Re: LDAP auth and ptloader

2019-06-13 Thread ellie timoney
Hi Sven,

On Thu, Jun 13, 2019, at 12:27 AM, Sven Schwedas wrote:
> Is there another way to get ptloader to spit out debug information and
> pinpoint what's not set up correctly?
> 

I remember this thing as being very noisy, let me see...

Okay, in your cyrus.conf SERVICES entry, if you add "-d1" to the ptloader line 
like this,

 ptloader cmd="ptloader -d1" listen="/path/to/some/socket" 

then ptloader will syslog every user that it's asked about...

You need "debug: 1" in imapd.conf, which will tell Cyrus to not swallow 
LOG_DEBUG level log lines, but ALSO: your syslog itself must be configured to 
log these lines (the default is often not to). We have some makeshift 
instructions here but ymmv: 
https://www.cyrusimap.org/imap/installing.html#setting-up-syslog

If you turn on the "ptloader -d1" switch and set debug:1 and *don't* start 
seeing entries in your logs like "ptloader[pid]: user [user]", then you need to 
fiddle with syslog to enable the LOG_DEBUG log level :)

Here's an example of some ptloader log output from running our test suite, for 
example:

> Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: executed
> Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: starting: ptloader.c 3.1.6-696-gf38559858
> Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: accepted connection
> Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: user admin
> Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: collecting all domains from ou=domains,o=cyrus
> Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: Domain filter: (&(objectclass=domainrelatedobject)(associateddomain=*))
> Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: we have a domain internal.
> Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: ptsmodule_standard_root_dn called for domain internal.
> Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: Root DN now dc=
> Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: Root DN now dc=internal
> Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: Root DN now dc=internal
> Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: Root DN now dc=internal
> Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: Found admin in dc=internal
> Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: we have found admin in dc=internal

And part of another run, showing it resolving a group membership (sorry these 
lines got truncated during copy&paste, but you get the idea):

> Jun 14 13:11:47 debian 0311460101/ptloader[16345]: accepted connection
> Jun 14 13:11:47 debian 0311460101/ptloader[16345]: user group:group co
> Jun 14 13:11:47 debian 0311460101/ptloader[16345]: (groups) about to search ou=groups,o=cy
> Jun 14 13:11:47 debian 0311460101/imap[16344]: timeout_select exiting. r = 1; errno = 0
> Jun 14 13:11:47 debian 0311460101/imap[16344]: timeout_select: sock = 15, rp = 0x7ffca95e3
> Jun 14 13:11:47 debian 0311460101/imap[16344]: timeout_select exiting. r = 1; errno = 0
> Jun 14 13:11:47 debian 0311460101/imap[16344]: ptload read data back
> Jun 14 13:11:47 debian 0311460101/imap[16344]: ptload returning data
> Jun 14 13:11:47 debian 0311460101/imap[16344]: canonified group:group co -> group:group co

Not sure if this is helpful, but this is the directory structure our tests are 
working with:

https://github.com/cyrusimap/cassandane/blob/master/data/directory.ldif

... ohhh,

> ldap_member_attribute: memberUid 

This kinda sounds like your groups are what I think of as "normal": a group in 
LDAP is an entry that contains a multi-valued attribute listing all the group 
members. Is that a good description of your schema?

As far as I've been able to figure out while building tests, Cyrus seems to 
expect each *user* entry to contain a multi-valued attribute listing the groups 
it is a member of (e.g. see that directory.ldif linked above). This feels 
backwards to me, but maybe it's normal somewhere?? I don't understand the 
rationale for this choice, or whether Cyrus can support a "normal" setup... 
maybe using the "ldap_member_method: filter" configuration (vs the default 
setting of "attribute") somehow??

Hopefully this is enough for you to get some useful logging out of the thing 
anyway,

Cheers,

ellie
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
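As an added illustration of the debugging procedure in ellie's message (this is not code from the thread, from Cyrus, or from the Cassandane test suite), the Python script below reads syslog lines of the shape she quotes and sorts a log into the three states her message distinguishes: no ptloader lines at all, ptloader lines but no per-lookup "user <id>" line (the LOG_DEBUG lines are not reaching syslog), or lookups that can be summarised. The sample lines are constructed after the quoted ones; the line shape and the message prefixes the parser keys on ("user ", "we have a domain ", "we have found ", "(groups) about to search ") are taken from the quoted output, and which syslog level each of those lines is written at is not something the page states, so the script only asks whether a "user" line appears.

```python
import re

# Constructed sample, modelled on the ptloader/imapd syslog lines quoted in
# the thread; not a capture from any real server.
SAMPLE_SYSLOG = """\
Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: executed
Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: starting: ptloader.c 3.1.6-696-gf38559858
Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: accepted connection
Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: user admin
Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: collecting all domains from ou=domains,o=cyrus
Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: we have a domain internal.
Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: Root DN now dc=internal
Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: Found admin in dc=internal
Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: we have found admin in dc=internal
Jun 14 13:11:47 debian 0311460101/ptloader[16345]: accepted connection
Jun 14 13:11:47 debian 0311460101/ptloader[16345]: user group:group co
Jun 14 13:11:47 debian 0311460101/ptloader[16345]: (groups) about to search ou=groups,o=cyrus
Jun 14 13:11:47 debian 0311460101/imap[16344]: ptload read data back
Jun 14 13:11:47 debian 0311460101/imap[16344]: canonified group:group co -> group:group co
"""

# Constructed: ptloader is running, but the per-lookup "user <id>" line that
# the thread says to look for never appears in syslog.
SILENT_SYSLOG = """\
Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: executed
Jun 14 12:08:03 debian 02032301C4/ptloader[29481]: accepted connection
"""

# "<timestamp> <host> [<session>/]<program>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:(?P<sid>[^\s/]+)/)?(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def parse_ptloader_log(text):
    """Return (saw_any_ptloader_line, lookups).

    Each lookup is one "user <id>" request plus the lines that followed it
    from the same ptloader pid; lines from other programs are ignored."""
    saw_ptloader = False
    lookups, open_by_pid = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["prog"] != "ptloader":
            continue
        saw_ptloader = True
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("user "):
            cur = {"pid": pid, "id": msg[len("user "):], "domains": [],
                   "found_in": None, "group_base": None}
            lookups.append(cur)
            open_by_pid[pid] = cur
            continue
        cur = open_by_pid.get(pid)
        if cur is None:
            continue  # startup chatter before any request arrived
        if msg.startswith("we have a domain "):
            cur["domains"].append(msg[len("we have a domain "):].rstrip("."))
        elif msg.startswith("we have found "):
            cur["found_in"] = msg.split(" in ", 1)[1]   # "we have found <id> in <dn>"
        elif msg.startswith("(groups) about to search "):
            cur["group_base"] = msg[len("(groups) about to search "):]
    return saw_ptloader, lookups


def diagnose(text):
    """Map a log to the three states the thread distinguishes."""
    saw_ptloader, lookups = parse_ptloader_log(text)
    if not saw_ptloader:
        return "no_ptloader_lines"   # service not in cyrus.conf, or syslog not receiving it
    if not lookups:
        return "no_lookup_lines"     # "-d1", "debug: 1" and syslog's debug level not all in place
    return "ok"


def report(text):
    """One summary line per lookup, for reading by a human."""
    _, lookups = parse_ptloader_log(text)
    out = []
    for lk in lookups:
        if lk["found_in"]:
            out.append(f"{lk['id']}: found in {lk['found_in']} (domains {lk['domains']})")
        elif lk["group_base"]:
            out.append(f"{lk['id']}: group search under {lk['group_base']}")
        else:
            out.append(f"{lk['id']}: no result line seen")
    return out


if __name__ == "__main__":
    print(diagnose(SAMPLE_SYSLOG))
    print("\n".join(report(SAMPLE_SYSLOG)))
    print(diagnose(SILENT_SYSLOG))
```

Feed it the output of the syslog file or journal you configured for Cyrus; a result of "no_lookup_lines" while users are logging in is the case ellie describes where syslog is still dropping the debug level.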

Re: LDAP auth and ptloader

2019-06-12 Thread Sven Schwedas
Sorry for the delay, I was busy with other projects. :/

On 26.04.19 10:03, ellie timoney wrote:
> Hi Sven,
> 
> I don't know much about running it in a production capacity, but our
> test suite sets up the following for LDAP pts:
> 
> imapd.conf:
>    ...
>    ptloader_sock: /path/to/some/socket
>    auth_mech: pts
>    pts_module: ldap
>    ...
> 
> cyrus.conf:
>    SERVICES {
>       ...
>       ptloader cmd="ptloader" listen="/path/to/some/socket"
>       ...   
>    }
> 
> Does this get you going?

It starts now, and according to the log, ptloader is initialized, but it
doesn't find any LDAP groups, and I can't really figure out why – it
just silently fails to find any groups (so users can't access shared
folders), with no indication in the logs as to why, even with
debug/chatty both enabled.

Groups *do* work with pts disabled and libpam-winbind resolving them as
native groups, so they *should* be set up correctly, I think.

Relevant settings:

> # These make no difference
> #debug: 1
> #chatty: 1
> 
> # Same as in sample, path correct
> #auth_mech: pts
> pts_module: ldap
> ptloader_sock: /var/run/cyrus/socket/pts
> 
> # Work, verified with s_client
> ldap_uri: ldaps://graz-dc-sem.ad.tao.at/
> ldap_ca_file: /usr/local/share/ca-certificates/tao-ad-ca.crt
> ldap_verify_peer: yes
> 
> ldap_version: 3
> ldap_sasl: 0
> ldap_bind_dn:  CN=some_user,CN=Users,DC=ad,DC=tao,DC=at
> ldap_password: some_password
> # Seems to work up to here, wrong password results in a ptloader error
> # message. Correct password results in no output?
> 
> ldap_base: CN=Users,DC=ad,DC=tao,DC=at
> ldap_group_base:  CN=Users,DC=ad,DC=tao,DC=at
> ldap_member_base: CN=Users,DC=ad,DC=tao,DC=at
> 
> # These SHOULD work, and do work with ldapsearch, but silently fail?
> ldap_group_filter: (&(|(cn=%u)(sAMAccountName=%u))(objectClass=group))
> ldap_member_attribute: memberUid
> ldap_user_attribute: uid
> ldap_filter: (uid=%u)

Is there another way to get ptloader to spit out debug information and
pinpoint what's not set up correctly?

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
✉ sven.schwe...@tao.at | ☎ +43 680 301 7167
TAO Digital   | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz | https://www.tao-digital.at




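Two things in this exchange lend themselves to a small worked example: the filter templates in Sven's config, which substitute %u into a search filter, and ellie's point (in her reply, the first message on this page) that Cyrus appears to read group membership from a multi-valued attribute on the user entry, whereas a memberUid-style directory stores it on the group entries. The Python below is an added illustration, not code from Cyrus or from the thread. The first part expands a template with RFC 4515 escaping of the substituted value, beside a plain string replacement for contrast, because an identifier handed to the lookup is not necessarily a login name (the quoted log shows ptloader being asked about "group:group co") and a metacharacter in it must not rewrite the filter. %u is the token the config on this page uses; the %d and %D tokens are illustrative additions, not a claim about which tokens Cyrus accepts. The second part holds one constructed toy directory in both layouts and resolves alice's groups each way; it models the two directions of lookup in general terms and is not a statement of what ldap_member_method: attribute or filter does inside Cyrus.

```python
import re

# --- 1. Expanding a filter template safely ---------------------------------

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


TOKEN_RE = re.compile(r"%([udD%])")


def expand_filter(template, user, domain="", user_dn=""):
    """Expand %u (user), %d (domain), %D (user DN) and %% in a template,
    escaping every substituted value. %d and %D are illustrative tokens."""
    values = {"u": user, "d": domain, "D": user_dn, "%": "%"}
    return TOKEN_RE.sub(lambda m: escape_filter_value(values[m.group(1)]), template)


def expand_filter_unsafe(template, user):
    """Plain substitution, shown only for contrast with expand_filter."""
    return template.replace("%u", user)


# --- 2. Two ways of recording group membership -----------------------------
# Constructed toy directory (not the cassandane directory.ldif). The same facts
# are stored twice: once on the group entries, once on the user entry.
BASE = "cn=Users,dc=example,dc=org"

GROUP_CENTRIC = {  # each group entry lists its members (memberUid style)
    f"cn=staff,{BASE}": {"cn": ["staff"], "objectClass": ["group"], "memberUid": ["alice", "bob"]},
    f"cn=audit,{BASE}": {"cn": ["audit"], "objectClass": ["group"], "memberUid": ["alice"]},
    f"cn=alice,{BASE}": {"cn": ["alice"], "uid": ["alice"], "objectClass": ["person"]},
}

USER_CENTRIC = {  # each user entry lists its groups (memberOf style)
    f"cn=alice,{BASE}": {"cn": ["alice"], "uid": ["alice"], "objectClass": ["person"],
                         "memberOf": ["staff", "audit"]},
    f"cn=staff,{BASE}": {"cn": ["staff"], "objectClass": ["group"]},
    f"cn=audit,{BASE}": {"cn": ["audit"], "objectClass": ["group"]},
}


def _under(dn, base):
    """True if dn lies at or below base (case-insensitive, string form only)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def groups_via_user_attribute(directory, base, user_attr, user, member_attr):
    """Find the user entry under base and return the group names stored on it."""
    for dn, entry in directory.items():
        if _under(dn, base) and user in entry.get(user_attr, []):
            return sorted(entry.get(member_attr, []))
    return []


def groups_via_member_search(directory, group_base, member_attr, user):
    """Search the group entries under group_base for ones naming the user."""
    return sorted(entry["cn"][0] for dn, entry in directory.items()
                  if _under(dn, group_base) and user in entry.get(member_attr, []))


if __name__ == "__main__":
    print(expand_filter("(&(|(cn=%u)(sAMAccountName=%u))(objectClass=group))", "alice"))
    print(expand_filter("(uid=%u)", "*"), "vs", expand_filter_unsafe("(uid=%u)", "*"))
    # A memberUid-style directory read the user-attribute way yields nothing:
    print(groups_via_user_attribute(GROUP_CENTRIC, BASE, "uid", "alice", "memberUid"))
    print(groups_via_member_search(GROUP_CENTRIC, BASE, "memberUid", "alice"))
    print(groups_via_user_attribute(USER_CENTRIC, BASE, "uid", "alice", "memberOf"))
```

The empty list from the first membership call is the shape of the symptom Sven reports: a group-centric directory queried for a group list on the user entry returns nothing, with no error to log.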

Re: LDAP auth and ptloader

2019-04-26 Thread ellie timoney
Hi Sven,

I don't know much about running it in a production capacity, but our test suite 
sets up the following for LDAP pts:

imapd.conf:
 ...
 ptloader_sock: /path/to/some/socket
 auth_mech: pts
 pts_module: ldap
 ...

cyrus.conf:
 SERVICES {
 ...
 ptloader cmd="ptloader" listen="/path/to/some/socket"
 ... 
 }

Does this get you going?

Cheers,

ellie


On Tue, Apr 23, 2019, at 7:52 PM, Sven Schwedas wrote:
> I'm trying to set up direct LDAP auth via auth_meth=pts, but on start I
> always get "ptload(): can't connect to ptloader server: No such file or
> directory" as error. The directory for ptloader_sock exists and is the
> same as for all other sockets, so there shouldn't be any permission
> problems with the socket.
> 
> I suppose I need to somehow manually start up ptloader via cyrus.conf,
> but there's no documentation and nothing I can find in the mailing list
> archives as to *how*? What am I missing?
> 
> -- 
> Mit freundlichen Grüßen, / Best Regards,
> Sven Schwedas, Systemadministrator
> ✉ sven.schwe...@tao.at | ☎ +43 680 301 7167
> TAO Digital | Teil der TAO Beratungs- & Management GmbH
> Lendplatz 45 | FN 213999f/Klagenfurt, FB-Gericht Villach
> A8020 Graz | https://www.tao-digital.at


Re: LDAP auth and ptloader

2019-04-23 Thread Sven Schwedas
This has nothing to do with my problem. Please stop spamming.

On 23.04.19 13:56, Willem Offermans wrote:
> Dear Cyrus friends and Sven,
> 
> A reason to look for authentication by radius.
> But maybe this should go to feature request.
> 
> 
> Wiel Offermans
> wil...@offermans.rompen.nl 
> 
> 
> 
> 
>> On 23 Apr 2019, at 13:50, Sven Schwedas wrote:
>>
>> On 23.04.19 13:43, Willem Offermans wrote:
>>> Dear Cyrus Friends and Sven,
>>>
>>> I don’t know if this is of any help.
>>>
>>> I have setup saslauthd to do LDAP authentication of Cyrus.
>>
>> That's what I want to get away from, because saslauthd cannot handle
>> groups, and I need to maintain PAM LDAP auth in parallel just to handle
>> that.
>>
>> -- 
>> Mit freundlichen Grüßen, / Best Regards,
>> Sven Schwedas, Systemadministrator
>> ✉ sven.schwe...@tao.at  | ☎ +43 680 301 7167
>> TAO Digital   | Teil der TAO Beratungs- & Management GmbH
>> Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
>> A8020 Graz    | https://www.tao-digital.at
>>
> 

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
✉ sven.schwe...@tao.at | ☎ +43 680 301 7167
TAO Digital   | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz | https://www.tao-digital.at





Re: LDAP auth and ptloader

2019-04-23 Thread Willem Offermans
Dear Cyrus friends and Sven,

A reason to look for authentication by radius.
But maybe this should go to feature request.


Wiel Offermans
wil...@offermans.rompen.nl




> On 23 Apr 2019, at 13:50, Sven Schwedas wrote:
> 
> On 23.04.19 13:43, Willem Offermans wrote:
>> Dear Cyrus Friends and Sven,
>> 
>> I don’t know if this is of any help.
>> 
>> I have setup saslauthd to do LDAP authentication of Cyrus.
> 
> That's what I want to get away from, because saslauthd cannot handle
> groups, and I need to maintain PAM LDAP auth in parallel just to handle
> that.
> 
> -- 
> Mit freundlichen Grüßen, / Best Regards,
> Sven Schwedas, Systemadministrator
> ✉ sven.schwe...@tao.at | ☎ +43 680 301 7167
> TAO Digital   | Teil der TAO Beratungs- & Management GmbH
> Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
> A8020 Graz | https://www.tao-digital.at
> 



Re: LDAP auth and ptloader

2019-04-23 Thread Sven Schwedas
On 23.04.19 13:43, Willem Offermans wrote:
> Dear Cyrus Friends and Sven,
> 
> I don’t know if this is of any help.
> 
> I have setup saslauthd to do LDAP authentication of Cyrus.

That's what I want to get away from, because saslauthd cannot handle
groups, and I need to maintain PAM LDAP auth in parallel just to handle
that.

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
✉ sven.schwe...@tao.at | ☎ +43 680 301 7167
TAO Digital   | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz | https://www.tao-digital.at





Re: LDAP auth and ptloader

2019-04-23 Thread Willem Offermans
Dear Cyrus Friends and Sven,

I don’t know if this is of any help.

I have setup saslauthd to do LDAP authentication of Cyrus.

Now I’m at this point. I know this is off-topic:

LDAP is a database and not developed to do authentication.
Radius is developed to do AAA (Authentication, Authorization and Accounting).
Radius can do authentication in many different ways with many different 
databases.
Is it possible to do authentication with radius, for example freeradius?



Wiel Offermans
wil...@offermans.rompen.nl




> On 23 Apr 2019, at 11:45, Sven Schwedas wrote:
> 
> I'm trying to set up direct LDAP auth via auth_meth=pts, but on start I
> always get "ptload(): can't connect to ptloader server: No such file or
> directory" as error. The directory for ptloader_sock exists and is the
> same as for all other sockets, so there shouldn't be any permission
> problems with the socket.
> 
> I suppose I need to somehow manually start up ptloader via cyrus.conf,
> but there's no documentation and nothing I can find in the mailing list
> archives as to *how*? What am I missing?
> 
> -- 
> Mit freundlichen Grüßen, / Best Regards,
> Sven Schwedas, Systemadministrator
> ✉ sven.schwe...@tao.at | ☎ +43 680 301 7167
> TAO Digital   | Teil der TAO Beratungs- & Management GmbH
> Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
> A8020 Graz | https://www.tao-digital.at



LDAP auth and ptloader

2019-04-23 Thread Sven Schwedas
I'm trying to set up direct LDAP auth via auth_meth=pts, but on start I
always get "ptload(): can't connect to ptloader server: No such file or
directory" as error. The directory for ptloader_sock exists and is the
same as for all other sockets, so there shouldn't be any permission
problems with the socket.

I suppose I need to somehow manually start up ptloader via cyrus.conf,
but there's no documentation and nothing I can find in the mailing list
archives as to *how*? What am I missing?

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
✉ sven.schwe...@tao.at | ☎ +43 680 301 7167
TAO Digital   | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz | https://www.tao-digital.at



