Re: alternative login names

2013-02-04 Thread Marc Patermann
Wolfgang,

Wolfgang Rosenauer schrieb (03.02.2013 20:29 Uhr):

 I'm running Cyrus imapd 2.3.x since quite some time for a group of users.
 My setup is LDAP based using saslauthd to pam_ldap currently and works 
 just fine. But now I want to allow access to the mailboxes using the 
 email address as an alternative to the system username.
 
 I have no real idea where to start how I could achieve that w/o changing 
 the whole architecture of the system.
 Someone got a hint for me what to look at?
I don't know much about pam_ldap, but as you have all the data in LDAP, 
why not switch to auxprop ldapdb and configure your LDAP to map the 
existing logins and mail address to the same object?


Marc

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus


Re: alternative login names

2013-02-04 Thread Wolfgang Rosenauer
Thanks Marc,


On Mon, Feb 4, 2013 at 10:07 AM, Marc Patermann 
hans.mo...@ofd-z.niedersachsen.de wrote:

 Wolfgang Rosenauer schrieb (03.02.2013 20:29 Uhr):


  I'm running Cyrus imapd 2.3.x since quite some time for a group of users.
 My setup is LDAP based using saslauthd to pam_ldap currently and works
 just fine. But now I want to allow access to the mailboxes using the email
 address as an alternative to the system username.

 I have no real idea where to start how I could achieve that w/o changing
 the whole architecture of the system.
 Someone got a hint for me what to look at?

 I don't know much about pam_ldap, but as you have all the data in LDAP,
 why not switch to auxprop ldapdb and configure your LDAP to map the
 existing logins and mail address to the same object?


I actually needed a pointer into the right direction and I guess that is
one.
I've never used sasl ldapdb though and I have a hard time figuring out how
and what to do.
From the documentation I found it's also not clear to me if a crypted
userPassword as I use in my LDAP can be used in that setup.

If I understand correctly all the hard work to match usernames is done via
some regexp which should be powerful enough to let me search the login name
in uid and mail attributes?

Or did you actually refer to a different mapping in LDAP?

Is there some sort of HOWTO somewhere or is all the information really
spread in openldap, sasl and imapd documentation only?


Thanks,
 Wolfgang


Re: alternative login names

2013-02-04 Thread Marc Patermann
Wolfgang,

Wolfgang Rosenauer schrieb (04.02.2013 14:25 Uhr):
 On Mon, Feb 4, 2013 at 10:07 AM, Marc Patermann 
 hans.mo...@ofd-z.niedersachsen.de wrote:
 
 Wolfgang Rosenauer schrieb (03.02.2013 20:29 Uhr):
 
 
 I'm running Cyrus imapd 2.3.x since quite some time for a group
 of users.
 My setup is LDAP based using saslauthd to pam_ldap currently and
 works just fine. But now I want to allow access to the mailboxes
 using the email address as an alternative to the system username.
 
 I have no real idea where to start how I could achieve that w/o
 changing the whole architecture of the system.
 Someone got a hint for me what to look at?
 
 I don't know much about pam_ldap, but as you have all the data in
 LDAP, why not switch to auxprop ldapdb and configure your LDAP to
 map the existing logins and mail address to the same object?
 
 
 I actually needed a pointer into the right direction and I guess that is 
 one.
 I've never used sasl ldapdb though and I have a hard time figuring out 
 how and what to do.
There are not too many options specific to ldapdb in SASL: 
http://cyrusimap.org/docs/cyrus-sasl/2.1.25/options.php

Mine is somewhat like that:
sasl_mech_list: PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
sasl_log_level: 5
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://server.name
sasl_ldapdb_id: adminuser
sasl_ldapdb_pw: adminusersPW
sasl_ldapdb_mech:  PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
sasl_minimum_layer: 0
sasl_ldapdb_starttls: demand

There are a few threads in the archive here.
http://asg.andrew.cmu.edu/archive/index.php?mailbox=archive.info-cyrus

  From the documentation I found it's also not clear to me if a crypted 
 userPassword as I use in my LDAP can be used in that setup.
Look at this thread:
http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&searchterm=auxprop%20ldap&msg=54167

 If I understand correctly all the hard work to match usernames is done 
 via some regexp which should be powerful enough to let me search the 
 login name in uid and mail attributes?
You have openLDAP, right?

Mostly yes. You need regex for Mapping Authentication Identities
http://www.openldap.org/doc/admin24/sasl.html#Mapping%20Authentication%20Identities
You may need SASL Proxy Authorization to switch from your ldapdb_id to 
the authenticating user.

 Or did you actually refer to a different mapping in LDAP?
 
 Is there some sort of HOWTO somewhere or is all the information really 
 spread in openldap, sasl and imapd documentation only?
These are the tools involved. :)
But the least is IMAPd, SASL is few and most is openLDAP mapping.


Marc



Re: alternative login names

2013-02-04 Thread Adam Tauno Williams
On Mon, 2013-02-04 at 14:25 +0100, Wolfgang Rosenauer wrote:
 I actually needed a pointer into the right direction and I guess that
 is one.
 I've never used sasl ldapdb though and I have a hard time figuring out
 how and what to do.

I have some examples for using ldapdb @
http://www.wmmi.net/documents/LDAP103.pdf

 From the documentation I found it's also not clear to me if a crypted
 userPassword as I use in my LDAP can be used in that setup.

H.  I can't recall off the top of my head.  I believe it SHOULD be
possible to do LOGIN/PLAIN auth via ldapdb.

 If I understand correctly all the hard work to match usernames is done
 via some regexp which should be powerful enough to let me search the
 login name in uid and mail attributes?

Yes, the matching regex is key.  And confusing, at first.

 Or did you actually refer to a different mapping in LDAP?
 Is there some sort of HOWTO somewhere or is all the information really
 spread in openldap, sasl and imapd documentation only?

Maybe the above PDF will help?


-- 
Adam Tauno Williams  GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA




Re: alternative login names

2013-02-04 Thread Dan White
On 02/04/13 09:08 -0500, Adam Tauno Williams wrote:
On Mon, 2013-02-04 at 14:25 +0100, Wolfgang Rosenauer wrote:
 I actually needed a pointer into the right direction and I guess that
 is one.
 I've never used sasl ldapdb though and I have a hard time figuring out
 how and what to do.

I have some examples for using ldapdb @
http://www.wmmi.net/documents/LDAP103.pdf

 From the documentation I found it's also not clear to me if a crypted
 userPassword as I use in my LDAP can be used in that setup.

H.  I can't recall off the top of my head.  I believe it SHOULD be
possible to do LOGIN/PLAIN auth via ldapdb.

It should be possible to continue to use saslauthd for authentication (with
crypted passwords) and then use ldapdb just as a canonicalization plugin.

 If I understand correctly all the hard work to match usernames is done
 via some regexp which should be powerful enough to let me search the
 login name in uid and mail attributes?

Yes, the matching regex is key.  And confusing, at first.

 Or did you actually refer to a different mapping in LDAP?
 Is there some sort of HOWTO somewhere or is all the information really
 spread in openldap, sasl and imapd documentation only?

Maybe the above PDF will help?

-- 
Dan White



Re: alternative login names

2013-02-04 Thread Dan White
On 02/03/13 20:29 +0100, Wolfgang Rosenauer wrote:
Hi,

I'm running Cyrus imapd 2.3.x since quite some time for a group of users.
My setup is LDAP based using saslauthd to pam_ldap currently and works just
fine. But now I want to allow access to the mailboxes using the email
address as an alternative to the system username.

I have no real idea where to start how I could achieve that w/o changing
the whole architecture of the system.
Someone got a hint for me what to look at?

To allow users to login using a different username than the name of the
mailbox, use a canonicalization plugin, such as ldapdb.

-- 
Dan White



Re: alternative login names

2013-02-04 Thread Wolfgang Rosenauer
On Mon, Feb 4, 2013 at 3:27 PM, Dan White dwh...@olp.net wrote:

 On 02/04/13 09:08 -0500, Adam Tauno Williams wrote:
 On Mon, 2013-02-04 at 14:25 +0100, Wolfgang Rosenauer wrote:
  I actually needed a pointer into the right direction and I guess that
  is one.
  I've never used sasl ldapdb though and I have a hard time figuring out
  how and what to do.
 
 I have some examples for using ldapdb @
 http://www.wmmi.net/documents/LDAP103.pdf
 
  From the documentation I found it's also not clear to me if a crypted
  userPassword as I use in my LDAP can be used in that setup.
 
 H.  I can't recall off the top of my head.  I believe it SHOULD be
 possible to do LOGIN/PLAIN auth via ldapdb.

 It should be possible to continue to use saslauthd for authentication (with
 crypted passwords) and then use ldapdb just as a canonicalization plugin.


I played around some more with openldap's SASL and ran exactly into the
issue that SASL seems to explicitly _not_ support CRYPT userPasswords.
So yes, keeping saslauthd using PAM would help with that.
But now after reading quite some stuff about ldapdb I still have no idea
how "use ldapdb just as a canonicalization plugin" would look. Any
pointers to documentation which shows how that comes together starting from
imapd.conf?

I found some snippets for example here:
http://comments.gmane.org/gmane.mail.imap.cyrus/29985

But this is the other way round as I'd like it to behave. I have simple
login names but want to allow people to login with their email address.
As I understand the canonicalization feature it would return any attribute
from an ldap entry but I'd need to search for the mail attribute and return
the uid.
Or does it do the same sasl_regexp stuff so I could create a search from a
sasl request?


Wolfgang

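The mapping Marc points at (OpenLDAP's "Mapping Authentication Identities") and the search Wolfgang describes (look the login up in uid *or* mail, hand back the uid) fit together as one authz-regexp rule. The block below is an added simulation, not code from the thread or from OpenLDAP: it applies an assumed slapd.conf rule to the SASL auth DN, evaluates the resulting LDAP URL against a constructed in-memory directory, and enforces the exactly-one-match rule that slapd applies before it trusts such a mapping. The tree, entries and attribute names are assumptions.

```python
import re

# Constructed stand-in for the LDAP people tree (not real data).
DIRECTORY = [
    {"uid": "wrosenauer", "mail": "wolfgang@example.org"},
    {"uid": "mpatermann", "mail": "marc@example.org"},
    {"uid": "help1", "mail": "helpdesk@example.org"},  # shared address,
    {"uid": "help2", "mail": "helpdesk@example.org"},  # deliberately ambiguous
]

# Assumed slapd.conf authz-regexp rule: match the SASL auth DN and rewrite it
# into a search that accepts the login as either uid or mail ($1 = login).
AUTHZ_REGEXP = (
    r"^uid=([^,]*),cn=[^,]*,cn=auth$",
    "ldap:///ou=people,dc=example,dc=org??sub?(|(uid=$1)(mail=$1))",
)
CANON_ATTR = "uid"  # the attribute ldapdb_canon_attr would hand back to Cyrus

def escape_filter_value(value):
    """RFC 4515 escaping so a login such as '*' cannot widen the search."""
    return "".join(c if c not in "\\*()\0" else "\\%02x" % ord(c) for c in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def rewrite_auth_dn(login, mech="PLAIN"):
    """Build the 'uid=<login>,cn=<mech>,cn=auth' DN slapd sees and apply the rule."""
    auth_dn = "uid=%s,cn=%s,cn=auth" % (login, mech.lower())
    m = re.match(AUTHZ_REGEXP[0], auth_dn)
    if not m:
        return None
    return AUTHZ_REGEXP[1].replace("$1", escape_filter_value(m.group(1)))

def search(ldap_url):
    """Evaluate the (|(attr=val)...) filter of the rewritten URL over DIRECTORY."""
    filt = ldap_url.split("?")[3]
    terms = [(a, unescape_filter_value(v))
             for a, v in re.findall(r"\((\w+)=((?:\\.|[^)\\])*)\)", filt)]
    return [e for e in DIRECTORY if any(e.get(a) == v for a, v in terms)]

def canonicalize(login, mech="PLAIN"):
    """Mailbox name for a login, or None when it maps to zero or several entries."""
    url = rewrite_auth_dn(login, mech)
    if url is None:
        return None
    hits = search(url)
    return hits[0][CANON_ATTR] if len(hits) == 1 else None
```

A shared address that belongs to two entries is refused rather than guessed, which is the behaviour you want from a canonicalization step that decides whose mailbox gets opened.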

Re: alternative login names

2013-02-04 Thread Marc Patermann
Wolfgang

Wolfgang Rosenauer schrieb (04.02.2013 18:03 Uhr):

 I played around some more with openldap's SASL and ran exactly into the 
 issue that SASL seems to explicitly _not_ support CRYPT userPasswords.
 So yes, keeping saslauthd using PAM would help with that.
What did you test? (I did not do it myself.)
Like an ldapsearch with -Y cram-md5 or -Y plain both do not work 
against an object where userPassword is encrypted with CRYPT?
And both do work while it is encrypted with like SHA or unencrypted?


Marc



Re: alternative login names

2013-02-04 Thread Wolfgang Rosenauer
On Mon, Feb 4, 2013 at 6:44 PM, Marc Patermann 
hans.mo...@ofd-z.niedersachsen.de wrote:

 Wolfgang

 Wolfgang Rosenauer schrieb (04.02.2013 18:03 Uhr):


  I played around some more with openldap's SASL and ran exactly into the
 issue that SASL seems to explicitly _not_ support CRYPT userPasswords.
 So yes, keeping saslauthd using PAM would help with that.

 What did you test? (I did not do it myself.)
 Like an ldapsearch with -Y cram-md5 or -Y plain both do not work
 against an object where userPassword is encrypted with CRYPT?
 And both do work while it is encrypted with like SHA or unencrypted?


DIGEST-MD5 did not work (as expected) and PLAIN also failed with

slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined
SASL [conn=1004] Failure: Password verification failed

When I googled for that issue I found statements that SASL cannot handle
CRYPT passwords and tries to fall back to cmusaslsecret what I do not have.
I haven't tried plain passwords since I have no test setup at the moment
and didn't want to kill the production mail server.

Wolfgang


Re: alternative login names

2013-02-04 Thread Charles Bradshaw
Gentlemen

Sorry to butt into this thread at so late a stage. Indeed SASL does not support
encrypted passwords because it can't!

SASL CRAM-MD5 and DIGEST-MD5 do not transmit the password over the link, as a
consequence both the client and the server need knowledge of the clear text.

It is possible to store encrypted passwords in some kind of database provided
that the lookup mechanism is capable of doing the de-crypt. Mysql AES is one
possibility.

Both MD5 and SHA are one-way hashing functions! Password verification
against either requires knowledge of the clear text!

Charles Bradshaw

On Mon, 4 Feb 2013 18:44:48 +0100, Marc Patermann wrote:

 Wolfgang
 
 Wolfgang Rosenauer schrieb (04.02.2013 18:03 Uhr):
 
  I played around some more with openldap's SASL and ran exactly into the 
  issue that SASL seems to explicitly _not_ support CRYPT userPasswords.
  So yes, keeping saslauthd using PAM would help with that.
 What did you test? (I did not do it myself.)
 Like an ldapsearch with -Y cram-md5 or -Y plain both do not work 
 against an object where userPassword is encrypted with CRYPT?
 And both do work while it is encrypted with like SHA or unencrypted?
 
 Marc

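Charles's point, and the reason Wolfgang's PLAIN test went looking for cmusaslsecretPLAIN, can be shown in a few lines: CRAM-MD5 (RFC 2195) is an HMAC-MD5 over a server challenge keyed with the cleartext password, so the server can only verify it if it holds the cleartext, while PLAIN and LOGIN deliver the password itself and can therefore be checked against a hash by PAM or saslauthd. This is an added illustration, not code from the thread; the user, challenge, salt and the salted SHA-256 hash that stands in for a crypt()/{SSHA} userPassword are all constructed.

```python
import hashlib
import hmac

# --- what the server stores for one user (constructed sample secrets) ---
CLEARTEXT = "correct horse"          # what a cmusaslsecretPLAIN-style store holds
SALT = b"constructed-salt"
# Stand-in for a one-way crypt()/{SSHA} userPassword: only the digest is kept.
HASHED = hashlib.sha256(SALT + CLEARTEXT.encode()).hexdigest()

def cram_md5_response(username, password, challenge):
    """Client side of RFC 2195: HMAC-MD5 of the challenge keyed with the cleartext."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return "%s %s" % (username, digest)

def verify_cram_md5(response, challenge, stored_cleartext):
    """Server side: recompute the HMAC, which requires the cleartext password."""
    username, _, digest = response.partition(" ")
    expected = hmac.new(stored_cleartext.encode(), challenge, hashlib.md5).hexdigest()
    return username, hmac.compare_digest(expected, digest)

def verify_cram_md5_against_hash(response, challenge, stored_hash):
    """What a server with only a hash can do: key the HMAC with the hash.
    The client keyed it with the password, so this can never match."""
    _, _, digest = response.partition(" ")
    expected = hmac.new(stored_hash.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def verify_plain(password, stored_hash):
    """PLAIN/LOGIN send the password itself (inside TLS), so the server can
    hash the candidate and compare, exactly what pam_ldap/saslauthd do."""
    candidate = hashlib.sha256(SALT + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, stored_hash)

if __name__ == "__main__":
    # Challenge in the RFC 2195 msg-id style; a real server makes a fresh one
    # per connection so a captured response cannot be replayed.
    chal = b"<1234.1360000000@mail.example.org>"
    resp = cram_md5_response("wrosenauer", CLEARTEXT, chal)
    print(verify_cram_md5(resp, chal, CLEARTEXT))          # ('wrosenauer', True)
    print(verify_cram_md5_against_hash(resp, chal, HASHED))  # False
    print(verify_plain(CLEARTEXT, HASHED))                   # True
```

The practical consequence for this thread is the split Dan describes: keep the hashed userPassword and let PLAIN/LOGIN through saslauthd verify it, and use ldapdb only to map the login name to the mailbox.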