Hi all
I got SASL authentication working to access the LDAP server by correcting two things:
1. inserting the proxyuser's userPassword in clear text (userPassword=secret)
2. fixing the proxyuser's authzTo attribute to:
   authzTo: ldap:///ou=people,dc=plainjoe,dc=org??sub?(objectClass=account)
(results at the end of this mail)
As far as I can see, there's no need for cyrus-sasl for this matter, but my final purpose is to enable Cyrus-sasl with openldap as backend to authenticate users for cyrus-imapd and postfix services.
Any hints would be appreciated.
Thanks to all for your support
Fernando
firewall:~ # ldapwhoami -U proxyuser -X u:test -Y digest-md5
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: u:test
SASL SSF: 128
SASL data security layer installed.
dn:uid=test,ou=people,dc=plainjoe,dc=org

firewall:~ # ldapsearch -Y digest-md5 -U proxyuser -b 'dc=plainjoe,dc=org' '(objectclass=*)'
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: proxyuser
SASL SSF: 128
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=plainjoe,dc=org> with scope subtree
# filter: (objectclass=*)
Fernando Torrez fernando_torrez@hotmail.com writes:
Hi all
I got SASL authentication working to access the LDAP server by correcting two things:
1. inserting the proxyuser's userPassword in clear text (userPassword=secret)
2. fixing the proxyuser's authzTo attribute to:
   authzTo: ldap:///ou=people,dc=plainjoe,dc=org??sub?(objectClass=account)
(results at the end of this mail)
As far as I can see, there's no need for cyrus-sasl for this matter, but my final purpose is to enable Cyrus-sasl with openldap as backend to authenticate users for cyrus-imapd and postfix services. Any hints would be appreciated.
As you have SASL and a proxy user running already, check whether there is a libldapdb in /usr/lib/sasl2. If so, all you have to do is edit smtpd.conf and imapd.conf and allow postfix and cyrus-imapd to do SASL authentication. Just as an example, a /etc/sasl2/smtpd.conf:

pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: PLAIN LOGIN DIGEST-MD5
ldapdb_uri: ldap://localhost
ldapdb_id: mailadmin
ldapdb_pw: xxxxx
ldapdb_mech: DIGEST-MD5
ldapdb_rc: /etc/sasl2/ldaprc
ldapdb_starttls: demand
The file /etc/sasl2/ldaprc contains TLS configuration.
-Dieter
On 19/11/10 10:31 -0400, Fernando Torrez wrote:
Hi all
I got SASL authentication working to access the LDAP server by correcting two things:
1. inserting the proxyuser's userPassword in clear text (userPassword=secret)
2. fixing the proxyuser's authzTo attribute to:
   authzTo: ldap:///ou=people,dc=plainjoe,dc=org??sub?(objectClass=account)
(results at the end of this mail)
As far as I can see, there's no need for cyrus-sasl for this matter, but my final purpose is to enable Cyrus-sasl with openldap as backend to authenticate users for cyrus-imapd and postfix services.
ldapdb is one way to accomplish that.
See:
http://www.cyrusimap.org/docs/cyrus-sasl/2.1.23/options.php
for cyrus options and basic usage documentation.
firewall:~ # ldapwhoami -U proxyuser -X u:test -Y digest-md5
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: u:test
SASL SSF: 128
SASL data security layer installed.
dn:uid=test,ou=people,dc=plainjoe,dc=org
If you've got a proxy user set up and authenticating, then you've done most of the work.
In Postfix (/etc/postfix/sasl/smtpd.conf), you could do:
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 EXTERNAL
pwcheck_method: auxprop
auxprop_plugin: ldapdb
ldapdb_uri: ldap://ldap.example.net
ldapdb_id: proxyuser
ldapdb_pw: <proxy user's secret>
ldapdb_mech: DIGEST-MD5
and in /etc/imapd.conf:
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 EXTERNAL
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://ldap.example.net
sasl_ldapdb_id: proxyuser
sasl_ldapdb_pw: <proxy user's secret>
sasl_ldapdb_mech: DIGEST-MD5
Hi all
I finally got cyrus-imapd working with cyrus-sasl (and with openldap as backend to authenticate users). I did telnet tests to both POP and IMAP services from localhost and they worked great, but when I tried to do the same tests from another machine authentication fails:

mail:~ # telnet 192.168.1.1 143
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=CRAM-MD5 AUTH=LOGIN AUTH=DIGEST-MD5 SASL-IR COMPRESS=DEFLATE] firewall Cyrus IMAP v2.3.16 server ready
imap LOGIN test secret1
imap NO Login failed: authentication failure
. logout

I checked the logs and found that openldap got the authcid as 'cyrus@joan.com.bo' instead of only 'cyrus' (my new proxyuser) (LOGS below). I have joan.com.bo configured on another Linux server with the named service installed and running for the LAN, so I think that when doing POP and IMAP tests from any other computer on the LAN but localhost, the user sent from telnet to the server is filled in with that domain.
Is there a way to bypass this, or a way to fix this problem?
I know that cyrus-imapd can handle more than one domain, so I guess that it's probably a misconfiguration in openldap or cyrus-imapd (CONFIGURATION FILES below). I also left the OPENLDAP DATA at the bottom of this mail.
Thanks in advance for any suggestions.
Fernando
LOGS

Nov 29 17:25:02 firewall slapd[2887]: conn=1057 op=1 BIND dn="" method=163
Nov 29 17:25:02 firewall slapd[2887]: do_bind: dn () SASL mech DIGEST-MD5
Nov 29 17:25:02 firewall slapd[2887]: ==> sasl_bind: dn="" mech=<continuing> datalen=298
Nov 29 17:25:02 firewall slapd[2887]: SASL [conn=1057] Debug: DIGEST-MD5 server step 2
Nov 29 17:25:02 firewall slapd[2887]: SASL Canonicalize [conn=1057]: authcid="cyrus@joan.com.bo"
Nov 29 17:25:02 firewall slapd[2887]: slap_sasl_getdn: conn 1057 id=cyrus@joan.com.bo [len=17]
Nov 29 17:25:02 firewall slapd[2887]: slap_sasl_getdn: u:id converted to uid=cyrus@joan.com.bo,cn=DIGEST-MD5,cn=auth
Nov 29 17:25:02 firewall slapd[2887]: >>> dnNormalize: <uid=cyrus@joan.com.bo,cn=DIGEST-MD5,cn=auth>
Nov 29 17:25:02 firewall slapd[2887]: <<< dnNormalize: <uid=cyrus@joan.com.bo,cn=digest-md5,cn=auth>
Nov 29 17:25:02 firewall slapd[2887]: ==>slap_sasl2dn: converting SASL name uid=cyrus@joan.com.bo,cn=digest-md5,cn=auth to a DN
Nov 29 17:25:02 firewall slapd[2887]: [rw] authid: "uid=cyrus@joan.com.bo,cn=digest-md5,cn=auth" -> "uid=cyrus@joan.com.bo,ou=people,dc=plainjoe,dc=org"
Nov 29 17:25:02 firewall slapd[2887]: slap_parseURI: parsing uid=cyrus@joan.com.bo,ou=people,dc=plainjoe,dc=org
Nov 29 17:25:02 firewall slapd[2887]: >>> dnNormalize: <uid=cyrus@joan.com.bo,ou=people,dc=plainjoe,dc=org>
Nov 29 17:25:02 firewall slapd[2887]: <<< dnNormalize: <uid=cyrus@joan.com.bo,ou=people,dc=plainjoe,dc=org>
Nov 29 17:25:02 firewall slapd[2887]: <==slap_sasl2dn: Converted SASL name to uid=cyrus@joan.com.bo,ou=people,dc=plainjoe,dc=org
Nov 29 17:25:02 firewall slapd[2887]: slap_sasl_getdn: dn:id converted to uid=cyrus@joan.com.bo,ou=people,dc=plainjoe,dc=org
Nov 29 17:25:02 firewall slapd[2887]: SASL Canonicalize [conn=1057]: slapAuthcDN="uid=cyrus@joan.com.bo,ou=people,dc=plainjoe,dc=org"
Nov 29 17:25:02 firewall slapd[2887]: => bdb_search
Nov 29 17:25:02 firewall slapd[2887]: bdb_dn2entry("uid=cyrus@joan.com.bo,ou=people,dc=plainjoe,dc=org")
Nov 29 17:25:02 firewall slapd[2887]: => bdb_dn2id("uid=cyrus@joan.com.bo,ou=people,dc=plainjoe,dc=org")
Nov 29 17:25:02 firewall slapd[2887]: daemon: activity on 1 descriptor
Nov 29 17:25:02 firewall slapd[2887]: daemon: activity on:
Nov 29 17:25:02 firewall slapd[2887]:
Nov 29 17:25:02 firewall slapd[2887]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Nov 29 17:25:02 firewall slapd[2887]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Nov 29 17:25:02 firewall slapd[2887]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Nov 29 17:25:02 firewall slapd[2887]: => access_allowed: disclose access to "ou=people,dc=plainjoe,dc=org" "entry" requested
Nov 29 17:25:02 firewall slapd[2887]: => acl_get: [2] attr entry
Nov 29 17:25:02 firewall slapd[2887]: => acl_mask: access to entry "ou=people,dc=plainjoe,dc=org", attr "entry" requested
Nov 29 17:25:02 firewall slapd[2887]: => acl_mask: to all values by "", (=0)
CONFIGURATION FILES

/etc/openldap/slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/yast.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

loglevel -1
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Load dynamic backend modules:
# modulepath /usr/lib/openldap/modules
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access to user password
# Allow anonymous users to authenticate
# Allow read access to everything else
# Directives needed to implement policy:
#access to dn.base=""
# by * read

#access to dn.base="cn=Subschema"
# by * read

access to attrs=userPassword,userPKCS12
 by self write
 by anonymous auth
 by dn.base="uid=proxyuser,ou=people,dc=plainjoe,dc=org" manage
 by dn.base="uid=cyrus,ou=people,dc=plainjoe,dc=org" manage
 by users read
 by * none
# by * auth

#access to attrs=shadowLastChange
# by self write
# by * read

access to *
 by * read

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=plainjoe,dc=org"
checkpoint 1024 5
cachesize 10000
rootdn "cn=Manager,dc=plainjoe,dc=org"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# the password is: secret (in ssha)
#rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
rootpw secret1
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass eq
index cn,sn,mail eq,sub
index departmentNumber eq

## -- master slapd --
# Specify the location of the file to append changes to.
#replogfile /var/log/slapd.replog
## -- master slapd --
# Set the hostname and bind credentials used to propagate the changes in the
# replogfile.
#replica host=replica1.plainjoe.org:389
# suffix="dc=plainjoe,dc=org"
# binddn="cn=replica,dc=plainjoe,dc=org"
# credentials=MyPass
# bindmethod=simple
# tls=no

#To use secrets stored in the LDAP directory, place plaintext passwords in the userPassword attribute
password-hash {CLEARTEXT}

# proxying users in order to use sasl
authz-policy to
authz-regexp
 uid=([^,]*),cn=[^,]*,cn=auth
 uid=$1,ou=people,dc=plainjoe,dc=org
# ldap:///dc=plainjoe,dc=org??sub?(|(uniqueIdentifier=$1)(mail=$1))
# uid=$1,ou=people,dc=plainjoe,dc=org
# uid=(.*),cn=.*,cn=auth
#binddn "uid=proxyuser,ou=people,dc=plainjoe,dc=org" credentials=proxyuser mode=self

#sasl-authz-policy to
#sasl-regexp
# uid=(.*),cn=DIGEST-MD5,cn=auth
# uid=$1,ou=people,dc=plainjoe,dc=org
#sasl-auxprops slapd
#sasl-host localhost

#sasl-secprops
# 2nd attempt with sasl
#sasl-regexp
# uid=(.*),cn=firewall,cn=DIGEST-MD5,cn=auth
# uid=$1,ou=People,dc=plainjoe,dc=org
/etc/imapd.conf

configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sievedir: /var/lib/sieve
admins: cyrus proxyuser
allowanonymouslogin: no
allowplaintext: yes
autocreatequota: 10000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
unixhierarchysep: 1
virtdomains: yes
defaultdomain: plainjoe.org
#sasl_pwcheck_method: saslauthd

# this section is for authentication
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 EXTERNAL
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://localhost
sasl_ldapdb_id: cyrus
sasl_ldapdb_pw: secret
sasl_ldapdb_mech: DIGEST-MD5

lmtp_overquota_perm_failure: no
lmtp_downcase_rcpt: yes
OPENLDAP DATA

firewall:~ # slapcat
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
dn: dc=plainjoe,dc=org
dc: plainjoe
objectClass: dcObject
objectClass: organizationalUnit
ou: PlainJoe Dot Org
structuralObjectClass: organizationalUnit
entryUUID: 0335be26-7c73-102f-8bd2-599020d843b8
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101104152159Z
entryCSN: 20101104152159.733766Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101104152159Z

dn: ou=people,dc=plainjoe,dc=org
ou: people
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 033e9352-7c73-102f-8bd3-599020d843b8
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101104152159Z
entryCSN: 20101105231448.878588Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101105231448Z

dn: uid=test,ou=people,dc=plainjoe,dc=org
uid: test
cn: testeo principal
gidNumber: 10001
uidNumber: 10001
homeDirectory: /dev/null
objectClass: account
objectClass: posixAccount
userPassword:: c2VjcmV0MQ==
structuralObjectClass: account
entryUUID: 56c7ff24-86d5-102f-9775-4f0c54ef34bf
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101117203102Z
entryCSN: 20101117203102.250410Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101117203102Z

dn: uid=cyrus,ou=people,dc=plainjoe,dc=org
uid: cyrus
cn: cyrus
gidNumber: 10003
uidNumber: 10003
homeDirectory: /dev/bash
objectClass: account
objectClass: posixAccount
userPassword:: c2VjcmV0
authzTo: ldap:///ou=people,dc=plainjoe,dc=org??sub?(objectClass=account)
structuralObjectClass: account
entryUUID: 634b9642-8acd-102f-9384-2ba12314497c
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101122214411Z
entryCSN: 20101122214411.922672Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101122214411Z

dn: uid=fernandito,ou=people,dc=plainjoe,dc=org
uid: fernandito
cn: Fernandito Torrez
gidNumber: 10000
uidNumber: 10000
homeDirectory: /dev/null
objectClass: account
objectClass: posixAccount
userPassword:: ZmVybmFuZGl0bw==
structuralObjectClass: account
entryUUID: 8a28b1a4-9046-102f-9ec3-c13bc8bd451e
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101129205402Z
entryCSN: 20101129205402.043371Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101129205402Z
Fernando Torrez fernando_torrez@hotmail.com writes:
Hi all
I finally got cyrus-imapd working with cyrus-sasl (and with openldap as backend to authenticate users). I did telnet tests to both POP and IMAP services from localhost and they worked great, but when I tried to do the same tests from another machine authentication fails:

mail:~ # telnet 192.168.1.1 143
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=CRAM-MD5 AUTH=LOGIN AUTH=DIGEST-MD5 SASL-IR COMPRESS=DEFLATE] firewall Cyrus IMAP v2.3.16 server ready
imap LOGIN test secret1
imap NO Login failed: authentication failure
this shouldn't be LOGIN but AUTHENTICATE
. logout
I checked the logs and found that openldap got the authcid as 'cyrus@joan.com.bo' instead of only 'cyrus' (my new proxyuser) (LOGS below). I have joan.com.bo configured on another Linux server with the named service installed and running for the LAN, so I think that when doing POP and IMAP tests from any other computer on the LAN but localhost, the user sent from telnet to the server is filled in with that domain.
Is there a way to bypass this, or a way to fix this problem?
I know that cyrus-imapd can handle more than one domain, so I guess that it's probably a misconfiguration in openldap or cyrus-imapd (CONFIGURATION FILES below).
man slapd.conf(5) and ldap.conf(5); you may define and propagate a sasl-realm.
-Dieter
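As an added illustration of the mapping step behind the failure in this thread (this is example code, not code from the thread, from OpenLDAP or from Cyrus), the Python script below emulates what slapd's authz-regexp does with the SASL names visible in the posted log. It uses the authz-regexp line from the posted slapd.conf and a constructed list of the DNs from the posted slapcat output, and reproduces why uid=cyrus@joan.com.bo,ou=people,dc=plainjoe,dc=org is looked up and then not found (the DB_NOTFOUND line). Two further cases are assumptions for illustration, not recommendations from the thread: a pattern that keeps an "@realm" suffix out of the captured group, and a realm-qualified SASL name of the uid=...,cn=<realm>,cn=<mech>,cn=auth form (the form the commented-out third attempt in the posted config targets), which the posted pattern does not match at all. Python's re module stands in for the POSIX extended regex slapd uses; the patterns only use syntax both share.

```python
import re

# Constructed from the slapcat output posted in the thread: only the DNs are
# needed for this check, so the attributes are left out.
DIRECTORY_DNS = {
    "dc=plainjoe,dc=org",
    "ou=people,dc=plainjoe,dc=org",
    "uid=test,ou=people,dc=plainjoe,dc=org",
    "uid=cyrus,ou=people,dc=plainjoe,dc=org",
    "uid=fernandito,ou=people,dc=plainjoe,dc=org",
}

# The authz-regexp pair exactly as it appears in the posted slapd.conf.
POSTED_AUTHZ_REGEXP = [
    (r"uid=([^,]*),cn=[^,]*,cn=auth", "uid=$1,ou=people,dc=plainjoe,dc=org"),
]

# Illustrative alternative (an assumption, not from the thread): the same
# mapping, but an optional "@realm" suffix on the uid is excluded from the
# captured group, so it is dropped from the resulting DN.
REALM_STRIPPING_AUTHZ_REGEXP = [
    (r"uid=([^,@]*)(@[^,]*)?,cn=[^,]*,cn=auth",
     "uid=$1,ou=people,dc=plainjoe,dc=org"),
]


def sasl_name(authcid, mech, realm=None):
    """Build the SASL identity DN slapd forms from an authcid before
    authz-regexp runs (the 'u:id converted to ...' line in the posted log).
    With a realm the form is uid=<id>,cn=<realm>,cn=<mech>,cn=auth.
    dnNormalize lower-cases the mechanism RDN, so the same is done here."""
    rdns = ["uid=" + authcid]
    if realm:
        rdns.append("cn=" + realm)
    rdns += ["cn=" + mech.lower(), "cn=auth"]
    return ",".join(rdns)


def apply_authz_regexp(name, pairs):
    """Emulate slapd's authz-regexp: the first pattern that matches the whole
    SASL name wins, and $N in its replacement is the N-th capture group.
    Returns the rewritten DN, or None when no pattern matches."""
    for pattern, replacement in pairs:
        m = re.fullmatch(pattern, name)
        if m:
            return re.sub(r"\$(\d+)",
                          lambda g: m.group(int(g.group(1))) or "",
                          replacement)
    return None


def resolve(authcid, pairs=POSTED_AUTHZ_REGEXP, mech="DIGEST-MD5",
            realm=None, directory=DIRECTORY_DNS):
    """Map an authcid to a directory DN and report whether that DN exists,
    which is what the bdb_dn2id lookup in the posted log decides."""
    name = sasl_name(authcid, mech, realm)
    dn = apply_authz_regexp(name, pairs)
    return {"sasl_name": name, "dn": dn,
            "found": dn is not None and dn in directory}


if __name__ == "__main__":
    # The two authcids from the thread, mapped with the posted slapd.conf:
    # 'cyrus' resolves, 'cyrus@joan.com.bo' maps to a DN that does not exist.
    for authcid in ("cyrus", "cyrus@joan.com.bo"):
        r = resolve(authcid)
        print(f"{authcid:20} -> {r['dn']}  found={r['found']}")
    # Same realm-qualified authcid through the realm-stripping pattern.
    r = resolve("cyrus@joan.com.bo", pairs=REALM_STRIPPING_AUTHZ_REGEXP)
    print(f"{'cyrus@joan.com.bo':20} -> {r['dn']}  found={r['found']}"
          "  (realm-stripping pattern)")
    # A SASL name carrying a cn=<realm> RDN does not match the posted pattern
    # at all; that form needs its own authz-regexp line, like the commented-out
    # uid=(.*),cn=firewall,cn=DIGEST-MD5,cn=auth attempt in the posted config.
    r = resolve("cyrus", realm="joan.com.bo")
    print(f"{'cyrus (with realm)':20} -> {r['dn']}  found={r['found']}")
```

Run as a script it prints the mapped DN and the lookup result for each case; the useful habit it encodes is to take the exact authcid from the slapd log, push it through the configured regexp by hand, and check the resulting DN against slapcat output before changing either the regexp or the SASL realm.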
openldap-technical@openldap.org