Re: Ptloader configuration in Cyrus IMAP

2009-08-31 Thread Evgeniy Arbatov
Hello,

Finally I am able to get the ptloader working. In my case the major
issue was that I used Cyrus IMAP 2.3.7, that has a segmentation fault
when reading from LDAP. This issue was previously discussed in
http://www.irbs.net/internet/info-cyrus/0608/0129.html. I solved the
problem by updating to Cyrus IMAP 2.3.14 and doing the above-mentioned
configuration changes.

Evgeniy

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Ptloader configuration in Cyrus IMAP

2009-08-23 Thread Duncan Gibb
> On 8 20, 2009 8:10 PM, "Wil Cooley"  wrote:

WC> Do I understand correctly [..] that the LDAP ptloader
WC> module can be used to manage group ACLs with
WC> "auth_mech=pts/pts_module=ldap", instead of
WC> "auth_mech=unix/unix_group_enable=1"?

Yes.

WC> Does this solve the slowness caused by UNIX groups in LDAP?

I haven't benchmarked it, but I wouldn't be surprised if pts ldap were
faster than unix groups + nss_ldap.  Neither should be /slow/ though,
given a good underlying LDAP setup.

IMHO the advantage of pts ldap is that the groups needed for mailbox
ACLs don't leak out into the operating system, which is much more in
keeping with the Cyrus "black box" design.


WC> Does "auth_mech" affect anything else?

Clément Hermann (nodens) wrote:

CH> What is not clearly stated in the doc is that if you use
CH> auth_mech: pts, every user needs to exist in the pts
CH> database (ldap in your case).

...which has advantages and disadvantages.  It catches typos in user and
group names in ACLs, but it's very annoying in a Murder where
server-to-server authentication is not via LDAP.

Attached is a hack which allows pts ldap to accept a list of identifiers
as valid without actually doing an LDAP lookup.  We use this to list
certificates for Murder authentication (see also client certs patch at
https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=3133).


Cheers


Duncan

-- 
Duncan Gibb - Technical Director
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk/ || t: +44 870 608 0063
Debian Cyrus Team - https://alioth.debian.org/projects/pkg-cyrus-imapd/
#! /bin/sh /usr/share/dpatch/dpatch-run
## 96-pts_ldap_external.dpatch
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Add a config option to the LDAP pts module to supply
## DP: a list of canonical identifiers who exist externally.
## DP: Duncan Gibb, Sirius Corporation plc 

@DPATCH@
diff -Nrub --exclude debian --exclude '*~' reference/lib/imapoptions 
editing/lib/imapoptions
--- reference/lib/imapoptions   2009-04-23 16:40:21.0 +0100
+++ editing/lib/imapoptions 2009-05-06 11:32:46.0 +0100
@@ -365,6 +365,10 @@
 { "ldap_deref", "never", STRINGLIST("search", "find", "always", "never") }
 /* Specify how aliases dereferencing is handled during search. */
 
+{ "ldap_external_ids", "", STRING }
+/* List of identifiers for the pts ldap module to assume are valid,
+   without actually looking at the LDAP directory. */
+
 { "ldap_filter", "(uid=%u)", STRING }
 /* Specify a filter that searches user identifiers.  The following tokens can 
be
used in the filter string:
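Review bot: the `ldap_external_ids` description should spell out the trust implication and the format: every identifier listed is accepted by ptloader as a valid principal without any directory lookup, the value is parsed as a whitespace-separated list (see the `isspace()` loop in ldap.c), and entries must already be in canonical form because the parser does not canonify them. Suggested wording: `/* Whitespace-separated list of canonical identifiers the pts ldap module treats as valid without consulting the LDAP directory, intended for server identities used in Murder authentication. */`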
diff -Nrub --exclude debian --exclude '*~' reference/ptclient/ldap.c 
editing/ptclient/ldap.c
--- reference/ptclient/ldap.c   2008-10-29 13:08:23.0 +
+++ editing/ptclient/ldap.c 2009-05-06 13:08:43.0 +0100
@@ -63,6 +63,8 @@
 /* Functions like ldap_bind() have been deprecated in OpenLDAP 2.3 */
 #define LDAP_DEPRECATED 1
 
+#define LDAP_EXTERNAL_IDS_MAX  256
+
 #include 
 #include 
 
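Review bot: `LDAP_EXTERNAL_IDS_MAX` introduces a hard cap of 256 identifiers that the option documentation never mentions, and it is placed between the `LDAP_DEPRECATED` define and the includes rather than with the module's other constants. Either move it next to the `t_ptsm` definition and document the limit, or size the array from the configured list so no silent truncation can happen.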
@@ -165,6 +167,8 @@
 const char   *group_base;
 intgroup_scope;
 LDAP   *ld;
+
+const char  *external_canon_ids[LDAP_EXTERNAL_IDS_MAX];
 } t_ptsm;
 
 #define PTSM_OK 0
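Review bot: `external_canon_ids` has exactly `LDAP_EXTERNAL_IDS_MAX` slots, but the parser terminates the list with `ptsm->external_canon_ids[i]=NULL` and `pts_is_external()` walks it until that NULL, so one slot must always be reserved for the terminator. Declare it as `const char *external_canon_ids[LDAP_EXTERNAL_IDS_MAX + 1];` or bound the fill loop at `LDAP_EXTERNAL_IDS_MAX - 1`; otherwise a full list writes the NULL one past the end of the array.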
@@ -526,6 +530,30 @@
ptsm->version = LDAP_VERSION3;
 
 ptsm->ld = NULL;
+
+int i=0, j=0, space=1;
+p = config_getstring(IMAPOPT_LDAP_EXTERNAL_IDS);
+if(p && strlen(p))
+{
+   /* Pull the identifiers out of the config option
+   ** and populate the array */
+   /* XXX FIXME: This ought to canonify as it goes */
+   char *q = NULL;
+   if(!(q = xstrdup(p)))
+   fatal("No memory for pts ldap external ids parser", EC_OSERR);
+   
+   for(j=0; q[j] && (iexternal_canon_ids[i++] = (q+j);
+   }
+   if(isspace(q[j])) {
+   space = 1;
+   q[j] = '\0';
+   }
+   }
+}
+ptsm->external_canon_ids[i]=NULL;
 }
 
 /*
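Review bot: the `XXX FIXME` about canonification is a correctness problem rather than a tidy-up: `pts_is_external()` compares an already canonified `canon_id` against the raw tokens split out of the config string, so an entry not typed in canonical form never matches and falls through to an LDAP lookup that fails. Either canonify each token here or make the option documentation require canonical form. Smaller points in the same block: `isspace(q[j])` should be `isspace((unsigned char)q[j])` to avoid undefined behaviour on high-bit bytes; the `int i=0, j=0, space=1;` declaration after statements relies on C99; and the `xstrdup()` NULL check is dead code since Cyrus's `xstrdup()` already calls `fatal()` on allocation failure. The duplicated buffer is intentionally never freed because the array points into it, which deserves a comment.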
@@ -1180,6 +1208,42 @@
 return rc;
 }
 
+static int ptsmodule_make_authstate_external (
+const char *canon_id,
+size_t size,
+const char **reply,
+int *dsize,
+struct auth_state **newstate)
+{
+syslog(LOG_DEBUG, "pts ldap fake authstate for external id '%s'.", 
canon_id);
+
+*dsize = sizeof(struct auth_state);
+*newstate = xmalloc(*dsize);
+if (*newstate == NULL) {
+*reply = "no memory";
+return PTSM_FAIL;
+}
+
+(*newstate)->ngroups = 0;
+strcpy((*newstate)->userid.id, canon_id);
+(*newstate)->userid.hash = strhash(canon_id);
+(*newstate)->mark = time(0);
+
+return PTSM_OK;
+}
+
+int pts_is_external(const char *canon_id)
+{
+int i;
+
+for( i=0; ptsm->external_canon_ids[i]; i++ )
+if( !strcmp( canon_id, ptsm->external_canon_ids[i] ) )
+return 1;
+
+return 0;
+}
+
+
 static struct auth_state *myauthstate(
 const char *identifier,
 size_t size,
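Review bot: `strcpy((*newstate)->userid.id, canon_id)` in `ptsmodule_make_authstate_external` copies into a fixed-size `id` field with no length check while the `size` parameter is left unused; use `strlcpy((*newstate)->userid.id, canon_id, sizeof((*newstate)->userid.id))` or reject identifiers longer than the field so a long external id cannot overrun the struct. `pts_is_external()` is neither `static` nor declared in a header, so it should be `static` like the other helpers in this file, and the `xmalloc()` NULL check is dead code for the same reason as in the parser hunk.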
@@ -1204,6 +1268,8 @@
 
 if (!strncmp(canon_id, "group:

Re: Ptloader configuration in Cyrus IMAP

2009-08-20 Thread nodens
Oops, about the slowness: it is really fast. The pts information is cached.
Actually, you will likely use ptexpire a lot when setting your groups at
first, to reset the cache.

On 8 20, 2009 8:10 PM, "Wil Cooley"  wrote:

On Wed, 2009-08-19 at 15:33 +0300, Evgeniy Arbatov wrote:
> Dear list,
>
> I want to ask your advic...
Do I understand correctly from this discussion and the sparse mention of
this in the documentation that the LDAP ptloader module can be used to
manage group ACLs with "auth_mech=pts/pts_module=ldap", instead of
"auth_mech=unix/unix_group_enable=1"?

Does this solve the slowness caused by UNIX groups in LDAP?

Does "auth_mech" affect anything else?

I have heretofore ignored mention of the pts/ptloader stuff because I
was under the impression that it was entirely AFS-related, which I have
no infrastructure for, but if this is the way to enable groups in LDAP
without the slowness, then I need to look more closely at this.

Wil
--
Wil Cooley 



Re: Ptloader configuration in Cyrus IMAP

2009-08-20 Thread nodens
Hi,

I stumbled onto this before. What is not clearly stated in the doc is that
if you use auth_mech: pts, every user needs to exist in the pts database
(ldap in your case). Well, maybe it is clearly stated, but I overlooked it
;-)

That said, you do not need AFS to use pts, though it seems to be very AFS
oriented.

Kind regards,

Clement Hermann
P.S.: Sorry about the top posting: blame the stupid android gmail
client...

On 8 20, 2009 8:10 PM, "Wil Cooley"  wrote:

On Wed, 2009-08-19 at 15:33 +0300, Evgeniy Arbatov wrote:
> Dear list,
>
> I want to ask your advic...
Do I understand correctly from this discussion and the sparse mention of
this in the documentation that the LDAP ptloader module can be used to
manage group ACLs with "auth_mech=pts/pts_module=ldap", instead of
"auth_mech=unix/unix_group_enable=1"?

Does this solve the slowness caused by UNIX groups in LDAP?

Does "auth_mech" affect anything else?

I have heretofore ignored mention of the pts/ptloader stuff because I
was under the impression that it was entirely AFS-related, which I have
no infrastructure for, but if this is the way to enable groups in LDAP
without the slowness, then I need to look more closely at this.

Wil
--
Wil Cooley 



Re: Ptloader configuration in Cyrus IMAP

2009-08-20 Thread Wil Cooley
On Wed, 2009-08-19 at 15:33 +0300, Evgeniy Arbatov wrote:
> Dear list,
> 
> I want to ask your advice on the use of ptloader for LDAP-based
> authorization in Cyrus IMAP.

Do I understand correctly from this discussion and the sparse mention of
this in the documentation that the LDAP ptloader module can be used to
manage group ACLs with "auth_mech=pts/pts_module=ldap", instead of
"auth_mech=unix/unix_group_enable=1"?

Does this solve the slowness caused by UNIX groups in LDAP?

Does "auth_mech" affect anything else?

I have heretofore ignored mention of the pts/ptloader stuff because I
was under the impression that it was entirely AFS-related, which I have
no infrastructure for, but if this is the way to enable groups in LDAP
without the slowness, then I need to look more closely at this.

Wil
-- 
Wil Cooley 



Re: Ptloader configuration in Cyrus IMAP

2009-08-20 Thread Marc Patermann
Hi,

Evgeniy Arbatov schrieb:
> Thank you for your suggestions! They helped me a great deal.
> The situation is better now, in a sense that ptloader connects to LDAP
> and finds something.
OK. :)

> After corrections my imapd.conf:
This is what I have.

auth_mech: pts
pts_module: ldap
ptloader_sock: /var/lib/imap/socket/ptclient
sasl_mech_list: PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
sasl_log_level: 5
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://tfas099.foo
sasl_ldapdb_id: xxx
sasl_ldapdb_pw: 
sasl_ldapdb_mech:  PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
allowplaintext: yes
sasl_minimum_layer: 0
sasl_ldapdb_starttls: Demand
sasl_ldap_search_base: ou=humans,ou=foo
sasl_ldap_search_filter: maildrop=%U
lmtp_overquota_perm_failure: no
maxmessagesize: 2500

ldap_id: 
ldap_sasl: 1
ldap_password: 
ldap_uri: ldap://tfas099.foo
ldap_mech: PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
ldap_tls_cacert_file: /opt/mail/etc/openldap/ssl/ca2006.pem
ldap_tls_cert: /opt/mail/etc/openldap/ssl/cert2006.pem
ldap_tls_key: /opt/mail/etc/openldap/ssl/key2006.pem
ldap_base: ou=humans,ou=foo
ldap_group_base: ou=gruppen,ou=humans,ou=foo
ldap_group_filter: ou=%U
ldap_member_attribute: member
ldap_group_scope: sub
ldap_member_method: attribute


> The LDAP now looks as following:
I use group like you did before.


Marc




Re: Ptloader configuration in Cyrus IMAP

2009-08-20 Thread Evgeniy Arbatov
Thank you for your suggestions! They helped me a great deal.
The situation is better now, in a sense that ptloader connects to LDAP
and finds something.

After corrections my imapd.conf:

auth_mech: pts
pts_module: ldap
ptloader_sock: /var/lib/imap/socket/ptsock
ldap_uri: ldaps://ldap.example.com:636
ldap_sasl: 0
ldap_size_limit: 20
ldap_filter: (uid=%U)
ldap_group_filter: (cn=%u)
ldap_member_method: filter
ldap_member_filter: (memberUid=%u)
ldap_member_attribute: cn
ldap_base: dc=example,dc=com
ldap_group_base: ou=groups,ou=people,dc=example,dc=com
ldap_member_base: ou=groups,ou=people,dc=example,dc=com

The LDAP now looks as following:

dn: cn=admins,ou=groups,ou=people,dc=example,dc=com
cn: admins
memberUid: earbatov
memberUid: user

I modified the permissions for the admins group:

sam user/postmaster group:admins lrswipkxte

The logs for ptloader now have:

 mail imaps[17540]: ptload(): pinging ptloader
 mail imaps[17540]: connected with no delay
 mail imaps[17540]: ptload(): connected
 mail imaps[17540]: timeout_select: sock = 17, rp = 0x0, wp =
0x4aa71af0, sec = 30
 mail imaps[17540]: timeout_select exiting. r = 1; errno = 0
 mail ptloader[17538]: accepted connection
 mail imaps[17540]: ptload sent data
 mail imaps[17540]: timeout_select: sock = 17, rp = 0x4aa71b70, wp =
0x0, sec = 30
 mail imaps[17540]: timeout_select exiting. r = 1; errno = 0
 mail imaps[17540]: ptload read data back
 mail imaps[17540]: ptload(): empty response from ptloader server
 mail master[17508]: process 17538 exited, signaled to death by 11
 mail master[17508]: service ptloader pid 17538 in READY state:
terminated abnormally
 mail imaps[17540]: No data available at all from ptload()
 mail imaps[17540]: ptload completely failed: unable to canonify
identifier: earbatov
 mail imaps[17540]: badlogin: net.example.com [192.168.0.78] plaintext
earbatov invalid user
 mail master[17613]: about to exec /usr/lib/cyrus-imapd/ptloader
 mail ptloader[17613]: executed
 mail ptloader[17613]: starting: $Id: ptloader.c,v 1.32.2.9 2005/02/25
07:19:06 shadow Exp $

The LDAP logs show this:

ldap slapd[30259]: conn=20 op=2 SRCH
base="ou=groups,ou=people,dc=example,dc=com" scope=2 deref=0
filter="(memberUid=earbatov)"
ldap slapd[30259]: conn=20 op=2 SRCH attr=cn
ldap slapd[30259]: conn=20 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

And the ptdump tells:

user: admins time: 1250751529 groups: 0
user: cyrusimap time: 1250751556 groups: 0
user: group:admins time: 1250751780 groups: 0
user: postmaster time: 1250751701 groups: 0

Needless to say, the authorization fails, without even giving me
access to usual, not shared mailboxes.

>> EA> pts_module: ldap
>>
>> This module is currently very difficult to configure, IMHO.
> That's true. :) But it's doable.

I would be glad not to use this pts_module, but if I leave it to defaults I see:

 mail ptloader[18396]: starting: $Id: ptloader.c,v 1.32.2.9 2005/02/25
07:19:06 shadow Exp $
 mail ptloader[18396]: PTS module afskrb not supported
 mail master[18364]: process 18428 exited, status 75
 mail master[18364]: service ptloader pid 18428 in READY state:
terminated abnormally

Please refer me to any instructions on pts_module, if I do need to make changes.

One more question: I am confused about the role of ldap_group_filter
and ldap_group_base. Isn't ldap_member* enough?

Evgeniy



Re: Ptloader configuration in Cyrus IMAP

2009-08-19 Thread Marc Patermann
Duncan,

Duncan Gibb schrieb:

> EA> pts_module: ldap
> 
> This module is currently very difficult to configure, IMHO.
That's true. :) But it's doable.

> EA> ldap_member_method: attribute
> 
> This method doesn't work the way you might expect.  It finds the user
> object and wants to see the names of the groups of which the user is a
> member in the named attribute of the user.  For example:
> 
> dn: cn=Evgeniy Arbatov,ou=users,ou=people,dc=example,dc=com
> cn: Evgeniy Arbatov
> ou: admins
> ou: othergroup
> ou: thirdgroup
> 
> If you want to put the names of the members into the group objects, you
> probably need to use the filter method.
> 
>> dn: cn=admins,ou=groups,ou=people,dc=example,dc=com
>> uid: admins
>> member: cn=Evgeniy Arbatov,ou=users,ou=people,dc=example,dc=com
> 
> I don't believe the current implementation supports this style of group
> membership (groupOfUniqueNames and similar).  It's much more orientated
> towards posixGroup-style groups.
It does, IMHO. Here is my config:

ldap_id: xxx
ldap_sasl: 1
ldap_password: 
ldap_uri: ldap://tfas099.foo
ldap_mech: PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
ldap_tls_cacert_file: /opt/mail/etc/openldap/ssl/ca2006.pem
ldap_tls_cert: /opt/mail/etc/openldap/ssl/cert2006.pem
ldap_tls_key: /opt/mail/etc/openldap/ssl/key2006.pem
ldap_base: ou=humans,ou=foo
ldap_group_base: ou=gruppen,ou=humans,ou=foo
ldap_group_filter: ou=%U
ldap_member_attribute: member
ldap_group_scope: sub
ldap_member_method: attribute


Marc



Re: Ptloader configuration in Cyrus IMAP

2009-08-19 Thread Marc Patermann
Evgeniy,

Evgeniy Arbatov schrieb:
> Dear list,
> 
> I want to ask your advice on the use of ptloader for LDAP-based
> authorization in Cyrus IMAP.
> 
> I configured my Cyrus IMAP to use ptloader:
> [...] 
> Can you tell where I am wrong?
auth_mech: pts was mentioned before.
Did you set ptloader_sock in imapd.conf?

What does the log say about ptloader? Does it start? Does it get any data?


Marc



Re: Ptloader configuration in Cyrus IMAP

2009-08-19 Thread Duncan Gibb
Evgeniy Arbatov wrote:

EA> pts_module: ldap

This module is currently very difficult to configure, IMHO.  I've posted
previously that there's scope for a mini-project to make it behave more
similarly to other LDAP-group-orientated things such as nss_ldap or
saslauthd.


EA> ldap_member_method: attribute

This method doesn't work the way you might expect.  It finds the user
object and wants to see the names of the groups of which the user is a
member in the named attribute of the user.  For example:

dn: cn=Evgeniy Arbatov,ou=users,ou=people,dc=example,dc=com
cn: Evgeniy Arbatov
ou: admins
ou: othergroup
ou: thirdgroup

If you want to put the names of the members into the group objects, you
probably need to use the filter method.

> dn: cn=admins,ou=groups,ou=people,dc=example,dc=com
> uid: admins
> member: cn=Evgeniy Arbatov,ou=users,ou=people,dc=example,dc=com

I don't believe the current implementation supports this style of group
membership (groupOfUniqueNames and similar).  It's much more orientated
towards posixGroup-style groups.  Can you make your data look like

dn: cn=admins,ou=groups,ou=people,dc=example,dc=com
cn: admins
memberuid: earbatov
memberuid: otherperson

Then configure

ldap_member_method:filter
ldap_member_filter:(memberUid=%u)
ldap_member_attribute: cn


EA> Via cyradm I add needed permissions for admins group:

>>> sam user/postmaster admins lrswipkxte

"group:admins" ?

EA> Moreover, I do not see any attempts of Cyrus IMAP to query
EA> LDAP for authorization information. I know that TLS is
EA> working for this LDAP connection.

The ptdump utility will show you the current state of the cache, eg:

user: earbatov time: NN groups: 1
  group: admins


Cheers


Duncan


-- 
Duncan Gibb - Technical Director
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk/ || t: +44 870 608 0063
Debian Cyrus Team - https://alioth.debian.org/projects/pkg-cyrus-imapd/
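The two ldap_member_method behaviours described in this message, modelled as an added example (not Cyrus code and not Duncan's): a constructed in-memory directory stands in for LDAP, the user entry is found with ldap_filter, and membership is then resolved either from an attribute of the user entry or by searching the group base. It simplifies ptloader's token set by treating %u and %U the same and only supports single equality filters.

```python
import re

# Constructed sample directory (not a real LDAP server): DN -> {attribute: [values]}.
# Attribute names are stored lower-cased, as LDAP attribute names are case-insensitive.
DIRECTORY = {
    "cn=Evgeniy Arbatov,ou=users,ou=people,dc=example,dc=com": {
        "cn": ["Evgeniy Arbatov"],
        "uid": ["earbatov"],
        "ou": ["admins", "othergroup"],   # group *names* on the user entry
    },
    # groupOfNames style: members listed as DNs (the original poster's data)
    "cn=admins,ou=groups,ou=people,dc=example,dc=com": {
        "cn": ["admins"],
        "member": ["cn=Evgeniy Arbatov,ou=users,ou=people,dc=example,dc=com"],
    },
    # posixGroup style: members listed by login name (what the filter method wants)
    "cn=staff,ou=groups,ou=people,dc=example,dc=com": {
        "cn": ["staff"],
        "memberuid": ["earbatov", "otherperson"],
    },
}

def search(base, filt):
    """Subtree search for a single equality filter such as '(memberUid=earbatov)'."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if m is None:
        raise ValueError("only simple (attr=value) filters are modelled: %r" % filt)
    attr, value = m.group(1).lower(), m.group(2)
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and value in entry.get(attr, [])]

def expand(template, user):
    """Substitute the login name for %u/%U (a simplification of ptloader's tokens)."""
    return template.replace("%U", user).replace("%u", user)

def resolve_groups(conf, user):
    """Return the group names ptloader would cache for `user`, or None when the
    identifier cannot be canonified (no single matching user entry)."""
    hits = search(conf["ldap_base"], expand(conf["ldap_filter"], user))
    if len(hits) != 1:
        return None
    user_dn = hits[0]
    member_attr = conf["ldap_member_attribute"].lower()
    if conf["ldap_member_method"] == "attribute":
        # The named attribute of the *user* entry is read as a list of group names.
        return sorted(DIRECTORY[user_dn].get(member_attr, []))
    # "filter": search the group base with ldap_member_filter and collect
    # ldap_member_attribute from every group entry that matches.
    groups = search(conf["ldap_member_base"], expand(conf["ldap_member_filter"], user))
    return sorted(v for dn in groups for v in DIRECTORY[dn].get(member_attr, []))

BASE_CONF = {"ldap_base": "dc=example,dc=com", "ldap_filter": "(uid=%U)",
             "ldap_member_base": "ou=groups,ou=people,dc=example,dc=com"}
# Three settings discussed in the thread.
ATTR_OU = dict(BASE_CONF, ldap_member_method="attribute", ldap_member_attribute="ou")
ATTR_MEMBER = dict(BASE_CONF, ldap_member_method="attribute", ldap_member_attribute="member")
FILTER_MEMBERUID = dict(BASE_CONF, ldap_member_method="filter",
                        ldap_member_filter="(memberUid=%u)", ldap_member_attribute="cn")

if __name__ == "__main__":
    for name, conf in (("attribute/ou", ATTR_OU), ("attribute/member", ATTR_MEMBER),
                       ("filter/memberUid", FILTER_MEMBERUID)):
        print(name, "->", resolve_groups(conf, "earbatov"))
```

With the DN-valued `member` attribute on the group object, neither setting finds the admins group for earbatov, which matches the `groups: 0` lines ptdump showed later in the thread; only the memberUid-style group is picked up by the filter method.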



Re: Ptloader configuration in Cyrus IMAP

2009-08-19 Thread Reinaldo de Carvalho
On Wed, Aug 19, 2009 at 10:02 AM, Evgeniy
Arbatov wrote:
> On Wed, Aug 19, 2009 at 3:45 PM, Reinaldo de
> Carvalho wrote:
>> On Wed, Aug 19, 2009 at 9:33 AM, Evgeniy
>> Arbatov wrote:
>>
>>> Via cyradm I add needed permissions for admins group:
>>>
 sam user/postmaster admins lrswipkxte
>>>
>>> Then I successfully authenticate using earbatov UID, but shared
>>> folders are not visible in the Thunderbird.
>>>
>>
>> Do you subscribe mailbox?
>>
>
> I can not yet subscribe in the Thunderbird, since I do not see the
> mailbox in the subscription list. One more note: if I configure shared
> access locally via cyradm interface, without using the ptloader and
> LDAP - everything works as expected.
>
> Evgeniy
>

auth_mech: pts

-- 
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"Don't try to adapt the software to the way you work, but rather
yourself to the way the software works" (myself)



Re: Ptloader configuration in Cyrus IMAP

2009-08-19 Thread Reinaldo de Carvalho
On Wed, Aug 19, 2009 at 9:33 AM, Evgeniy
Arbatov wrote:

> Via cyradm I add needed permissions for admins group:
>
>> sam user/postmaster admins lrswipkxte
>
> Then I successfully authenticate using earbatov UID, but shared
> folders are not visible in the Thunderbird.
>

Do you subscribe mailbox?

-- 
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"Don't try to adapt the software to the way you work, but rather
yourself to the way the software works" (myself)



Ptloader configuration in Cyrus IMAP

2009-08-19 Thread Evgeniy Arbatov
Dear list,

I want to ask your advice on the use of ptloader for LDAP-based
authorization in Cyrus IMAP.

I configured my Cyrus IMAP to use ptloader:

ldap_uri: ldaps://ldap.example.com:636

ldap_sasl: 0
pts_module: ldap

ldap_filter: (uid=%U)
ldap_base: dc=example,dc=com

ldap_group_filter: (cn=%u)
ldap_group_base: ou=groups,ou=people,dc=example,dc=com

ldap_member_method: attribute
ldap_member_attribute: member
ldap_member_base: ou=users,ou=people,dc=example,dc=com

ldap_size_limit: 20

In the LDAP I have the following entries:

dn: cn=admins,ou=groups,ou=people,dc=example,dc=com
uid: admins
member: cn=Evgeniy Arbatov,ou=users,ou=people,dc=example,dc=com

dn: cn=Evgeniy Arbatov,ou=users,ou=people,dc=example,dc=com
uid: earbatov

Via cyradm I add needed permissions for admins group:

> sam user/postmaster admins lrswipkxte

Then I successfully authenticate using earbatov UID, but shared
folders are not visible in the Thunderbird.

Moreover, I do not see any attempts of Cyrus IMAP to query LDAP for
authorization information. I know that TLS is working for this LDAP
connection.

Can you tell where I am wrong?

Thank you very much!

Regards,
Evgeniy
