Re: VirtDomains, DefaultDomain, and SASL
Is there a better list I should send this question to? I am guessing from the lack of response that I am sending to the wrong list. Sorry, and thank you for any pointers to the proper place to get help.

-- Forwarded Message --
Subject: VirtDomains, DefaultDomain, and SASL
Date: Tuesday 01 June 2004 02:54 pm
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Hello All,

I have:

    cyrus-imapd-2.2.3
    cyrus-sasl-2.1.14
    openldap-2.1.26

sasl is set to use ldap. My sasl ldap conf file follows:

    ldap_servers: ldap://localhost
    ldap_bind_dn: cn=cyrus,ou=users,dc=internal,dc=root
    ldap_bind_pw: neener
    ldap_version: 3
    ldap_timeout: 10
    ldap_time_limit: 10
    ldap_scope: sub
    ldap_search_base: dc=root
    ldap_auth_method: bind
    ldap_filter: ((dc:dn:=%d)(mail=%U))
    ldap_password_attr: userPassword

My imapd.conf follows:

    admins: cyrus
    hashimapspool: yes
    allowanonymouslogin: no
    allowplaintext: yes
    lmtp_allowplaintext: yes
    lmtp_downcase_rcpt: yes
    virtdomains: yes
    defaultdomain: internal
    altnamespace: yes
    sasl_pwcheck_method: saslauthd
    sasl_mech_list: PLAIN LOGIN

When using imtest like imtest -a [EMAIL PROTECTED] 127.0.0.1, I can authenticate fine. Also imtest -a [EMAIL PROTECTED] 127.0.0.1 works too. But imtest -a cyrus 127.0.0.1 doesn't work.

Shouldn't the defaultdomain value be appended when authenticating via sasl? And would login via cyrus be a global admin, and not just an admin for the internal domain?

Thanks,
Steven

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: VirtDomains, DefaultDomain, and SASL
On Wed, 2 Jun 2004, [EMAIL PROTECTED] wrote:

> Is there a better list I should send this question to? I am guessing from the lack of response that I am sending to the wrong list. Sorry, and thank you for any pointers to the proper place to get help.

Show some patience... :-)

> -- Forwarded Message --
> Subject: VirtDomains, DefaultDomain, and SASL
> Date: Tuesday 01 June 2004 02:54 pm
> From: [EMAIL PROTECTED] [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
>
> Hello All,
>
> I have:
>
>     cyrus-imapd-2.2.3
>     cyrus-sasl-2.1.14

I recommend you upgrade to 2.1.18. Lots of fixes.

>     openldap-2.1.26
>
> sasl is set to use ldap. My sasl ldap conf file follows:
>
>     ldap_servers: ldap://localhost
>     ldap_bind_dn: cn=cyrus,ou=users,dc=internal,dc=root
>     ldap_bind_pw: neener
>     ldap_version: 3
>     ldap_timeout: 10
>     ldap_time_limit: 10
>     ldap_scope: sub
>     ldap_search_base: dc=root
>     ldap_auth_method: bind
>     ldap_filter: ((dc:dn:=%d)(mail=%U))
>     ldap_password_attr: userPassword
>
> My imapd.conf follows:
>
>     admins: cyrus
>     hashimapspool: yes
>     allowanonymouslogin: no
>     allowplaintext: yes
>     lmtp_allowplaintext: yes
>     lmtp_downcase_rcpt: yes
>     virtdomains: yes
>     defaultdomain: internal
>     altnamespace: yes
>     sasl_pwcheck_method: saslauthd
>     sasl_mech_list: PLAIN LOGIN
>
> When using imtest like imtest -a [EMAIL PROTECTED] 127.0.0.1, I can authenticate fine. Also imtest -a [EMAIL PROTECTED] 127.0.0.1 works too. But imtest -a cyrus 127.0.0.1 doesn't work.
>
> Shouldn't the defaultdomain value be appended when authenticating via sasl?

No, it may append reverse lookup of 127.0.0.1 if it is a fqdn. See 'man imapd.conf' for more on virtdomains.

> And would login via cyrus be a global admin, and not just an admin for the internal domain?

Yes.

--
Igor

Re: VirtDomains, DefaultDomain, and SASL
On Wednesday 02 June 2004 12:36 pm, you wrote:

> Show some patience... :-)

Didn't mean to seem impatient, I just know that ya get ignored on some lists for posting the wrong 'type' of question. Since I am a newbie to this list, I just figured I would ask if I was supposed to be elsewhere. Thanks for your advice :)

> I recommend you upgrade to 2.1.18. Lots of fixes.

Ok, will update.

> No, it may append reverse lookup of 127.0.0.1 if it is a fqdn. See 'man imapd.conf' for more on virtdomains.

If it was appending the fqdn, would I see it in my logs? I see saslauthd say 'Domain not available'. So shouldn't it be appending something, either my defaultdomain or my FQDN?

You can also see that the ldapsearch sees the %d in the ldap search filter as undefined.

    Jun 2 13:02:18 localhost imap[30159]: accepted connection
    Jun 2 13:02:20 localhost saslauthd[30225]: Domain not available.
    Jun 2 13:02:20 localhost slapd[29742]: conn=19 fd=17 ACCEPT from IP=127.0.0.1:3492 (IP=0.0.0.0:389)
    Jun 2 13:02:20 localhost slapd[29811]: conn=19 op=0 BIND dn=cn=sasl,ou=users,dc=internal,dc=root method=128
    Jun 2 13:02:20 localhost slapd[29811]: conn=19 op=0 BIND dn=cn=sasl,ou=users,dc=internal,dc=root mech=SIMPLE ssf=0
    Jun 2 13:02:20 localhost slapd[29811]: conn=19 op=0 RESULT tag=97 err=0 text=
    Jun 2 13:02:20 localhost slapd[29810]: conn=19 op=1 SRCH base=dc=root scope=2 filter=((?=undefined)(mail=cyrus))
    Jun 2 13:02:20 localhost slapd[29810]: conn=19 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
    Jun 2 13:02:20 localhost saslauthd[30225]: Entry not found or more than one entries found (((dc:dn:=)(mail=cyrus))).
    Jun 2 13:02:20 localhost saslauthd[30225]: do_auth : auth failure: [user=cyrus] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
    Jun 2 13:02:20 localhost imap[30159]: badlogin: localhost [127.0.0.1] plaintext cyrus SASL(-13): authentication failure: checkpass failed

Re: VirtDomains, DefaultDomain, and SASL
On Wed, 2 Jun 2004, [EMAIL PROTECTED] wrote:

> > No, it may append reverse lookup of 127.0.0.1 if it is a fqdn. See 'man imapd.conf' for more on virtdomains.
>
> If it was appending the fqdn, would I see it in my logs? I see saslauthd say 'Domain not available'.

To be exact, cyrus will append domain part of the fqdn. It looks like 127.0.0.1 resolves to 'localhost' on your system which is not a fqdn.

> So shouldn't it be appending something, either my defaultdomain or my FQDN?

I do not know if it should, but the code is not written to work this way. You can write a canon plugin which can do this or change the reverse lookup for 127.0.0.1.

> You can also see that the ldapsearch sees the %d in the ldap search filter as undefined.
>
>     Jun 2 13:02:18 localhost imap[30159]: accepted connection
>     Jun 2 13:02:20 localhost saslauthd[30225]: Domain not available.
>     Jun 2 13:02:20 localhost slapd[29742]: conn=19 fd=17 ACCEPT from IP=127.0.0.1:3492 (IP=0.0.0.0:389)
>     Jun 2 13:02:20 localhost slapd[29811]: conn=19 op=0 BIND dn=cn=sasl,ou=users,dc=internal,dc=root method=128
>     Jun 2 13:02:20 localhost slapd[29811]: conn=19 op=0 BIND dn=cn=sasl,ou=users,dc=internal,dc=root mech=SIMPLE ssf=0
>     Jun 2 13:02:20 localhost slapd[29811]: conn=19 op=0 RESULT tag=97 err=0 text=
>     Jun 2 13:02:20 localhost slapd[29810]: conn=19 op=1 SRCH base=dc=root scope=2 filter=((?=undefined)(mail=cyrus))
>     Jun 2 13:02:20 localhost slapd[29810]: conn=19 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
>     Jun 2 13:02:20 localhost saslauthd[30225]: Entry not found or more than one entries found (((dc:dn:=)(mail=cyrus))).
>     Jun 2 13:02:20 localhost saslauthd[30225]: do_auth : auth failure: [user=cyrus] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
>     Jun 2 13:02:20 localhost imap[30159]: badlogin: localhost [127.0.0.1] plaintext cyrus SASL(-13): authentication failure: checkpass failed

--
Igor

Re: VirtDomains, DefaultDomain, and SASL
On Wednesday 02 June 2004 01:42 pm, you wrote:

> I do not know if it should, but the code is not written to work this way. You can write a canon plugin which can do this or change the reverse lookup for 127.0.0.1.

I just changed my ldap tree to use 'internal.com' instead of 'internal'. If I change the hosts entry of '127.0.0.1' to 'dev.internal.com', logging as user cyrus works.

If I changed my defaultdomain value in imapd.conf to internal.com, and change the hosts file 127.0.0.1 value back to 'localhost', logging in as user cyrus does not work.

Should/Does the defaultdomain value get appended?

Re: VirtDomains, DefaultDomain, and SASL
On Wed, 2 Jun 2004, [EMAIL PROTECTED] wrote:

> On Wednesday 02 June 2004 01:42 pm, you wrote:
>
> > I do not know if it should, but the code is not written to work this way. You can write a canon plugin which can do this or change the reverse lookup for 127.0.0.1.
>
> I just changed my ldap tree to use 'internal.com' instead of 'internal'. If I change the hosts entry of '127.0.0.1' to 'dev.internal.com', logging as user cyrus works.
>
> If I changed my defaultdomain value in imapd.conf to internal.com, and change the hosts file 127.0.0.1 value back to 'localhost', logging in as user cyrus does not work.
>
> Should/Does the defaultdomain value get appended?

No. Please read $cyrus-src/imap/global.c/canonify_userid() function.

--
Igor

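The behaviour discussed in this thread, modelled as an added example; it is not part of any poster's message and is not Cyrus or saslauthd code. It assumes only what the replies state (an unqualified login gets the domain part of the name 127.0.0.1 resolves to, and nothing when that name is not an FQDN; defaultdomain is not used), and the function names and the example.test login are constructed for illustration.

```python
import re

# Filter string copied as it appears in the post's saslauthd LDAP config.
PAGE_FILTER = "((dc:dn:=%d)(mail=%U))"

def realm_from_hostname(hostname):
    """Domain part of the name 127.0.0.1 resolves to, or "" when that name
    is not an FQDN (the rule given in the replies; defaultdomain plays no part)."""
    host, dot, domain = hostname.partition(".")
    return domain if (host and dot and domain) else ""

def split_login(login, server_hostname):
    """Return (user, realm) for a login, as the thread describes it."""
    user, at, domain = login.partition("@")
    if at:                       # qualified login: realm comes from the login
        return user, domain
    return user, realm_from_hostname(server_hostname)

def escape_filter_value(value):
    """Escape RFC 4515 special characters before substitution into a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def expand_filter(template, user, realm):
    """Expand only the two tokens this page uses: %U (user) and %d (domain)."""
    values = {"U": user, "d": realm}
    return re.sub(r"%([Ud])",
                  lambda m: escape_filter_value(values[m.group(1)]), template)

def predict(login, server_hostname, template=PAGE_FILTER):
    """Return (filter, warning) for one login attempt."""
    user, realm = split_login(login, server_hostname)
    warning = None if realm else "empty %d: no realm in login or reverse lookup"
    return expand_filter(template, user, realm), warning

if __name__ == "__main__":
    # Constructed cases mirroring the experiments reported in the thread.
    for login, host in [("cyrus", "localhost"),
                        ("cyrus", "dev.internal.com"),
                        ("steven@example.test", "localhost")]:
        print(login, host, predict(login, host))
```

The first case reproduces the filter text in the saslauthd log line above (empty dc:dn:= term), which is why the search returns nentries=0.
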
VirtDomains, DefaultDomain, and SASL
Hello All,

I have:

    cyrus-imapd-2.2.3
    cyrus-sasl-2.1.14
    openldap-2.1.26

sasl is set to use ldap. My sasl ldap conf file follows:

    ldap_servers: ldap://localhost
    ldap_bind_dn: cn=cyrus,ou=users,dc=internal,dc=root
    ldap_bind_pw: neener
    ldap_version: 3
    ldap_timeout: 10
    ldap_time_limit: 10
    ldap_scope: sub
    ldap_search_base: dc=root
    ldap_auth_method: bind
    ldap_filter: ((dc:dn:=%d)(mail=%U))
    ldap_password_attr: userPassword

My imapd.conf follows:

    admins: cyrus
    hashimapspool: yes
    allowanonymouslogin: no
    allowplaintext: yes
    lmtp_allowplaintext: yes
    lmtp_downcase_rcpt: yes
    virtdomains: yes
    defaultdomain: internal
    altnamespace: yes
    sasl_pwcheck_method: saslauthd
    sasl_mech_list: PLAIN LOGIN

When using imtest like imtest -a [EMAIL PROTECTED] 127.0.0.1, I can authenticate fine. Also imtest -a [EMAIL PROTECTED] 127.0.0.1 works too. But imtest -a cyrus 127.0.0.1 doesn't work.

Shouldn't the defaultdomain value be appended when authenticating via sasl? And would login via cyrus be a global admin, and not just an admin for the internal domain?

Thanks,
Steven