Re: LDAP auth, and Cyrus mailboxes..
On Fri, Sep 03, 2004 at 12:32:07AM +1200, Mike Beattie wrote:
> + if (strchr(auth_identity, '.') || strlen(auth_identity)+6 >=
> sizeof(inboxname)) return 0;
...
> + if (strchr(auth_identity, '.') || strlen(auth_identity)+6 >=
> sizeof(inboxname)) return 0;

It occurred to me that I'd not found something better to do above, rather than return 0. This particular line was copied verbatim from acl_ok() from imapd.c (mainly because config.c had its own acl_ok(), or I would have just called the function instead of mucking around creating inboxname for mboxlist_lookup()).

I guess something better here would probably be SASL_BADAUTH?

Mike.
-- 
Mike Beattie <[EMAIL PROTECTED]>  UNIX Systems Engineer, ITS
Ph: +64 3 479 8597  Fax: +64 3 479 5080  Cell: +64 27 44 80386
* Opinions expressed are my own, not those of the University of Otago *
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: LDAP auth, and Cyrus mailboxes..
On Wed, Jun 16, 2004 at 11:59:08AM -0400, Rob Siemborski wrote:
> >Ok, well, it's known behaviour, perhaps I'll need to think up another
> >solution. (an ugly patch to cyrus that adds a "loginrequiresinbox:"
> >option?)
> 
> This is not unreasonable. I'd probably implement it as part of the
> PROXY_POLICY callbacks to sasl (e.g. mysasl_proxy_policy).
> 
> Note that you want to be sure to not exclude admins (who shouldn't have a
> mailbox) when you do this.

Ok, I've finally gotten around to doing this, since we deleted around 6.5k student accounts last week, and some have been wondering why all their mail was deleted... (since they can still log into horde/imp, and see an 'inbox').

Patch is attached... took me a while to figure out that imapd has its own PROXY_POLICY callback, where the others all use the one in config.c

It's hackish, but it's a concept, and it Works For Me(tm). It may be a starting point for something more robust.

Mike.
-- 
Mike Beattie <[EMAIL PROTECTED]>  UNIX Systems Engineer, ITS

diff -urN cyrus21-imapd-2.1.16.orig/debian/imapd.conf cyrus21-imapd-2.1.16/debian/imapd.conf --- cyrus21-imapd-2.1.16.orig/debian/imapd.conf Thu Sep 2 17:00:08 2004 +++ cyrus21-imapd-2.1.16/debian/imapd.conf Thu Sep 2 16:59:22 2004 @@ -71,6 +71,9 @@ # No anonymous logins allowanonymouslogin: no +# Login requires an inbox (admins excluded) +#loginrequiresinbox: no + # Minimum time between POP mail fetches in minutes popminpoll: 1 diff -urN cyrus21-imapd-2.1.16.orig/imap/config.c cyrus21-imapd-2.1.16/imap/config.c --- cyrus21-imapd-2.1.16.orig/imap/config.c Thu Sep 2 16:59:58 2004 +++ cyrus21-imapd-2.1.16/imap/config.c Fri Sep 3 00:22:57 2004 
@@ -521,6 +521,19 @@ return SASL_OK; } +if (config_getswitch("loginrequiresinbox", 0) && !userisadmin) { + char inboxname[1024]; + + if (strchr(auth_identity, '.') || strlen(auth_identity)+6 >= sizeof(inboxname)) return 0; + strcpy(inboxname, "user."); + strcat(inboxname, auth_identity); + + if (mboxlist_lookup(inboxname, NULL, NULL, NULL)) { + sasl_seterror(conn, 0, "No inbox for user %s", auth_identity); + return SASL_BADAUTH; + } +} + if (alen != rlen || strncmp(auth_identity, requested_user, alen)) { /* we want to authenticate as a different user; we'll allow this if we're an admin or if we've allowed ACL proxy logins */ diff -urN cyrus21-imapd-2.1.16.orig/imap/imapd.c cyrus21-imapd-2.1.16/imap/imapd.c --- cyrus21-imapd-2.1.16.orig/imap/imapd.c Wed Mar 17 09:39:58 2004 +++ cyrus21-imapd-2.1.16/imap/imapd.c Fri Sep 3 00:19:48 2004 @@ -343,6 +343,19 @@ /* ok, is auth_identity an admin? */ imapd_userisadmin = authisa(imapd_authstate, "imap", "admins"); +if (config_getswitch("loginrequiresinbox", 0) && !imapd_userisadmin) { + char inboxname[1024]; + + if (strchr(auth_identity, '.') || strlen(auth_identity)+6 >= sizeof(inboxname)) return 0; + strcpy(inboxname, "user."); + strcat(inboxname, auth_identity); + + if (mboxlist_lookup(inboxname, NULL, NULL, NULL)) { + sasl_seterror(conn, 0, "No inbox for user %s", auth_identity); + return SASL_BADAUTH; + } +} + if (alen != rlen || strncmp(auth_identity, requested_user, alen)) { /* we want to authenticate as a different user; we'll allow this if we're an admin or if we've allowed ACL proxy logins */
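Review bot: the debian/imapd.conf hunk is the only documentation the option gets, and the one-line comment "Login requires an inbox (admins excluded)" does not say what the switch actually does or that it defaults to off (the code reads it as `config_getswitch("loginrequiresinbox", 0)`); the imapd.conf(5) man page is not touched at all. Spell out the behaviour in the sample config and add a man page entry: when set to yes, a non-admin whose authentication succeeds but for whom no user.<name> mailbox exists is refused, and anyone in the `admins:` list is exempt.

Review bot: in the config.c hunk, `return 0;` on the `if (strchr(auth_identity, '.') || strlen(auth_identity)+6 >= sizeof(inboxname))` line returns SASL_OK, so an identity that contains a '.' or is too long to build an inbox name for skips the inbox requirement and is let in, which is the opposite of what the option promises; fail closed here (the follow-up in this thread proposes SASL_BADAUTH; SASL_NOAUTHZ is the code meaning "authenticated but not authorized", which is what this case is). Two more points in the same block: `sasl_seterror(conn, 0, "No inbox for user %s", auth_identity)` hands the client a message that differs from the ordinary bad-password failure, so anyone who guesses a correct password for a deleted account is told that the password is right even though the login is refused; log the detail and return a generic failure to the client. And a nonzero return from `mboxlist_lookup(inboxname, NULL, NULL, NULL)` is treated as "no inbox", which reports a mailbox database or I/O error as an authentication failure with a misleading message; compare against the nonexistent-mailbox error specifically. Minor: `snprintf(inboxname, sizeof(inboxname), "user.%s", auth_identity)` with a truncation check replaces the manual length arithmetic plus `strcpy`/`strcat`, and the `+if (config_getswitch(...` line is missing the indentation of the surrounding code.

Review bot: the imapd.c hunk is a verbatim copy of the block added to config.c, including the `return 0` that lets dotted or over-long identities bypass the check and the client-visible "No inbox for user %s" message, so every fix has to be made twice. The reply itself notes that imapd has its own PROXY_POLICY callback while the other daemons share the one in config.c; that is exactly the case for one shared helper in config.c that takes the admin flag as a parameter (imapd.c already computes it into `imapd_userisadmin` just above the inserted block) and is called from both callbacks.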
Re: unable to login
On Wed, Jul 07, 2004 at 10:47:39AM -0700, Wil Cooley wrote:
> No, saslauthd runs as root--its role is to provide authentication
> services, often for PAM or shadow authentication, which requires root
> access. It's a much better solution than creating a 'shadow' group and
> making /etc/shadow readable by it and putting cyrus into that group.

And I hate to point out, but then, if a malicious user manages to find a flaw in cyrus they could hypothetically use that flaw to get a copy of /etc/shadow. (If I'm mistaken, *please* correct me)

Only the second worst thing after actually getting a root shell, IMO.

Mike.
-- 
Mike Beattie <[EMAIL PROTECTED]>  UNIX Systems Engineer, ITS
Re: unable to login
On Wed, Jul 07, 2004 at 07:19:11PM +0200, Dudi Goldenberg wrote:
> Thank you all people!
> 
> The problem was that /etc/default/saslauthd was reset to default values
> after an apt-get update.
> 
> Once I noticed that saslauthd was not running it didn't take much to
> find & fix it.

Speaking with my Debian hat on, that's a bug - please file one! (If you're using the official Debian packages, that is).

Mike.
-- 
Mike Beattie <[EMAIL PROTECTED]>  UNIX Systems Engineer, ITS
Re: LDAP auth, and Cyrus mailboxes..
On Tue, Jun 15, 2004 at 09:27:46PM -0700, Carl P. Corliss wrote:
> >Erp. well, that's not possible, since the LDAP directory contains nothing
> >other than dn: and userPassword:.
> 
> Your directory structure contains only two attributes for each user..?

Correct. The directory is there for authentication, and authentication only. Authorisation is another story, and is maintained via other methods from our provisioning system.

> >Ok, well, it's known behaviour, perhaps I'll need to think up another
> >solution. (an ugly patch to cyrus that adds a "loginrequiresinbox:"
> >option?)
> 
> Cyrus is not the problem - your ldap configuration apparently is.
> Reconfigure your schema such that you have something to filter on for
> real accounts. Depending on your setup, you could filter on maildrop
> (which, again, depends on your setup and whether or not you use the
> maildrop attribute and, if you do, if it is only populated for 'real'
> accounts). Then you could use something akin to:

I'm aware of this, but for this situation some configuration toggle makes more sense (in our environment) - cyrus is in this case, responsible for the authorisation component of our student email system.

I'll think of something...

Thanks anyway,
Mike.
-- 
Mike Beattie <[EMAIL PROTECTED]>  UNIX Systems Engineer, ITS
Re: LDAP auth, and Cyrus mailboxes..
On Wed, Jun 16, 2004 at 12:13:02AM -0300, Henrique de Moraes Holschuh wrote:
> On Wed, 16 Jun 2004, Mike Beattie wrote:
> > Is this possible, and if so, any pointers to documentation?
> 
> Teach saslauthd (or the LDAP auxprop method) to filter out accounts that
> should not log into Cyrus, by using a proper filter/LDAP URI.

Erp. well, that's not possible, since the LDAP directory contains nothing other than dn: and userPassword:.

Ok, well, it's known behaviour, perhaps I'll need to think up another solution. (an ugly patch to cyrus that adds a "loginrequiresinbox:" option?)

Mike.
-- 
Mike Beattie <[EMAIL PROTECTED]>  UNIX Systems Engineer, ITS
LDAP auth, and Cyrus mailboxes..
Hi folks...

I've just discovered some behaviour from our cyrus installation, which serves ~17000 student accounts, that I don't want. We have a centralised LDAP directory containing all user accounts that have ever existed, which I have saslauthd authenticating against. The problem I'm having is this:

A user account that exists in LDAP, but not as a Cyrus mailbox, can be used to log in..

The following should show this:

    mailserver:~# testsaslauthd -u auser -p rightpassword
    0: OK "Success."
    mailserver:~# testsaslauthd -u auser -p wrongpassword
    0: NO "authentication failed"
    mailserver:~# su -c "/usr/sbin/ctl_mboxlist -d" cyrus | \
        grep -q auser && echo "exists" || echo "doesn't exist"
    doesn't exist
    mailserver:~# echo ". logout" | imtest -a auser -w rightpassword localhost
    ...
    C: L01 LOGIN auser {..}
    S: + go ahead
    C: 
    S: L01 OK User logged in
    Authenticated.
    ...
    mailserver:~# echo ". logout" | imtest -a auser -w wrongpassword localhost
    ...
    C: L01 LOGIN auser {..}
    S: + go ahead
    C: 
    S: L01 NO Login failed: user not found
    Authentication failed. generic failure
    ...

Ok, I can accept that this is logical, in that a user doesn't need to have a mailbox to log in - they could conceivably be logging in to a server that requires authentication, purely to read a shared mailbox. But, for our environment, we do actually want the situation where, when the user doesn't have a mailbox, their login attempts fail.

Is this possible, and if so, any pointers to documentation? I've googled for about the last half hour, and found nothing that seems to match what I'm seeing here. If there is something, and I'm stupid, please point me in the direction I need to go... :)

Cheers,
Mike.
-- 
Mike Beattie <[EMAIL PROTECTED]>  UNIX Systems Engineer, ITS
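The check the thread converges on (refuse a successfully authenticated user who has no user.<name> mailbox, admins exempt) as a stand-alone C function. This is an added example, not Cyrus code and not the patch posted in the thread; it does what that patch does but fails closed on identities containing '.' or too long for the buffer, builds the inbox name with snprintf, and returns the same client-visible text for every refusal so the server's answer does not confirm a correct password for a deleted account. The SASL result values are copied from cyrus-sasl's sasl.h so the file compiles without it; the mailbox list, inbox_policy_check, fake_inbox_exists and the other helper names are this example's own inventions, and in a real proxy-policy callback the exists parameter would wrap mboxlist_lookup().

```c
/* Added example: "login requires an inbox" policy check, stand-alone. */
#include <stdio.h>
#include <string.h>

/* Values copied from cyrus-sasl's sasl.h; a real callback includes that header. */
#define SASL_OK      0
#define SASL_NOAUTHZ (-14)   /* authenticated, but not authorized */

/* Mailbox-existence test, so the check runs against a fake list here and
 * against mboxlist_lookup() inside Cyrus. */
typedef int (*inbox_exists_fn)(const char *mboxname);

/* Constructed stand-in for the mailbox list: "carol" and "cyrus" have no inbox. */
static const char *const fake_mboxlist[] = {
    "user.alice", "user.bob", "user.bob.Sent", "shared.staff", NULL
};

int fake_inbox_exists(const char *mboxname)
{
    for (size_t i = 0; fake_mboxlist[i]; i++)
        if (strcmp(fake_mboxlist[i], mboxname) == 0) return 1;
    return 0;
}

/* Decide whether auth_identity may log in.
 *   require_inbox - the loginrequiresinbox switch
 *   userisadmin   - whether auth_identity is in the admins list
 *   client_err    - text safe to return to the client (never names the cause)
 *   log_line      - the detail, meant for syslog only
 * Returns SASL_OK or SASL_NOAUTHZ. */
int inbox_policy_check(const char *auth_identity, int require_inbox,
                       int userisadmin, inbox_exists_fn exists,
                       char *client_err, size_t client_len,
                       char *log_line, size_t log_len)
{
    char inboxname[1024];
    const char *generic = "authorization failed";
    int n;

    if (!require_inbox || userisadmin) {
        snprintf(log_line, log_len, "inbox check skipped for %s (%s)",
                 auth_identity, userisadmin ? "admin" : "option off");
        return SASL_OK;
    }
    /* '.' is the hierarchy separator of the internal namespace: a dotted
     * identity would name a sub-folder, not an inbox. Refuse, do not skip. */
    if (strchr(auth_identity, '.')) {
        snprintf(client_err, client_len, "%s", generic);
        snprintf(log_line, log_len, "refused %s: '.' in identity", auth_identity);
        return SASL_NOAUTHZ;
    }
    /* snprintf reports the length it wanted; truncation is a refusal. */
    n = snprintf(inboxname, sizeof inboxname, "user.%s", auth_identity);
    if (n < 0 || (size_t)n >= sizeof inboxname) {
        snprintf(client_err, client_len, "%s", generic);
        snprintf(log_line, log_len, "refused: identity too long (%d bytes)", n);
        return SASL_NOAUTHZ;
    }
    if (!exists(inboxname)) {
        snprintf(client_err, client_len, "%s", generic);
        snprintf(log_line, log_len, "refused %s: no mailbox %s", auth_identity, inboxname);
        return SASL_NOAUTHZ;
    }
    snprintf(log_line, log_len, "allowed %s: found %s", auth_identity, inboxname);
    return SASL_OK;
}

/* Run the check against the fake list and return only the SASL result. */
int check_with_fake_list(const char *auth_identity, int require_inbox, int userisadmin)
{
    char cerr[64], logl[256];
    return inbox_policy_check(auth_identity, require_inbox, userisadmin,
                              fake_inbox_exists, cerr, sizeof cerr, logl, sizeof logl);
}

/* An identity longer than the inbox buffer must be refused, not waved through. */
int check_overlong_identity(void)
{
    char longid[1100];
    memset(longid, 'a', sizeof longid - 1);
    longid[sizeof longid - 1] = '\0';
    return check_with_fake_list(longid, 1, 0);
}

/* True when a refusal carries only the generic text and not the identity. */
int client_message_is_generic(const char *auth_identity)
{
    char cerr[64] = "", logl[256] = "";
    int rc = inbox_policy_check(auth_identity, 1, 0, fake_inbox_exists,
                                cerr, sizeof cerr, logl, sizeof logl);
    return rc == SASL_NOAUTHZ && strcmp(cerr, "authorization failed") == 0
           && strstr(cerr, auth_identity) == NULL;
}

int main(void)
{
    const char *ids[] = { "alice", "bob", "carol", "cyrus", "bob.Sent" };
    int admin[]       = { 0,       0,     0,       1,       0 };
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        char cerr[64] = "", logl[256] = "";
        int rc = inbox_policy_check(ids[i], 1, admin[i], fake_inbox_exists,
                                    cerr, sizeof cerr, logl, sizeof logl);
        printf("%-9s -> %-7s [%s]\n", ids[i], rc == SASL_OK ? "OK" : "NOAUTHZ", logl);
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall inbox_policy.c`. The refusal code is SASL_NOAUTHZ rather than the SASL_BADAUTH guessed in the thread because the password was accepted and only the authorization step failed; the generic "authorization failed" string is what reaches the client, while the log line with the identity and mailbox name is what an operator needs to explain a refused login.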