Re: LDAP auth, and Cyrus mailboxes..
On Wed, Jun 16, 2004 at 11:59:08AM -0400, Rob Siemborski wrote:
> > Ok, well, it's known behaviour, perhaps I'll need to think up another
> > solution. (an ugly patch to cyrus that adds a loginrequiresinbox: option?)
>
> This is not unreasonable. I'd probably implement it as part of the
> PROXY_POLICY callbacks to sasl (e.g. mysasl_proxy_policy).
>
> Note that you want to be sure to not exclude admins (who shouldn't have a
> mailbox) when you do this.

Ok, I've finally gotten around to doing this, since we deleted around 6.5k
student accounts last week, and some have been wondering why all their mail
was deleted... (since they can still log into horde/imp, and see an 'inbox').

Patch is attached... took me a while to figure out that imapd has its own
PROXY_POLICY callback, where the others all use the one in config.c

It's hackish, but it's a concept, and it Works For Me(tm). It may be a
starting point for something more robust.

Mike.
-- 
Mike Beattie [EMAIL PROTECTED]                UNIX Systems Engineer, ITS
Ph: +64 3 479 8597  Fax: +64 3 479 5080  Cell: +64 27 44 80386
* Opinions expressed are my own, not those of the University of Otago *

diff -urN cyrus21-imapd-2.1.16.orig/debian/imapd.conf cyrus21-imapd-2.1.16/debian/imapd.conf --- cyrus21-imapd-2.1.16.orig/debian/imapd.conf Thu Sep 2 17:00:08 2004 +++ cyrus21-imapd-2.1.16/debian/imapd.conf Thu Sep 2 16:59:22 2004 @@ -71,6 +71,9 @@ # No anonymous logins allowanonymouslogin: no +# Login requires an inbox (admins excluded) +#loginrequiresinbox: no + # Minimum time between POP mail fetches in minutes popminpoll: 1 diff -urN cyrus21-imapd-2.1.16.orig/imap/config.c cyrus21-imapd-2.1.16/imap/config.c --- cyrus21-imapd-2.1.16.orig/imap/config.c Thu Sep 2 16:59:58 2004 +++ cyrus21-imapd-2.1.16/imap/config.c Fri Sep 3 00:22:57 2004 
@@ -521,6 +521,19 @@ return SASL_OK; } +if (config_getswitch(loginrequiresinbox, 0) !userisadmin) { + char inboxname[1024]; + + if (strchr(auth_identity, '.') || strlen(auth_identity)+6 = sizeof(inboxname)) return 0; + strcpy(inboxname, user.); + strcat(inboxname, auth_identity); + + if (mboxlist_lookup(inboxname, NULL, NULL, NULL)) { + sasl_seterror(conn, 0, No inbox for user %s, auth_identity); + return SASL_BADAUTH; + } +} + if (alen != rlen || strncmp(auth_identity, requested_user, alen)) { /* we want to authenticate as a different user; we'll allow this if we're an admin or if we've allowed ACL proxy logins */ diff -urN cyrus21-imapd-2.1.16.orig/imap/imapd.c cyrus21-imapd-2.1.16/imap/imapd.c --- cyrus21-imapd-2.1.16.orig/imap/imapd.c Wed Mar 17 09:39:58 2004 +++ cyrus21-imapd-2.1.16/imap/imapd.c Fri Sep 3 00:19:48 2004 @@ -343,6 +343,19 @@ /* ok, is auth_identity an admin? */ imapd_userisadmin = authisa(imapd_authstate, imap, admins); +if (config_getswitch(loginrequiresinbox, 0) !imapd_userisadmin) { + char inboxname[1024]; + + if (strchr(auth_identity, '.') || strlen(auth_identity)+6 = sizeof(inboxname)) return 0; + strcpy(inboxname, user.); + strcat(inboxname, auth_identity); + + if (mboxlist_lookup(inboxname, NULL, NULL, NULL)) { + sasl_seterror(conn, 0, No inbox for user %s, auth_identity); + return SASL_BADAUTH; + } +} + if (alen != rlen || strncmp(auth_identity, requested_user, alen)) { /* we want to authenticate as a different user; we'll allow this if we're an admin or if we've allowed ACL proxy logins */
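Review bot: the debian/imapd.conf hunk is the only documentation the new switch gets; the upstream imapd.conf(5) man page is not in the diff, so anyone running Cyrus outside the Debian package will find no mention of loginrequiresinbox or of the admin exemption. Add the same two lines (`# Login requires an inbox (admins excluded)` / `#loginrequiresinbox: no`) to the man page, and spell out that "admins" means members of the `admins` option, since it is the `authisa(imapd_authstate, imap, admins)` result in the imapd.c hunk that decides who is exempt.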
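Review bot: in the config.c hunk the early `return 0` on the dot/length guard admits the login instead of refusing it: a SASL proxy-policy callback returning 0 returns SASL_OK, so any auth_identity that contains a '.' (or is too long for inboxname) skips the mailbox lookup entirely and is let in, which is the opposite of what the option promises. Return SASL_BADAUTH there, as the inbox-missing branch already does, or better SASL_NOAUTHZ, the code Cyrus SASL defines for an authorization failure. The same guard also arrives here as `strlen(auth_identity)+6 = sizeof(inboxname)`, and the condition before it as `config_getswitch(loginrequiresinbox, 0) !userisadmin`: the `&&`, the comparison operator and the quotes around `user.` and the error format have been lost in reproduction, so check the real attachment before applying; the intended `>=` is what keeps the strcpy/strcat into the 1024-byte buffer bounded (five bytes of "user." plus the NUL is the 6).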
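Review bot: the imapd.c hunk is a verbatim copy of the config.c block, `return 0` included, so the bypass for identities containing '.' applies to IMAP logins as well, and every later correction will have to be made twice. Factor the check into one function that both mysasl_proxy_policy callbacks call with their own admin flag (`imapd_userisadmin` here, `userisadmin` in config.c), so the two cannot drift; the thread already notes that the guard was copied from acl_ok() because config.c has its own acl_ok(), which is a second copy of the same logic waiting to diverge.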
Re: LDAP auth, and Cyrus mailboxes..
On Fri, Sep 03, 2004 at 12:32:07AM +1200, Mike Beattie wrote:
> + if (strchr(auth_identity, '.') || strlen(auth_identity)+6 = sizeof(inboxname)) return 0;
...
> + if (strchr(auth_identity, '.') || strlen(auth_identity)+6 = sizeof(inboxname)) return 0;

It occurred to me that I'd not found something better to do above, rather
than return 0. This particular line was copied verbatim from acl_ok() from
imapd.c (mainly because config.c had its own acl_ok(), or I would have just
called the function instead of mucking around creating inboxname for
mboxlist_lookup() ).

I guess something better here would probably be SASL_BADAUTH ?

Mike.
-- 
Mike Beattie [EMAIL PROTECTED]                UNIX Systems Engineer, ITS
Ph: +64 3 479 8597  Fax: +64 3 479 5080  Cell: +64 27 44 80386
* Opinions expressed are my own, not those of the University of Otago *

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
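The guard Mike flags above, as an added example that is not Cyrus code and not part of this thread: a stand-alone C model of the loginrequiresinbox check, with mboxlist_lookup() stubbed over a constructed mailbox list and sasl_seterror() replaced by a caller-supplied buffer (both are assumptions of this example). The SASL return values are the ones Cyrus SASL's sasl.h defines; the "user." prefix and the '.' hierarchy separator follow the 2.1 default namespace. It puts the check as posted, whose `return 0` is SASL_OK and therefore admits the login, beside a version in which every path that cannot find an inbox denies with SASL_NOAUTHZ, the code Cyrus SASL defines for an authorization failure, and builds the mailbox name with snprintf so the length check and the copy cannot disagree.

```c
#include <stdio.h>
#include <string.h>

/* Return codes with the values Cyrus SASL defines in sasl.h. */
#define SASL_OK       0
#define SASL_BADAUTH  (-13)
#define SASL_NOAUTHZ  (-14)

/* Stand-in for the non-zero error mboxlist_lookup() returns for an unknown mailbox. */
#define MAILBOX_NONEXISTENT 1

/* Constructed mailbox list standing in for the Cyrus mailboxes database. */
static const char *const mailboxes[] = {
    "user.alice", "user.bob", "user.bob.Sent", "shared.announce", NULL
};

/* Stub of mboxlist_lookup(): 0 if the internal name exists, non-zero otherwise. */
static int mboxlist_lookup(const char *name)
{
    const char *const *p;
    for (p = mailboxes; *p; p++)
        if (strcmp(*p, name) == 0)
            return 0;
    return MAILBOX_NONEXISTENT;
}

/* Stand-in for sasl_seterror(); err may be NULL when the caller does not want the text. */
static void set_error(char *err, size_t errlen, const char *msg, const char *who)
{
    if (err && errlen)
        snprintf(err, errlen, "%s %s", msg, who);
}

/* The check as posted: the guard's `return 0` is SASL_OK, so an identity that
 * contains '.' or is too long for the buffer skips the lookup and is admitted. */
static int inbox_policy_as_posted(const char *auth_identity, int userisadmin,
                                  char *err, size_t errlen)
{
    char inboxname[1024];

    if (userisadmin)
        return SASL_OK;
    if (strchr(auth_identity, '.') || strlen(auth_identity) + 6 >= sizeof(inboxname))
        return 0;                       /* BUG: 0 == SASL_OK, login allowed */
    strcpy(inboxname, "user.");
    strcat(inboxname, auth_identity);
    if (mboxlist_lookup(inboxname)) {
        set_error(err, errlen, "No inbox for user", auth_identity);
        return SASL_BADAUTH;
    }
    return SASL_OK;
}

/* Corrected check: every path that cannot prove an inbox exists denies with
 * SASL_NOAUTHZ, and snprintf both builds and bounds the mailbox name. */
static int inbox_policy_fixed(const char *auth_identity, int userisadmin,
                              char *err, size_t errlen)
{
    char inboxname[1024];
    int n;

    if (userisadmin)
        return SASL_OK;
    if (strchr(auth_identity, '.')) {   /* '.' is the hierarchy separator */
        set_error(err, errlen, "Invalid user", auth_identity);
        return SASL_NOAUTHZ;
    }
    n = snprintf(inboxname, sizeof(inboxname), "user.%s", auth_identity);
    if (n < 0 || (size_t)n >= sizeof(inboxname)) {
        set_error(err, errlen, "User name too long:", auth_identity);
        return SASL_NOAUTHZ;
    }
    if (mboxlist_lookup(inboxname)) {
        set_error(err, errlen, "No inbox for user", auth_identity);
        return SASL_NOAUTHZ;
    }
    return SASL_OK;
}

/* Demonstrates the bypass: a 1100-byte user name is admitted by the posted
 * check and denied by the corrected one. Returns 1 when that is what happens. */
static int long_name_bypass(void)
{
    char name[1101];
    int posted, fixed;

    memset(name, 'a', sizeof(name) - 1);
    name[sizeof(name) - 1] = '\0';
    posted = inbox_policy_as_posted(name, 0, NULL, 0);
    fixed = inbox_policy_fixed(name, 0, NULL, 0);
    return posted == SASL_OK && fixed == SASL_NOAUTHZ;
}

int main(void)
{
    static const struct { const char *user; int admin; } cases[] = {
        { "alice", 0 }, { "carol", 0 }, { "carol", 1 }, { "eve.x", 0 }
    };
    char err[128];
    size_t i;
    int rc;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        err[0] = '\0';
        rc = inbox_policy_fixed(cases[i].user, cases[i].admin, err, sizeof(err));
        printf("%-6s admin=%d -> %s %s\n", cases[i].user, cases[i].admin,
               rc == SASL_OK ? "allowed" : "denied", err);
    }
    printf("long-name bypass in posted version: %s\n", long_name_bypass() ? "yes" : "no");
    return 0;
}
```

The admin exemption is kept in both versions, as Rob asked for: an admin never reaches the lookup, so "carol" with the admin flag is allowed even though user.carol does not exist. Note that in the real callback the check runs on auth_identity, the user who proved a password, before the requested_user comparison, which is where the existing ACL-proxy rules still apply.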
Re: LDAP auth, and Cyrus mailboxes..
On Wed, 16 Jun 2004, Mike Beattie wrote:
> Ok, well, it's known behaviour, perhaps I'll need to think up another
> solution. (an ugly patch to cyrus that adds a loginrequiresinbox: option?)

This is not unreasonable. I'd probably implement it as part of the
PROXY_POLICY callbacks to sasl (e.g. mysasl_proxy_policy).

Note that you want to be sure to not exclude admins (who shouldn't have a
mailbox) when you do this.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
LDAP auth, and Cyrus mailboxes..
Hi folks...

I've just discovered some behaviour from our cyrus installation, which serves
~17000 student accounts, that I don't want.

We have a centralised LDAP directory containing all user accounts that have
ever existed, which I have saslauthd authenticating against. The problem I'm
having is this: A user account that exists in LDAP, but not as a Cyrus
mailbox, can be used to login..

The following should show this:

mailserver:~# testsaslauthd -u auser -p rightpassword
0: OK "Success."
mailserver:~# testsaslauthd -u auser -p wrongpassword
0: NO "authentication failed"
mailserver:~# su -c "/usr/sbin/ctl_mboxlist -d" cyrus | \
    grep -q auser && echo exists || echo "doesn't exist"
doesn't exist
mailserver:~# echo ". logout" | imtest -a auser -w rightpassword localhost
...
C: L01 LOGIN auser {..}
S: + go ahead
C: <omitted>
S: L01 OK User logged in
Authenticated.
...
mailserver:~# echo ". logout" | imtest -a auser -w wrongpassword localhost
...
C: L01 LOGIN auser {..}
S: + go ahead
C: <omitted>
S: L01 NO Login failed: user not found
Authentication failed. generic failure
...

Ok, I can accept that this is logical, in that a user doesn't need to have a
mailbox to log in - they could conceivably be logging in to a server that
requires authentication, purely to read a shared mailbox.

But, for our environment, we do actually want the situation when the user
doesn't have a mailbox, their login attempts will fail.

Is this possible, and if so, any pointers to documentation? I've googled for
about the last half hour, and found nothing that seems to match what I'm
seeing here. If there is something, and I'm stupid, please point me in the
direction I need to go... :)

Cheers,
Mike.
-- 
Mike Beattie [EMAIL PROTECTED]                UNIX Systems Engineer, ITS
Ph: +64 3 479 8597  Fax: +64 3 479 5080  Cell: +64 27 44 80386
* Opinions expressed are my own, not those of the University of Otago *
Re: LDAP auth, and Cyrus mailboxes..
On Wed, 16 Jun 2004, Mike Beattie wrote:
> Is this possible, and if so, any pointers to documentation?

Teach saslauthd (or the LDAP auxprop method) to filter out accounts that
should not log into Cyrus, by using a proper filter/LDAP URI.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
Re: LDAP auth, and Cyrus mailboxes..
On Wed, Jun 16, 2004 at 12:13:02AM -0300, Henrique de Moraes Holschuh wrote:
> On Wed, 16 Jun 2004, Mike Beattie wrote:
> > Is this possible, and if so, any pointers to documentation?
>
> Teach saslauthd (or the LDAP auxprop method) to filter out accounts that
> should not log into Cyrus, by using a proper filter/LDAP URI.

Erp. well, that's not possible, since the LDAP directory contains nothing
other than dn: and userPassword:.

Ok, well, it's known behaviour, perhaps I'll need to think up another
solution. (an ugly patch to cyrus that adds a loginrequiresinbox: option?)

Mike.
-- 
Mike Beattie [EMAIL PROTECTED]                UNIX Systems Engineer, ITS
Ph: +64 3 479 8597  Fax: +64 3 479 5080  Cell: +64 27 44 80386
* Opinions expressed are my own, not those of the University of Otago *
Re: LDAP auth, and Cyrus mailboxes..
Mike Beattie wrote:
[snip]
> Erp. well, that's not possible, since the LDAP directory contains nothing
> other than dn: and userPassword:.

Your directory structure contains only two attributes for each user..?

> Ok, well, it's known behaviour, perhaps I'll need to think up another
> solution. (an ugly patch to cyrus that adds a loginrequiresinbox: option?)

Cyrus is not the problem - your ldap configuration apparently is. Reconfigure
your schema such that you have something to filter on for real accounts.
Depending on your setup, you could filter on maildrop (which, again, depends
on your setup and whether or not you use the maildrop attribute and, if you
do, if it is only populated for 'real' accounts). Then you could use
something akin to:

ldap_filter: ([EMAIL PROTECTED])

-- 
Carl P. Corliss
System Administrator / Developer
http://www.xaraya.com/
Re: LDAP auth, and Cyrus mailboxes..
On Tue, Jun 15, 2004 at 09:27:46PM -0700, Carl P. Corliss wrote:
> > Erp. well, that's not possible, since the LDAP directory contains nothing
> > other than dn: and userPassword:.
>
> Your directory structure contains only two attributes for each user..?

Correct. The directory is there for authentication, and authentication only.
Authorisation is another story, and is maintained via other methods from our
provisioning system.

> > Ok, well, it's known behaviour, perhaps I'll need to think up another
> > solution. (an ugly patch to cyrus that adds a loginrequiresinbox: option?)
>
> Cyrus is not the problem - your ldap configuration apparently is. Reconfigure
> your schema such that you have something to filter on for real accounts.
> Depending on your setup, you could filter on maildrop (which, again, depends
> on your setup and whether or not you use the maildrop attribute and, if you
> do, if it is only populated for 'real' accounts). Then you could use
> something akin to:

I'm aware of this, but for this situation some configuration toggle makes
more sense (in our environment) - cyrus is in this case, responsible for the
authorisation component of our student email system.

I'll think of something...

Thanks anyway,
Mike.
-- 
Mike Beattie [EMAIL PROTECTED]                UNIX Systems Engineer, ITS
Ph: +64 3 479 8597  Fax: +64 3 479 5080  Cell: +64 27 44 80386
* Opinions expressed are my own, not those of the University of Otago *