Re: imapd + sasl + ldapdb problems

2014-02-06 Thread Peter Erickson
I got it working so thanks for clarifying the setup for the ldapdb  
auxprop module. I needed to add an additional authz-regexp option to  
the openldap config to map an email address to its proper ldap entry.  
Once that was added, everything started working. Thanks again for the  
help.

On Wed Feb  5 12:07:58 2014, Dan White  wrote:
> On 02/05/14 11:15 -0600, Peter Erickson wrote:
>>>> virtdomains: userid
>>>> defaultdomain: example.com
>>>
>>> Other than that, your config looks reasonable. Include an 'ldapdb_mech'
>>> option to reduce confusion. sasl_ldapdb_canon_attr may need to be 'uid'
>>> instead, since example.com is the default domain. This command should
>>> succeed, and return the DN of the test user if your config is good:
>>
>> Just to make sure that I'm understanding the options right, is there a
>> good explanation for what sasl_ldapdb_canon_attr does? I'm not quite
>> sure that I understand its purpose.
>
> sasl_ldapdb_canon_attr will be the resolved identity that sasl hands back
> to cyrus. The identity will be used to find the user's INBOX. Having a
> default domain complicates things a bit (and you may have to experiment. I
> don't define a default domain). Basically, the sasl_ldapdb_canon_attr
> should equal the user portion of their INBOX name. It's handy in scenarios
> where the authentication identity differs from the mailbox name (name
> change, for instance).
>
>> Based on the following, it's possible that my problem isn't with cyrus
>> imapd/sasl, but a misunderstanding of the ldap proxy authorization
>> process and I need to recheck my ldap config. I'm more accustomed to
>> using ldap filters and a base instead of the proxy authorization.
>>
>> # ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tuser -Z
>> SASL/DIGEST-MD5 authentication started
>> SASL username: u:tuser
>> SASL SSF: 128
>> SASL data security layer installed.
>> dn:cn=test user,o=hosted_domain,ou=hosting,dc=example.com
>
> This looks good.
>
>> # ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tu...@example.com -Z
>> SASL/DIGEST-MD5 authentication started
>> ldap_sasl_interactive_bind_s: Insufficient access (50)
>>  additional info: SASL(-14): authorization failure: not authorized
>
> You may need a different or better authz-regexp rule here, or you may need
> to adjust your authzto/authzfrom rules. See:
>
> http://www.openldap.org/doc/admin24/sasl.html#SASL Proxy Authorization



Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus

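To make the proxy-authorization step concrete, here is an added example (mine, not code from the thread, from OpenLDAP or from Cyrus) that models in Python what slapd does with the identity that ldapwhoami -X u:... and the ldapdb plugin present: the uid=<user>,cn=<mech>,cn=auth identity form, first-match authz-regexp mapping, the bound proxy user's authzTo check, and the sasl_ldapdb_canon_attr value that Cyrus turns into a mailbox owner with the default domain stripped. It reproduces the two ldapwhoami results quoted above (the uid form succeeds, the e-mail form is refused) and shows an e-mail mapping of the kind the fix describes; that rule is also gated on authorizedService=mail, the restriction the original post further down the page says it will try next. The proxy user's DN and authzTo value, the absence of a SASL realm, the exact regexes, the in-memory directory and the second user 'nomail' are all assumptions made for the example, and nothing here talks to a real LDAP server.

```python
"""Offline model of the slapd steps behind this thread's ldapwhoami results.

Added example, not code from the thread, OpenLDAP or Cyrus.  On a constructed
in-memory directory it replays what slapd does with the proxy-authorization
identity that ldapdb (and `ldapwhoami -X`) presents: expand u:<user> to the
uid=<user>,cn=<mech>,cn=auth form, map it with the first matching authz-regexp
rule, check the proxy user's authzTo, then hand Cyrus the canon_attr value.
Assumed, not from the thread: the proxy user's DN and authzTo, no SASL realm,
the regex rules, and the second user 'nomail'.
"""
import re

TEST_DN = "cn=test user,o=hosted_domain,ou=hosting,dc=example.com"
PROXY_DN = "cn=imapd-user,ou=services,dc=example.com"   # assumed entry for sasl_ldapdb_id
DIRECTORY = {   # attribute names lower-cased; values are compared case-insensitively
    TEST_DN: {"objectclass": ["inetOrgPerson", "authorizedServiceObject"], "uid": ["tuser"],
              "mail": ["tuser@example.com"], "authorizedservice": ["mail", "svn"]},
    "cn=no mail,o=hosted_domain,ou=hosting,dc=example.com": {   # constructed: svn only
        "objectclass": ["inetOrgPerson"], "uid": ["nomail"],
        "mail": ["nomail@example.com"], "authorizedservice": ["svn"]},
    PROXY_DN: {"objectclass": ["applicationProcess"],   # may impersonate inetOrgPersons under ou=hosting
               "authzto": ["ldap:///ou=hosting,dc=example.com??sub?(objectClass=inetOrgPerson)"]},
}

_URL = re.compile(r"^ldap:///([^?]*)\?([^?]*)\?([^?]*)\?(.*)$")   # base ? attrs ? scope ? filter
_EQ = re.compile(r"^\(([^=()]+)=([^()]*)\)$")

def _matches(flt, entry):
    """Filter subset: (attr=value), or an AND of such terms: (&(a=b)(c=d))."""
    if flt.startswith("(&"):
        return all(_matches(t, entry) for t in re.findall(r"\([^()]*\)", flt[2:-1]))
    attr, value = _EQ.fullmatch(flt).groups()   # raises on unsupported filter syntax
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))

def _in_scope(dn, base, scope):
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return scope == "sub" and dn == base
    return scope == "sub" or "," not in dn[: -len(base) - 1]   # 'one': a single RDN below base

def search(url, directory):
    """Evaluate ldap:///base?attrs?scope?filter (the authz-regexp / authzTo URL form) offline."""
    base, _attrs, scope, flt = _URL.match(url).groups()
    return [dn for dn, e in directory.items()
            if _in_scope(dn.lower(), base.lower(), scope or "base") and _matches(flt, e)]

def sasl_identity(user, mech, realm=None):
    """The identity slapd builds for a SASL user; cn=<realm> is omitted when there is none."""
    return ",".join([f"uid={user}"] + ([f"cn={realm}"] if realm else []) + [f"cn={mech}", "cn=auth"])

def map_identity(identity, rules, directory):
    """authz-regexp: first regex match wins; a URL replacement must select exactly one entry."""
    for pattern, replacement in rules:
        m = re.match(pattern, identity, re.IGNORECASE)
        if not m:
            continue
        target = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
        if not target.startswith("ldap:///"):
            return target, f"{pattern!r} gave a DN"
        hits = search(target, directory)
        return (hits[0] if len(hits) == 1 else None), f"{pattern!r} -> {target} selected {len(hits)}"
    return None, "no authz-regexp rule matched"

def proxy_authorize(authc_user, authzid, mech, rules, directory):
    """What `ldapwhoami -Y <mech> -U <authc_user> -X u:<user>` exercises: (dn or None, reason)."""
    proxy_dn, why = map_identity(sasl_identity(authc_user, mech), rules, directory)
    if proxy_dn is None:
        return None, "bind failed: " + why
    if not authzid.startswith("u:"):
        raise ValueError("only the u:<user> authzid form is modelled here")
    target, why = map_identity(sasl_identity(authzid[2:], mech), rules, directory)
    if target is None:
        return None, "not authorized: " + why
    if not any(target in search(u, directory) for u in directory[proxy_dn].get("authzto", [])):
        return None, f"not authorized: authzTo of {proxy_dn} does not select {target}"
    return target, why

def cyrus_mailbox_user(entry_dn, canon_attr, directory, defaultdomain="example.com"):
    """ldapdb returns canon_attr as the canonical user; under virtdomains Cyrus strips the
    default domain, so both 'uid' and 'mail' lead to INBOX owner 'tuser' here."""
    canon = directory[entry_dn][canon_attr.lower()][0]
    local, _, domain = canon.partition("@")
    return local if domain.lower() == defaultdomain.lower() else canon

# UID_RULE alone reproduces the thread's two results.  MAIL_RULE is the kind of extra
# mapping the thread says fixed it (here also gated on authorizedService=mail, which
# goes beyond the thread).  Order matters: the catch-all uid rule must come last.
PROXY_RULE = (r"^uid=imapd-user,cn=digest-md5,cn=auth$", PROXY_DN)
UID_RULE = (r"^uid=([^,]+),cn=digest-md5,cn=auth$",
            "ldap:///ou=hosting,dc=example.com??sub?(uid=$1)")
MAIL_RULE = (r"^uid=([^,@]+@[^,]+),cn=digest-md5,cn=auth$",
             "ldap:///ou=hosting,dc=example.com??sub?(&(mail=$1)(authorizedService=mail))")
RULES_BEFORE = [PROXY_RULE, UID_RULE]
RULES_AFTER = [PROXY_RULE, MAIL_RULE, UID_RULE]

if __name__ == "__main__":
    for rules, authzid in ((RULES_BEFORE, "u:tuser"), (RULES_BEFORE, "u:tuser@example.com"),
                           (RULES_AFTER, "u:tuser@example.com"), (RULES_AFTER, "u:nomail@example.com")):
        dn, why = proxy_authorize("imapd-user", authzid, "digest-md5", rules, DIRECTORY)
        print(f"{authzid:22} -> {dn or 'not authorized'}; {why}")
```

Rule order is the caveat worth remembering: slapd stops at the first regex that matches, so the e-mail rule has to precede a catch-all uid rule such as ^uid=([^,]+),..., otherwise the address is looked up as a uid, the search selects nothing, and the bind is refused exactly as in the second ldapwhoami run above. The two ldapwhoami runs from the thread remain the live check against the real server: both the uid form and the address form must come back with the user's DN before ldapdb will work.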

Re: imapd + sasl + ldapdb problems

2014-02-05 Thread Dan White
On 02/05/14 11:15 -0600, Peter Erickson wrote:
>> >virtdomains: userid
>> >defaultdomain: example.com
>>
>> Other than that, your config looks reasonable. Include an 'ldapdb_mech'
>> option to reduce confusion. sasl_ldapdb_canon_attr may need to be 'uid'
>> instead, since example.com is the default domain. This command should
>> succeed, and return the DN of the test user if your config is good:
>
>Just to make sure that I'm understanding the options right, is there a
>good explanation for what sasl_ldapdb_canon_attr does? I'm not quite
>sure that I understand its purpose.

sasl_ldapdb_canon_attr will be the resolved identity that sasl hands back
to cyrus. The identity will be used to find the user's INBOX. Having a
default domain complicates things a bit (and you may have to experiment. I
don't define a default domain). Basically, the sasl_ldapdb_canon_attr
should equal the user portion of their INBOX name. It's handy in scenarios
where the authentication identity differs from the mailbox name (name
change, for instance).

>Based on the following, it's possible that my problem isn't with cyrus
>imapd/sasl, but a misunderstanding of the ldap proxy authorization
>process and I need to recheck my ldap config. I'm more accustomed to
>using ldap filters and a base instead of the proxy authorization.
>
># ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tuser -Z
>SASL/DIGEST-MD5 authentication started
>SASL username: u:tuser
>SASL SSF: 128
>SASL data security layer installed.
>dn:cn=test user,o=hosted_domain,ou=hosting,dc=example.com

This looks good.

># ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tu...@example.com -Z
>SASL/DIGEST-MD5 authentication started
>ldap_sasl_interactive_bind_s: Insufficient access (50)
>   additional info: SASL(-14): authorization failure: not authorized

You may need a different or better authz-regexp rule here, or you may need
to adjust your authzto/authzfrom rules. See:

http://www.openldap.org/doc/admin24/sasl.html#SASL Proxy Authorization

-- 
Dan White



Re: imapd + sasl + ldapdb problems

2014-02-05 Thread Peter Erickson
Dan, thanks for the response.

On Wed, Feb 05, 2014 at 09:35:49AM -0600, Dan White wrote:
> On 02/04/14 20:15 -0600, Peter Erickson wrote:
> >In hopes of requiring users to log in using their email address I set
> >sasl_ldapdb_canon_attr, however that resulted in the following syslog
> >messages (These same messages occur if I comment out the canonuser_attr
> >options in imapd.conf as well):
> >imtest: ldapdb_canonuser_plug_init() failed in
> >sasl_canonuser_add_plugin(): invalid parameter supplied
> >imap[16385]: SQL engine 'mysql' not supported
> >imap[16385]: auxpropfunc error no mechanism available
> >imap[16385]: unable to canonify user and get auxprops
> >imap[16385]: badlogin: localhost [127.0.0.1] DIGEST-MD5 [SASL(-1):
> >generic failure: unable to canonify user and get auxprops]
> 
> You'll need to have a Cyrus SASL version > 2.1.23 installed for the ldapdb
> canonuser functionality, or you'll need to patch your existing version.

I am currently working with Cyrus SASL 2.1.26 and Cyrus imap 2.4.17
installed on FreeBSD 9-STABLE.

> Check that you have a properly installed cyrus sasl with:
> 
> ~$ cat > /tmp/pluginviewer.conf << EOF
> > ldapdb_uri: ldapi:///
> > sql_select: select please_work from the_ether
> > EOF
> ~$ SASL_CONF_PATH=/tmp /usr/sbin/saslpluginviewer -a
> Installed and properly configured auxprop mechanisms are:
> ldapdb sql sasldb
> List of auxprop plugins follows
> Plugin "ldapdb" ,   API version: 8
>  supports store: yes
> 
> Plugin "sql" ,  API version: 8
>  supports store: yes
> 
> Plugin "sasldb" ,   API version: 8
>  supports store: yes

# pluginviewer -a
Installed and properly configured auxprop mechanisms are:
ldapdb sasldb
List of auxprop plugins follows
Plugin "ldapdb" ,   API version: 8
supports store: yes

Plugin "sasldb" ,   API version: 8
supports store: yes

> ~$ SASL_CONF_PATH=/tmp /usr/sbin/saslpluginviewer -s | grep -i 'cram-md5\|digest-md5'
>GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS
>GSSAPI DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS
>  SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
>  SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no

# pluginviewer -s | grep -i 'cram-md5\|digest-md5'
  SCRAM-SHA-1 DIGEST-MD5 EXTERNAL OTP CRAM-MD5 NTLM LOGIN PLAIN ANONYMOUS
  SCRAM-SHA-1 DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN ANONYMOUS
SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no

> ~$ strings /usr/lib/x86_64-linux-gnu/sasl2/libldapdb.so.2 | grep canon
> ldapdb_canonuser_plug_init
> sasl_canonuser_init
> ldapdb_canon_attr

#  strings /usr/local/lib/sasl2/libldapdb.so.3 | grep canon
ldapdb_canonuser_plug_init
sasl_canonuser_init
ldapdb_canon_attr

> >imapd.conf:
> >configdirectory: /var/cyrus/config
> >partition-default: /var/cyrus/spool
> >admin: cyrusadmin
> >sasl_pwcheck_method: auxprop
> >sasl_auxprop_plugin: ldapdb
> >sasl_ldapdb_uri: ldaps://localhost
> >sasl_ldapdb_id: imapd-user
> >sasl_ldapdb_pw: password
> >sasl_canon_user_plugin: ldapdb
> >sasl_ldapdb_canon_attr: mail
> >sasl_mech_list: cram-md5 digest-md5
> >virtdomains: userid
> >defaultdomain: example.com
> 
> Consider that the certificate returned by ldaps://localhost may fail,
> unless the certificate used by localhost is named 'localhost', or is
> otherwise trusted. ldapi:/// may be a better option.

The ldap server is actually on a different system and works properly
with and without the SSL/TLS connection. I just replaced the actual
server with localhost to mask the real host.

> Other than that, your config looks reasonable. Include an 'ldapdb_mech'
> option to reduce confusion. sasl_ldapdb_canon_attr may need to be 'uid'
> instead, since example.com is the default domain. This command should
> succeed, and return the DN of the test user if your config is good:

Just to make sure that I'm understanding the options right, is there a
good explanation for what sasl_ldapdb_canon_attr does? I'm not quite
sure that I understand its purpose.

Based on the following, it's possible that my problem isn't with cyrus
imapd/sasl, but a misunderstanding of the ldap proxy authorization
process and I need to recheck my ldap config. I'm more accustomed to
using ldap filters and a base instead of the proxy authorization.

# ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tuser -Z
SASL/DIGEST-MD5 authentication started
SASL username: u:tuser
SASL SSF: 128
SASL data security layer installed.
dn:cn=test user,o=hosted_domain,ou=hosting,dc=example.com

# ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tu...@example.com -Z
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Insufficient access (50)
additional info: SASL(-14): authorization failure: not authorized

> >example ldap entry:
> >dn: cn=test user,o=hosted_domain,ou=hosting,dc=example.com
> >objectclass: top
> >objectcl

Re: imapd + sasl + ldapdb problems

2014-02-05 Thread Dan White
On 02/04/14 20:15 -0600, Peter Erickson wrote:
>I'm trying to configure imapd to authenticate against an ldap
>directory using ldapdb and am running into problems. I provide hosting
>services (i.e. ftp, svn, mail, etc) for several people where user
>account information is stored in an openldap directory. In addition to
>having a username/password, each user also has a primary email account
>and a list of services that they are authorized to use. I've got
>authentication working using a user's uid, but I need to change
>this so that users are only allowed access using their email address.
>I believe I need this to happen as well since I'm using Cyrus'
>virtdomains option. Once that is done, I'll attempt to restrict access
>based on the existence of the proper "authorizedService" attribute.
>
>In hopes of requiring users to log in using their email address I set
>sasl_ldapdb_canon_attr, however that resulted in the following syslog
>messages (These same messages occur if I comment out the canonuser_attr
>options in imapd.conf as well):
>imtest: ldapdb_canonuser_plug_init() failed in
>sasl_canonuser_add_plugin(): invalid parameter supplied
>imap[16385]: SQL engine 'mysql' not supported
>imap[16385]: auxpropfunc error no mechanism available
>imap[16385]: unable to canonify user and get auxprops
>imap[16385]: badlogin: localhost [127.0.0.1] DIGEST-MD5 [SASL(-1):
>generic failure: unable to canonify user and get auxprops]

You'll need to have a Cyrus SASL version > 2.1.23 installed for the ldapdb
canonuser functionality, or you'll need to patch your existing version.

Check that you have a properly installed cyrus sasl with:

~$ cat > /tmp/pluginviewer.conf << EOF
> ldapdb_uri: ldapi:///
> sql_select: select please_work from the_ether
> EOF
~$ SASL_CONF_PATH=/tmp /usr/sbin/saslpluginviewer -a
Installed and properly configured auxprop mechanisms are:
ldapdb sql sasldb
List of auxprop plugins follows
Plugin "ldapdb" ,   API version: 8
 supports store: yes

Plugin "sql" ,  API version: 8
 supports store: yes

Plugin "sasldb" ,   API version: 8
 supports store: yes

~$ SASL_CONF_PATH=/tmp /usr/sbin/saslpluginviewer -s | grep -i 'cram-md5\|digest-md5'
   GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS
   GSSAPI DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS
 SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
 SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no

~$ strings /usr/lib/x86_64-linux-gnu/sasl2/libldapdb.so.2 | grep canon
ldapdb_canonuser_plug_init
sasl_canonuser_init
ldapdb_canon_attr

rm /tmp/pluginviewer.conf

>I tracked down the ldapdb_canonuser_plug_init() error to
>ldapdb_config(). When the "ldapdb_uri" option is read, it apparently
>returns a null string reference which results in the SASL_BADPARAM
>being returned. Unfortunately, not fully understanding the SASL
>package, I'm not really sure where to go from here nor do I know if
>this will even solve my problem if it returns successfully.
>
>Any help in configuring this would be greatly appreciated.
>
>
>imapd.conf:
>configdirectory: /var/cyrus/config
>partition-default: /var/cyrus/spool
>admin: cyrusadmin
>sasl_pwcheck_method: auxprop
>sasl_auxprop_plugin: ldapdb
>sasl_ldapdb_uri: ldaps://localhost
>sasl_ldapdb_id: imapd-user
>sasl_ldapdb_pw: password
>sasl_canon_user_plugin: ldapdb
>sasl_ldapdb_canon_attr: mail
>sasl_mech_list: cram-md5 digest-md5
>virtdomains: userid
>defaultdomain: example.com

Consider that the certificate returned by ldaps://localhost may fail,
unless the certificate used by localhost is named 'localhost', or is
otherwise trusted. ldapi:/// may be a better option.

Other than that, your config looks reasonable. Include an 'ldapdb_mech'
option to reduce confusion. sasl_ldapdb_canon_attr may need to be 'uid'
instead, since example.com is the default domain. This command should
succeed, and return the DN of the test user if your config is good:

ldapwhoami -Y digest-md5 -H ldaps://localhost -U imapd-user -w password -X u:tuser (or u:tu...@example.com? not sure)

>example ldap entry:
>dn: cn=test user,o=hosted_domain,ou=hosting,dc=example.com
>objectclass: top
>objectclass: inetOrgPerson
>objectclass: authorizedServiceObject
>cn: test user
>sn: user
>uid: tuser
>mail: tu...@example.com
>userPassword: password
>authorizedService: mail
>authorizedService: svn

-- 
Dan White



imapd + sasl + ldapdb problems

2014-02-04 Thread Peter Erickson
I'm trying to configure imapd to authenticate against an ldap  
directory using ldapdb and am running into problems. I provide hosting  
services (i.e. ftp, svn, mail, etc) for several people where user  
account information is stored in an openldap directory. In addition to  
having a username/password, each user also has a primary email account  
and a list of services that they are authorized to use. I've got  
authentication working using a user's uid, but I need to change  
this so that users are only allowed access using their email address.  
I believe I need this to happen as well since I'm using Cyrus'  
virtdomains option. Once that is done, I'll attempt to restrict access  
based on the existence of the proper "authorizedService" attribute.

In hopes of requiring users to log in using their email address I set  
sasl_ldapdb_canon_attr, however that resulted in the following syslog  
messages (These same messages occur if I comment out the canonuser_attr  
options in imapd.conf as well):
imtest: ldapdb_canonuser_plug_init() failed in  
sasl_canonuser_add_plugin(): invalid parameter supplied
imap[16385]: SQL engine 'mysql' not supported
imap[16385]: auxpropfunc error no mechanism available
imap[16385]: unable to canonify user and get auxprops
imap[16385]: badlogin: localhost [127.0.0.1] DIGEST-MD5 [SASL(-1):  
generic failure: unable to canonify user and get auxprops]

I tracked down the ldapdb_canonuser_plug_init() error to  
ldapdb_config(). When the "ldapdb_uri" option is read, it apparently  
returns a null string reference which results in the SASL_BADPARAM  
being returned. Unfortunately, not fully understanding the SASL  
package, I'm not really sure where to go from here nor do I know if  
this will even solve my problem if it returns successfully.

Any help in configuring this would be greatly appreciated.


imapd.conf:
configdirectory: /var/cyrus/config
partition-default: /var/cyrus/spool
admin: cyrusadmin
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldaps://localhost
sasl_ldapdb_id: imapd-user
sasl_ldapdb_pw: password
sasl_canon_user_plugin: ldapdb
sasl_ldapdb_canon_attr: mail
sasl_mech_list: cram-md5 digest-md5
virtdomains: userid
defaultdomain: example.com

example ldap entry:
dn: cn=test user,o=hosted_domain,ou=hosting,dc=example.com
objectclass: top
objectclass: inetOrgPerson
objectclass: authorizedServiceObject
cn: test user
sn: user
uid: tuser
mail: tu...@example.com
userPassword: password
authorizedService: mail
authorizedService: svn

-- 
Peter Erickson
redlam...@gmail.com
