userPasswords. So yes, keeping saslauthd using PAM would help with that.

What did you test? (I did not do it myself.)
Like an ldapsearch with -Y cram-md5 or -Y plain both do not work against an object where userPassword is encrypted with CRYPT? And both do work while it is encrypted with like SHA or unencrypted?

Marc
Re: alternative login names
On Mon, Feb 4, 2013 at 6:44 PM, Marc Patermann hans.mo...@ofd-z.niedersachsen.de wrote:
> Wolfgang,
>
> Wolfgang Rosenauer schrieb (04.02.2013 18:03 Uhr):
> > I played around some more with openldap's SASL and ran exactly into the issue that SASL seems to explicitly _not_ support CRYPT userPasswords. So yes, keeping saslauthd using PAM would help with that.
>
> What did you test? (I did not do it myself.)
> Like an ldapsearch with -Y cram-md5 or -Y plain both do not work against an object where userPassword is encrypted with CRYPT? And both do work while it is encrypted with like SHA or unencrypted?

DIGEST-MD5 did not work (as expected) and PLAIN also failed with

  slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined
  SASL [conn=1004] Failure: Password verification failed

When I googled for that issue I found statements that SASL cannot handle CRYPT passwords and tries to fall back to cmusaslsecret which I do not have.

I haven't tried plain passwords since I have no test setup at the moment and didn't want to kill the production mail server.

Wolfgang
Re: alternative login names
Gentlemen,

Sorry to butt into this thread at so late a stage.

Indeed SASL does not support encrypted passwords because it can't!

SASL CRAM-MD5 and DIGEST-MD5 do not transmit the password over the link; as a consequence both the client and the server need knowledge of the clear text.

It is possible to store encrypted passwords in some kind of database provided that the lookup mechanism is capable of doing the de-crypt. MySQL AES is one possibility.

Both MD5 and SHA are one-way hashing functions! Password verification against either requires knowledge of the clear text!

Charles Bradshaw

On Mon, 4 Feb 2013 18:44:48 +0100, Marc Patermann wrote:
> Wolfgang,
>
> Wolfgang Rosenauer schrieb (04.02.2013 18:03 Uhr):
> > I played around some more with openldap's SASL and ran exactly into the issue that SASL seems to explicitly _not_ support CRYPT userPasswords. So yes, keeping saslauthd using PAM would help with that.
>
> What did you test? (I did not do it myself.)
> Like an ldapsearch with -Y cram-md5 or -Y plain both do not work against an object where userPassword is encrypted with CRYPT? And both do work while it is encrypted with like SHA or unencrypted?
>
> Marc
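Charles's point, in working code. The example below is added for this page and is not code from the thread, Cyrus SASL or OpenLDAP: it implements both halves of the CRAM-MD5 exchange from RFC 2195 and an OpenLDAP-style {SSHA} userPassword check, then verifies the same client response once against a store that holds the clear password and once against a store that holds only the hash. The challenge and expected digest are the RFC 2195 test vector; the user table and salt are constructed sample data. It also explains the cmusaslsecretPLAIN error quoted earlier: a challenge/response server needs a secret it can key the HMAC with, and a one-way {CRYPT} hash is not that.

```python
"""Why CRAM-MD5 (and DIGEST-MD5) cannot be verified against a one-way hash.

Added example for this thread, not code from Cyrus SASL or OpenLDAP.  It
implements both sides of the CRAM-MD5 exchange from RFC 2195 and a {SSHA}
userPassword check as OpenLDAP stores it, then shows which of the two can be
verified when the server holds only the hash.  The RFC 2195 test vector is
used as the challenge; the user table and salt are constructed sample data.
"""
import base64
import hashlib
import hmac
import os
from typing import Callable, Optional


def cram_md5_response(user: str, password: str, challenge: bytes) -> str:
    """Client side: the password itself keys HMAC-MD5 over the server's challenge."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return "%s %s" % (user, digest)


def verify_cram_md5(response: str, challenge: bytes,
                    lookup_secret: Callable[[str], Optional[str]]) -> bool:
    """Server side.  The server has to recompute exactly the HMAC the client
    computed, so lookup_secret() must return the clear password.  If the
    directory can only return a hash ({CRYPT}, {SSHA}, ...) the HMAC is keyed
    with the wrong bytes and verification fails: a one-way hash cannot be
    turned back into the key the client used."""
    user, _, digest = response.partition(" ")
    secret = lookup_secret(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP-style {SSHA}: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    return "{SSHA}" + base64.b64encode(
        hashlib.sha1(password.encode() + salt).digest() + salt).decode()


def verify_plain_against_ssha(stored: str, candidate: str) -> bool:
    """PLAIN/LOGIN (and saslauthd -> PAM behind them) receive the password
    itself, so a one-way salted hash is all the server needs to keep."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)


# RFC 2195 section 2 example: user "tim", password "tanstaaftanstaaf".
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
RFC2195_DIGEST = "b913a602c7eda7a495b4e6e7334d3890"

# Constructed user table in the two storage forms the thread contrasts.
CLEARTEXT_DB = {"tim": "tanstaaftanstaaf"}
HASHED_DB = {"tim": ssha_hash("tanstaaftanstaaf", salt=b"\x01\x02\x03\x04")}


def demo():
    """Returns (CRAM-MD5 vs clear store, CRAM-MD5 vs hashed store, PLAIN vs hashed store)."""
    response = cram_md5_response("tim", "tanstaaftanstaaf", CHALLENGE)
    return (verify_cram_md5(response, CHALLENGE, CLEARTEXT_DB.get),
            verify_cram_md5(response, CHALLENGE, HASHED_DB.get),
            verify_plain_against_ssha(HASHED_DB["tim"], "tanstaaftanstaaf"))


if __name__ == "__main__":
    print(demo())
```

The one refinement to Charles's summary: DIGEST-MD5 does not strictly need the clear text, because its response is built from MD5(user:realm:password), so a server can verify from that precomputed hash alone, which is what the cmusaslsecret* attributes hold. That hash still cannot be derived from a {CRYPT} or {SSHA} userPassword, so the practical conclusion for this thread is unchanged: either the directory stores a reversible or mechanism-specific secret, or the server sticks to PLAIN/LOGIN over TLS and lets saslauthd do the comparison.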