Re: Specify saslauthd state directory to imapd in build
On 02.07.2018 at 06:57, Alexander Dalloz wrote:
> On 02.07.2018 at 03:39, Andrew Bernard wrote:
>> Any assistance most appreciated.
>>
>> Andrew
>
> man 5 imapd.conf
>
>   sasl_option: 0
>     Any SASL option can be set by preceding it with "sasl_". This file
>     overrides the SASL configuration file.
>
> And then see the documentation of saslauthd. Should ship with your
> version locally. Anyhow
> https://blog.sys4.de/cyrus-sasl-saslauthd-man-page-en.html
>
> Alexander

Little correction, it is the options.html file you should consult:
https://www.sendmail.org/~ca/email/cyrus2/options.html

Alexander

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: Specify saslauthd state directory to imapd in build
On 02.07.2018 at 03:39, Andrew Bernard wrote:
> I am having trouble with getting imapd and saslauthd to work together on
> Ubuntu 18.04, using the recent Cyrus imapd (3.0.7) and sasl (2.1.26)
> releases. Using postfix (3.3.1), I have the saslauthd state directory in
> /var/run/saslauthd (and also in the chroot'd postfix directory hierarchy).
>
> For days I have had this error:
>
>   cyrus/imap[]: SASL cannot connect to saslauthd server: No such file or directory
>
> To come to the point, finally I ran strace on imapd and found it is trying
> to open /var/state/saslauthd. I believe this is the default for saslauthd.
> I am unable to decipher which configure options to build cyrus-imapd with
> to change this directory name.
>
> Any assistance most appreciated.
>
> Andrew

man 5 imapd.conf

  sasl_option: 0
    Any SASL option can be set by preceding it with "sasl_". This file
    overrides the SASL configuration file.

And then see the documentation of saslauthd. Should ship with your version
locally. Anyhow https://blog.sys4.de/cyrus-sasl-saslauthd-man-page-en.html

Alexander
Specify saslauthd state directory to imapd in build
I am having trouble with getting imapd and saslauthd to work together on
Ubuntu 18.04, using the recent Cyrus imapd (3.0.7) and sasl (2.1.26)
releases. Using postfix (3.3.1), I have the saslauthd state directory in
/var/run/saslauthd (and also in the chroot'd postfix directory hierarchy).

For days I have had this error:

  cyrus/imap[]: SASL cannot connect to saslauthd server: No such file or directory

To come to the point, finally I ran strace on imapd and found it is trying
to open /var/state/saslauthd. I believe this is the default for saslauthd.
I am unable to decipher which configure options to build cyrus-imapd with
to change this directory name.

Any assistance most appreciated.

Andrew
Problem with cyrus 2.3.16-6, sendmail, saslauthd on centos 6
Hi,

we have installed a cyrus-imapd server on a centos 6.6 architecture.
Unfortunately our service has some bugs:

1. we stop the service, process cyrus files remain in /var/lib/imap/proc
2. we have many errors in /var/log/maillog

--
Mar 29 15:53:00 mailbox lmtpunix[20870]: DBERROR db4: Logging region out of memory; you may need to increase its size
Mar 29 15:53:00 mailbox lmtpunix[20870]: DBERROR: opening /var/lib/imap/deliver.db: Cannot allocate memory
Mar 29 15:53:00 mailbox lmtpunix[20870]: DBERROR: opening /var/lib/imap/deliver.db: cyrusdb error
Mar 29 15:53:00 mailbox lmtpunix[20870]: FATAL: lmtpd: unable to init duplicate delivery database
Mar 29 15:53:00 mailbox master[27585]: process 20870 exited, status 75
Mar 29 15:53:00 mailbox master[27585]: service lmtpunix pid 20870 in READY state: terminated abnormally
Mar 29 15:53:00 mailbox master[20871]: about to exec /usr/lib/cyrus-imapd/lmtpd
Mar 29 15:53:00 mailbox lmtpunix[20871]: executed
Mar 29 15:53:00 mailbox lmtpunix[20871]: DBERROR db4: Logging region out of memory; you may need to increase its size
---

We setup a cyrus db configuration /var/lib/imap/db/DB_CONFIG in this way:

  set_cachesize 0 2097152 1
  set_lg_regionmax 1048576

but the problem is always present.

Please can you help us?
Thanks a lot in advance.

Regards
D. Bortolotti & A. Monducci
Re: CRAM-MD5 with saslauthd
On 2015-03-12 17:42, Geoff Winkless wrote:
> On 12 March 2015 at 16:04, Vladislav Kurz <vladislav.k...@webstep.net> wrote:
>> On Thursday 12 of March 2015 Ram <r...@netcore.co.in> wrote:
>>>> You need access to plaintext passwords for CRAM/DIGEST-MD5.
>>>>
>>>> LDAP and saslauthd do not provide that.
>>>
>>> How can I use CRAM-MD5 with passwords stored in LDAP (in MD5 format)
>>> then?
>>>
>>> I need to disable plain & login methods and cannot store passwords in
>>> plain text too.
>>
>> I'm afraid you are trying to do impossible things. Read more about
>> how cram-md5 works. You can enforce ssl/tls encryption and use
>> plain/login auth.
>
> The definition of "plain text" doesn't mean that it cannot be stored in
> a retrievable form. You could make a fairly simple patch to retrieve the
> ciphertext from a ROT13 store, as an extreme example :)

AD supports an (AES-based, I think?) "reversible encryption" option for
their LDAP passwords. This might be the sanest venue for this kind of
"feature".

> G

--
Best Regards,

Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwe...@tao.at | +43 (0)680 301 7167
http://software.tao.at
Re: CRAM-MD5 with saslauthd
On 12 March 2015 at 16:04, Vladislav Kurz wrote:
> On Thursday 12 of March 2015 Ram wrote:
>>> You need access to plaintext passwords for CRAM/DIGEST-MD5.
>>>
>>> LDAP and saslauthd do not provide that.
>>
>> How can I use CRAM-MD5 with passwords stored in LDAP (in MD5 format)
>> then?
>>
>> I need to disable plain & login methods and cannot store passwords in
>> plain text too.
>
> I'm afraid you are trying to do impossible things. Read more about how
> cram-md5 works. You can enforce ssl/tls encryption and use plain/login auth.

The definition of "plain text" doesn't mean that it cannot be stored in a
retrievable form. You could make a fairly simple patch to retrieve the
ciphertext from a ROT13 store, as an extreme example :)

G
Re: CRAM-MD5 with saslauthd
On Thursday 12 of March 2015 Ram wrote:
>> You need access to plaintext passwords for CRAM/DIGEST-MD5.
>>
>> LDAP and saslauthd do not provide that.
>
> How can I use CRAM-MD5 with passwords stored in LDAP (in MD5 format)
> then?
>
> I need to disable plain & login methods and cannot store passwords in
> plain text too.

I'm afraid you are trying to do impossible things. Read more about how
cram-md5 works. You can enforce ssl/tls encryption and use plain/login auth.

--
Regards

Vladislav Kurz
Headquarters: Celní 17/5, 63900 Brno, CZ
Web: http://www.webstep.net
E-Mail: i...@webstep.net
Tel: 840-840-700, +420.548214711
Terms and conditions: https://zkrat.to/op
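How CRAM-MD5 actually works, as an added example (not part of Vladislav's or Ram's posts, and not Cyrus SASL code): the RFC 2195 exchange in Python, with the server-side check first done from a stored cleartext secret and then attempted from an RFC 2307 style {MD5} hash like the one in Ram's directory. The user name and password are the ones in RFC 2195's own example; the hostname and the IMAP wire framing are illustrative assumptions. The point the thread makes falls out of the code: the server never receives a password it could hand to saslauthd, only an HMAC over its own challenge, so it must already hold something HMAC-equivalent to the cleartext.

```python
"""CRAM-MD5 (RFC 2195) end to end, to show what the server must hold.

Added example; not Cyrus SASL code and not part of the thread. The client
proves knowledge of the password by returning HMAC-MD5(password, challenge).
The server can only check that by computing the same HMAC, which needs the
cleartext password (or an HMAC-ready derivative of it); a one-way digest such
as LDAP's {MD5} cannot be turned back into the HMAC key. Sample user and
password are taken from RFC 2195's own example; the hostname is made up.
"""
import base64
import hashlib
import hmac
import os
import time


def make_challenge(hostname: str) -> str:
    """Server step 1: a fresh, unpredictable nonce in RFC 2195's msg-id style."""
    nonce = int.from_bytes(os.urandom(8), "big")
    return f"<{nonce}.{int(time.time())}@{hostname}>"


def client_response(username: str, password: str, challenge: str) -> str:
    """Client step: 'username SP hex(HMAC-MD5(key=password, text=challenge))'."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def server_verify(stored_secret: str, challenge: str, response: str) -> bool:
    """Server step 2: recompute the HMAC from the stored secret and compare.

    Note what is NOT available here: the password itself. That is why a
    CRAM-MD5 server cannot hand anything to saslauthd, which only understands
    a cleartext (login, password) pair.
    """
    try:
        _username, digest = response.split(" ", 1)
    except ValueError:
        return False
    expected = hmac.new(stored_secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)   # constant-time compare


def ldap_md5_hash(password: str) -> str:
    """What an RFC 2307 style directory stores: {MD5} + base64(md5(password))."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


def sasl_exchange(username: str, password: str, stored_secret: str, hostname: str) -> tuple:
    """One IMAP AUTHENTICATE CRAM-MD5 round trip: ((server line, client line), verdict).

    stored_secret is whatever the server has on file for username; with the
    cleartext it verifies, with ldap_md5_hash(password) it cannot.
    """
    challenge = make_challenge(hostname)
    response = client_response(username, password, challenge)
    server_line = "+ " + base64.b64encode(challenge.encode()).decode()
    client_line = base64.b64encode(response.encode()).decode()
    return (server_line, client_line), server_verify(stored_secret, challenge, response)


if __name__ == "__main__":
    user, pw = "tim", "tanstaaftanstaaf"          # RFC 2195 example credentials
    lines, ok = sasl_exchange(user, pw, stored_secret=pw, hostname="imap.example.net")
    print("\n".join(lines), "\nverified with cleartext secret:", ok)
    _, ok_hash = sasl_exchange(user, pw, stored_secret=ldap_md5_hash(pw), hostname="imap.example.net")
    print("verified with {MD5} hash only:", ok_hash)
```

Cyrus SASL's own sasldb sidesteps storing the literal cleartext by keeping precomputed HMAC intermediate state for CRAM-MD5, but that state is password-equivalent: anyone who reads it can answer challenges. The trade-off Vladislav points at is real: either the server keeps a password-equivalent secret and offers CRAM-MD5, or it keeps only one-way hashes and verifies PLAIN/LOGIN under TLS.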
Re: CRAM-MD5 with saslauthd
On 03/12/2015 09:03 PM, Vladislav Kurz wrote:
> On Thursday 12 of March 2015 Ram wrote:
>> I am trying to use CRAM-MD5 for password authentication.
>> The passwords are in ldap.
>>
>> But the cyrus document here
>> https://cyrusimap.org/docs/cyrus-sasl/2.1.23/sysadmin.php says that I
>> cannot use saslauthd with CRAM-MD5 or DIGEST-MD5
>>
>> Then how do I configure my imap server to use CRAM-MD5 ??
>>
>> Is there a simple howto ?
>
> You need access to plaintext passwords for CRAM/DIGEST-MD5.
>
> LDAP and saslauthd do not provide that.

How can I use CRAM-MD5 with passwords stored in LDAP (in MD5 format) then?

I need to disable plain & login methods and cannot store passwords in plain
text too.
Re: CRAM-MD5 with saslauthd
On Thursday 12 of March 2015 Ram wrote:
> I am trying to use CRAM-MD5 for password authentication.
> The passwords are in ldap.
>
> But the cyrus document here
> https://cyrusimap.org/docs/cyrus-sasl/2.1.23/sysadmin.php says that I
> cannot use saslauthd with CRAM-MD5 or DIGEST-MD5
>
> Then how do I configure my imap server to use CRAM-MD5 ??
>
> Is there a simple howto ?

You need access to plaintext passwords for CRAM/DIGEST-MD5.

LDAP and saslauthd do not provide that.

--
Best Regards
Vladislav Kurz
CRAM-MD5 with saslauthd
I am trying to use CRAM-MD5 for password authentication.
The passwords are in ldap.

But the cyrus document here
https://cyrusimap.org/docs/cyrus-sasl/2.1.23/sysadmin.php says that I
cannot use saslauthd with CRAM-MD5 or DIGEST-MD5

Then how do I configure my imap server to use CRAM-MD5 ??

Is there a simple howto ?

Thanks
Ram
Re: saslauthd and multiple dc levels
On 12/30/14 10:52 +0100, Gabriele Bulfon wrote:
> So, first I changed openldap configuration with "sasl-secprops none" to have
> also plain auth enabled.
> Running pluginviewer to see the plugins:
>
> sonicle@www:~$ pluginviewer -m PLAIN
> List of server plugins follows
> Plugin "plain" [loaded], API version: 4
> List of client plugins follows
> Plugin "plain" [loaded], API version: 4
>
> sonicle@www:~$ ldapsearch -xLLLH 'ldap://localhost/' -s base -b '' 'supportedSASLMechanisms'
> dn:
> supportedSASLMechanisms: SCRAM-SHA-1
> supportedSASLMechanisms: GS2-IAKERB
> supportedSASLMechanisms: GS2-KRB5
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: DIGEST-MD5
> supportedSASLMechanisms: OTP
> supportedSASLMechanisms: CRAM-MD5
> supportedSASLMechanisms: PLAIN
> supportedSASLMechanisms: ANONYMOUS
>
> Now, try plain auth doing a search of an existing user:
>
> sonicle@www:~$ ldapsearch -Y PLAIN -U test.u...@sonicle.com -H ldap://localhost -W
> Enter LDAP Password:
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available: No worthy mechs found
>
> Can't find a reason for ldapsearch not finding the plain mech.

Odd. Add a '-d -1' to get more detail. See the ldap.conf(5) manpage, and
verify you don't have any conflicting options set via relevant ENVIRONMENT
VARIABLES or FILES. Check your syslog for any additional details (auth
facility).

> Also, slapd has been built with sasl:
>
> sonicle@www:~$ ldd /sonicle/libexec/slapd
> libdb-4.8.so => /sonicle/lib/libdb-4.8.so
> libpthread.so.1 => /lib/libpthread.so.1
> libsasl2.so.2 => /sonicle/lib/libsasl2.so.2
> libdl.so.1 => /lib/libdl.so.1
> libssl.so.0.9.8 => /lib/libssl.so.0.9.8
> libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8
> libresolv.so.2 => /lib/libresolv.so.2
> libgen.so.1 => /lib/libgen.so.1
> libnsl.so.1 => /lib/libnsl.so.1
> libsocket.so.1 => /lib/libsocket.so.1
> libc.so.1 => /lib/libc.so.1
> libgcc_s.so.1 => /usr/sfw/lib/libgcc_s.so.1
> libmd.so.1 => /lib/libmd.so.1
> libmp.so.2 => /lib/libmp.so.2
> libm.so.2 => /lib/libm.so.2

How about your libldap library and client utilities? Do they have access to
libsasl2 and the PLAIN shared library/mechanism? Try:

ldd `which ldapsearch`

And verify that the linked sasl library is the same as for slapd, or if not,
uses a good libsasl installation.

Also, you may want to try ldapsearch from another system with a known good
sasl installation.

--
Dan White
Re: saslauthd and multiple dc levels
Hi, I'm trying to follow your suggestion.

So, first I changed openldap configuration with "sasl-secprops none" to have
also plain auth enabled.
Running pluginviewer to see the plugins:

Sonicle XStream Server (XStreamOS/illumos) SunOS 5.11 xs_153 Apr 2014
sonicle@www:~$ pluginviewer -m PLAIN
Installed and properly configured auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" , API version: 8
supports store: yes

Installed and properly configured SASL (server side) mechanisms are:
SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL OTP CRAM-MD5 PLAIN ANONYMOUS
Available SASL (server side) mechanisms matching your criteria are:
PLAIN
List of server plugins follows
Plugin "plain" [loaded], API version: 4
SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION

Installed and properly configured SASL (client side) mechanisms are:
SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL OTP CRAM-MD5 PLAIN ANONYMOUS
Available SASL (client side) mechanisms matching your criteria are:
SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL OTP CRAM-MD5 PLAIN ANONYMOUS
List of client plugins follows
Plugin "plain" [loaded], API version: 4
SASL mechanism: PLAIN, best SSF: 0
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION

Now running a search of SASL mechs:

sonicle@www:~$ ldapsearch -xLLLH 'ldap://localhost/' -s base -b '' 'supportedSASLMechanisms'
dn:
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: OTP
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

Now, try plain auth doing a search of an existing user:

sonicle@www:~$ ldapsearch -Y PLAIN -U test.u...@sonicle.com -H ldap://localhost -W
Enter LDAP Password:
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available: No worthy mechs found

Can't find a reason for ldapsearch not finding the plain mech.

Also, slapd has been built with sasl:

sonicle@www:~$ ldd /sonicle/libexec/slapd
libdb-4.8.so => /sonicle/lib/libdb-4.8.so
libpthread.so.1 => /lib/libpthread.so.1
libsasl2.so.2 => /sonicle/lib/libsasl2.so.2
libdl.so.1 => /lib/libdl.so.1
libssl.so.0.9.8 => /lib/libssl.so.0.9.8
libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8
libresolv.so.2 => /lib/libresolv.so.2
libgen.so.1 => /lib/libgen.so.1
libnsl.so.1 => /lib/libnsl.so.1
libsocket.so.1 => /lib/libsocket.so.1
libc.so.1 => /lib/libc.so.1
libgcc_s.so.1 => /usr/sfw/lib/libgcc_s.so.1
libmd.so.1 => /lib/libmd.so.1
libmp.so.2 => /lib/libmp.so.2
libm.so.2 => /lib/libm.so.2

Any clue?

Or...any simpler way to let saslauthd do multiple search base takes?...or
maybe let it choose the correct search base depending on the number of dc
arguments determined?

Thanks for your help!
Gabriele.

--
From: Dan White
To: Willy Offermans
Cc: Gabriele Bulfon, Raffaele Fullone, info-cyrus@lists.andrew.cmu.edu
Date: 23 December 2014 16:52:46 CET
Subject: Re: saslauthd and multiple dc levels

> On 12/23/14 16:07 +0100, Willy Offermans wrote:
>> Hello Dan,
>>
>> On Tue, Dec 23, 2014 at 08:50:07AM -0600, Dan White wrote:
>>> On 12/23/14 15:22 +0100, Gabriele Bulfon wrote:
>>>> How can I let saslauthd support both configurations?
>>>
>>> Is the server OpenLDAP? If so, using olcAuthzRegexp would be a far more
>>> flexible way to handle this scenario. Within saslauthd's ldap config, use
>>> 'ldap_use_sasl' without specifying a search filter or base.
>>>
>>> Within slapd, your regex rules could perform a subtree search, or a simple
>>> string replacement for each domain. See
>>> http://www.openldap.org/doc/admin24/sasl.html and slapd-config(5).
>>
>> I don't understand how this works.
>>
>> ldap_use_sasl in saslauthd.conf tells saslauthd to contact OpenLDAP server
>> via sasl protocol directly. Is this correct?
>
> Correct. The ldap backend to saslauthd itself performs sasl authentication.
>
>> And what happens then? How do saslauthd and slapd communicate and how is
>> authentication performed?
>
> The communication between Cyrus IMAP and saslauthd would not change. imapd
> would still communicate with saslauthd in the same manner, by submitting a
> username and password via the saslauthd mux.
>
> The ldap backend to saslauthd can be configured to perform SASL over LDAP
> authentication to slapd (not to be confused with SASL over IMAP
> authentication). slapd would simply return a successful bind code back to
> the saslauthd backend, which in turn would respond with an 'OK' to cyrus
> IMAP.
>
> Using SASL within the LDAP saslauthd backend is a much simpler
> configuration. i.e.:
>
> ldap_servers: ldap://ldap.example.com
> ldap_use_sasl: yes
> ldap_mech: PLAIN
>
> (T
Re: saslauthd and multiple dc levels
On 12/23/14 16:07 +0100, Willy Offermans wrote:
> Hello Dan,
>
> On Tue, Dec 23, 2014 at 08:50:07AM -0600, Dan White wrote:
>> On 12/23/14 15:22 +0100, Gabriele Bulfon wrote:
>>> How can I let saslauthd support both configurations?
>>
>> Is the server OpenLDAP? If so, using olcAuthzRegexp would be a far more
>> flexible way to handle this scenario. Within saslauthd's ldap config, use
>> 'ldap_use_sasl' without specifying a search filter or base.
>>
>> Within slapd, your regex rules could perform a subtree search, or a simple
>> string replacement for each domain. See
>> http://www.openldap.org/doc/admin24/sasl.html and slapd-config(5).
>
> I don't understand how this works.
>
> ldap_use_sasl in saslauthd.conf tells saslauthd to contact OpenLDAP server
> via sasl protocol directly. Is this correct?

Correct. The ldap backend to saslauthd itself performs sasl authentication.

> And what happens then? How do saslauthd and slapd communicate and how is
> authentication performed?

The communication between Cyrus IMAP and saslauthd would not change. imapd
would still communicate with saslauthd in the same manner, by submitting a
username and password via the saslauthd mux.

The ldap backend to saslauthd can be configured to perform SASL over LDAP
authentication to slapd (not to be confused with SASL over IMAP
authentication). slapd would simply return a successful bind code back to the
saslauthd backend, which in turn would respond with an 'OK' to cyrus IMAP.

Using SASL within the LDAP saslauthd backend is a much simpler configuration.
i.e.:

ldap_servers: ldap://ldap.example.com
ldap_use_sasl: yes
ldap_mech: PLAIN

(This may require you to configure olcSaslSecProps)

The '-r' option to saslauthd may be necessary, if you're not already using
it.

Use ldapwhoami to test your slapd config:

ldapsearch -Y PLAIN -U jsm...@example.com -H ldap://ldap.example.com \
 -W

And if that works, verify your saslauthd configuration with:

testsaslauthd -u jsm...@example.com -p password

--
Dan White
Re: saslauthd and multiple dc levels
Hello Dan,

On Tue, Dec 23, 2014 at 08:50:07AM -0600, Dan White wrote:
> On 12/23/14 15:22 +0100, Gabriele Bulfon wrote:
>> Hi,
>> I recently stumbled upon this issue, where I can't find a solution.
>> Same cyrus/sasl server, serving multiple 2 level domains (dc=domain,dc=com).
>> Sasl configuration is like:
>> ldap_search_base: ou=People,dc=%2,dc=%1
>> ldap_filter: uid=%u
>> Enter a new domain, but this time it's a 3 level one
>> (dc=dpt,dc=domain,dc=com).
>> Sasl configuration should be like:
>> ldap_search_base: ou=People,dc=%3,dc=%2,dc=%1
>> ldap_filter: uid=%u
>> How can I let saslauthd support both configurations?
>
> Is the server OpenLDAP? If so, using olcAuthzRegexp would be a far more
> flexible way to handle this scenario. Within saslauthd's ldap config, use
> 'ldap_use_sasl' without specifying a search filter or base.
>
> Within slapd, your regex rules could perform a subtree search, or a simple
> string replacement for each domain. See
> http://www.openldap.org/doc/admin24/sasl.html and slapd-config(5).

I don't understand how this works.

ldap_use_sasl in saslauthd.conf tells saslauthd to contact OpenLDAP server
via sasl protocol directly. Is this correct?

And what happens then? How do saslauthd and slapd communicate and how is
authentication performed?

--
With kind regards,

Wiel

* W.K. Offermans
Powered by www.FreeBSD.org
Re: saslauthd and multiple dc levels
On 12/23/14 15:22 +0100, Gabriele Bulfon wrote:
> Hi,
> I recently stumbled upon this issue, where I can't find a solution.
> Same cyrus/sasl server, serving multiple 2 level domains (dc=domain,dc=com).
> Sasl configuration is like:
> ldap_search_base: ou=People,dc=%2,dc=%1
> ldap_filter: uid=%u
> Enter a new domain, but this time it's a 3 level one (dc=dpt,dc=domain,dc=com).
> Sasl configuration should be like:
> ldap_search_base: ou=People,dc=%3,dc=%2,dc=%1
> ldap_filter: uid=%u
> How can I let saslauthd support both configurations?

Is the server OpenLDAP? If so, using olcAuthzRegexp would be a far more
flexible way to handle this scenario. Within saslauthd's ldap config, use
'ldap_use_sasl' without specifying a search filter or base.

Within slapd, your regex rules could perform a subtree search, or a simple
string replacement for each domain. See
http://www.openldap.org/doc/admin24/sasl.html and slapd-config(5).

--
Dan White
Re: saslauthd and multiple dc levels
Dear Gabriele and Cyrus friends,

On Tue, Dec 23, 2014 at 03:22:18PM +0100, Gabriele Bulfon wrote:
> Hi,
> I recently stumbled upon this issue, where I can't find a solution.
> Same cyrus/sasl server, serving multiple 2 level domains (dc=domain,dc=com).
> Sasl configuration is like:
> ldap_search_base: ou=People,dc=%2,dc=%1
> ldap_filter: uid=%u
> Enter a new domain, but this time it's a 3 level one
> (dc=dpt,dc=domain,dc=com).
> Sasl configuration should be like:
> ldap_search_base: ou=People,dc=%3,dc=%2,dc=%1
> ldap_filter: uid=%u
> How can I let saslauthd support both configurations?
> Google didn't find an answer to this, just a lot of confused discussions.
> Any help? :)
> Gabriele.

What happens if you set

ldap_search_base: dc=%2,dc=%1
ldap_filter: uid=%u

? Also set

ldap_verbose: on

, to get more output. Maybe you need to play with

ldap_scope: sub

as well. All settings in your saslauthd.conf file.

--
With kind regards,

Wiel

* W.K. Offermans
Powered by www.FreeBSD.org
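What the templates in this thread expand to for a two-level and a three-level realm, as an added example that is not saslauthd's code and not part of anyone's post: a Python reimplementation of the %-token substitution saslauthd's LDAP backend applies to ldap_search_base and ldap_filter, plus RFC 4515 escaping of the user-supplied parts that end up inside the filter. Token meanings follow the LDAP_SASLAUTHD document shipped with Cyrus SASL; two details are assumptions of this example rather than documented behaviour: %d is treated the same as %r, and a label that does not exist for a shorter realm (%3 for domain.com) expands to the empty string. The logins in the demo are constructed.

```python
"""Expand the %-tokens saslauthd's LDAP backend substitutes into
ldap_search_base and ldap_filter, to see what each login actually searches.

Added example, not saslauthd's own code. Token meanings follow the
LDAP_SASLAUTHD document shipped with Cyrus SASL: %u the login name, %r the
realm, %1..%9 the realm's dot-separated labels counted from the right (%1 is
the top-level label), %% a literal percent. Two points are assumptions of
this example, not documented behaviour: %d is treated the same as %r, and a
label that does not exist (%3 for "domain.com") expands to "".
"""
import re

_TOKEN = re.compile(r"%([urd1-9%])")

# RFC 4515: these characters must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-controlled value so it cannot change the filter's shape."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_login(login: str, default_realm: str = "") -> tuple:
    """'bob@dpt.domain.com' -> ('bob', 'dpt.domain.com'); no '@' -> default realm."""
    user, sep, domain = login.partition("@")
    return user, (domain if sep else default_realm)


def expand(template: str, user: str, realm: str, escape: bool = False) -> str:
    """Substitute the saslauthd tokens in a search-base or filter template.

    With escape=True (use it for ldap_filter) every substituted value is
    RFC 4515 escaped; search bases are DNs, not filters, so they are not.
    """
    labels = realm.split(".") if realm else []

    def one(match):
        tok = match.group(1)
        if tok == "%":
            return "%"
        if tok == "u":
            value = user
        elif tok in "rd":
            value = realm
        else:                                   # %1..%9, counted from the right
            idx = int(tok)
            value = labels[-idx] if idx <= len(labels) else ""
        return escape_filter_value(value) if escape else value

    return _TOKEN.sub(one, template)


def plan_search(login: str, base_template: str, filter_template: str,
                default_realm: str = "") -> tuple:
    """(search base, filter) saslauthd would use for this login and config."""
    user, realm = split_login(login, default_realm)
    return expand(base_template, user, realm), expand(filter_template, user, realm, escape=True)


if __name__ == "__main__":
    two_level = "ou=People,dc=%2,dc=%1"
    three_level = "ou=People,dc=%3,dc=%2,dc=%1"
    common_root = "dc=%2,dc=%1"                 # pair with ldap_scope: sub
    for login in ("alice@domain.com", "bob@dpt.domain.com", "eve)(uid=*@domain.com"):
        for tmpl in (two_level, three_level, common_root):
            print(f"{login:24} {tmpl:32} -> {plan_search(login, tmpl, 'uid=%u')}")
```

Running it shows the mismatch Gabriele describes: the two-level template turns bob@dpt.domain.com into a search under dc=domain,dc=com that never reaches ou=People,dc=dpt, while the three-level template turns alice@domain.com into a DN with an empty component. The common-root base with a subtree scope resolves both, at the price that uid must be unique across the whole subtree; if two departments can both hold a "bob", saslauthd will find more than one entry and the filter needs a second attribute (for example the mail address) to disambiguate. The escaping in the last demo login is the reason %u must never be spliced raw into a filter.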
saslauthd and multiple dc levels
Hi,
I recently stumbled upon this issue, where I can't find a solution.

Same cyrus/sasl server, serving multiple 2 level domains (dc=domain,dc=com).
Sasl configuration is like:

ldap_search_base: ou=People,dc=%2,dc=%1
ldap_filter: uid=%u

Enter a new domain, but this time it's a 3 level one (dc=dpt,dc=domain,dc=com).
Sasl configuration should be like:

ldap_search_base: ou=People,dc=%3,dc=%2,dc=%1
ldap_filter: uid=%u

How can I let saslauthd support both configurations?
Google didn't find an answer to this, just a lot of confused discussions.

Any help? :)
Gabriele.
Re: saslauthd question
On Thu, 11 Dec 2014, Patrick Goetz wrote:
> On 12/11/2014 12:45 PM, Andrew Morgan wrote:
>> I only have PAM files for "imap", "lmtp", and "sieve"
>> although I have other service names for some of them.
>>
>
> I don't understand why you have PAM files for lmtp and sieve, but most
> particularly lmtp. lmtpd is just a local daemon that transfers stuff
> from your smtp server to cyrus. Are you running cyrus and smtpd on
> different servers? If so, what does the PAM lmtp configuration look like?
>
> I don't know anything about sieve, but thought the filters were all
> internal, too; hence not in need of authentication.

We have multiple smtp servers that accept incoming mail plus we run a Cyrus
Murder cluster. There is a lot of lmtp over the network happening. :)

The PAM configuration for lmtp, sieve, and imap is identical (auth against
LDAP).

Andy
Re: saslauthd question
> On 12/11/2014 12:45 PM, Andrew Morgan wrote:
>> I only have PAM files for "imap", "lmtp", and "sieve"
>> although I have other service names for some of them.
>>
>
> I don't understand why you have PAM files for lmtp and sieve, but most
> particularly lmtp. lmtpd is just a local daemon that transfers stuff
> from your smtp server to cyrus. Are you running cyrus and smtpd on
> different servers? If so, what does the PAM lmtp configuration look like?

If you do lmtp over the network, you may want to authenticate who can
deliver mails. Otherwise you can just use "lmtpd -a" if the environment is
considered secure.

> I don't know anything about sieve, but thought the filters were all
> internal, too; hence not in need of authentication.

Sieve rules have to be managed per user, and therefore you need
authentication. The server itself doesn't need to auth anything to run the
filters.

Regards,
Simon
Re: saslauthd question
On 12/11/2014 12:45 PM, Andrew Morgan wrote:
> I only have PAM files for "imap", "lmtp", and "sieve"
> although I have other service names for some of them.
>

I don't understand why you have PAM files for lmtp and sieve, but most
particularly lmtp. lmtpd is just a local daemon that transfers stuff from
your smtp server to cyrus. Are you running cyrus and smtpd on different
servers? If so, what does the PAM lmtp configuration look like?

I don't know anything about sieve, but thought the filters were all
internal, too; hence not in need of authentication.
Re: saslauthd question
On 12/11/14 12:34 -0600, Patrick Goetz wrote:
> Surely someone on this list will know the answer to this question.
>
> Given sasl_pwcheck_method: saslauthd, with authentication mechanism=pam
>
> I'm trying to track down how saslauthd knows that the cyrus PAM service
> file is called imap; i.e. /etc/pam.d/imap.
>
> Is this just built in? I can't find a configuration for it anywhere.

saslauthd receives the service name via the unix domain socket protocol
exchange - see the OVERVIEW section in saslauthd-main.c. The glue layer
(libsasl2) provides the service name to saslauthd based on what it's given
in the call to sasl_server_new (See the manpage).

Cyrus imapd hard codes the service names, and they are not configurable.
Grep through the cyrus imap source for that function call to determine
which pam file to configure for each service.

--
Dan White
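The mux exchange Dan describes, as an added example that is not code from Cyrus SASL, Cyrus IMAP or anyone on this list: a small Python client that speaks saslauthd's unix-socket protocol, with a toy daemon so the round trip runs offline. It also illustrates the build-path problem from the thread at the top of this page: the compiled-in socket directory comes from cyrus-sasl's configure (--with-saslauthd=DIR), not from cyrus-imapd, and the run-time override is libsasl's saslauthd_path option, spelled sasl_saslauthd_path in imapd.conf; connecting to a mux path that does not exist fails with the same ENOENT that imapd logs. The socket paths, account and service names in the demo are assumptions.

```python
"""Client for saslauthd's unix-socket ("mux") protocol, plus a toy daemon.

Added example, not Cyrus SASL or Cyrus IMAP code. Wire format as in the
OVERVIEW comment of saslauthd-main.c: the client sends four fields (login,
password, service, realm), each a 16-bit big-endian length followed by the
bytes; the daemon replies with one such field whose text starts with "OK"
or "NO". Paths, account and service names below are demo assumptions.
"""
import os
import socket
import struct
import tempfile
import threading

# Compiled-in default of a source build (cyrus-sasl's --with-saslauthd=DIR);
# Debian/Ubuntu packages use /var/run/saslauthd/mux. libsasl's saslauthd_path
# option (sasl_saslauthd_path in imapd.conf) overrides it at run time.
DEFAULT_MUX = "/var/state/saslauthd/mux"
FIELDS = ("login", "password", "service", "realm")

def _field(data: bytes) -> bytes:
    """One length-prefixed protocol field."""
    if len(data) > 0xFFFF:
        raise ValueError("saslauthd field longer than 65535 bytes")
    return struct.pack("!H", len(data)) + data

def encode_request(login: str, password: str, service: str, realm: str = "") -> bytes:
    """Serialise a request the way libsasl or testsaslauthd sends it."""
    return b"".join(_field(v.encode("utf-8")) for v in (login, password, service, realm))

def decode_request(blob: bytes) -> dict:
    """Parse a captured request back into its four fields; strict on lengths."""
    out, pos = {}, 0
    for name in FIELDS:
        if pos + 2 > len(blob):
            raise ValueError("truncated saslauthd request")
        (n,) = struct.unpack("!H", blob[pos:pos + 2])
        pos += 2
        if pos + n > len(blob):
            raise ValueError("truncated saslauthd request")
        out[name] = blob[pos:pos + n].decode("utf-8")
        pos += n
    if pos != len(blob):
        raise ValueError("trailing bytes after saslauthd request")
    return out

def parse_reply(field: bytes) -> tuple:
    """(ok, text) from the daemon's reply field, e.g. b'OK' or b'NO'."""
    text = field.decode("utf-8", "replace")
    return text.startswith("OK"), text

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("saslauthd closed the connection early")
        buf += chunk
    return buf

def _read_field(sock: socket.socket) -> bytes:
    (n,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, n)

def check_password(login, password, service="imap", realm="", mux_path=DEFAULT_MUX):
    """Ask saslauthd whether login/password is valid for `service`.

    `service` is what the app passed to sasl_server_new() ("imap", "lmtp",
    "sieve" in Cyrus); the PAM backend maps it to /etc/pam.d/<service>. A wrong
    mux_path raises FileNotFoundError, the ENOENT behind imapd's "SASL cannot
    connect to saslauthd server: No such file or directory".
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(mux_path)
        s.sendall(encode_request(login, password, service, realm))
        return parse_reply(_read_field(s))

def serve_once(mux_path: str, accounts: dict, ready: threading.Event) -> None:
    """Toy stand-in for saslauthd that answers exactly one request (demo only)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(mux_path)
        srv.listen(1)
        ready.set()
        conn, _ = srv.accept()
        with conn:
            req = dict(zip(FIELDS, (_read_field(conn).decode("utf-8") for _ in FIELDS)))
            ok = accounts.get(req["login"]) == req["password"]
            conn.sendall(_field(b"OK" if ok else b"NO"))

if __name__ == "__main__":
    mux = os.path.join(tempfile.mkdtemp(), "mux")
    ready = threading.Event()
    t = threading.Thread(target=serve_once, args=(mux, {"bob": "s3cret"}, ready))
    t.start()
    ready.wait()
    print("daemon at", mux, "->", check_password("bob", "s3cret", "imap", mux_path=mux))
    t.join()
    try:   # what imapd hits when its compiled-in path is not where the daemon listens
        check_password("bob", "s3cret", "imap", mux_path=mux + ".missing")
    except FileNotFoundError as exc:
        print("wrong mux path ->", exc)
```

Two things worth noticing when comparing this with a real deployment: the password crosses the mux in the clear, which is why the socket directory is normally root-owned with mode 0710 or similar and the daemon reached only by local processes; and the service string is the only thing that selects the PAM stack, so a host running imapd, lmtpd and timsieved against saslauthd with the PAM backend needs /etc/pam.d/imap, /etc/pam.d/lmtp and /etc/pam.d/sieve regardless of how the services are named in cyrus.conf, exactly as Andy found.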
Re: saslauthd question
On Thu, 11 Dec 2014, Patrick Boutilier wrote:
> On 12/11/2014 02:34 PM, Patrick Goetz wrote:
>> Surely someone on this list will know the answer to this question.
>>
>> Given sasl_pwcheck_method: saslauthd, with authentication mechanism=pam
>>
>> I'm trying to track down how saslauthd knows that the cyrus PAM service
>> file is called imap; i.e. /etc/pam.d/imap.
>>
>> Is this just built in? I can't find a configuration for it anywhere.
>
> Hardcoded in imapd.c
>
> if (sasl_server_new("imap", config_servername

I thought the PAM name was taken from the service name in /etc/cyr us.conf,
but my own configuration seems to indicate that it must be hardcoded for
each service. I only have PAM files for "imap", "lmtp", and "sieve" although
I have other service names for some of them.

I guess it's just the imapd.conf config variables that are allowed to be
prefixed with the service name.

Andy
Re: saslauthd question
On 12/11/2014 02:34 PM, Patrick Goetz wrote:
> Surely someone on this list will know the answer to this question.
>
> Given sasl_pwcheck_method: saslauthd, with authentication mechanism=pam
>
> I'm trying to track down how saslauthd knows that the cyrus PAM service
> file is called imap; i.e. /etc/pam.d/imap.
>
> Is this just built in? I can't find a configuration for it anywhere.

Hardcoded in imapd.c

if (sasl_server_new("imap", config_servername
saslauthd question
Surely someone on this list will know the answer to this question.

Given sasl_pwcheck_method: saslauthd, with authentication mechanism=pam

I'm trying to track down how saslauthd knows that the cyrus PAM service
file is called imap; i.e. /etc/pam.d/imap.

Is this just built in? I can't find a configuration for it anywhere.
Re: saslauthd with openldap
On 19-04-13 14:06, Marc Patermann wrote:
> Paul,
>
> Paul van der Vlis wrote (19.04.2013 11:58):
>
>> I am trying to get saslauthd working
> While this is not IMAPd related, why don't you try a SASL list?

I am not a member of it. I have tried to post to it via Gmane but my mail
was refused...

>> to authenticate on openLDAP with
>> passwords stored with a MD5 hash (base64 encoded) in the field
>> UserPassword. The passwords are created with smb-ldap so I think it's
>> normal that they are base64 encoded.
> Is SASL auxprop ldapdb not an option for you?

I am a Cyrus user for about 10 years, and I have always used saslauthd. Most
of the time using PAM, but sometimes LDAP to Microsoft AD and to Novell. But
I have never authenticated to OpenLDAP before.

>> "testsaslauthd -u mailtest -p secret" gives always "authentication
>> failed". In auth.log I see always: "Bind failed".
>>
>> I've tried many options in saslauthd.conf, at the moment it's this:
>>
>> ldap_servers: ldap://192.168.28.240/
>> ldap_auth_method: custom
>> ldap_bind_dn: uid=admin,dc=domain,dc=local
>> ldap_bind_pw: secret
>> ldap_search_base: ou=Users,dc=domain,dc=local
>> ldap_filter: cn=%u
>>
> what does
> # ldapsearch -H ldap://192.168.28.240/ -x -D uid=admin,dc=domain,dc=local -w secret -B ou=Users,dc=domain,dc=local cn=oneOfYourUsernames
> for you?

It first gave an error because -B has to be -b; after changing it, it says
"ldap_bind: Invalid credentials (49)". H.

But because I had another working ldapsearch string, I looked at the
differences and I found the solution!

This was wrong:
ldap_bind_dn: uid=admin,dc=domain,dc=local

This is right:
ldap_bind_dn: cn=admin,dc=domain,dc=local

Many thanks for your help!

>> I am using cyrus-sasl2 version 2.1.25.dfsg1-6 from Debian Wheezy.
>> LDAP is on an old machine (Ubuntu 8.04, slapd version 2.4.7).
> FYI: For a production use LDAP server it is best advice from the
> openldap developers to use the latest version, which is 2.4.35.

This is an environment that should be replaced but that has been in
production for many years and for many people. I am only hired for the
mailserver..

With regards,
Paul van der Vlis.

--
Paul van der Vlis Linux system administration, Groningen
http://www.vandervlis.nl
Re: saslauthd with openldap
Paul,

Paul van der Vlis schrieb (19.04.2013 11:58 Uhr):
> I am trying to get saslauthd working
While this is not IMAPd related, why don't you try a SASL list?

> to authenticate on openLDAP with
> passwords stored with a MD5 hash (base64 encoded) in the field
> UserPassword. The passwords are created with smb-ldap so I think it's
> normal that they are base64 encoded.
Is SASL auxprop ldapdb not an option for you?

> "testsaslauthd -u mailtest -p secret" gives always "authentication
> failed". In auth.log I see always: "Bind failed".
>
> I've tried many options in saslauthd.conf, at the moment it's this:
>
> ldap_servers: ldap://192.168.28.240/
> ldap_auth_method: custom
> ldap_bind_dn: uid=admin,dc=domain,dc=local
> ldap_bind_pw: secret
> ldap_search_base: ou=Users,dc=domain,dc=local
> ldap_filter: cn=%u
>
what does

# ldapsearch -H ldap://192.168.28.240/ -x -D uid=admin,dc=domain,dc=local -w secret -B ou=Users,dc=domain,dc=local cn=oneOfYourUsernames

for you?

> I am using cyrus-sasl2 version 2.1.25.dfsg1-6 from Debian Wheezy.
> LDAP is on an old machine (Ubuntu 8.04, slapd version 2.4.7).
FYI: For a production use LDAP server it is best advice from the openldap developers to use the latest version, which is 2.4.35.

Marc
saslauthd with openldap
Hello,

I am trying to get saslauthd working to authenticate on openLDAP with passwords stored with a MD5 hash (base64 encoded) in the field UserPassword. The passwords are created with smb-ldap so I think it's normal that they are base64 encoded.

"testsaslauthd -u mailtest -p secret" gives always "authentication failed". In auth.log I see always: "Bind failed".

I've tried many options in saslauthd.conf, at the moment it's this:

ldap_servers: ldap://192.168.28.240/
ldap_auth_method: custom
ldap_bind_dn: uid=admin,dc=domain,dc=local
ldap_bind_pw: secret
ldap_search_base: ou=Users,dc=domain,dc=local
ldap_filter: cn=%u

I am using cyrus-sasl2 version 2.1.25.dfsg1-6 from Debian Wheezy. LDAP is on an old machine (Ubuntu 8.04, slapd version 2.4.7).

With regards,
Paul van der Vlis.

-- 
Paul van der Vlis Linux systeembeheer, Groningen
http://www.vandervlis.nl
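Added example for this thread (not code from the list, from Cyrus SASL, or from saslauthd's lak.c): an offline sanity check of the saslauthd.conf LDAP section shown above. It parses the file, flags missing keys and malformed DNs, substitutes the login into ldap_filter the way saslauthd's %u/%r placeholders work (other placeholders exist and are not modelled), and prints the ldapsearch command that reproduces the lookup with the base given as -b (Marc's line used -B, which Paul had to change). The RFC 4515 escaping of the login is this example's own precaution before putting user input into a filter; the bind DN spelling that actually broke here (uid= vs cn=) can only be confirmed by a live bind, which is what the generated ldapsearch is for.

```python
"""Added example: check a saslauthd.conf LDAP section offline and build the
equivalent ldapsearch. Constructed input mirrors the values in the thread."""
import re
import shlex

# Constructed saslauthd.conf with the thread's (wrong) bind DN.
SASLAUTHD_CONF = """\
ldap_servers: ldap://192.168.28.240/
ldap_auth_method: custom
ldap_bind_dn: uid=admin,dc=domain,dc=local
ldap_bind_pw: secret
ldap_search_base: ou=Users,dc=domain,dc=local
ldap_filter: cn=%u
"""

REQUIRED = ("ldap_servers", "ldap_search_base", "ldap_filter")
# One RDN per comma-separated component: attr=value (RFC 4514, simplified).
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")


def parse_conf(text):
    """saslauthd.conf is 'key: value' per line; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf


def escape_filter_value(value):
    """RFC 4515 escaping so a login like 'x)(cn=*' cannot rewrite the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def expand_filter(template, user, realm=""):
    """Substitute saslauthd's %u (login) and %r (realm) placeholders, escaped."""
    values = {"%u": escape_filter_value(user), "%r": escape_filter_value(realm)}
    return re.sub(r"%[ur]", lambda m: values[m.group(0)], template)


def check_conf(conf):
    """Problems detectable without talking to the directory."""
    problems = []
    for key in REQUIRED:
        if key not in conf:
            problems.append("missing %s" % key)
    for key in ("ldap_bind_dn", "ldap_search_base"):
        dn = conf.get(key)
        if dn is not None and not all(_RDN_RE.match(rdn.strip()) for rdn in dn.split(",")):
            problems.append("%s is not a well-formed DN: %r" % (key, dn))
    filt = conf.get("ldap_filter", "")
    if "%u" not in filt and "%U" not in filt:
        problems.append("ldap_filter never references the login (%u)")
    return problems


def ldapsearch_command(conf, user, realm=""):
    """The ldapsearch that performs the same bind and search as saslauthd would
    (ldapsearch takes the search base as -b; there is no -B option)."""
    argv = ["ldapsearch", "-x", "-H", conf["ldap_servers"], "-b", conf["ldap_search_base"]]
    if "ldap_bind_dn" in conf:
        argv += ["-D", conf["ldap_bind_dn"], "-w", conf.get("ldap_bind_pw", "")]
    argv.append(expand_filter(conf["ldap_filter"], user, realm))
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    conf = parse_conf(SASLAUTHD_CONF)
    print(check_conf(conf) or "no offline problems found")
    print(ldapsearch_command(conf, "mailtest"))
```

If the printed ldapsearch returns "Invalid credentials (49)" the bind DN or password is wrong, which is exactly what the "Bind failed" line in auth.log was reporting; if the bind succeeds but no entry comes back, the filter or search base is wrong. With ldap_auth_method: custom, saslauthd searches with the bind DN and compares the stored userPassword hash itself, so that DN must also be allowed to read userPassword.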
Re: saslauthd cache / cyrus-imap and several passwords per login
On 01/28/2013 09:46 PM, Patrick Boutilier wrote:
On 01/28/2013 09:39 PM, Andrew Morgan wrote:
On Mon, 28 Jan 2013, Patrick Boutilier wrote:
On 01/27/2013 09:03 PM, Andrew Morgan wrote:
On Sat, 5 Jan 2013, Patrick Lamaiziere wrote:

Hello,

We use cyrus-imapd on Centos 6 at work and I've got the following issue on authentication:

Users can login via a mailer (imap/pop) or use a webmail (horde). The webmail uses a SSO-CAS and horde uses a CAS token to log in cyrus-imap. As the CAS tokens are one-time tokens they must be cached by saslauthd.

For this we use PAM with saslauthd and 3 PAM modules. pam_cas checks if the password is a valid CAS token, then we try ldap and then a local account.

cyrus-imap -> saslauthd (cache) -> PAM (pam_cas, pam_ldap, pam_unix)

That works fine.

The problem is: when a user uses the webmail and uses also a mailer (using imap), saslauthd will remove the CAS token previously cached when the mailer connects. So the webmail is disconnected.

There is a patch to allow saslauthd to cache several passwords for one login but I would like to avoid this.

As far as I can see, the cache depends on the service used (ie if I connect via pop, the imap password is not cleared from the saslauthd cache).

So I'm asking if there is a way to introduce another "service" on cyrus-imap that will be used by the webmail (on another port than 143). I mean a service in the saslauthd / PAM way (the parameter '-s' in testsaslauthd: imap, pop, sieve).

I don't know where to start. Is there a way to achieve this?
Thanks, best regards.

Sorry I have taken so long to respond. I saw this message a while ago but I didn't have time to reply then. It doesn't look like anyone else has responded according to the list archives.

You can easily run multiple Cyrus imapd processes with different service names. In your cyrus.conf, make a copy of your "imap" service and name it something like "imap_webmail", listening on a different port. Then make a /etc/pam.d/imap_webmail file with your desired PAM config.

I just gave the above a try since I currently modify the source to force which pam service the imapd binary calls but this entry still calls /etc/pam.d/imap instead of /etc/pam.d/imaptest

imaptest cmd="imapd" listen="imaptest"

imaptest is in /etc/services on port 146

Well shoot, it looks like the SASL service name is hard-coded in imapd.c:

    /* create the SASL connection */
    if (sasl_server_new("imap", config_servername, NULL, NULL, NULL, NULL, 0, &imapd_saslconn) != SASL_OK) {
        fatal("SASL failed initializing: sasl_server_new()", EC_TEMPFAIL);
    }

It would be nice if there was a way to override this somehow... Perhaps file a bug on the bugzilla!

Yup, that is the code I modify. :-) I think I will file an enhancement bug.

https://bugzilla.cyrusimap.org/show_bug.cgi?id=3767

Andy
Re: saslauthd cache / cyrus-imap and several passwords per login
On 01/28/2013 09:39 PM, Andrew Morgan wrote:
On Mon, 28 Jan 2013, Patrick Boutilier wrote:
On 01/27/2013 09:03 PM, Andrew Morgan wrote:
On Sat, 5 Jan 2013, Patrick Lamaiziere wrote:

Hello,

We use cyrus-imapd on Centos 6 at work and I've got the following issue on authentication:

Users can login via a mailer (imap/pop) or use a webmail (horde). The webmail uses a SSO-CAS and horde uses a CAS token to log in cyrus-imap. As the CAS tokens are one-time tokens they must be cached by saslauthd.

For this we use PAM with saslauthd and 3 PAM modules. pam_cas checks if the password is a valid CAS token, then we try ldap and then a local account.

cyrus-imap -> saslauthd (cache) -> PAM (pam_cas, pam_ldap, pam_unix)

That works fine.

The problem is: when a user uses the webmail and uses also a mailer (using imap), saslauthd will remove the CAS token previously cached when the mailer connects. So the webmail is disconnected.

There is a patch to allow saslauthd to cache several passwords for one login but I would like to avoid this.

As far as I can see, the cache depends on the service used (ie if I connect via pop, the imap password is not cleared from the saslauthd cache).

So I'm asking if there is a way to introduce another "service" on cyrus-imap that will be used by the webmail (on another port than 143). I mean a service in the saslauthd / PAM way (the parameter '-s' in testsaslauthd: imap, pop, sieve).

I don't know where to start. Is there a way to achieve this?
Thanks, best regards.

Sorry I have taken so long to respond. I saw this message a while ago but I didn't have time to reply then. It doesn't look like anyone else has responded according to the list archives.

You can easily run multiple Cyrus imapd processes with different service names. In your cyrus.conf, make a copy of your "imap" service and name it something like "imap_webmail", listening on a different port. Then make a /etc/pam.d/imap_webmail file with your desired PAM config.

I just gave the above a try since I currently modify the source to force which pam service the imapd binary calls but this entry still calls /etc/pam.d/imap instead of /etc/pam.d/imaptest

imaptest cmd="imapd" listen="imaptest"

imaptest is in /etc/services on port 146

Well shoot, it looks like the SASL service name is hard-coded in imapd.c:

    /* create the SASL connection */
    if (sasl_server_new("imap", config_servername, NULL, NULL, NULL, NULL, 0, &imapd_saslconn) != SASL_OK) {
        fatal("SASL failed initializing: sasl_server_new()", EC_TEMPFAIL);
    }

It would be nice if there was a way to override this somehow... Perhaps file a bug on the bugzilla!

Yup, that is the code I modify. :-) I think I will file an enhancement bug.

Andy
Re: saslauthd cache / cyrus-imap and several passwords per login
On Mon, 28 Jan 2013, Patrick Boutilier wrote:
> On 01/27/2013 09:03 PM, Andrew Morgan wrote:
>> On Sat, 5 Jan 2013, Patrick Lamaiziere wrote:
>>
>>> Hello,
>>>
>>> We use cyrus-imapd on Centos 6 at work and I've got the following issue
>>> on authentication:
>>>
>>> Users can login via a mailer (imap/pop) or use a webmail (horde). The
>>> webmail uses a SSO-CAS and horde uses a CAS token to log in
>>> cyrus-imap. As the CAS tokens are one-time tokens they must be
>>> cached by saslauthd.
>>>
>>> For this we use PAM with saslauthd and 3 PAM modules. pam_cas checks if
>>> the password is a valid CAS token, then we try ldap and then a local
>>> account.
>>>
>>> cyrus-imap -> saslauthd (cache) -> PAM (pam_cas, pam_ldap, pam_unix)
>>>
>>> That works fine.
>>>
>>> The problem is: when a user uses the webmail and uses also a mailer
>>> (using imap), saslauthd will remove the CAS token previously cached when
>>> the mailer connects. So the webmail is disconnected.
>>>
>>> There is a patch to allow saslauthd to cache several passwords for one
>>> login but I would like to avoid this.
>>>
>>> As far as I can see, the cache depends on the service used (ie if I
>>> connect via pop, the imap password is not cleared from the
>>> saslauthd cache).
>>>
>>> So I'm asking if there is a way to introduce another "service" on
>>> cyrus-imap that will be used by the webmail (on another port than 143).
>>> I mean a service in the saslauthd / PAM way (the parameter '-s' in
>>> testsaslauthd: imap, pop, sieve).
>>>
>>> I don't know where to start. Is there a way to achieve this?
>>> Thanks, best regards.
>>
>> Sorry I have taken so long to respond. I saw this message a while ago but
>> I didn't have time to reply then. It doesn't look like anyone else has
>> responded according to the list archives.
>>
>> You can easily run multiple Cyrus imapd processes with different service
>> names. In your cyrus.conf, make a copy of your "imap" service and name it
>> something like "imap_webmail", listening on a different port. Then make a
>> /etc/pam.d/imap_webmail file with your desired PAM config.
>
>
> I just gave the above a try since I currently modify the source to force
> which pam service the imapd binary calls but this entry still calls
> /etc/pam.d/imap instead of /etc/pam.d/imaptest
>
>
> imaptest cmd="imapd" listen="imaptest"
>
>
> imaptest is in /etc/services on port 146

Well shoot, it looks like the SASL service name is hard-coded in imapd.c:

    /* create the SASL connection */
    if (sasl_server_new("imap", config_servername, NULL, NULL, NULL, NULL, 0, &imapd_saslconn) != SASL_OK) {
        fatal("SASL failed initializing: sasl_server_new()", EC_TEMPFAIL);
    }

It would be nice if there was a way to override this somehow... Perhaps file a bug on the bugzilla!

Andy
Re: saslauthd cache / cyrus-imap and several passwords per login
On 01/27/2013 09:03 PM, Andrew Morgan wrote:
On Sat, 5 Jan 2013, Patrick Lamaiziere wrote:

Hello,

We use cyrus-imapd on Centos 6 at work and I've got the following issue on authentication:

Users can login via a mailer (imap/pop) or use a webmail (horde). The webmail uses a SSO-CAS and horde uses a CAS token to log in cyrus-imap. As the CAS tokens are one-time tokens they must be cached by saslauthd.

For this we use PAM with saslauthd and 3 PAM modules. pam_cas checks if the password is a valid CAS token, then we try ldap and then a local account.

cyrus-imap -> saslauthd (cache) -> PAM (pam_cas, pam_ldap, pam_unix)

That works fine.

The problem is: when a user uses the webmail and uses also a mailer (using imap), saslauthd will remove the CAS token previously cached when the mailer connects. So the webmail is disconnected.

There is a patch to allow saslauthd to cache several passwords for one login but I would like to avoid this.

As far as I can see, the cache depends on the service used (ie if I connect via pop, the imap password is not cleared from the saslauthd cache).

So I'm asking if there is a way to introduce another "service" on cyrus-imap that will be used by the webmail (on another port than 143). I mean a service in the saslauthd / PAM way (the parameter '-s' in testsaslauthd: imap, pop, sieve).

I don't know where to start. Is there a way to achieve this?
Thanks, best regards.

Sorry I have taken so long to respond. I saw this message a while ago but I didn't have time to reply then. It doesn't look like anyone else has responded according to the list archives.

You can easily run multiple Cyrus imapd processes with different service names. In your cyrus.conf, make a copy of your "imap" service and name it something like "imap_webmail", listening on a different port. Then make a /etc/pam.d/imap_webmail file with your desired PAM config.

I just gave the above a try since I currently modify the source to force which pam service the imapd binary calls but this entry still calls /etc/pam.d/imap instead of /etc/pam.d/imaptest

imaptest cmd="imapd" listen="imaptest"

imaptest is in /etc/services on port 146

Another idea, which *might* work, is to run an imap proxy for your Horde instance. We do that here. That way, from Cyrus' perspective, Horde only logs in once so it shouldn't matter if the CAS token is single-use because there is only one authentication attempt. I haven't tried this, so I'm not sure if you would see odd behavior if the proxied connection times out or something.

Just a thought! Good luck.

Andy
Re: saslauthd cache / cyrus-imap and several passwords per login
On Sat, 5 Jan 2013, Patrick Lamaiziere wrote:
> Hello,
>
> We use cyrus-imapd on Centos 6 at work and I've got the following issue
> on authentication:
>
> Users can login via a mailer (imap/pop) or use a webmail (horde). The
> webmail uses a SSO-CAS and horde uses a CAS token to log in
> cyrus-imap. As the CAS tokens are one-time tokens they must be
> cached by saslauthd.
>
> For this we use PAM with saslauthd and 3 PAM modules. pam_cas checks if
> the password is a valid CAS token, then we try ldap and then a local
> account.
>
> cyrus-imap -> saslauthd (cache) -> PAM (pam_cas, pam_ldap, pam_unix)
>
> That works fine.
>
> The problem is: when a user uses the webmail and uses also a mailer
> (using imap), saslauthd will remove the CAS token previously cached when
> the mailer connects. So the webmail is disconnected.
>
> There is a patch to allow saslauthd to cache several passwords for one
> login but I would like to avoid this.
>
> As far as I can see, the cache depends on the service used (ie if I
> connect via pop, the imap password is not cleared from the
> saslauthd cache).
>
> So I'm asking if there is a way to introduce another "service" on
> cyrus-imap that will be used by the webmail (on another port than 143).
> I mean a service in the saslauthd / PAM way (the parameter '-s' in
> testsaslauthd: imap, pop, sieve).
>
> I don't know where to start. Is there a way to achieve this?
> Thanks, best regards.

Sorry I have taken so long to respond. I saw this message a while ago but I didn't have time to reply then. It doesn't look like anyone else has responded according to the list archives.

You can easily run multiple Cyrus imapd processes with different service names. In your cyrus.conf, make a copy of your "imap" service and name it something like "imap_webmail", listening on a different port. Then make a /etc/pam.d/imap_webmail file with your desired PAM config.

Another idea, which *might* work, is to run an imap proxy for your Horde instance. We do that here. That way, from Cyrus' perspective, Horde only logs in once so it shouldn't matter if the CAS token is single-use because there is only one authentication attempt. I haven't tried this, so I'm not sure if you would see odd behavior if the proxied connection times out or something.

Just a thought! Good luck.

Andy
saslauthd cache / cyrus-imap and several passwords per login
Hello,

We use cyrus-imapd on Centos 6 at work and I've got the following issue on authentication:

Users can login via a mailer (imap/pop) or use a webmail (horde). The webmail uses a SSO-CAS and horde uses a CAS token to log in cyrus-imap. As the CAS tokens are one-time tokens they must be cached by saslauthd.

For this we use PAM with saslauthd and 3 PAM modules. pam_cas checks if the password is a valid CAS token, then we try ldap and then a local account.

cyrus-imap -> saslauthd (cache) -> PAM (pam_cas, pam_ldap, pam_unix)

That works fine.

The problem is: when a user uses the webmail and uses also a mailer (using imap), saslauthd will remove the CAS token previously cached when the mailer connects. So the webmail is disconnected.

There is a patch to allow saslauthd to cache several passwords for one login but I would like to avoid this.

As far as I can see, the cache depends on the service used (ie if I connect via pop, the imap password is not cleared from the saslauthd cache).

So I'm asking if there is a way to introduce another "service" on cyrus-imap that will be used by the webmail (on another port than 143). I mean a service in the saslauthd / PAM way (the parameter '-s' in testsaslauthd: imap, pop, sieve).

I don't know where to start. Is there a way to achieve this?
Thanks, best regards.
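Added example for this thread (constructed; not saslauthd's cache code and not anything posted on the list): a small model of the cache behaviour Patrick describes, one cached credential per (service, user, realm) that is replaced whenever the backend accepts a different secret for the same key, run through the exact sequence that disconnects the webmail. The backend stands in for the PAM stack (pam_cas consuming a one-time ticket, then a static password); the ticket value, user name and password are made up. The scenario is run once with the webmail on the shared "imap" service name and once on a separate one, which is the distinction Andrew's cyrus.conf suggestion and the hard-coded sasl_server_new("imap", ...) in imapd.c turn on.

```python
"""Added example: why a single cached credential per (service, user, realm)
loses a one-time CAS ticket, and why a second service name keeps it."""
import hashlib
import hmac
import os


class Backend:
    """Stand-in for PAM: one-time tickets (pam_cas) then a static password (pam_unix)."""

    def __init__(self, password, tickets):
        self.password = password
        self.unused_tickets = set(tickets)
        self.calls = 0

    def check(self, user, secret):
        self.calls += 1
        if secret in self.unused_tickets:
            self.unused_tickets.remove(secret)  # a CAS ticket validates exactly once
            return True
        return hmac.compare_digest(secret, self.password)


class CredCache:
    """Keyed on (service, user, realm); holds a salted hash of the last secret the
    backend accepted. A hit skips the backend; a backend success replaces the entry."""

    def __init__(self, backend):
        self.backend = backend
        self.entries = {}
        self.salt = os.urandom(16)  # per-process salt, like a cache that dies with the daemon

    def _digest(self, secret):
        return hashlib.sha256(self.salt + secret.encode("utf-8")).digest()

    def authenticate(self, service, user, realm, secret):
        key = (service, user, realm)
        cached = self.entries.get(key)
        if cached is not None and hmac.compare_digest(cached, self._digest(secret)):
            return True
        if self.backend.check(user, secret):
            self.entries[key] = self._digest(secret)  # overwrites the previous secret
            return True
        return False


def scenario(webmail_service):
    """Webmail logs in with its ticket, the mailer logs in with the password on
    'imap', then the webmail reconnects with the same ticket.
    Returns (reconnect succeeded, number of backend calls)."""
    backend = Backend("p4ss", {"ST-123"})  # constructed credentials
    cache = CredCache(backend)
    assert cache.authenticate(webmail_service, "alice", "", "ST-123")
    assert cache.authenticate("imap", "alice", "", "p4ss")
    reconnect_ok = cache.authenticate(webmail_service, "alice", "", "ST-123")
    return reconnect_ok, backend.calls


if __name__ == "__main__":
    print("shared service 'imap':     ", scenario("imap"))
    print("separate 'imap_webmail':   ", scenario("imap_webmail"))
```

With the shared name the mailer's login overwrites the ticket entry and the webmail's reconnect goes back to the backend, where the ticket is already spent. With a second service name the two entries coexist and the reconnect is served from the cache. The same key also explains Patrick's observation that a pop login does not disturb the imap entry.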
Re: ldap auth through saslauthd through cyrus
Hello,

> i am assuming that you are running saslauthd with the -r argument --
> something like:
>
> saslauthd -a ldap -O/etc/saslauthd.conf -r

actually I did not, but thanks for pointing me on that!

I noticed before in /var/log/auth, that username and realm have been split, so that the username didn't contain the full email address and thus the LDAP lookup failed:

saslauthd[19326]: Entry not found ((cn=userpart)).
saslauthd[19326]: Authentication failed for userpart/domain.com: User not found (-6)
saslauthd[19326]: do_auth : auth failure: [user=userpart] [service=imap] [realm=domain.com] [mech=ldap] [reason=Unknown]

But I thought that it is an issue how cyrus passes the values to saslauthd but actually it depends on how saslauthd treats the values it receives. So the -r parameter was just right:

"Combine the realm with the login (with an '@' sign in between). e.g. login: "foo" realm: "bar" will get passed as login: "foo@bar". Note that the realm will still be passed, which may lead to unexpected behaviour."

Thanks!

Kind regards
Marten
Re: ldap auth through saslauthd through cyrus
On Tue, 2012-01-03 at 22:22 +0100, Marten Lehmann wrote:
>
> But logging in through POP3 results in this line in syslog:
>
> cyrus/pop3[20085]: badlogin: [10.0.1.71] plaintext userp...@domain.com
> SASL(-13): authentication failure: checkpass failed

hi marten,

i am assuming that you are running saslauthd with the -r argument -- something like:

saslauthd -a ldap -O/etc/saslauthd.conf -r

i usually run saslauthd in the foreground so i can watch what is going on ...

cheers

m
ldap auth through saslauthd through cyrus
Hello,

I have a working installation of cyrus-imapd-2.3.7 on CentOS 5 and now I'm trying to apply the configuration to 2.4.9 on Ubuntu 11.10. I have a setup with virtualdomains, ie. I'm using userp...@domain.com to login.

Tests with testsaslauthd like

testsaslauthd -u userp...@domain.com -p 123456

work fine:

0: OK "Success."

But logging in through POP3 results in this line in syslog:

cyrus/pop3[20085]: badlogin: [10.0.1.71] plaintext userp...@domain.com SASL(-13): authentication failure: checkpass failed

I'm using cleartext logins and the important parts of imapd.conf look like this:

allowapop: no
sasl_mech_list: PLAIN
virtdomains: userid
sasl_pwcheck_method: saslauthd

How can I get more verbose output? Is there a separate saslauthd logfile so I can see what cyrus is actually sending to it? I'm afraid cyrus doesn't use the full email address to login but just "userpart". But how can I check or fix that? I can under no circumstances specify thousands of domains as allowed realms.

Kind regards
Marten
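Added example for this thread (not from the list or from Cyrus SASL): detection logic for the symptom Marten eventually found in /var/log/auth, run over constructed log lines in the shape of the ones he quoted. A "do_auth : auth failure" line whose [realm=...] is set while [user=...] carries no domain means the login reached the LDAP backend without the domain part, so a filter like cn=%u keyed on the full address can never match. The second half models what the thread's log shows Cyrus doing with virtdomains: userid (user@domain handed over as login plus realm) and what the -r flag changes, per the saslauthd man page text quoted above; the field names and the join with "@" are taken from the thread, everything else is this example's assumption.

```python
"""Added example: find the 'login lost its domain' symptom in saslauthd log
lines and show the login string the backend sees with and without -r."""
import re

# Constructed log lines in the shape quoted in the thread; values are made up.
LOG_LINES = [
    "saslauthd[19326]: do_auth : auth failure: [user=userpart] [service=imap] "
    "[realm=domain.com] [mech=ldap] [reason=Unknown]",
    "saslauthd[19326]: do_auth : auth failure: [user=alice@example.org] [service=pop] "
    "[realm=example.org] [mech=ldap] [reason=Unknown]",
    "saslauthd[19330]: do_auth : auth failure: [user=bob] [service=imap] "
    "[realm=] [mech=pam] [reason=PAM auth error]",
]

_FIELD_RE = re.compile(r"\[([a-z]+)=([^\]]*)\]")


def parse_auth_failure(line):
    """Return the [key=value] fields of a 'do_auth : auth failure' line, else None."""
    if "do_auth : auth failure:" not in line:
        return None
    return dict(_FIELD_RE.findall(line))


def realm_split_symptom(fields):
    """True when a realm was supplied but the login no longer carries its domain:
    an ldap_filter keyed on the full address (cn=%u) can then never match."""
    return bool(fields.get("realm")) and "@" not in fields.get("user", "")


def suspect_logins(lines):
    """(user, realm) pairs from the log that look like the missing -r case."""
    found = []
    for line in lines:
        fields = parse_auth_failure(line)
        if fields and realm_split_symptom(fields):
            found.append((fields["user"], fields["realm"]))
    return found


def split_login(login):
    """What the thread's log shows Cyrus doing with virtdomains: userid."""
    user, _, realm = login.partition("@")
    return user, realm


def backend_login(user, realm, combine_realm):
    """Login string the saslauthd backend sees; combine_realm models the -r flag,
    which re-joins login and realm with '@' (the realm is still passed alongside)."""
    if combine_realm and realm:
        return "%s@%s" % (user, realm)
    return user


if __name__ == "__main__":
    print("suspect:", suspect_logins(LOG_LINES))
    user, realm = split_login("userpart@domain.com")
    print("without -r:", backend_login(user, realm, False))
    print("with -r:   ", backend_login(user, realm, True))
```

Only the first constructed line is flagged: the second already carries a full address in [user=...], and the third has no realm at all, so neither is the -r problem.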
Re: New 2.4.10 install - authentication problems with saslauthd
On 06/08/11 11:44 +0100, John wrote:
>On 05/08/11 22:32, Dan White wrote:
>>Does your cyrus user have permissions to access the saslauthd mux?
>>
>>Try running your testsaslauthd command as your cyrus user... I'm assuming
>>that during testing you were using root, or another account.
>>
>Aha! Thank you so much. I had checked the permissions on
>/var/run/saslauthd/mux and they were 777 and also the directory
>/var/run/saslauthd which had 766. I assumed that these were
>sufficient but I just changed the directory also to 777 and all works
>well.
>
>However I am not sure 777 is the right way to sort the problem. I've
>looked in the sasl documentation and can find nothing at all
>regarding the entitlements of /var/run/saslauthd. Is there any
>guidance on how the entitlement should be given? I would have
>expected to need some kind of group entitlement to be given to sasl
>users? Or is 777 ok?
>
>At least it's now working so I appreciate your help with that.

A common approach is to have 777 on your mux, and then 710 on your /var/run/saslauthd, with ownership of 'root:sasl'. Add any users who need access to the saslauthd mux to the sasl group.

-- 
Dan White
Re: New 2.4.10 install - authentication problems with saslauthd
On 05/08/11 22:32, Dan White wrote:
> Does your cyrus user have permissions to access the saslauthd mux?
>
> Try running your testsaslauthd command as your cyrus user... I'm assuming
> that during testing you were using root, or another account.
>

Aha! Thank you so much. I had checked the permissions on /var/run/saslauthd/mux and they were 777 and also the directory /var/run/saslauthd which had 766. I assumed that these were sufficient but I just changed the directory also to 777 and all works well.

However I am not sure 777 is the right way to sort the problem. I've looked in the sasl documentation and can find nothing at all regarding the entitlements of /var/run/saslauthd. Is there any guidance on how the entitlement should be given? I would have expected to need some kind of group entitlement to be given to sasl users? Or is 777 ok?

At least it's now working so I appreciate your help with that.

>
> Be aware that your password here is uuencoded and can be trivially
> reversed.
>

Thanks for that info, I wasn't aware of that. It doesn't matter anyway, these are just test systems not connected to the outside world and that will be trashed when I'm finished.
Re: New 2.4.10 install - authentication problems with saslauthd
On 05/08/11 22:10 +0100, John wrote:
>I have a server, currently running 2.4.7 and all is well (and has been
>for a very long time). I am trying to build a new server with 2.4.10 but
>I can't get anything to authenticate on it.
>
>configdirectory: /srv/mail/cyrus
>partition-default: /srv/mail/cyrus/mail
>admins: cyrus
>sasl_pwcheck_method: saslauthd
>sasl_saslauthd_path: /var/run/saslauthd/mux
>allowplaintext: yes
>altnamespace: yes
>unixhierarchysep: yes
>virtdomains: userid
>defaultdomain: mydomain.com
>hashimapspool: true
>
>Firstly, saslauthd is running to use PAM for authentication and on both
>boxes I have tested this works using "testsaslauthd" getting identical
>results on both cases. ( in both cases the test was "testsaslauthd -u
>cyrus -p cyruspw -f /var/run/saslauthd/mux" and the result was "0: OK
>"Success."")
>
>Both boxes have the same sasl package, installed from the ArchLinux
>repository:
># saslauthd -v
>saslauthd 2.1.23
>authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
>
>If I put "sasl_mech_list: PLAIN" into imapd.conf and retry "imtest -a
>cyrus" on the 2.4.10 box I do get a password prompt but it still errors:
>
>The log then shows:
>Aug 5 21:46:10 localhost imap[491]: badlogin: localhost.localdomain
>[::1] PLAIN [SASL(-1): generic failure: Password verification failed]

Try running your saslauthd daemon in debug mode and see if it is getting contacted at all by cyrus imap.

Does your cyrus user have permissions to access the saslauthd mux?

Try running your testsaslauthd command as your cyrus user... I'm assuming that during testing you were using root, or another account.

># imtest -a cyrus -m PLAIN 10.0.200.6
>S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=OTP
>AUTH=CRAM-MD5 AUTH=GSSAPI AUTH=LOGIN AUTH=DIGEST-MD5 SASL-IR] carbon
>Cyrus IMAP v2.4.7 server ready
>Please enter your password:
>C: A01 AUTHENTICATE PLAIN AGN5cnVzAGd1aW5uZXNz

Be aware that your password here is uuencoded and can be trivially reversed.

-- 
Dan White
New 2.4.10 install - authentication problems with saslauthd
Hello,

I have a problem with a new installation. I've been trying to sort this for several days now without any luck so post here in the hope for a solution.

I have a server, currently running 2.4.7 and all is well (and has been for a very long time). I am trying to build a new server with 2.4.10 but I can't get anything to authenticate on it.

In both cases the host is Arch Linux and both have exactly the same configuration files. Here is imapd.conf:

configdirectory: /srv/mail/cyrus
partition-default: /srv/mail/cyrus/mail
admins: cyrus
sasl_pwcheck_method: saslauthd
sasl_saslauthd_path: /var/run/saslauthd/mux
allowplaintext: yes
altnamespace: yes
unixhierarchysep: yes
virtdomains: userid
defaultdomain: mydomain.com
hashimapspool: true

I know it's reading the correct file because I can force an error by temporarily corrupting it:

Aug 5 21:44:14 localhost master[407]: invalid option name on line 1 of configuration file /etc/cyrus/imapd.conf
Aug 5 21:44:14 localhost master[407]: exiting

Firstly, saslauthd is running to use PAM for authentication and on both boxes I have tested this works using "testsaslauthd" getting identical results in both cases. (In both cases the test was "testsaslauthd -u cyrus -p cyruspw -f /var/run/saslauthd/mux" and the result was "0: OK "Success."")

Both boxes have the same sasl package, installed from the ArchLinux repository:

# saslauthd -v
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap

I try "imtest -a cyrus" on each box. On the 2.4.7 box it prompts for a password, which I enter, and I am told it is "Authenticated". On the 2.4.10 box it does not prompt for a password but just returns "Authentication failed. generic failure"

The log shows it is trying to use GSSAPI despite my saslauthd configuration:

Aug 5 21:41:11 localhost imtest: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_0' not found)

If I put "sasl_mech_list: PLAIN" into imapd.conf and retry "imtest -a cyrus" on the 2.4.10 box I do get a password prompt but it still errors:

The log then shows:
Aug 5 21:46:10 localhost imap[491]: badlogin: localhost.localdomain [::1] PLAIN [SASL(-1): generic failure: Password verification failed]

I also tried using telnet. On the 2.4.7 box it authenticates fine. On the 2.4.10 box I get "Login failed: generic failure"

I tried using imtest from the new box to access the old box (imtest -a cyrus -m PLAIN old-box) and it authenticates:

# imtest -a cyrus -m PLAIN 10.0.200.6
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=OTP AUTH=CRAM-MD5 AUTH=GSSAPI AUTH=LOGIN AUTH=DIGEST-MD5 SASL-IR] carbon Cyrus IMAP v2.4.7 server ready
Please enter your password:
C: A01 AUTHENTICATE PLAIN AGN5cnVzAGd1aW5uZXNz
S: A01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY LOGINDISABLED COMPRESS=DEFLATE IDLE] Success (no protection)
Authenticated.
Security strength factor: 0

I tried using imtest from the old box to access the new box (imtest -a cyrus -m PLAIN new-box). This prompts for a password but returns "Authentication failed. generic failure"

# imtest -a cyrus -m PLAIN 10.0.200.6
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=OTP AUTH=CRAM-MD5 AUTH=GSSAPI AUTH=LOGIN AUTH=DIGEST-MD5 SASL-IR] carbon Cyrus IMAP v2.4.7 server ready
Please enter your password:
C: A01 AUTHENTICATE PLAIN AGN5cnVzAGd1aW5uZXNz
S: A01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY LOGINDISABLED COMPRESS=DEFLATE IDLE] Success (no protection)
Authenticated.
Security strength factor: 0

The log shows:
Aug 5 22:02:54 localhost imap[733]: badlogin: [10.0.200.6] PLAIN [SASL(-1): generic failure: Password verification failed]

I don't know what else to try. I have read and reread the documentation on cyrusimap.org for both Cyrus-IMAP and Cyrus SASL. The sasl tests are ok, imtest works from both boxes to connect to the 2.4.7 imapd but fails from both boxes when connecting to the 2.4.10 box. It appears to use saslauthd but for some reason isn't working.

I would really appreciate some help. Thanks in advance.
Re: saslauthd vs auxprop
On Sun, 2011-01-09 at 23:38 -0800, Andrew Morgan wrote:
> On Sun, 9 Jan 2011, j...@destar.net wrote:
> > I cannot wrap my mind around saslauthd and auxprop.
> > Does auxprop use the sasldb file to authenticate users that have been added using the 'saslpasswd2' command?
> > What is saslauthd trying to use for authentication, would it be the mechs shown in a 'saslauthd -v' output?
> > What does changing the value in the Sendmail.conf file from saslauthd to auxprop or vice versa do?
> > Running a ps I see that saslauthd is using the shadow mech:
> > /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow
> > But I have no users in the shadow file other than cyrus and my users for my mail server are in the sasldb file?
> > I have read the documentation on the cyrus site, the man pages and searched the mailing list but I still cannot grasp what seems to be a simple concept.
> > Can someone shed some light or at least point me in the right direction?
> Hopefully I get this right! There are basically 2 high-level choices to make: saslauthd or auxprop. saslauthd is an external daemon process that your program communicates with via a unix socket. auxprop uses C library modules that are loaded by libsasl into your program.
> saslauthd supports a few different authentication mechanisms. The most popular are PAM and passwd/shadow.

The most important part here is that saslauthd [much like PAM] can only provide chat-expect authentication mechanisms, like LOGIN and PLAIN. So, in short, only insecure authentication mechanisms.

> Auxprop is usually used for sasldb, but I think there are several different modules that can be used. I'm fuzzy on auxprop so maybe someone else can fill in more detail here.

auxprop is used to implement 'real' SASL mechanisms [Kerberos, digest, otp, etc.]. The purpose is to tie external servers [your MTA, DSA, etc.] into the SASL framework.
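As an added example (not code from the thread or from Cyrus SASL), the following Python ties the two messages above together: it decodes a SASL PLAIN initial response of the kind imtest printed after "AUTHENTICATE PLAIN", then hands the recovered login and password to a stand-in saslauthd over a unix socket using the framing testsaslauthd(8) uses (four strings, each prefixed with a 16-bit big-endian length: login, password, service, realm; one length-prefixed "OK" or "NO ..." reply). The mock daemon and its user table, the socket path and the service name are constructed for the demonstration. Two points it makes concrete: the daemon receives the password in the clear, which is exactly why saslauthd can back only PLAIN and LOGIN and not a challenge-response mechanism such as DIGEST-MD5; and the base64 in an imtest transcript is not obfuscation. "Security strength factor: 0" means no encryption layer was negotiated, so anyone who can read the session (or a list archive containing the transcript) can recover the credentials with the decode function below.

```python
"""Added example: SASL PLAIN decoding and the saslauthd socket protocol.

Everything here is constructed for illustration: the user table stands in
for /etc/shadow, PAM or LDAP, and the socket path is a temporary file.
"""
import base64
import os
import socket
import struct
import tempfile
import threading

# Constructed credential table the mock saslauthd checks against.
USERS = {"alice": "correct horse battery staple"}


def encode_plain(authzid, authcid, password):
    """Build the base64 PLAIN initial response a client sends (RFC 4616)."""
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))
    return base64.b64encode(raw).decode("ascii")


def decode_plain(initial_response_b64):
    """Split a base64 PLAIN initial response into (authzid, authcid, password).
    The three fields are separated by NUL bytes; the server sees them as-is."""
    parts = base64.b64decode(initial_response_b64).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL separators")
    return tuple(p.decode("utf-8") for p in parts)


def _pack(s):
    """saslauthd framing: 16-bit network-order length, then the bytes."""
    b = s.encode("utf-8")
    return struct.pack("!H", len(b)) + b


def _recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def _read_field(conn):
    (n,) = struct.unpack("!H", _recv_exact(conn, 2))
    return _recv_exact(conn, n).decode("utf-8")


def saslauthd_check(mux_path, login, password, service, realm=""):
    """Client side of the protocol, as testsaslauthd(8) speaks it.
    Returns (accepted, reply_text)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(mux_path)
        s.sendall(_pack(login) + _pack(password) + _pack(service) + _pack(realm))
        (n,) = struct.unpack("!H", _recv_exact(s, 2))
        reply = _recv_exact(s, n).decode("utf-8")
    return reply.startswith("OK"), reply


def serve_one(listener):
    """One-shot stand-in for saslauthd: read the four fields, compare the
    cleartext password with USERS, answer OK or NO. The daemon never sees a
    hash or a challenge, only the password itself."""
    conn, _ = listener.accept()
    with conn:
        login, password, service, realm = (_read_field(conn) for _ in range(4))
        reply = b"OK" if USERS.get(login) == password else b"NO authentication failed"
        conn.sendall(struct.pack("!H", len(reply)) + reply)


def run_demo(initial_response_b64, service="imap"):
    """Decode a PLAIN response and verify it against the mock daemon over a
    temporary unix socket. Returns (authcid, accepted)."""
    tmpdir = tempfile.mkdtemp()
    mux = os.path.join(tmpdir, "mux")
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as listener:
            listener.bind(mux)
            listener.listen(1)
            t = threading.Thread(target=serve_one, args=(listener,))
            t.start()
            authzid, authcid, password = decode_plain(initial_response_b64)
            accepted, _reply = saslauthd_check(mux, authcid, password, service)
            t.join()
    finally:
        if os.path.exists(mux):
            os.unlink(mux)
        os.rmdir(tmpdir)
    return authcid, accepted


if __name__ == "__main__":
    print(run_demo(encode_plain("", "alice", "correct horse battery staple")))
    print(run_demo(encode_plain("", "alice", "wrong")))
```

The same decode step is what a hostile observer performs on a captured session, which is the practical reason to pair PLAIN with TLS (or to stick to STARTTLS before AUTHENTICATE) whenever saslauthd is the password checker.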
Re: saslauthd vs auxprop
On Sun, 9 Jan 2011, j...@destar.net wrote:
> I cannot wrap my mind around saslauthd and auxprop.
>
> Does auxprop use the sasldb file to authenticate users that have been added using the 'saslpasswd2' command?
>
> What is saslauthd trying to use for authentication, would it be the mechs shown in a 'saslauthd -v' output?
>
> What does changing the value in the Sendmail.conf file from saslauthd to auxprop or vice versa do?
>
> Running a ps I see that saslauthd is using the shadow mech:
> /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow
>
> But I have no users in the shadow file other than cyrus and my users for my mail server are in the sasldb file?
>
> I have read the documentation on the cyrus site, the man pages and searched the mailing list but I still cannot grasp what seems to be a simple concept.
>
> Can someone shed some light or at least point me in the right direction?

Hopefully I get this right! There are basically 2 high-level choices to make: saslauthd or auxprop. saslauthd is an external daemon process that your program communicates with via a unix socket. auxprop uses C library modules that are loaded by libsasl into your program.

saslauthd supports a few different authentication mechanisms. The most popular are PAM and passwd/shadow.

Auxprop is usually used for sasldb, but I think there are several different modules that can be used. I'm fuzzy on auxprop so maybe someone else can fill in more detail here.

Andy
saslauthd vs auxprop
I cannot wrap my mind around saslauthd and auxprop.

Does auxprop use the sasldb file to authenticate users that have been added using the 'saslpasswd2' command?

What is saslauthd trying to use for authentication, would it be the mechs shown in a 'saslauthd -v' output?

What does changing the value in the Sendmail.conf file from saslauthd to auxprop or vice versa do?

Running a ps I see that saslauthd is using the shadow mech:
/usr/sbin/saslauthd -m /var/run/saslauthd -a shadow

But I have no users in the shadow file other than cyrus and my users for my mail server are in the sasldb file?

I have read the documentation on the cyrus site, the man pages and searched the mailing list but I still cannot grasp what seems to be a simple concept.

Can someone shed some light or at least point me in the right direction?

Jon
Re: Cyrus-imapd/Saslauthd/LDAP login access
On Wed, 2010-04-14 at 13:33 -0400, Wesley Craig wrote:
> On 14 Apr 2010, at 12:42, Shelley Waltz wrote:
> > I wish a simple way to control who in the LDAP database may login and autocreate a cyrus imap account. Not everyone in the LDAP database, just certain users. Any suggested methods?
> >
> > I have RHEL5 with
> > cyrus-imapd-2.3.7-7
> > cyrus-sasl-2.1.22-5
> > and use
> > sasl_pwcheck_method: saslauthd
> > sasl_mech_list: PLAIN LOGIN
> > and /etc/sysconfig/saslauthd
> > MECH=ldap
> Is there something in LDAP that defines who may or may not have access? If so, you can modify the LDAP search so only the authorized users are returned, e.g.:
> (&(uid=$uid)(something=imap))

Right, we use:

ldap_filter: (|(&(objectclass=morrisonuser)(morrisonactiveuser=Y)(uid=%u))(&(objectclass=morrisonsystemaccount)(uid=%u))(&(objectclass=simpleSecurityObject)(employeeType=virtual)(uid=%u)))

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: Cyrus-imapd/Saslauthd/LDAP login access
On 14 Apr 2010, at 12:42, Shelley Waltz wrote:
> I wish a simple way to control who in the LDAP database may login and autocreate a cyrus imap account. Not everyone in the LDAP database, just certain users. Any suggested methods?
>
> I have RHEL5 with
> cyrus-imapd-2.3.7-7
> cyrus-sasl-2.1.22-5
> and use
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN LOGIN
> and /etc/sysconfig/saslauthd
> MECH=ldap

Is there something in LDAP that defines who may or may not have access? If so, you can modify the LDAP search so only the authorized users are returned, e.g.:

(&(uid=$uid)(something=imap))

Does this make sense? Or, ... taking a look at: http://idms.rutgers.edu/ldap/authn-authz.shtml it seems that the Rutgers LDAP servers have a pretty robust, per-application authorization model.

:wes
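Both replies above restrict who may log in by adding an authorization term to the saslauthd ldap_filter, with the login substituted for %u. The filter template is the one place where user-controlled input is spliced into a query, so the substituted value has to be escaped per RFC 4515 or a login containing ")" or "*" changes the filter's structure. The following added example (not code from the thread or from Cyrus SASL, whose LDAP backend does its own substitution) renders such a template with proper escaping and evaluates it against a constructed in-memory directory, so the effect of the extra term, and of the escaping, can be checked offline. It handles only %u and %r and only the equality, AND, OR and NOT filter forms the thread's filters use; the attribute name imapAccess and the entries are assumptions.

```python
"""Added example: rendering and evaluating a saslauthd-style ldap_filter.

Constructed data throughout; attribute names and entries are assumptions.
"""

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def render_filter(template, login, realm=""):
    """Expand %u (login) and %r (realm) in a filter template, escaping the
    substituted values so they cannot add or close filter components."""
    return (template.replace("%u", escape_filter_value(login))
                    .replace("%r", escape_filter_value(realm)))


def parse_filter(s):
    """Parse the subset of RFC 4515 used here: (&...), (|...), (!...) and
    (attr=value) equality. Returns a nested tuple: ('&'|'|'|'!', [children])
    or ('=', attr, value)."""
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing characters after filter")
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, children), i + 1
    end = s.index(")", i)            # an escaped ')' is '\29', never literal
    attr, _, value = s[i:end].partition("=")
    return ("=", attr, _unescape(value)), end + 1


def _unescape(value):
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict: lowercase attribute
    name -> list of values). Equality only; no wildcard matching."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return value in entry.get(attr.lower(), [])


def search(filter_string, directory):
    """Return the sorted uids of the entries the filter selects."""
    ast = parse_filter(filter_string)
    return sorted(e["uid"][0] for e in directory if matches(ast, e))


# Constructed directory: two accounts, only one flagged for IMAP access.
DIRECTORY = [
    {"objectclass": ["inetOrgPerson"], "uid": ["alice"], "imapaccess": ["TRUE"]},
    {"objectclass": ["inetOrgPerson"], "uid": ["bob"]},
]

# Assumed template in the style of the thread's ldap_filter lines.
TEMPLATE = "(&(uid=%u)(imapAccess=TRUE))"


def who_may_log_in(login):
    """Entries saslauthd would find for this login under TEMPLATE."""
    return search(render_filter(TEMPLATE, login), DIRECTORY)


if __name__ == "__main__":
    for login in ("alice", "bob", "*)(uid=*"):
        print(login, "->", who_may_log_in(login))
```

A login of "*)(uid=*" renders to (&(uid=\2a\29\28uid=\2a)(imapAccess=TRUE)) and matches nobody; without escaping the same input would have parsed as additional filter components. The evaluator is deliberately equality-only, which is all the thread's filters need; a real server would also treat an unescaped "*" as a wildcard, one more reason the escaping is not optional.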
Cyrus-imapd/Saslauthd/LDAP login access
I wish a simple way to control who in the LDAP database may login and autocreate a cyrus imap account. Not everyone in the LDAP database, just certain users. Any suggested methods?

I have RHEL5 with
cyrus-imapd-2.3.7-7
cyrus-sasl-2.1.22-5
and use
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
and /etc/sysconfig/saslauthd
MECH=ldap

S.waltz
Re: saslauthd w/postfix smtp only works the first time
On 29/09/09 23:10 -0400, ravi raju wrote:
> Folks,
> I set up cyrus sasl2 to work with postfix smtp server. I am able to send e-mail by authenticating via sasl the first time after I start the saslauthd process. When I send another e-mail, it doesn't work. I looked through different logs, here is what I find:
>
> 1. Start saslauthd. I checked the status, several pids start up.
> Starting saslauthd [ OK ]
> Creating hardlink from /var/lib/sasl2/mux to /var/spool/postfix/var/lib/sasl2/
>
> saslauthd (pid 29638 29636 29634 29628 29627) is running...
>
> 2. Send e-mail. Everything works.
>
> 3. I checked the /var/log/syslog to make sure the connection was terminated after it was first opened when sending e-mail.
>
> 4. Try sending another e-mail from the same box. E-mail is not sent.
>
> 5. I see most of the saslauthd processes are shut down at this point. Status only shows one process running
>
> saslauthd (pid 29627) is running...
>
> 6. After I force restart saslauthd, I can send another e-mail. At any point in time, I am able to only send one e-mail.
>
> Anyone has a clue what is going on? I appreciate your time and help with this.

Is postfix authenticating to LMTP? or is your mail client authenticating to Postfix? Either way, I recommend using lmtptest or smtptest to troubleshoot. You can find them in the cyrus-imapd distribution.

To further troubleshoot with us, please provide (sanitized) copies of the following:

postfix syslog of a good and bad email delivery attempt
any corresponding imapd/lmtpd syslog entries
any corresponding auth syslog entries (cyrus sasl)

Also, please provide your imapd.conf configuration, or at least the output of 'grep sasl /etc/imapd.conf', your postfix sasl configuration if appropriate (the contents of /etc/postfix/sasl/*), and your postfix lmtp/deliver configuration.

-- 
Dan White
saslauthd w/postfix smtp only works the first time
Folks,

I set up cyrus sasl2 to work with postfix smtp server. I am able to send e-mail by authenticating via sasl the first time after I start the saslauthd process. When I send another e-mail, it doesn't work. I looked through different logs, here is what I find:

1. Start saslauthd. I checked the status, several pids start up.
Starting saslauthd [ OK ]
Creating hardlink from /var/lib/sasl2/mux to /var/spool/postfix/var/lib/sasl2/

saslauthd (pid 29638 29636 29634 29628 29627) is running...

2. Send e-mail. Everything works.

3. I checked the /var/log/syslog to make sure the connection was terminated after it was first opened when sending e-mail.

4. Try sending another e-mail from the same box. E-mail is not sent.

5. I see most of the saslauthd processes are shut down at this point. Status only shows one process running

saslauthd (pid 29627) is running...

6. After I force restart saslauthd, I can send another e-mail. At any point in time, I am able to only send one e-mail.

Anyone has a clue what is going on? I appreciate your time and help with this.

Thanks
Ravi
Re: Cyrus IMAP and saslauthd
Egoitz Aurrekoetxea wrote:
> Hi mates,
>
> I'm running Cyrus IMAP without saslauthd with cyrus-sasl library at this moment and integrated with Postfix. The OS I'm running is FreeBSD... it has taken me some time to set up this testing server... I have tried several times to set cyrus imap auth against saslauthd... I can't get my goal so now have had to switch to auxprop with mysql... but this IMHO has a little disadvantage... with saslauthd and X number of processes forked you have like a "pool" of connections (what in postfix config is called proxy daemon too) but without saslauthd and with bulk connections to database through auxprop perhaps you could cause DOS to your mysql server if you receive a dictionary attack for example... I have read that it's possible to set saslauthd with mysql BUT without crypted passwords on database... that wouldn't mind me... could you please advise some howto or doc please? All doc I found is for being set up with crypted passwords and through pam... but this has run me into some troubles in freebsd... because I think pam-mysql doesn't work quite nice on freebsd... so could you please advise me some doc or howto setup cyrus imap and postfix auth through saslauthd? I think it's a concept problem because I don't understand quite well how saslauthd works and which config file it reads and so...

Egoitz,

See the man page for saslauthd for available saslauthd backend mechanisms. Other than PAM, you may be able to use nss-mysql along with the getpwent or shadow backends.

saslauthd is also documented in 'doc/sysadmin.html' in the sasl source.

- Dan
Re: Imap saslauthd produces huge no of logs & crashes
On Fri, May 16, 2008 at 12:06 PM, faris <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I am a little bit new to cyrus and nowadays my cyrus imap server crashes every day. Once I stop/start cyrus, services are back to normal. After checking /var/log/messages & /var/log/imapd.log I get a huge number of messages coming in. I don't know how to trace the error. Also I need to stop cyrus imap & saslauthd information coming to my /var/log/messages file as well. Information is listed below. Please help!

If restarting imapd solves your problem, this is probably related to cyrus, but I don't see anything wrong here. See below for further details.

What is your problem? What does "crashes" mean? Do you have a cyrmaster.log or any log about the cyrmaster process?

> [EMAIL PROTECTED] ~]# tail -f /var/log/messages
> May 16 10:41:14 mxstore2a saslauthd[7860]: sqlLog called.
> May 16 10:41:14 mxstore2a saslauthd[7860]: pam_mysql: error: sqllog set but logtable not set

You have set sqllog to True but have not created the required SQL table. Set it to False or create the table!

> May 16 10:41:14 mxstore2a saslauthd[7860]: pam_mysql: error: sqllog set but logmsgcolumn not set
> May 16 10:41:14 mxstore2a saslauthd[7860]: pam_mysql: error: sqllog set but logusercolumn not set
> May 16 10:41:14 mxstore2a saslauthd[7860]: pam_mysql: error: sqllog set but loghostcolumn not set
> May 16 10:41:14 mxstore2a saslauthd[7860]: pam_mysql: error: sqllog set but logtimecolumn not set
> May 16 10:41:14 mxstore2a saslauthd[7860]: returning 0 .
> May 16 10:41:14 mxstore2a saslauthd[7860]: returning 0.
> May 16 10:41:14 mxstore2a saslauthd[7860]: pam_mysql: acct_mgmt called but not implemented. Dont panic though :)
> May 16 10:41:14 mxstore2a imap[7873]: login: cctrl1 [10.2.30.214] 9 plaintext User logged in
> May 16 10:41:20 mxstore2a saslauthd[7861]: pam_sm_authenticate called.
> May 16 10:41:20 mxstore2a saslauthd[7861]: dbuser changed.
> May 16 10:41:20 mxstore2a saslauthd[7861]: dbpasswd changed.
> May 16 10:41:20 mxstore2a saslauthd[7861]: host changed.
> May 16 10:41:20 mxstore2a saslauthd[7861]: database changed.
> May 16 10:41:20 mxstore2a saslauthd[7861]: table changed.
> May 16 10:41:20 mxstore2a saslauthd[7861]: usercolumn changed.
> May 16 10:41:20 mxstore2a saslauthd[7861]: passwdcolumn changed.
> May 16 10:41:20 mxstore2a saslauthd[7861]: db_connect called.
> May 16 10:41:20 mxstore2a saslauthd[7861]: returning 0 .
> May 16 10:41:20 mxstore2a saslauthd[7861]: db_checkpasswd called.
> May 16 10:41:20 mxstore2a saslauthd[7861]: pam_mysql: where clause =
> May 16 10:41:20 mxstore2a saslauthd[7861]: SELECT user_pswd FROM UserInfo WHERE username='94723783294'
> May 16 10:41:20 mxstore2a saslauthd[7861]: sqlLog called.
> May 16 10:41:20 mxstore2a saslauthd[7861]: pam_mysql: error: sqllog set but logtable not set
> May 16 10:41:20 mxstore2a saslauthd[7861]: pam_mysql: error: sqllog set but logmsgcolumn not set
> May 16 10:41:20 mxstore2a saslauthd[7861]: pam_mysql: error: sqllog set but logusercolumn not set
> May 16 10:41:20 mxstore2a saslauthd[7861]: pam_mysql: error: sqllog set but loghostcolumn not set
> May 16 10:41:20 mxstore2a saslauthd[7861]: pam_mysql: error: sqllog set but logtimecolumn not set
> May 16 10:41:20 mxstore2a saslauthd[7861]: returning 0 .
> -
>
> [EMAIL PROTECTED] ~]# tail -f /var/log/imapd.log
> May 16 11:28:21 mxstore2a imap[7968]: login: cctrl1 [10.2.30.214] 94724550835 plaintext User logged in
> May 16 11:28:21 mxstore2a imap[7968]: open: user 94724550835 opened INBOX
> May 16 11:28:21 mxstore2a imap[7968]: open: user 94724550835 opened INBOX
> May 16 11:28:21 mxstore2a imap[7968]: SQUAT failed to open index file
> May 16 11:28:21 mxstore2a imap[7968]: SQUAT failed
> May 16 11:28:21 mxstore2a imap[7968]: SQUAT failed to open index file
> May 16 11:28:21 mxstore2a imap[7968]: SQUAT failed
> May 16 11:28:21 mxstore2a imap[7968]: SQUAT failed to open index file
> May 16 11:28:21 mxstore2a imap[7968]: SQUAT failed

There is nothing wrong with that.

> May 16 11:28:21 mxstore2a imap[7968]: open: user 94724550835 opened INBOX.Saved Items
>
> ----
>
> [EMAIL PROTECTED] ~]# tail -f /var/log/auth.log
> May 16 11:28:36 mxstore2a saslauthd[7862]: SELECT user_pswd FROM UserInfo WHERE username='94725327205'
> May 16 11:28:36 mxstore2a saslauthd[7862]: sqlLog called.
> May 16 11:28:36 mxstore2a saslauthd[7862]: pam_mysql: error: sqllog set but logtable not set
> May 16 11:28:36 mxstore2a saslauthd[7862]: pam_mysql: error: sqllog set but &
Imap saslauthd produces huge no of logs & crashes
Hi,

I am a little bit new to cyrus and nowadays my cyrus imap server crashes every day. Once I stop/start cyrus, services are back to normal. After checking /var/log/messages & /var/log/imapd.log I get a huge number of messages coming in. I don't know how to trace the error. Also I need to stop cyrus imap & saslauthd information coming to my /var/log/messages file as well. Information is listed below. Please help!

[EMAIL PROTECTED] ~]# tail -f /var/log/messages
May 16 10:41:14 mxstore2a saslauthd[7860]: sqlLog called.
May 16 10:41:14 mxstore2a saslauthd[7860]: pam_mysql: error: sqllog set but logtable not set
May 16 10:41:14 mxstore2a saslauthd[7860]: pam_mysql: error: sqllog set but logmsgcolumn not set
May 16 10:41:14 mxstore2a saslauthd[7860]: pam_mysql: error: sqllog set but logusercolumn not set
May 16 10:41:14 mxstore2a saslauthd[7860]: pam_mysql: error: sqllog set but loghostcolumn not set
May 16 10:41:14 mxstore2a saslauthd[7860]: pam_mysql: error: sqllog set but logtimecolumn not set
May 16 10:41:14 mxstore2a saslauthd[7860]: returning 0 .
May 16 10:41:14 mxstore2a saslauthd[7860]: returning 0.
May 16 10:41:14 mxstore2a saslauthd[7860]: pam_mysql: acct_mgmt called but not implemented. Dont panic though :)
May 16 10:41:14 mxstore2a imap[7873]: login: cctrl1 [10.2.30.214] 9 plaintext User logged in
May 16 10:41:20 mxstore2a saslauthd[7861]: pam_sm_authenticate called.
May 16 10:41:20 mxstore2a saslauthd[7861]: dbuser changed.
May 16 10:41:20 mxstore2a saslauthd[7861]: dbpasswd changed.
May 16 10:41:20 mxstore2a saslauthd[7861]: host changed.
May 16 10:41:20 mxstore2a saslauthd[7861]: database changed.
May 16 10:41:20 mxstore2a saslauthd[7861]: table changed.
May 16 10:41:20 mxstore2a saslauthd[7861]: usercolumn changed.
May 16 10:41:20 mxstore2a saslauthd[7861]: passwdcolumn changed.
May 16 10:41:20 mxstore2a saslauthd[7861]: db_connect called.
May 16 10:41:20 mxstore2a saslauthd[7861]: returning 0 .
May 16 10:41:20 mxstore2a saslauthd[7861]: db_checkpasswd called.
May 16 10:41:20 mxstore2a saslauthd[7861]: pam_mysql: where clause =
May 16 10:41:20 mxstore2a saslauthd[7861]: SELECT user_pswd FROM UserInfo WHERE username='94723783294'
May 16 10:41:20 mxstore2a saslauthd[7861]: sqlLog called.
May 16 10:41:20 mxstore2a saslauthd[7861]: pam_mysql: error: sqllog set but logtable not set
May 16 10:41:20 mxstore2a saslauthd[7861]: pam_mysql: error: sqllog set but logmsgcolumn not set
May 16 10:41:20 mxstore2a saslauthd[7861]: pam_mysql: error: sqllog set but logusercolumn not set
May 16 10:41:20 mxstore2a saslauthd[7861]: pam_mysql: error: sqllog set but loghostcolumn not set
May 16 10:41:20 mxstore2a saslauthd[7861]: pam_mysql: error: sqllog set but logtimecolumn not set
May 16 10:41:20 mxstore2a saslauthd[7861]: returning 0 .
-

[EMAIL PROTECTED] ~]# tail -f /var/log/imapd.log
May 16 11:28:21 mxstore2a imap[7968]: login: cctrl1 [10.2.30.214] 94724550835 plaintext User logged in
May 16 11:28:21 mxstore2a imap[7968]: open: user 94724550835 opened INBOX
May 16 11:28:21 mxstore2a imap[7968]: open: user 94724550835 opened INBOX
May 16 11:28:21 mxstore2a imap[7968]: SQUAT failed to open index file
May 16 11:28:21 mxstore2a imap[7968]: SQUAT failed
May 16 11:28:21 mxstore2a imap[7968]: SQUAT failed to open index file
May 16 11:28:21 mxstore2a imap[7968]: SQUAT failed
May 16 11:28:21 mxstore2a imap[7968]: SQUAT failed to open index file
May 16 11:28:21 mxstore2a imap[7968]: SQUAT failed
May 16 11:28:21 mxstore2a imap[7968]: open: user 94724550835 opened INBOX.Saved Items

[EMAIL PROTECTED] ~]# tail -f /var/log/auth.log
May 16 11:28:36 mxstore2a saslauthd[7862]: SELECT user_pswd FROM UserInfo WHERE username='94725327205'
May 16 11:28:36 mxstore2a saslauthd[7862]: sqlLog called.
May 16 11:28:36 mxstore2a saslauthd[7862]: pam_mysql: error: sqllog set but logtable not set
May 16 11:28:36 mxstore2a saslauthd[7862]: pam_mysql: error: sqllog set but logmsgcolumn not set
May 16 11:28:36 mxstore2a saslauthd[7862]: pam_mysql: error: sqllog set but logusercolumn not set
May 16 11:28:36 mxstore2a saslauthd[7862]: pam_mysql: error: sqllog set but loghostcolumn not set
May 16 11:28:36 mxstore2a saslauthd[7862]: pam_mysql: error: sqllog set but logtimecolumn not set
May 16 11:28:36 mxstore2a saslauthd[7862]: returning 0 .
May 16 11:28:36 mxstore2a saslauthd[7862]: returning 0.
May 16 11:28:36 mxstore2a saslauthd[7862]: pam_mysql: acct_mgmt called but not implemented. Dont panic though :)
May 16 11:28:55 mxstore2a saslauthd[7861]: pam_sm_authenticate called.
May 16 11:28:55 mxstore2a saslauthd[7861]: dbuser changed.
May 16 11:28:55 mxstore2a saslauthd[7861]: dbpasswd changed.
May 16 11:28:55 mxstore2a saslauthd[7861]: host changed.
May 16 11:28:55 mxstore2a saslauthd[
Re: cyrus_imapd + saslauthd problem
>> This is the problem that is how my config file is set and it does not work
>>
>> Even when it is set to pam it does not work. Which is weird as my other setup works fine
>>
>> There's nothing in the logs so I have no idea why Cyrus is not talking to saslauthd
>>
>> So any ideas? Could this be a fubar compile?
>
> Make sure cyrus daemon has access to the saslauthd socket.

Ta that did it - permissions were wrong
Re: cyrus_imapd + saslauthd problem
On Jan 31, 2008 6:19 AM, jpd <[EMAIL PROTECTED]> wrote:
> This is the problem that is how my config file is set and it does not work
>
> Even when it is set to pam it does not work. Which is weird as my other setup works fine
>
> There's nothing in the logs so I have no idea why Cyrus is not talking to saslauthd

Have you confirmed that saslauthd is working correctly by using testsaslauthd?
Re: cyrus_imapd + saslauthd problem
jpd wrote:
> This is the problem that is how my config file is set and it does not work
>
> Even when it is set to pam it does not work. Which is weird as my other setup works fine
>
> There's nothing in the logs so I have no idea why Cyrus is not talking to saslauthd
>
> So any ideas? Could this be a fubar compile?

Make sure cyrus daemon has access to the saslauthd socket.

-- 
Rudy Gevaert [EMAIL PROTECTED] tel:+32 9 264 4734
Directie ICT, afd. Infrastructuur / ICT Department, Infrastructure office
Groep Systemen / Systems group
Universiteit Gent / Ghent University
Krijgslaan 281, gebouw S9, 9000 Gent, Belgie www.UGent.be
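The two replies above (test with testsaslauthd; check that the cyrus daemon can reach the socket) describe the usual cause of "nothing in the logs": connect(2) on a unix socket needs write permission on the socket inode and search permission on every directory leading to it, and when that fails the request never reaches saslauthd, so the daemon has nothing to log. The following added example (not code from the thread or from Cyrus SASL) performs exactly that access check for a given uid and set of group ids, and its demo creates a throwaway socket, shows the problems a foreign uid would hit under a 0700 state directory, then fixes the layout the common way (directory searchable by a dedicated group that the service user belongs to, socket writable). Paths, uids and the group are constructed for the demonstration; the demo limits the directory walk to its own temporary directory, while a real run would leave the default and walk up to /.

```python
"""Added example: can this uid connect to the saslauthd mux socket?

Constructed paths and ids; the check itself is the standard Unix access
rule applied to the socket inode and its parent directories.
"""
import os
import socket
import stat
import tempfile


def _can(mode, owner_uid, owner_gid, uid, gids, need_write=False, need_exec=False):
    """Pick the owner, group or other permission triplet for (uid, gids) and
    require the requested bits. Root is deliberately not special-cased:
    imapd talks to saslauthd as the unprivileged cyrus user."""
    if uid == owner_uid:
        w, x = mode & stat.S_IWUSR, mode & stat.S_IXUSR
    elif owner_gid in gids:
        w, x = mode & stat.S_IWGRP, mode & stat.S_IXGRP
    else:
        w, x = mode & stat.S_IWOTH, mode & stat.S_IXOTH
    return (not need_write or bool(w)) and (not need_exec or bool(x))


def diagnose_mux(mux_path, uid, gids, top="/"):
    """Return a list of problems that would stop a process running as
    uid/gids from connecting to the socket at mux_path. Directories are
    checked from the socket's directory up to and including `top`."""
    problems = []
    try:
        st = os.lstat(mux_path)
    except FileNotFoundError:
        return ["%s does not exist (is saslauthd running with -m pointing here?)" % mux_path]
    if not stat.S_ISSOCK(st.st_mode):
        problems.append("%s is not a socket" % mux_path)
    if not _can(st.st_mode, st.st_uid, st.st_gid, uid, gids, need_write=True):
        problems.append("no write permission on %s (mode %o, owner %d:%d)"
                        % (mux_path, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    d = os.path.dirname(os.path.abspath(mux_path))
    top = os.path.abspath(top)
    while True:
        dst = os.stat(d)
        if not _can(dst.st_mode, dst.st_uid, dst.st_gid, uid, gids, need_exec=True):
            problems.append("no search permission on directory %s (mode %o, owner %d:%d)"
                            % (d, stat.S_IMODE(dst.st_mode), dst.st_uid, dst.st_gid))
        parent = os.path.dirname(d)
        if d == top or parent == d:
            break
        d = parent
    return problems


def demo():
    """Create a socket under a temporary state directory and diagnose it for
    a uid that is not the owner, before and after fixing the permissions.
    Returns (problems_before, problems_after)."""
    state_dir = tempfile.mkdtemp()
    mux = os.path.join(state_dir, "mux")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(mux)
    sasl_gid = os.stat(state_dir).st_gid   # stands in for a dedicated "sasl" group
    cyrus_uid = os.getuid() + 1            # some uid that does not own the files
    try:
        # Broken layout: private directory, private socket.
        os.chmod(state_dir, 0o700)
        os.chmod(mux, 0o600)
        before = diagnose_mux(mux, cyrus_uid, {sasl_gid}, top=state_dir)
        # Fixed layout: directory searchable by the group the service user
        # is a member of, socket writable by anyone who can reach it.
        os.chmod(state_dir, 0o710)
        os.chmod(mux, 0o666)
        after = diagnose_mux(mux, cyrus_uid, {sasl_gid}, top=state_dir)
    finally:
        listener.close()
        os.unlink(mux)
        os.rmdir(state_dir)
    return before, after


if __name__ == "__main__":
    for label, problems in zip(("before", "after"), demo()):
        print(label, problems or ["ok"])
```

On a live system the quickest equivalent is to run testsaslauthd as the service user against the socket imapd actually uses, for example `testsaslauthd -u someuser -p somepass -s imap -f /var/run/saslauthd/mux` under `su -s /bin/sh cyrus -c`; if it succeeds as root but fails as cyrus, the socket or its directory permissions are the problem, not saslauthd's backend.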
cyrus_imapd + saslauthd problem
This is the problem that is how my config file is set and it does not work

Even when it is set to pam it does not work. Which is weird as my other setup works fine

There's nothing in the logs so I have no idea why Cyrus is not talking to saslauthd

So any ideas? Could this be a fubar compile?
Re: cyrus_imapd + saslauthd problem
jpd wrote:
> Hopefully this is to the right list.
>
> I am trying to get ldap users to work with cyrus and not having much luck.
>
> So I tried dropping back to pam, as I have another setup like this, and this did not work as well.
>
> So its not going well.
>
> The problem seems to be that cyrus is not talking to saslauthd - as I have run saslauthd in a debug mode to see what happens.
>
> Any ideas why cyrus would not want to talk to saslauthd when it has been configured to.
>
> Binaries are off the blastwave repository
>
> Working version is on opensolaris b77 x86
> Broke one is on Solaris 10 sparc
>
> Any ideas on how you get cyrus into a "debug" mode to see what's happening there?

What is in your imapd.conf? Mine has:

sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN

And saslauthd is started with the ldap switch.

Cyrus logs to syslog.

Documentation for the IMAP server is located in the doc directory of the distribution. Have a look there.

Rudy

-- 
Rudy Gevaert [EMAIL PROTECTED] tel:+32 9 264 4734
Directie ICT, afd. Infrastructuur / ICT Department, Infrastructure office
Groep Systemen / Systems group
Universiteit Gent / Ghent University
Krijgslaan 281, gebouw S9, 9000 Gent, Belgie www.UGent.be
cyrus_imapd + saslauthd problem
Hopefully this is to the right list.

I am trying to get ldap users to work with cyrus and not having much luck.

So I tried dropping back to pam, as I have another setup like this, and this did not work as well.

So its not going well.

The problem seems to be that cyrus is not talking to saslauthd - as I have run saslauthd in a debug mode to see what happens.

Any ideas why cyrus would not want to talk to saslauthd when it has been configured to.

Binaries are off the blastwave repository

Working version is on opensolaris b77 x86
Broke one is on Solaris 10 sparc

Any ideas on how you get cyrus into a "debug" mode to see what's happening there?
imapd not sending realm to saslauthd
Is there any reason why imapd would not send a realm to saslauthd using plain authentication? Or could this be some type of error in the way I'm using imtest?

My command line is similar to...

imtest -u daniel -p password -r networks.com localhost
Re: Cyrus2.2 with IMAPS/SASLauthd not working
Hi Holger,

your problem is saslauthd related - I think so.

You have two ways of authenticating cyrus imap against LDAP: either 'saslauthd -o ldap' -> sasl_pwcheck_method: saslauthd, or directly -> sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb

If you ask what I recommend - sorry, I've only used 'saslauthd -o ldap' so far. Maybe someone else could give good advice.

Best regards
Roland

PS: If the hints from my last mail do not work try to comment out 'ldap_mech: DIGEST_MD5' as well.

/etc/saslauthd.conf:
ldap_servers: ldaps://ds1.example.net
ldap_search_base: dc=example,dc=net
# ldap_mech: DIGEST_MD5

check if one/both works:
ldapsearch -H ldaps://ds1.example.net -U username -w password -Y DIGEST-MD5
ldapsearch -H ldaps://ds1.example.net -U username -w password -x

FreiNet Technik wrote:
> Roland Felnhofer schrieb:
> > Hi Holger,
> > Are you using Thunderbird?
> Hello Roland,
> i use several clients, but with Thunderbird i do most of the tests. I already tried all possible combinations of "secure authentication" and TLS-Settings, but nothing works.
> Regards,
> Holger
Re: Cyrus2.2 with IMAPS/SASLauthd not working
Hi Holger,

how does the output of ps aux |grep saslauthd look like?

It should look like: /usr/sbin/saslauthd -a ldap
and NOT: /usr/sbin/saslauthd -a pam

Best regards
Roland

FreiNet Technik wrote:
> Roland Felnhofer schrieb:
> > Hi Holger,
> > Are you using Thunderbird?
> Hello Roland,
> i use several clients, but with Thunderbird i do most of the tests. I already tried all possible combinations of "secure authentication" and TLS-Settings, but nothing works.
> Regards,
> Holger
Re: Cyrus2.2 with IMAPS/SASLauthd not working
Roland Felnhofer schrieb:
> Hi Holger,
>
> Are you using Thunderbird?

Hello Roland,

i use several clients, but with Thunderbird i do most of the tests. I already tried all possible combinations of "secure authentication" and TLS-Settings, but nothing works.

Regards,
Holger
Re: Cyrus2.2 with IMAPS/SASLauthd not working
Hi Holger,

Are you using Thunderbird? Try these settings:

Port: 993
Use secure connection: SSL
Use secure authentication: NOT checked!

Best regards
Roland

FreiNet Technik wrote:
> Hello all,
>
> I set up a cyrus2.2 IMAP-Server with authentication to a LDAP-userdirectory via "saslauthd". All is working well if i use IMAP. When i try to use IMAPS "mail auth" is still working (used in groupware web-client), but IMAP connections from clients time out.
>
> It is logged in cyrus.log as:
>
> Oct 26 13:35:49 mailer cyrus/imaps[1531]: accepted connection
> Oct 26 13:35:49 mailer cyrus/imaps[1531]: telling master 3
> Oct 26 13:35:49 mailer cyrus/master[1407]: service imaps pid 1531 in READY state: now unavailable and in BUSY state
> Oct 26 13:35:49 mailer cyrus/master[1407]: service imaps now has 0 ready workers
> Oct 26 13:35:49 mailer cyrus/master[1407]: service imaps pid 1531 in BUSY state: now serving connection
> Oct 26 13:35:49 mailer cyrus/master[1407]: service imaps now has 0 ready workers
> Oct 26 13:36:31 mailer cyrus/imaps[1530]: imaps TLS negotiation failed: client.example.net [192.168.x.x]
> Oct 26 13:36:31 mailer cyrus/imaps[1530]: Fatal error: tls_start_servertls() failed
> Oct 26 13:36:31 mailer cyrus/master[1407]: process 1530 exited, status 75
> Oct 26 13:36:31 mailer cyrus/master[1407]: service imaps pid 1530 in BUSY state: terminated abnormally
>
> auth.log says:
>
> Oct 26 14:32:21 mailer cyrus/imaps[1972]: auxpropfunc error invalid parameter supplied
> Oct 26 14:32:21 mailer cyrus/imaps[1972]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
>
> If i test the configuration with "imtest -s -v -a client mailer -p 993" i am able to log in and fetch some mails. In this case the log looks like:
>
> Oct 26 14:56:12 mailer cyrus/imaps[1994]: accepted connection
> Oct 26 14:56:12 mailer cyrus/imaps[1994]: telling master 3
> Oct 26 14:56:12 mailer cyrus/master[1957]: service imaps pid 1994 in READY state: now unavailable and in BUSY state
> Oct 26 14:56:12 mailer cyrus/master[1957]: service imaps now has 0 ready workers
> Oct 26 14:56:12 mailer cyrus/master[1957]: service imaps pid 1994 in BUSY state: now serving connection
> Oct 26 14:56:12 mailer cyrus/master[1957]: service imaps now has 0 ready workers
> Oct 26 14:56:12 mailer cyrus/imaps[1994]: mydelete: starting txn 2147483659
> Oct 26 14:56:12 mailer cyrus/imaps[1994]: mydelete: committing txn 2147483659
> Oct 26 14:56:12 mailer cyrus/imaps[1994]: mystore: starting txn 2147483660
> Oct 26 14:56:12 mailer cyrus/imaps[1994]: mystore: committing txn 2147483660
> Oct 26 14:56:12 mailer cyrus/imaps[1994]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
> Oct 26 14:56:18 mailer cyrus/imaps[1994]: login: client.example.net [192.168.x.x] client PLAIN+TLS User logged in
> Oct 26 14:56:27 mailer cyrus/imaps[1994]: seen_db: user client opened /var/lib/cyrus/user/c/client.seen
> Oct 26 14:56:27 mailer cyrus/imaps[1994]: open: user client opened Inbox
> Oct 26 14:57:21 mailer cyrus/imaps[1994]: telling master 1
> Oct 26 14:57:21 mailer cyrus/master[1957]: service imaps pid 1994 in BUSY state: now available and in READY state
> Oct 26 14:57:21 mailer cyrus/master[1957]: service imaps now has 1 ready workers
>
> Can someone tell me the difference between connecting with a client (i tried with and without TLS, with and without "secure authentication") and "imtest"? Where do these strange "_sasl_plugin_load" errors come from when "mail auth" works with imaps? Can somebody please enlighten me?
>
> Thanks in advance,
> Holger
>
> I use the following configs:
>
> /etc/saslauthd.conf:
> ldap_servers: ldaps://ds1.example.net
> ldap_search_base: dc=example,dc=net
> ldap_mech: DIGEST_MD5
>
> /etc/cyrus.conf (excerpt)
> #imap cmd="imapd -U 30" listen="localhost:imap" prefork=0 maxchild=100
> imaps cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100
>
> /etc/imapd.conf (excerpt)
> # No anonymous logins
> allowanonymouslogin: no
> # Allow plaintext logins by default (SASL PLAIN)
> allowplaintext: yes
> sasl_mech_list: PLAIN
> sasl_pwcheck_method: saslauthd
>
> FreiNet Gesellschaft fuer Informationsdienste mbH
> http://www.freinet.de
Cyrus2.2 with IMAPS/SASLauthd not working
Hello all,

I set up a cyrus2.2 IMAP server with authentication to an LDAP user directory via "saslauthd". All is working well if I use IMAP. When I try to use IMAPS, "mail auth" is still working (used in the groupware web client), but IMAP connections from clients time out.

It is logged in cyrus.log as:

Oct 26 13:35:49 mailer cyrus/imaps[1531]: accepted connection
Oct 26 13:35:49 mailer cyrus/imaps[1531]: telling master 3
Oct 26 13:35:49 mailer cyrus/master[1407]: service imaps pid 1531 in READY state: now unavailable and in BUSY state
Oct 26 13:35:49 mailer cyrus/master[1407]: service imaps now has 0 ready workers
Oct 26 13:35:49 mailer cyrus/master[1407]: service imaps pid 1531 in BUSY state: now serving connection
Oct 26 13:35:49 mailer cyrus/master[1407]: service imaps now has 0 ready workers
Oct 26 13:36:31 mailer cyrus/imaps[1530]: imaps TLS negotiation failed: client.example.net [192.168.x.x]
Oct 26 13:36:31 mailer cyrus/imaps[1530]: Fatal error: tls_start_servertls() failed
Oct 26 13:36:31 mailer cyrus/master[1407]: process 1530 exited, status 75
Oct 26 13:36:31 mailer cyrus/master[1407]: service imaps pid 1530 in BUSY state: terminated abnormally

auth.log says:

Oct 26 14:32:21 mailer cyrus/imaps[1972]: auxpropfunc error invalid parameter supplied
Oct 26 14:32:21 mailer cyrus/imaps[1972]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb

If I test the configuration with "imtest -s -v -a client mailer -p 993" I am able to log in and fetch some mails. In this case the log looks like:

Oct 26 14:56:12 mailer cyrus/imaps[1994]: accepted connection
Oct 26 14:56:12 mailer cyrus/imaps[1994]: telling master 3
Oct 26 14:56:12 mailer cyrus/master[1957]: service imaps pid 1994 in READY state: now unavailable and in BUSY state
Oct 26 14:56:12 mailer cyrus/master[1957]: service imaps now has 0 ready workers
Oct 26 14:56:12 mailer cyrus/master[1957]: service imaps pid 1994 in BUSY state: now serving connection
Oct 26 14:56:12 mailer cyrus/master[1957]: service imaps now has 0 ready workers
Oct 26 14:56:12 mailer cyrus/imaps[1994]: mydelete: starting txn 2147483659
Oct 26 14:56:12 mailer cyrus/imaps[1994]: mydelete: committing txn 2147483659
Oct 26 14:56:12 mailer cyrus/imaps[1994]: mystore: starting txn 2147483660
Oct 26 14:56:12 mailer cyrus/imaps[1994]: mystore: committing txn 2147483660
Oct 26 14:56:12 mailer cyrus/imaps[1994]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Oct 26 14:56:18 mailer cyrus/imaps[1994]: login: client.example.net [192.168.x.x] client PLAIN+TLS User logged in
Oct 26 14:56:27 mailer cyrus/imaps[1994]: seen_db: user client opened /var/lib/cyrus/user/c/client.seen
Oct 26 14:56:27 mailer cyrus/imaps[1994]: open: user client opened Inbox
Oct 26 14:57:21 mailer cyrus/imaps[1994]: telling master 1
Oct 26 14:57:21 mailer cyrus/master[1957]: service imaps pid 1994 in BUSY state: now available and in READY state
Oct 26 14:57:21 mailer cyrus/master[1957]: service imaps now has 1 ready workers

Can someone tell me the difference between connecting with a client (I tried with and without TLS, with and without "secure authentication") and "imtest"? Where do these strange "_sasl_plugin_load" errors come from when "mail auth" works with imaps? Can somebody please enlighten me?

Thanks in advance,
Holger

I use the following configs:

/etc/saslauthd.conf:
ldap_servers: ldaps://ds1.example.net
ldap_search_base: dc=example,dc=net
ldap_mech: DIGEST_MD5

/etc/cyrus.conf (excerpt)
#imap cmd="imapd -U 30" listen="localhost:imap" prefork=0 maxchild=100
imaps cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100

/etc/imapd.conf (excerpt)
# No anonymous logins
allowanonymouslogin: no
# Allow plaintext logins by default (SASL PLAIN)
allowplaintext: yes
sasl_mech_list: PLAIN
sasl_pwcheck_method: saslauthd

FreiNet Gesellschaft fuer Informationsdienste mbH
Loerracher Strasse 5a, D-79115 Freiburg
Phone: +49-761-496-1700, Fax: +49-761-496-1790
http://www.freinet.de
Register court AG Freiburg i. Br. - HRB 4758
Managing director: Manfred Neufang
VAT ID: DE142316038 - Tax office Freiburg Stadt - Tax number 06425/40959
Sparkasse Freiburg-Noerdlicher Breisgau - bank code 680 501 01 - account 10105414

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Thunderbird causes weird saslauthd auth failure
Client: Thunderbird (V2 - beta 2) on Vista 32

I get a failure in my log when opening an (imap) mailbox with Thunderbird, but everything works!

#imap.conf
virtdomains: yes
defaultdomain: domain.xx
servername: domain.xx
loginrealms: domain.xx

saslauthd[55269] :cache_lookup: [login=] [service=] [realm=imap]: not found, update pending
#I did not define realm=imap anywhere...
saslauthd[55269] :cache_un_lock : attempting to release lock on slot: 975
saslauthd[55269] :do_auth : auth failure: [user=<..myuser..>] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
#[realm=] is now undefined??

Mulberry 4.0.8 (Win32) shows no errors. But when connecting with Mulberry, saslauthd doesn't even use the cache. My log shows no 'cache_lookup', no 'do_auth'.. Does it mean no use of cache, no error?!.. Well, is it a failure or not?
imapd can't auth to sasl (imap[13935]: [ID 702911 auth.notice] cannot connect to saslauthd server: Permission denied)
I've installed sasl (2.1.22) and cyrus (2.2.12) imapd on a Solaris 10 box (inside a zone). sasl is configured to auth against ldap and works well in my tests w/ testsaslauthd (w/ root/cyrus users). While trying to auth imapd w/ this sasl I get errors.

Here is what I get from imtest:

% ./imtest -a yk -m login -p imap localhost
S: * OK mta.comany.com Cyrus IMAP4 v2.2.12 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN yk {5}
S: + go ahead
C:
S: L01 NO Login failed: generic failure
Authentication failed. generic failure
Security strength factor: 0
C: Q01 LOGOUT
* BYE LOGOUT received
Q01 OK Completed
Connection closed.

And here is the logfile:

May 28 16:29:12 rambam2 imap[14066]: [ID 702911 auth.notice] cannot connect to saslauthd server: Permission denied
May 28 16:29:12 rambam2 imap[14066]: [ID 914338 local6.notice] badlogin: localhost [127.0.0.1] plaintext yk SASL(-1): generic failure: checkpass failed

I checked that the mux file of sasl has accessible permissions, and it has.. Any idea what could be the problem??

tnx,
--Yedidia
Re: saslauthd pam_mysql problem for virtualdomains
On Tue, 2007-04-17 at 12:50 +0530, ram wrote:
> I have a pam_mysql setup with a simple mysql table
> and saslauthd is running with the "-r" option on
> If I test with a user on the primary domain it works fine, but for a
> user on any other domain there is an auth failure
>
> ---
> cat /etc/pam.d/imap
> #%PAM-1.0
> auth sufficient pam_mysql.so user=mail passwd=password verbose=1
> host=localhost db=mail table=users usercolumn=email
> passwdcolumn=password crypt=0
>
> auth sufficient pam_unix_auth.so
>
> auth required pam_mysql.so user=mail passwd=password verbose=1
> host=localhost db=mail table=users usercolumn=email
> passwdcolumn=password crypt=0
>
> account sufficient pam_unix_acct.so
>

Sorry for bothering you all. I found the issue: the third line in pam.d should be "account required" instead of "auth required".

Thanks
Ram
saslauthd pam_mysql problem for virtualdomains
I have a pam_mysql setup with a simple mysql table and saslauthd is running with the "-r" option on. If I test with a user on the primary domain it works fine, but for a user on any other domain there is an auth failure.

---
cat /etc/pam.d/imap
#%PAM-1.0
auth sufficient pam_mysql.so user=mail passwd=password verbose=1 host=localhost db=mail table=users usercolumn=email passwdcolumn=password crypt=0
auth sufficient pam_unix_auth.so
auth required pam_mysql.so user=mail passwd=password verbose=1 host=localhost db=mail table=users usercolumn=email passwdcolumn=password crypt=0
account sufficient pam_unix_acct.so
--

/usr/sbin/testsaslauthd -u shantanu -p shantanu -s imap
0: OK "Success."

/usr/sbin/testsaslauthd -u shantanu -r xyz.com -p test -s imap
0: NO "authentication failed"

But the pam_mysql logs in /var/log/secure report no errors at all. So what could be the issue?

pam_mysql - SELECT password FROM users WHERE email = '[EMAIL PROTECTED]'
Apr 17 07:17:56 indiamart saslauthd[16123]: pam_mysql - pam_mysql_sql_log() called.
Apr 17 07:17:56 indiamart saslauthd[16123]: pam_mysql - pam_mysql_sql_log() returning 0.
Apr 17 07:17:56 indiamart saslauthd[16123]: pam_mysql - pam_mysql_check_passwd() returning 0.
Apr 17 07:17:56 indiamart saslauthd[16123]: pam_mysql - pam_sm_authenticate() returning 0.
Apr 17 07:17:56 indiamart saslauthd[16123]: pam_mysql - pam_mysql_release_ctx() called.
Apr 17 07:17:56 indiamart saslauthd[16123]: pam_mysql - pam_mysql_destroy_ctx() called.
Apr 17 07:17:56 indiamart saslauthd[16123]: pam_mysql - pam_mysql_close_db() called.
---

Thanks
Ram
Cyrus imap, saslauthd and case sensitive gssapi realm
I'm attempting to upgrade an older Cyrus IMAP server (using virtual domains) from 2.1 to 2.2. The new server is running Debian Etch with the cyrus-imapd-2.2 packages (currently version 2.2.13-10). While most of the upgrade has gone relatively smoothly, I'm having problems with authentication.

Previously, I was using saslauthd against a sasldb2 database. This worked well, but I would like to migrate from this to our Kerberos 5 infrastructure (multiple domains with cross-domain authentication working). Unfortunately, it appears there isn't any means to force an upper-case realm for logins. In fact, the only way I can get everything working seems to be with the following configuration:

lmtp_downcase_rcpt: yes
username_tolower: no
loginrealms:
virtdomains: userid
sasl_pwcheck_method: saslauthd

In this configuration, I can authenticate IF I provide a username such as [EMAIL PROTECTED]. However, it fails if I try to use [EMAIL PROTECTED]. Even worse, I have some customers using [EMAIL PROTECTED] for their login. Because of this, I would like to enable the 'username_tolower' option, but this ALSO lowers the case of the realm!

Any suggestions on how to get IMAP working for virtual domains against multiple Kerberos domains? Ideally, there should be an option such as 'realmname_toupper' that could be combined with 'username_tolower' to resolve the entire case issue! Does such an option exist? Is there a recommended solution? Ideas?

Tony
Re: LDAP + saslauthd problems
On Tuesday 12 September 2006 15:16, AJ wrote:
> I am using saslauthd 2.1.19 w/ RHEL4 and I am trying to
> authenticate to an ldap server via the user's mail attribute and
> userPassword. I am using the -r flag w/ saslauthd and here is my
> saslauthd.conf file:
>
> ldap_servers: ldap://148.4.5.111
> ldap_search_base: ou=Users,dc=domain,dc=com
> ldap_filter: (&([EMAIL PROTECTED]))
> ldap_use_sasl: yes
>
> Trying to test w/ testsaslauthd via:
>
> testsaslauthd -u [EMAIL PROTECTED] -p test
>
> does not work.
>
> Am I using the correct ldap_filter and saslauthd syntax?

Stop saslauthd and start it from a shell with an additional "-d":

# saslauthd -d -a ldap ...

Check the output after another try with testsaslauthd. Check the log of slapd. Maybe turn on verbose logging.

-- 
Andreas
LDAP + saslauthd problems
Hi,

I am using saslauthd 2.1.19 w/ RHEL4 and I am trying to authenticate to an ldap server via the user's mail attribute and userPassword. I am using the -r flag w/ saslauthd and here is my saslauthd.conf file:

ldap_servers: ldap://148.4.5.111
ldap_search_base: ou=Users,dc=domain,dc=com
ldap_filter: (&([EMAIL PROTECTED]))
ldap_use_sasl: yes

Trying to test w/ testsaslauthd via:

testsaslauthd -u [EMAIL PROTECTED] -p test

does not work.

Am I using the correct ldap_filter and saslauthd syntax?

Thanks.
AJ
Re: Problems authenticating using saslauthd w/LDAP
On Wed, 2006-08-30 at 20:13 +0200, Kjetil Torgrim Homme wrote:
> On Mon, 2006-08-28 at 13:39 -0700, Rob Tanner wrote:
> > I've setup an IMAP server using Cyrus IMAP4 v2.2.3 which I've setup
> > before without a problem. Authentication is handled through saslauthd.
> > When I use /etc/shadow as the authentication mechanism (-a shadow), my
> > test accounts log in just fine. When, instead, I startup saslauthd
> > using LDAP (-a ldap), I get the famous "generic failure" error. But at
> > the same time, when saslauthd is running with the -a ldap option,
> > testsaslauthd -u ,user -p returns an "OK" for the right
> > password and a "NO" for the wrong password. That in itself should
> > validate the saslauthd.conf file, but I also compared it to the
> > saslauthd.conf file on another system which is working correctly.
> >
> > I am confused. Any ideas?
>
> check the permissions on the saslauthd mux. you probably run
> testsaslauthd as root.

never mind me, this can't be it since Cyrus is able to communicate with saslauthd in the shadow case.

-- 
sorry for the noise,
Kjetil T.

Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: Problems authenticating using saslauthd w/LDAP
On Mon, 2006-08-28 at 13:39 -0700, Rob Tanner wrote:
> I've setup an IMAP server using Cyrus IMAP4 v2.2.3 which I've setup
> before without a problem. Authentication is handled through saslauthd.
> When I use /etc/shadow as the authentication mechanism (-a shadow), my
> test accounts log in just fine. When, instead, I startup saslauthd
> using LDAP (-a ldap), I get the famous "generic failure" error. But at
> the same time, when saslauthd is running with the -a ldap option,
> testsaslauthd -u ,user -p returns an "OK" for the right
> password and a "NO" for the wrong password. That in itself should
> validate the saslauthd.conf file, but I also compared it to the
> saslauthd.conf file on another system which is working correctly.
>
> I am confused. Any ideas?

check the permissions on the saslauthd mux. you probably run testsaslauthd as root.

-- 
Kjetil T.
Problems authenticating using saslauthd w/LDAP
Hi,

I've setup an IMAP server using Cyrus IMAP4 v2.2.3 which I've setup before without a problem. Authentication is handled through saslauthd. When I use /etc/shadow as the authentication mechanism (-a shadow), my test accounts log in just fine. When, instead, I startup saslauthd using LDAP (-a ldap), I get the famous "generic failure" error. But at the same time, when saslauthd is running with the -a ldap option, testsaslauthd -u ,user -p returns an "OK" for the right password and a "NO" for the wrong password. That in itself should validate the saslauthd.conf file, but I also compared it to the saslauthd.conf file on another system which is working correctly.

I am confused. Any ideas?

Thanks,
Rob

-- 
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR
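The exchange imapd has with the saslauthd mux, which is what Yedidia's "cannot connect to saslauthd server: Permission denied" and Kjetil's remark about mux permissions are about, as an added example that is not code from the Cyrus project or from any poster: a client speaking the length-prefixed login/password/service/realm request that testsaslauthd sends, a constructed stand-in daemon so the block runs offline, and a mapping of connect() errors to the two diagnoses seen in these threads. The socket path, the accounts and the stand-in daemon are constructed for the demo.

```python
import errno
import os
import socket
import struct
import tempfile
import threading


def _field(value):
    """One saslauthd wire field: 2-byte big-endian length, then the bytes."""
    data = value.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def build_request(login, password, service="imap", realm=""):
    """Encode one request as testsaslauthd -u/-p/-s/-r does: login, password,
    service, realm. Without a realm the last field is simply empty."""
    return _field(login) + _field(password) + _field(service) + _field(realm)


def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("saslauthd closed the connection early")
        buf += chunk
    return buf


def parse_reply(raw):
    """Decode a length-prefixed reply; saslauthd answers 'OK ...' or 'NO ...'."""
    (length,) = struct.unpack(">H", raw[:2])
    text = raw[2:2 + length].decode("utf-8", "replace")
    return text.startswith("OK"), text


def diagnose(exc):
    """Map a failed connect() to the two errors quoted in these threads."""
    if exc.errno == errno.EACCES:
        return ("Permission denied: the user imapd runs as cannot write the mux "
                "socket or search its directory; check the directory mode and "
                "group, not only the socket file")
    if exc.errno == errno.ENOENT:
        return ("No such file or directory: imapd and saslauthd disagree on the "
                "mux path (saslauthd -m sets it)")
    return f"unexpected errno {exc.errno}"


def check_password(mux_path, login, password, service="imap", realm=""):
    """Ask the daemon behind mux_path whether the credentials are valid."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(mux_path)  # PermissionError / FileNotFoundError propagate
        sock.sendall(build_request(login, password, service, realm))
        header = _read_exact(sock, 2)
        (length,) = struct.unpack(">H", header)
        return parse_reply(header + _read_exact(sock, length))


def fake_saslauthd(mux_path, accounts, requests):
    """Constructed stand-in for saslauthd serving `requests` connections;
    `accounts` maps (login, realm) -> password, so the realm field matters."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(mux_path)
    srv.listen(requests)

    def serve():
        for _ in range(requests):
            conn, _addr = srv.accept()
            with conn:
                fields = []
                for _ in range(4):
                    (n,) = struct.unpack(">H", _read_exact(conn, 2))
                    fields.append(_read_exact(conn, n).decode("utf-8"))
                login, password, _service, realm = fields
                if accounts.get((login, realm)) == password:
                    conn.sendall(_field('OK "Success."'))
                else:
                    conn.sendall(_field('NO "authentication failed"'))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()


def demo():
    """Replay Ram's two testsaslauthd runs against the stand-in, then connect
    to a wrong path. Returns (ok_primary_domain, ok_other_realm, diagnosis)."""
    with tempfile.TemporaryDirectory() as tmp:
        mux = os.path.join(tmp, "mux")
        fake_saslauthd(mux, {("shantanu", ""): "shantanu"}, requests=2)
        ok1, _ = check_password(mux, "shantanu", "shantanu", "imap")
        ok2, _ = check_password(mux, "shantanu", "test", "imap", realm="xyz.com")
        try:
            check_password(os.path.join(tmp, "no-such-mux"), "yk", "x")
            diag = "connected?!"
        except OSError as exc:
            diag = diagnose(exc)
    return ok1, ok2, diag
```

Against a real mux, run check_password as the user imapd runs under (cyrus), not as root: root bypasses exactly the permission check that fails for imapd.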
RE: Cyrus saslauthd PAM authentication Issue
I have resolved this problem now. It is a 64-bit SASL/PAM library configuration problem. I corrected the file /etc/pam.d/imap to use /lib64/security/pam_stack.so instead of the /lib/security/pam_stack.so library.

Thanks.

-----Original Message-----
From: Simon Matter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 14, 2006 11:36 AM
To: Xue, Jack C
Cc: info-cyrus@lists.andrew.cmu.edu
Subject: Re: Cyrus saslauthd PAM authentication Issue

> I am experiencing a Cyrus-SASL and PAM authentication issue here:
>
> I have configured a Cyrus-IMAP Server to use saslauthd for authentication.
> The system is a RHEL4 Update 3 64bit and runs the RPM package that comes
> with Redhat. The Cyrus-SASL version is 2.1.19, Cyrus-IMAP version is 2.2.12-3.
>
> Here is my /etc/imapd.conf:
>
> configdirectory: /imapconfig
> partition-default: /imapstore/imap01
> partition-1: /imapstore/imap01
> partition-2: /imapstore/imap02
> defaultpartition: default
>
> admins: cyrus_admin cyrus_murder
> sievedir: /imapconfig/sieve
> sendmail: /usr/sbin/sendmail
>
> hashimapspool: true
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: plain
>
> When I do a:
> $ imtest -u username -a username localhost
>
> This is what I see in the /var/log/messages Log:
>
> saslauthd[6586]: PAM unable to dlopen(/lib/security/pam_stack.so)
> saslauthd[6586]: PAM [dlerror: /lib/security/pam_stack.so: cannot open
> shared object file: No such file or directory]
> saslauthd[6586]: PAM adding faulty module: /lib/security/pam_stack.so
> saslauthd[6586]: do_auth: auth failure: [user=username] [service=imap]
> [realm=] [mech=pam] [reason=PAM auth error]
>
> I checked and there is a /lib/security/pam_stack.so on the server. The
> rest of the PAM authentication process is working correctly as it should be.
>
> Also the server has both /lib/security/pam_stack.so and
> /lib64/security/pam_stack.so. Will that be a problem when the 64bit sasl
> library tries to use the 32bit pam library?
>
> I am confused. I am hoping someone can give me some advice.

Hi,

1) The whole x86_64 thing is a mess, but that seems to be normal in the PC world since the old 80286 days (no wait, it had already started with the 8086/8088 cpus).

2) I'm quite sure we need the following files to help in any way:
/etc/sysconfig/saslauthd
/etc/pam.d/imap

Regards,
Simon
Re: Cyrus saslauthd PAM authentication Issue
> I am experiencing a Cyrus-SASL and PAM authentication issue here:
>
> I have configured a Cyrus-IMAP Server to use saslauthd for authentication.
> The system is a RHEL4 Update 3 64bit and runs the RPM package that comes
> with Redhat. The Cyrus-SASL version is 2.1.19, Cyrus-IMAP version is 2.2.12-3.
>
> Here is my /etc/imapd.conf:
>
> configdirectory: /imapconfig
> partition-default: /imapstore/imap01
> partition-1: /imapstore/imap01
> partition-2: /imapstore/imap02
> defaultpartition: default
>
> admins: cyrus_admin cyrus_murder
> sievedir: /imapconfig/sieve
> sendmail: /usr/sbin/sendmail
>
> hashimapspool: true
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: plain
>
> When I do a:
> $ imtest -u username -a username localhost
>
> This is what I see in the /var/log/messages Log:
>
> saslauthd[6586]: PAM unable to dlopen(/lib/security/pam_stack.so)
> saslauthd[6586]: PAM [dlerror: /lib/security/pam_stack.so: cannot open
> shared object file: No such file or directory]
> saslauthd[6586]: PAM adding faulty module: /lib/security/pam_stack.so
> saslauthd[6586]: do_auth: auth failure: [user=username] [service=imap]
> [realm=] [mech=pam] [reason=PAM auth error]
>
> I checked and there is a /lib/security/pam_stack.so on the server. The
> rest of the PAM authentication process is working correctly as it should be.
>
> Also the server has both /lib/security/pam_stack.so and
> /lib64/security/pam_stack.so. Will that be a problem when the 64bit sasl
> library tries to use the 32bit pam library?
>
> I am confused. I am hoping someone can give me some advice.

Hi,

1) The whole x86_64 thing is a mess, but that seems to be normal in the PC world since the old 80286 days (no wait, it had already started with the 8086/8088 cpus).

2) I'm quite sure we need the following files to help in any way:
/etc/sysconfig/saslauthd
/etc/pam.d/imap

Regards,
Simon
Cyrus saslauthd PAM authentication Issue
I am experiencing a Cyrus-SASL and PAM authentication issue here:

I have configured a Cyrus-IMAP Server to use saslauthd for authentication. The system is a RHEL4 Update 3 64bit and runs the RPM package that comes with Redhat. The Cyrus-SASL version is 2.1.19, Cyrus-IMAP version is 2.2.12-3.

Here is my /etc/imapd.conf:

configdirectory: /imapconfig
partition-default: /imapstore/imap01
partition-1: /imapstore/imap01
partition-2: /imapstore/imap02
defaultpartition: default

admins: cyrus_admin cyrus_murder
sievedir: /imapconfig/sieve
sendmail: /usr/sbin/sendmail

hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: plain

When I do a:
$ imtest -u username -a username localhost

This is what I see in the /var/log/messages Log:

saslauthd[6586]: PAM unable to dlopen(/lib/security/pam_stack.so)
saslauthd[6586]: PAM [dlerror: /lib/security/pam_stack.so: cannot open shared object file: No such file or directory]
saslauthd[6586]: PAM adding faulty module: /lib/security/pam_stack.so
saslauthd[6586]: do_auth: auth failure: [user=username] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]

I checked and there is a /lib/security/pam_stack.so on the server. The rest of the PAM authentication process is working correctly as it should be.

Also the server has both /lib/security/pam_stack.so and /lib64/security/pam_stack.so. Will that be a problem when the 64bit sasl library tries to use the 32bit pam library?

I am confused. I am hoping someone can give me some advice.

Thanks.

Jack C. Xue
RHCT
Computing Services Systems Group
Marshall University
Drinko Library 423C
1 John Marshall Drive
Huntington, WV 25755-5320
E-mail: [EMAIL PROTECTED]
Phone: (304)696-6396
http://JackXue.GooglePages.com
Re: cyrus virtual domains -- realm not passed to saslauthd with virtdomains: userid
hi igor,

thanks for your note -- yes I have the -r flag, but still no realm coming thru.

this morning, I added ldap_default_realm and ldap_realm to my saslauthd.conf, and all is happy.

thanks
charles

On Fri, 2006-04-07 at 15:13 -0400, Igor Brezac wrote:
> On Fri, 7 Apr 2006, lartc wrote:
>
> > hi all,
> >
> > no joy even after googling for hours and looking thru the archives ...
> >
> > I cannot get imap to pass the realm either in the userid or realm field
> > to saslauthd.
> >
> > I can successfully authenticate [EMAIL PROTECTED] using testsaslauthd,
> > however, the imtest test fails and debugging saslauthd does not show the
> > realm.
>
> Use saslauthd -r or use %r or %R tokens in ldap_filter:
> (ldap_filter: ( & (mail=%u%R) (uid=%U) )
>
> -Igor
>
> > below are my configs.
> >
> > any help greatly appreciated :-)
> >
> > cheers
> >
> > charles
> >
> > /etc/saslauthd.conf
> > ldap_servers: ldap://ldap.domain.com/
> > ldap_search_base: dc=domain,dc=com
> > ldap_version: 3
> > ldap_filter: ( & (mail=%u) (uid=%U) )
> > altnamespace: yes
> >
> > /etc/imapd.conf
> > allowanonymouslogin: no
> > allowapop: no
> > allowplaintext: yes
> > annotation_db: berkeley
> > anysievefolder: yes
> > autocreatequota: 10240
> > configdirectory: /var/lib/imap
> > createonpost: true
> > defaultdomain: domain.com
> > duplicate_db: berkeley-nosync
> > duplicatesuppression: no
> > hashimapspool: yes
> > idlesocket: /var/lib/imap/socket/idle
> > imapidresponse: no
> > ldap_realm: domain.com
> > lmtp_downcase_rcpt: yes
> > lmtp_over_quota_perm_failure: yes
> > lmtpsocket: /var/spool/postfix/public/lmtp
> > loginrealms: domain.com domain2.com
> > mboxlist_db: berkeley
> > partition-default: /var/spool/imap
> > reject8bit: no
> > sasl_mech_list: PLAIN
> > sasl_pwcheck_method: saslauthd
> > sasl_ldap_realm: domain.com
> > sendmail: /usr/sbin/sendmail.postfix
> > servername: domain.com
> > sievedir: /var/lib/imap/sieve
> > subscription_db: berkeley
> > tls_ca_file: /etc/x509/ca.service/domain.com.pem
> > tls_cert_file: /etc/x509/service.cyrus/public/service.cyrus.domain.com.pem
> > tls_key_file: /etc/x509/service.cyrus/private/service.cyrus.domain.com.pem
> > tls_require_cert: no
> > tlscache_db: berkeley
> > username_tolower: yes
> > unixhierarchysep: yes
> > virtdomains: userid

-- 
"simplified chinese" is not nearly as easy as they would have you believe ... a superlative oxymoron" --anonymous
Re: cyrus virtual domains -- realm not passed to saslauthd with virtdomains: userid
On Fri, 7 Apr 2006, lartc wrote:

> hi all,
>
> no joy even after googling for hours and looking thru the archives ...
>
> I cannot get imap to pass the realm either in the userid or realm field
> to saslauthd.
>
> I can successfully authenticate [EMAIL PROTECTED] using testsaslauthd,
> however, the imtest test fails and debugging saslauthd does not show the
> realm.

Use saslauthd -r or use %r or %R tokens in ldap_filter:
(ldap_filter: ( & (mail=%u%R) (uid=%U) )

-Igor

> below are my configs.
>
> any help greatly appreciated :-)
>
> cheers
>
> charles
>
> /etc/saslauthd.conf
> ldap_servers: ldap://ldap.domain.com/
> ldap_search_base: dc=domain,dc=com
> ldap_version: 3
> ldap_filter: ( & (mail=%u) (uid=%U) )
> altnamespace: yes
>
> /etc/imapd.conf
> allowanonymouslogin: no
> allowapop: no
> allowplaintext: yes
> annotation_db: berkeley
> anysievefolder: yes
> autocreatequota: 10240
> configdirectory: /var/lib/imap
> createonpost: true
> defaultdomain: domain.com
> duplicate_db: berkeley-nosync
> duplicatesuppression: no
> hashimapspool: yes
> idlesocket: /var/lib/imap/socket/idle
> imapidresponse: no
> ldap_realm: domain.com
> lmtp_downcase_rcpt: yes
> lmtp_over_quota_perm_failure: yes
> lmtpsocket: /var/spool/postfix/public/lmtp
> loginrealms: domain.com domain2.com
> mboxlist_db: berkeley
> partition-default: /var/spool/imap
> reject8bit: no
> sasl_mech_list: PLAIN
> sasl_pwcheck_method: saslauthd
> sasl_ldap_realm: domain.com
> sendmail: /usr/sbin/sendmail.postfix
> servername: domain.com
> sievedir: /var/lib/imap/sieve
> subscription_db: berkeley
> tls_ca_file: /etc/x509/ca.service/domain.com.pem
> tls_cert_file: /etc/x509/service.cyrus/public/service.cyrus.domain.com.pem
> tls_key_file: /etc/x509/service.cyrus/private/service.cyrus.domain.com.pem
> tls_require_cert: no
> tlscache_db: berkeley
> username_tolower: yes
> unixhierarchysep: yes
> virtdomains: userid

-- 
Igor
Re: cyrus virtual domains -- realm not passed to saslauthd with virtdomains: userid
On Fri, 07.04.2006 at 19:05, lartc wrote:
> I cannot get imap to pass the realm either in the userid or realm field
> to saslauthd.

saslauthd runs with parameter "-r"?

Alexander

-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 19:49:59 up 24 days, 20:37, load average: 0.76, 1.25, 1.02
cyrus virtual domains -- realm not passed to saslauthd with virtdomains: userid
hi all,

no joy even after googling for hours and looking thru the archives ...

I cannot get imap to pass the realm either in the userid or realm field to saslauthd.

I can successfully authenticate [EMAIL PROTECTED] using testsaslauthd, however, the imtest test fails and debugging saslauthd does not show the realm.

below are my configs.

any help greatly appreciated :-)

cheers

charles

/etc/saslauthd.conf
ldap_servers: ldap://ldap.domain.com/
ldap_search_base: dc=domain,dc=com
ldap_version: 3
ldap_filter: ( & (mail=%u) (uid=%U) )
altnamespace: yes

/etc/imapd.conf
allowanonymouslogin: no
allowapop: no
allowplaintext: yes
annotation_db: berkeley
anysievefolder: yes
autocreatequota: 10240
configdirectory: /var/lib/imap
createonpost: true
defaultdomain: domain.com
duplicate_db: berkeley-nosync
duplicatesuppression: no
hashimapspool: yes
idlesocket: /var/lib/imap/socket/idle
imapidresponse: no
ldap_realm: domain.com
lmtp_downcase_rcpt: yes
lmtp_over_quota_perm_failure: yes
lmtpsocket: /var/spool/postfix/public/lmtp
loginrealms: domain.com domain2.com
mboxlist_db: berkeley
partition-default: /var/spool/imap
reject8bit: no
sasl_mech_list: PLAIN
sasl_pwcheck_method: saslauthd
sasl_ldap_realm: domain.com
sendmail: /usr/sbin/sendmail.postfix
servername: domain.com
sievedir: /var/lib/imap/sieve
subscription_db: berkeley
tls_ca_file: /etc/x509/ca.service/domain.com.pem
tls_cert_file: /etc/x509/service.cyrus/public/service.cyrus.domain.com.pem
tls_key_file: /etc/x509/service.cyrus/private/service.cyrus.domain.com.pem
tls_require_cert: no
tlscache_db: berkeley
username_tolower: yes
unixhierarchysep: yes
virtdomains: userid
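Igor's suggestion in this thread relies on saslauthd expanding %-tokens inside ldap_filter. Here is an added example, not saslauthd's own code, that expands the documented tokens for Charles's filter and for Igor's, and escapes every substituted value per RFC 4515 so a login that contains filter metacharacters stays a literal value instead of changing the filter's meaning. The logins and realms are constructed; %d and %s are handled beyond the tokens the thread mentions.

```python
import re

# RFC 4515 escaping for values placed inside a search filter (saslauthd's
# LDAP backend escapes substituted values the same way).
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def expand_filter(template, login, realm="", service="imap"):
    """Expand the ldap_filter tokens documented for saslauthd's LDAP backend:
    %u the login as received, %U its user part, %d its domain part (or the
    realm when the login has none), %r the realm, %R the realm with '@' in
    front (empty when there is no realm), %s the service, %% a literal '%'.
    Substituted values are escaped; unknown tokens raise instead of passing."""
    user, _, domain = login.partition("@")
    values = {
        "u": login,
        "U": user,
        "d": domain or realm,
        "r": realm,
        "R": "@" + realm if realm else "",
        "s": service,
    }

    def replace(match):
        key = match.group(1)
        if key == "%":
            return "%"
        if key not in values:
            raise ValueError(f"unknown ldap_filter token %{key}")
        return ldap_escape(values[key])

    return re.sub(r"%(.)", replace, template)


FILTER_POSTED = "( & (mail=%u) (uid=%U) )"   # Charles's original filter
FILTER_IGOR = "( & (mail=%u%R) (uid=%U) )"    # Igor's suggested filter


def demo():
    """What the two filters become for the cases discussed in the thread."""
    return {
        # no realm reaches saslauthd: both attributes get the bare login
        "posted, no realm": expand_filter(FILTER_POSTED, "charles"),
        # realm arrives in its own field: %R supplies the '@domain' part
        "igor, realm field": expand_filter(FILTER_IGOR, "charles", realm="domain.com"),
        # the login already carries the domain: %R stays empty, %U strips it
        "igor, login carries domain": expand_filter(FILTER_IGOR, "charles@domain.com"),
        # a login with filter metacharacters remains one literal value
        "igor, metachars": expand_filter(FILTER_IGOR, "ch)(*", realm="domain.com"),
    }
```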
Re: Cyrus-IMAP, saslauthd, Problems with DIGEST/CRAM-MD5
On Tuesday 21 February 2006 03:00, Sebastian Hagedorn wrote:
> On 20 February 2006 22:08:04 -0600 Eric Renfro <[EMAIL PROTECTED]> wrote:
> > Hello. I'm having a problem with Cyrus-IMAPD 2.2.12 with Cyrus-SASL
> > 2.1.19's saslauthd.
> >
> > When I login using the LOGIN method, I see saslauthd doing its lookup,
> > and OpenLDAP logs show it as well, and it's all successful. However,
> > when trying to do a PLAIN, DIGEST-MD5, or CRAM-MD5 auth to the IMAP
> > server, it fails. cyrus/imapd shows up in the logs, but saslauthd does
> > not.
>
> You can't use DIGEST-MD5 or CRAM-MD5 with saslauthd. I use sasldb myself,
> so I'm no expert on the other mechanisms, but I think the ldap auxprop
> works with challenge-response mechanisms. I'm not sure why PLAIN would
> fail, though.
>
> Cheers, Sebastian Hagedorn

Ahh, I just recently read up about that. Kinda makes sense, at least in that sense. Kinda makes me wonder. What would be the difference between using ldap and pam in saslauthd, in that case. :) PAM would be more capable of different authentication methods, while ldap is strictly just ldap.

-- 
Eric Renfro
===
You had some happiness once, but your parents moved away, and you had to leave it behind.
Re: Cyrus-IMAP, saslauthd, Problems with DIGEST/CRAM-MD5
--On 20. Februar 2006 22:08:04 -0600 Eric Renfro <[EMAIL PROTECTED]> wrote:

> Hello. I'm having a problem with Cyrus-IMAPD 2.2.12 with Cyrus-SASL 2.1.19's saslauthd.
>
> When I login using the LOGIN method, I see saslauthd doing its lookup, and OpenLDAP logs show it as well, and it's all successful. However, when trying to do a PLAIN, DIGEST-MD5, or CRAM-MD5 auth to the IMAP server, it fails. cyrus/imapd shows up in the logs, but saslauthd does not.

You can't use DIGEST-MD5 or CRAM-MD5 with saslauthd. I use sasldb myself, so I'm no expert on the other mechanisms, but I think the ldap auxprop works with challenge-response mechanisms. I'm not sure why PLAIN would fail, though.

Cheers, Sebastian Hagedorn
-- 
.:.Sebastian Hagedorn - RZKR-R1 (Gebäude 52), Zimmer 18.:.
Zentrum für angewandte Informatik - Universitätsweiter Service RRZK
.:.Universität zu Köln / Cologne University - Tel. +49-221-478-5587.:.
.:.:.:.Skype: shagedorn.:.:.:.
Cyrus-IMAP, saslauthd, Problems with DIGEST/CRAM-MD5
Hello. I'm having a problem with Cyrus-IMAPD 2.2.12 with Cyrus-SASL 2.1.19's saslauthd.

When I login using the LOGIN method, I see saslauthd doing its lookup, and OpenLDAP logs show it as well, and it's all successful. However, when trying to do a PLAIN, DIGEST-MD5, or CRAM-MD5 auth to the IMAP server, it fails. cyrus/imapd shows up in the logs, but saslauthd does not.

    Feb 20 19:22:27 ragnarok cyrus/imap[8274]: DIGEST-MD5 server step 1
    Feb 20 19:22:33 ragnarok cyrus/imap[8274]: DIGEST-MD5 server step 2
    Feb 20 19:22:33 ragnarok cyrus/imap[8274]: no secret in database
    Feb 20 19:22:37 ragnarok cyrus/imap[8274]: DIGEST-MD5 server step 1
    Feb 20 19:22:37 ragnarok cyrus/imap[8274]: DIGEST-MD5 server step 2
    Feb 20 19:22:37 ragnarok cyrus/imap[8274]: no secret in database

That's the logs of my attempt to login using DIGEST-MD5, from the authlog.

    Feb 20 19:22:27 ragnarok cyrus/imap[8274]: accepted connection
    Feb 20 19:22:33 ragnarok cyrus/imap[8274]: badlogin: midgard.furreville.net [192.168.1.10] DIGEST-MD5 [SASL(-13): user not found: no secret in database]
    Feb 20 19:22:37 ragnarok cyrus/imap[8274]: accepted connection
    Feb 20 19:22:37 ragnarok cyrus/imap[8274]: badlogin: midgard.furreville.net [192.168.1.10] DIGEST-MD5 [SASL(-13): user not found: no secret in database]

And that's from the mail log.

A successful LOGIN auth:

    Feb 20 19:24:20 ragnarok saslauthd[8281]: DIGEST-MD5 client step 2
    Feb 20 19:24:20 ragnarok saslauthd[8281]: DIGEST-MD5 client step 2
    Feb 20 19:24:20 ragnarok saslauthd[8281]: DIGEST-MD5 client step 3

And from maillog:

    Feb 20 19:24:20 ragnarok cyrus/imap[8274]: accepted connection
    Feb 20 19:24:20 ragnarok cyrus/imap[8274]: login: midgard.furreville.net [192.168.1.10] psi-jack plaintext User logged in

What could be wrong here? saslauthd is configured to use ldap, and only that. And it is successfully using a sasl fastbind to openldap for login auths. But LDAP is never even touched with any other methods.
This is on Ubuntu Dapper 6.04's edition of Cyrus-IMAPD.

-- 
Eric Renfro
===
Conscience doth make cowards of us all. -- Shakespeare
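The reason behind the "no secret in database" lines above, and behind Sebastian's answer that DIGEST-MD5 and CRAM-MD5 cannot be served through saslauthd, is a property of the mechanisms themselves: the server must recompute a keyed digest of its own challenge, so it needs the shared secret (or a plaintext-equivalent of it), not merely a yes/no answer about a password. The following is an added example, not code from the list posts or from Cyrus SASL, that walks through CRAM-MD5 (RFC 2195) with two model verifiers: one that holds secrets the way an auxprop backend such as sasldb does, and one that, like saslauthd, can only answer "is this password right?". The account, challenge host and function names are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Added example (not code from the list posts or from Cyrus SASL): why a
# challenge-response mechanism such as CRAM-MD5 (RFC 2195) needs the shared
# secret on the server side, which a plaintext verifier like saslauthd never has.

def make_challenge(hostname="mail.example.com"):
    """Server-side challenge in the RFC 2195 '<pid.timestamp@host>' form."""
    return f"<{os.getpid()}.{int(time.time())}@{hostname}>".encode()

def cram_md5_response(username, password, challenge):
    """Client side: 'user ' + hex(HMAC-MD5(secret, challenge))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"

class AuxpropVerifier:
    """Models an auxprop backend (sasldb, ldapdb): it can fetch the secret
    itself, so it recomputes the HMAC and compares it to the client's."""

    def __init__(self, secrets):
        self.secrets = secrets  # username -> plaintext-equivalent secret

    def verify(self, challenge, response):
        username, _, digest = response.partition(" ")
        secret = self.secrets.get(username)
        if secret is None:
            # The condition behind Cyrus' "user not found: no secret in database".
            return False, "no secret in database"
        expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
        if hmac.compare_digest(expected.encode(), digest.encode()):
            return True, "ok"
        return False, "bad response"

class PlaintextVerifier:
    """Models saslauthd: it only answers 'is this (user, password) pair valid?'
    and never returns the secret, so it serves PLAIN/LOGIN but cannot complete
    a challenge-response exchange."""

    def __init__(self, check_fn):
        self.check_fn = check_fn  # PAM, an LDAP bind, ... in real deployments

    def verify_plain(self, username, password):
        return self.check_fn(username, password)

    def verify(self, challenge, response):
        # The server holds only the client's HMAC digest; without the secret
        # there is nothing to recompute, and the check function can only be
        # asked "is this password right?", never "is this HMAC right?".
        return False, "no secret available to a plaintext verifier"

def demo():
    """Runs both verifiers over a constructed account and returns the outcomes."""
    constructed_secrets = {"alice": "correct horse battery"}
    challenge = make_challenge()
    good = cram_md5_response("alice", "correct horse battery", challenge)
    bad = cram_md5_response("alice", "wrong password", challenge)
    unknown = cram_md5_response("mallory", "anything", challenge)
    auxprop = AuxpropVerifier(constructed_secrets)
    saslauthd = PlaintextVerifier(lambda u, p: constructed_secrets.get(u) == p)
    return {
        "auxprop_good": auxprop.verify(challenge, good),
        "auxprop_bad": auxprop.verify(challenge, bad),
        "auxprop_unknown": auxprop.verify(challenge, unknown),
        "saslauthd_plain": saslauthd.verify_plain("alice", "correct horse battery"),
        "saslauthd_cram": saslauthd.verify(challenge, good),
    }
```

The trade-off this makes visible is the one an operator chooses between when picking `pwcheck_method`: an auxprop store has to keep a plaintext-equivalent secret at rest for every user so that the digest can be recomputed, whereas the saslauthd path keeps passwords in PAM or LDAP where the verifier never sees the stored secret, at the cost of the password itself travelling in the PLAIN/LOGIN exchange (which is why it is normally only offered under TLS).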
Re: Cyrus imapd LDAP connection without saslauthd?
On Thu, 26 Jan 2006, Patrick T. Tsang wrote:

> Hello,
>
> I have seen there are some parameters in /etc/imapd.conf for LDAP connection. However I cannot see any for user password login.

This is for ptloader (authorization module).

> How can I connect to LDAP server without saslauthd?

ldapdb auxprop plugin. Please see cyrus-sasl docs.

-- 
Igor
Re: Cyrus imapd LDAP connection without saslauthd?
> I have seen there are some parameters in /etc/imapd.conf for
> LDAP connection. How can I connect to LDAP server without saslauthd?

And once you connected, what can you actually do with it? What feature does the LDAP connection support?

Cap
Cyrus imapd LDAP connection without saslauthd?
Hello,

I have seen there are some parameters in /etc/imapd.conf for LDAP connection. However I cannot see any for user password login. How can I connect to LDAP server without saslauthd?

Regards
Patrick
Re: Global admin fails via saslauthd and ldap
> >> We have the following set in the imapd.conf for 2.3.1 install:
> >> virtdomains: on
> >> admins: globaladmin [EMAIL PROTECTED]
> >> defaultdomain: xyz.com
> >>
> >> and in saslauthd.conf:
> >> ldap_default_realm: xyz.com
> >>
> >> Following cyradm logins fail for the 'globaladmin', whether or not
> >> FQDN is passed as an option of '-u' argument:
> >>
> >> cyradm -u globaladmin localhost
> >> cyradm -u [EMAIL PROTECTED] localhost
> >>
> >> However [EMAIL PROTECTED] succeeds in login. Ldap logs indicate
> >> that the domain passed for 'globaladmin' is 'adari.net' and not
> >> xyz.com. It appears that the application is doing a reverse dns
> >> and obtaining the domain 'adari.net' instead of using the
> >> defaultdomain (ldap_default_realm).
> >>
> >> Any other parameters to set for the system to pick the right domain
> >> (ie xyz.com) for the globaladmin?
> >
> > A bit of debugging the saslauth revealed that it is not going to
> > use "ldap_default_realm" value unless it gets a null ("") realm
> > from imap. I have not looked into the imap code, but it appears
> > that it is sending the "reverse dns" host name as the realm.
> >
> > Anyway to force imap to use passed fqdn as the realm for following
> > case: cyradm -u [EMAIL PROTECTED] localhost
> >
> > Alternatively, is there anyway to make imap send null ("") to sasl
> > when global admin logins as: cyradm -u globaladmin localhost
> >
> > About a year half ago, when we looked to migrate to 2.2.x from 2.1.x,
> > above scenario (cyradm -u globaladmin localhost) worked. Something
> > may have changed since then. Docs and mail archives have no references.
> > Appreciate any pointers.
>
> Use virtdomains: userid
>
> --
> Igor

That worked. Thanks Igor!

Seva
Re: Global admin fails via saslauthd and ldap
On Thu, 29 Dec 2005 [EMAIL PROTECTED] wrote:

> We have the following set in the imapd.conf for 2.3.1 install:
> virtdomains: on
> admins: globaladmin [EMAIL PROTECTED]
> defaultdomain: xyz.com
>
> and in saslauthd.conf:
> ldap_default_realm: xyz.com
>
> Following cyradm logins fail for the 'globaladmin', whether or not FQDN is passed as an option of '-u' argument:
>
> cyradm -u globaladmin localhost
> cyradm -u [EMAIL PROTECTED] localhost
>
> However [EMAIL PROTECTED] succeeds in login. Ldap logs indicate that the domain passed for 'globaladmin' is 'adari.net' and not xyz.com. It appears that the application is doing a reverse dns and obtaining the domain 'adari.net' instead of using the defaultdomain (ldap_default_realm).
>
> Any other parameters to set for the system to pick the right domain (ie xyz.com) for the globaladmin?
>
> A bit of debugging the saslauth revealed that it is not going to use "ldap_default_realm" value unless it gets a null ("") realm from imap. I have not looked into the imap code, but it appears that it is sending the "reverse dns" host name as the realm.
>
> Anyway to force imap to use passed fqdn as the realm for following case: cyradm -u [EMAIL PROTECTED] localhost
>
> Alternatively, is there anyway to make imap send null ("") to sasl when global admin logins as: cyradm -u globaladmin localhost
>
> About a year half ago, when we looked to migrate to 2.2.x from 2.1.x, above scenario (cyradm -u globaladmin localhost) worked. Something may have changed since then. Docs and mail archives have no references. Appreciate any pointers.

Use virtdomains: userid

-- 
Igor
Re: Global admin fails via saslauthd and ldap
> We have the following set in the imapd.conf for 2.3.1 install:
> virtdomains: on
> admins: globaladmin [EMAIL PROTECTED]
> defaultdomain: xyz.com
>
> and in saslauthd.conf:
> ldap_default_realm: xyz.com
>
> Following cyradm logins fail for the 'globaladmin', whether or not
> FQDN is passed as an option of '-u' argument:
>
> cyradm -u globaladmin localhost
> cyradm -u [EMAIL PROTECTED] localhost
>
> However [EMAIL PROTECTED] succeeds in login. Ldap logs indicate
> that the domain passed for 'globaladmin' is 'adari.net' and not
> xyz.com. It appears that the application is doing a reverse dns
> and obtaining the domain 'adari.net' instead of using the
> defaultdomain (ldap_default_realm).
>
> Any other parameters to set for the system to pick the right domain
> (ie xyz.com) for the globaladmin?

A bit of debugging the saslauth revealed that it is not going to use "ldap_default_realm" value unless it gets a null ("") realm from imap. I have not looked into the imap code, but it appears that it is sending the "reverse dns" host name as the realm.

Anyway to force imap to use passed fqdn as the realm for following case: cyradm -u [EMAIL PROTECTED] localhost

Alternatively, is there anyway to make imap send null ("") to sasl when global admin logins as: cyradm -u globaladmin localhost

About a year half ago, when we looked to migrate to 2.2.x from 2.1.x, above scenario (cyradm -u globaladmin localhost) worked. Something may have changed since then. Docs and mail archives have no references. Appreciate any pointers.

Thanks

Seva
Global admin fails via saslauthd and ldap
Hello,

We have the following set in the imapd.conf for 2.3.1 install:

    virtdomains: on
    admins: globaladmin [EMAIL PROTECTED]
    defaultdomain: xyz.com

and in saslauthd.conf:

    ldap_default_realm: xyz.com

Following cyradm logins fail for the 'globaladmin', whether or not FQDN is passed as an option of '-u' argument:

    cyradm -u globaladmin localhost
    cyradm -u [EMAIL PROTECTED] localhost

However [EMAIL PROTECTED] succeeds in login. Ldap logs indicate that the domain passed for 'globaladmin' is 'adari.net' and not xyz.com. It appears that the application is doing a reverse dns and obtaining the domain 'adari.net' instead of using the defaultdomain (ldap_default_realm).

Any other parameters to set for the system to pick the right domain (ie xyz.com) for the globaladmin?

Thanks

Seva
Re: HELP - why is saslauthd trying to use an auxprocfunc / sql_select ??
On Wed, 07.12.2005 at 1:03, Joseph Silverman wrote:
> Using cyrus-imapd on linux (fc3) - also using sendmail (not postfix):
>
> 1) /etc/sysconfig/saslauthd: MECH=pam
>
> 2) /etc/imapd.conf - no auxprocfunc or anything along those lines
>
> So, HOW COME I get tons of these in /var/log/messages? (also from
> lmtpd, pop3, imaps)
>
> Dec 6 15:58:49 hedwig pop3s[28013]: unable to open Berkeley db /etc/sasldb2: No such file or directory
> Dec 6 15:58:49 hedwig pop3s[28013]: could not find password
> Dec 6 15:58:51 hedwig imaps[28104]: sql_select option missing
> Dec 6 15:58:51 hedwig imaps[28104]: auxpropfunc error no mechanism available
> Dec 6 15:58:52 hedwig pop3s[28013]: unable to open Berkeley db /etc/sasldb2: No such file or directory
> Dec 6 15:59:18 hedwig imap[28111]: sql_select option missing
> Dec 6 15:59:18 hedwig imap[28111]: auxpropfunc error no mechanism available
> Dec 6 15:59:21 hedwig pop3s[27974]: unable to open Berkeley db /etc/sasldb2: No such file or directory
> Dec 6 15:59:21 hedwig pop3s[27974]: could not find password
> Dec 6 15:59:24 hedwig pop3s[27974]: unable to open Berkeley db /etc/sasldb2: No such file or directory
>
> Thanks - Yossie

yum remove cyrus-sasl-sql

You may also create an empty /etc/sasldb2 using saslpasswd2 by adding a dummy user first and then removing it.

A better approach is to first not offer MD5 mechs if your system can't handle them (in your case by saslauthd).

Hint: searching the list archive would have told you that.
Alexander

-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 05:18:35 up 2 days, 9:55, load average: 0.11, 0.09, 0.19
HELP - why is saslauthd trying to use an auxprocfunc / sql_select ??
Using cyrus-imapd on linux (fc3) - also using sendmail (not postfix):

1) /etc/sysconfig/saslauthd: MECH=pam

2) /etc/imapd.conf - no auxprocfunc or anything along those lines

So, HOW COME I get tons of these in /var/log/messages? (also from lmtpd, pop3, imaps)

    Dec 6 15:58:49 hedwig pop3s[28013]: unable to open Berkeley db /etc/sasldb2: No such file or directory
    Dec 6 15:58:49 hedwig pop3s[28013]: could not find password
    Dec 6 15:58:51 hedwig imaps[28104]: sql_select option missing
    Dec 6 15:58:51 hedwig imaps[28104]: auxpropfunc error no mechanism available
    Dec 6 15:58:52 hedwig pop3s[28013]: unable to open Berkeley db /etc/sasldb2: No such file or directory
    Dec 6 15:59:18 hedwig imap[28111]: sql_select option missing
    Dec 6 15:59:18 hedwig imap[28111]: auxpropfunc error no mechanism available
    Dec 6 15:59:21 hedwig pop3s[27974]: unable to open Berkeley db /etc/sasldb2: No such file or directory
    Dec 6 15:59:21 hedwig pop3s[27974]: could not find password
    Dec 6 15:59:24 hedwig pop3s[27974]: unable to open Berkeley db /etc/sasldb2: No such file or directory

Thanks - Yossie
right way to call saslauthd from cyrus?
I've asked a similar question over in cyrus-sasl but that's about postfix; this is about cyrus itself.

What's the current state of how to tell cyrus to authenticate using mysql? In the past it seems the combination was to have cyrus call saslauthd, which in turn uses PAM via pam_mysql to the database itself. This seemed to work fine using sasl1 but I cannot seem to make it work with sasl2. Old box had both, new box has only sasl2.

I'm using these versions: pam_mysql 0.8pre3, postfix-2.2.5, cyrus-sasl-2.1.21, cyrus-imap-2.1.12, mysql-4.1.12, centos-4.2 (rhel4).

So main.cf would have various lines like this:

    sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf

And /etc/postfix/mysql-canonical.cf contains:

    hosts = localhost
    user = mail
    password = secret
    dbname = mail
    table = virtual
    select_field = alias
    where_field = username
    additional_conditions = and status = '1' limit 1

And /etc/pam.d/imap contains (edited for username/passwd of course, and all each on a full line, no trailing \ char):

    auth sufficient pam_mysql.so verbose=1 sqllog=true user=mail passwd=secret \
        host=localhost db=mail table=accountuser usercolumn=username \
        passwdcolumn=password crypt=1 logtable=log logmsgcolumn=msg \
        logusercolumn=user loghostcolumn=host logpidcolumn=pid logtimecolumn=time
    account required pam_mysql.so verbose=1 sqllog=true user=mail passwd=secret \
        host=localhost db=mail table=accountuser usercolumn=username \
        passwdcolumn=password crypt=1 logtable=log logmsgcolumn=msg \
        logusercolumn=user loghostcolumn=host logpidcolumn=pid logtimecolumn=time

But this causes a whole raft of errors in maillog (more than this quantity appear; it may be related to the number of daemons spawned?):

    Nov 17 19:17:07 cbox imap[19003]: sql_select option missing
    Nov 17 19:17:07 cbox imap[19002]: auxpropfunc error no mechanism available
    Nov 17 19:17:07 cbox imaps[19003]: sql_select option missing
    Nov 17 19:17:07 cbox imaps[19002]: auxpropfunc error no mechanism available
    Nov 17 19:17:07 cbox lmtpunix[19003]: sql_select option missing
    Nov 17 19:17:07 cbox lmtpunix[19003]: auxpropfunc error no mechanism available

Am I calling things wrong? Well, obviously I've got something wrong but I just can't seem to hit upon the right combination to get this thing running. I think it's a case of too many HOWTO docs spanning too many different versions all adding up to a mess.

I sort of like how pam_mysql has logging options. Thus I thought using saslauthd and on to pam was the right means to maintain that functionality.

HELP!

-Bill Kearney
Re: cyrus-sasl saslauthd and pgsql/mysql
2005/8/8, Andrzej Kwiatkowski <[EMAIL PROTECTED]>:
> Hello.
>
> I've found that saslauthd is doing native authentication only in LDAP.
> Mysql and Pgsql authentication can't be done by saslauthd.
> Is one interested in using such configuration ?
>
> Now i'm thinking if write patch for saslauthd to support Pgsql.
>
> Or someone know how to make in sasl native pgsql authentication
> to authenticate 2 kinds of users:
>
> 1. if i want to authenticate user: username
> 2. if i want to authenticate user: [EMAIL PROTECTED]
>
> Or in short: how to completely disable realms ?
>
> for example sql_filter should be: select password from users where uid='%s'
>
> and i don't want to worry if user is entered in database with domain or not.

So nobody wants to help me, so i have to write a patch for saslauthd.

Now it is available on my homepage: http://kwiatek.tpi.pl/

If someone has any ideas about this patch, please send them to me.

Greets
AK
is there a way to make saslauthd always return true?
thx in advance!
[PATCH] saslauthd realm as mech param
I've been used a configuration where realm was different than hostname() (a mailserver + a backup), I wrote this small patch to pass realm as mech param. It can be usefull. Bye -- Gianluigi Tiesi <[EMAIL PROTECTED]> EDP Project Leader Netfarm S.r.l. - http://www.netfarm.it/ Free Software: http://oss.netfarm.it/ Index: saslauthd/auth_sasldb.c === RCS file: /cvs/src/sasl/saslauthd/auth_sasldb.c,v retrieving revision 1.5 diff -u -r1.5 auth_sasldb.c --- saslauthd/auth_sasldb.c 27 Jul 2002 18:44:46 - 1.5 +++ saslauthd/auth_sasldb.c 25 Sep 2005 09:56:57 - @@ -50,6 +50,7 @@ #include "../include/sasl.h" #include "../include/saslplug.h" #include "../sasldb/sasldb.h" +#include "globals.h" static int vf(void *context __attribute__((unused)), @@ -140,14 +141,20 @@ _sasl_check_db(&utils, (void *)0x1); -if(!realm || !strlen(realm)) { +/* Forcing a realm */ +if (mech_option && strlen(mech_option) && (strlen(mech_option) < MAXHOSTNAMELEN)) +{ +memcpy(realm_buf, mech_option, strlen(mech_option)+1); +use_realm = realm_buf; +} else { + if(!realm || !strlen(realm)) { ret = gethostname(realm_buf,MAXHOSTNAMELEN); if(ret) RETURN("NO"); use_realm = realm_buf; -} else { + } else { use_realm = realm; + } } - ret = _sasldb_getdata(&utils, (void *)0x1, login, use_realm, "userPassword", pw, 1024, &outsize); Cyrus Home Page: http://asg.web.cmu.edu/cyrus Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
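Review bot: in the second hunk the new `mech_option` branch silently falls through to the old behaviour (client realm, then gethostname()) when the option is set but its length is not below MAXHOSTNAMELEN, so an operator who deliberately forced a realm gets a different realm used with no diagnostic; log the oversized option and RETURN("NO") there instead of guessing. The branch also takes precedence over a realm the client did supply, and it gives the mechanism option a new meaning for auth_sasldb, so the new behaviour should be stated in the saslauthd man page and in the submission text. Minor: the re-indented inner `if(!realm || !strlen(realm))` block and its `} else {` now mix indentation styles with the surrounding new lines; bring them to one style before this is merged.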
Re: saslauthd
On Tue, 2005-08-23 at 14:31 +0530, Gobbledegeek wrote:
> OK I got it working with sasl_pwcheck-method = auxprop in /etc/imapd.conf.
> But why isn't there a simple statement advising this in the loads of
> documentation? So much time wasted for want of a simple communiqué.
>
> [...useless rant...]
>
> [EMAIL PROTECTED] programmers!

[EMAIL PROTECTED] users who cannot read documentation? Even if somebody recommends them to read it?

from doc/sysadmin.html (from cyrus-sasl distribution tarball):

--cut here--
The principal concern for system administrators is how the authentication identifier and password are verified. The Cyrus SASL library is flexible in this regard:

auxprop
    checks passwords against the userPassword attribute supplied by an auxiliary property plugin. For example, SASL ships with a sasldb auxiliary property plugin, that can be used to authenticate against the passwords stored in /etc/sasldb2. Since other mechanisms also use this database for passwords, using this method will allow SASL to provide a uniform password database to a large number of mechanisms.

saslauthd
    contacts the saslauthd daemon to check passwords using a variety of mechanisms. More information about the various invocations of saslauthd can be found in saslauthd(8). Generally you want something like saslauthd -a pam. If plaintext authentications seem to be taking some time under load, increasing the value of the -n parameter can help.

    Saslauthd keeps its named socket in "/var/state/saslauthd" by default. This can be overridden by specifying an alternate value to --with-saslauthd=/foo/bar at compile time, or by passing the -m parameter to saslauthd (along with setting the saslauthd_path SASL option). Whatever directory this is, it must exist in order for saslauthd to function.

    Once you configure (and start) saslauthd, there is a testsaslauthd program that can be built with make testsaslauthd in the saslauthd subdirectory of the source. This can be used to check that the saslauthd daemon is installed and running properly. An invocation like testsaslauthd -u rjs3 -p 1234 with appropriate values for the username and password should do the trick.

    If you are using the PAM method to verify passwords with saslauthd, keep in mind that your PAM configuration will need to be configured for each service name that is using saslauthd for authentication. Common service names are "imap", "sieve", and "smtp".

Courier-IMAP authdaemond
    contacts Courier-IMAP's authdaemond daemon to check passwords. This daemon is similar in functionality to saslauthd, and is shipped separately with the Courier mail server.

    Note: this feature is not compiled in the library by default, and it's provided for sites with custom/special requirements only (because the internal authentication protocol is not documented anywhere so it could change at any time). We have tested against the authdaemond included with Courier-IMAP 2.2.1.

    To enable authdaemond support, pass --with-authdaemon to the configuration script, set pwcheck_method to ``authdaemond'' and point authdaemon_path to authdaemond's unix socket. Optionally, you can specify --with-authdaemond=PATH to the configure script so that authdaemond_path points to a default, static, location.

pwcheck
    checks passwords with the use of a separate, helper daemon. This feature is for backwards-compatibility only. New installations should use saslauthd.
--cut here--

-- 
Ondrej Sury <[EMAIL PROTECTED]>
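The documentation Ondrej quotes describes the two things that go wrong most often in the threads on this page: the socket directory (the compile-time default /var/state/saslauthd versus the -m / saslauthd_path setting, which produces the "cannot connect" errors) and the realm field, which the "Global admin fails via saslauthd and ldap" and "pass the realm to saslauthd" threads turn on. The following added example, which is not code from the list or from Cyrus SASL, implements the client side of saslauthd's Unix-socket protocol (four 16-bit-length-prefixed fields, login, password, service and realm, answered by one length-prefixed OK/NO reply on the mux socket inside the state directory) and runs it against a constructed stand-in daemon so it works offline. The stand-in applies a default realm only when the client sends an empty one, mirroring what Seva observed about ldap_default_realm; the account, realm names and the MockSaslauthd class are constructed for the example.

```python
import errno
import hmac
import os
import socket
import struct
import tempfile
import threading

# Added example, not code from the list or from Cyrus SASL. Wire format as saslauthd
# speaks it on <socket_dir>/mux: four length-prefixed fields (login, password,
# service, realm), one length-prefixed "OK ..."/"NO ..." reply. The daemon is a stand-in.

def _pack(field):
    """One wire field: 16-bit big-endian length, then the bytes."""
    return struct.pack("!H", len(field)) + field

def _recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf

def _read_field(conn):
    (n,) = struct.unpack("!H", _recv_exact(conn, 2))
    return _recv_exact(conn, n)

def encode_request(login, password, service, realm):
    return b"".join(_pack(s.encode()) for s in (login, password, service, realm))

def check_password(socket_dir, login, password, service, realm=""):
    # Client side, as libsasl does for pwcheck_method: saslauthd. A wrong socket_dir
    # raises OSError(ENOENT): the "SASL cannot connect to saslauthd server" symptom.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(os.path.join(socket_dir, "mux"))
        s.sendall(encode_request(login, password, service, realm))
        reply = _read_field(s).decode("utf-8", "replace")
    return reply.startswith("OK"), reply

class MockSaslauthd:
    """Constructed stand-in: `users` maps (login, realm) to a password; like
    ldap_default_realm, `default_realm` is used only for an empty client realm."""

    def __init__(self, socket_dir, users, default_realm=""):
        self.users, self.default_realm = users, default_realm
        self.seen = []  # (login, service, realm) per request, as saslauthd -d shows
        self.path = os.path.join(socket_dir, "mux")
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.bind(self.path)
        self.sock.listen(5)
        self.sock.settimeout(0.1)  # lets the serving loop notice close()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _handle(self, conn):
        login, password, service, realm = (
            _read_field(conn).decode("utf-8", "replace") for _ in range(4))
        self.seen.append((login, service, realm))
        expected = self.users.get((login, realm or self.default_realm))
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            conn.sendall(_pack(b"OK"))
        else:
            conn.sendall(_pack(b"NO authentication failed"))

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            with conn:  # one request per connection, as the real daemon handles it
                self._handle(conn)

    def close(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()
        os.unlink(self.path)

def demo():
    pw = "s3cret-constructed"
    users = {("alice", "example.com"): pw}  # constructed account
    with tempfile.TemporaryDirectory() as run_dir:
        daemon = MockSaslauthd(run_dir, users, default_realm="example.com")
        try:
            out = {
                "empty_realm": check_password(run_dir, "alice", pw, "imap"),
                "hostname_realm": check_password(run_dir, "alice", pw, "imap", "mail.example.net"),
            }
        finally:
            daemon.close()
        out["realms_seen"] = [realm for _, _, realm in daemon.seen]
        try:  # imapd built for /var/state/saslauthd while the daemon runs elsewhere
            check_password(os.path.join(run_dir, "state"), "alice", pw, "imap")
        except OSError as e:
            out["wrong_dir_errno"] = errno.errorcode[e.errno]
    return out
```

`demo()` reproduces the three situations in one run: an empty realm succeeds through the default realm, a host-name realm of the kind Seva saw in the LDAP logs is looked up verbatim and rejected, and pointing the client at a directory the daemon does not use fails with ENOENT before any credentials are sent. The `seen` list is the equivalent of the realm information a `saslauthd -d` run prints, which is what charles was looking for when debugging saslauthd in the first post above.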
Re: saslauthd
OK I got it working with sasl_pwcheck-method = auxprop in /etc/imapd.conf. But why isn't there a simple statement advising this in the loads of documentation? So much time wasted for want of a simple communiqué.

I think Open source programmers need to be kicked off their high chairs and put in labor camps en masse - where they will be chained and forced to rewrite their documentation day and night - the entire man/info pages and other docs - on a diet of a single bowl of gruel, until they complete the work.

[EMAIL PROTECTED] programmers!

On 8/23/05, Gobbledegeek <[EMAIL PROTECTED]> wrote:
> > You are mixing auxprop and saslauthd methods. It looks like your
> > saslauthd is using pam database, which is really different
> > from /etc/sasldb2
> >
> > I recommend you to read carefully documentation to Cyrus IMAP and Cyrus
> > SASL (which are two different things).
> >
> > Ondrej.
> > --
> > Ondrej Sury <[EMAIL PROTECTED]>
>
> I tried both shadow and pam for .../pam.d/saslauthd. Neither worked.
> I got it working all right without meddling with this last week. So I
> wonder what's the magic directive that will make everything fall in
> place... I'll have a look at sasl docs now. Thanks
>
> Rgrds
>
> --
> Nonchalantly yours
> GobbledeGeek
> [Every thing but Gobbledegook.. !!]

-- 
Nonchalantly yours
GobbledeGeek
[Every thing but Gobbledegook.. !!]
Re: saslauthd
Pardon - I mentioned the wrong file name. I meant /etc/sysconfig/saslauthd.

Rgrds

On 8/23/05, Gobbledegeek <[EMAIL PROTECTED]> wrote:
> > You are mixing auxprop and saslauthd methods. It looks like your
> > saslauthd is using pam database, which is really different
> > from /etc/sasldb2
> >
> > I recommend you to read carefully documentation to Cyrus IMAP and Cyrus
> > SASL (which are two different things).
> >
> > Ondrej.
> > --
> > Ondrej Sury <[EMAIL PROTECTED]>
>
> I tried both shadow and pam for .../pam.d/saslauthd. Neither worked.
> I got it working all right without meddling with this last week. So I
> wonder what's the magic directive that will make everything fall in
> place... I'll have a look at sasl docs now. Thanks
>
> Rgrds
>
> --
> Nonchalantly yours
> GobbledeGeek
> [Every thing but Gobbledegook.. !!]

-- 
Nonchalantly yours
GobbledeGeek
[Every thing but Gobbledegook.. !!]
Re: saslauthd auth failure PAM auth error
On Mon, 2005-08-22 at 16:57 +0530, Gobbledegeek wrote:
> Hello
> I reinstalled cyrus-imapd, after deleting spool/imap and
> lib/imap folders. Now again I'm struggling with getting saslauthd to
> work with cyrus. I managed to get root and cyrus user successfully
> login with testsaslauthd - but they are local users. cyradm is also
> working for cyrus user. I'm unable to get cyrus imap only users to
> authenticate from mail client or testsaslauthd. I've created
> "saslpasswd2 -c ", and "saslpasswd -c " for each user
> but to no avail. I had got it working yesterday but today is a
> different day... (duh! maybe that's it...!! ) . Pls help.

You are mixing auxprop and saslauthd methods. It looks like your saslauthd is using pam database, which is really different from /etc/sasldb2

I recommend you to read carefully documentation to Cyrus IMAP and Cyrus SASL (which are two different things).

Ondrej.
-- 
Ondrej Sury <[EMAIL PROTECTED]>