
RE: Problems Enabling Authentication using Cyrus SASL

Hi all

  I finally got cyrus-imapd working with cyrus-sasl (and with openldap as the backend to authenticate users).
I did telnet tests to both the pop and imap services from localhost and they worked great,
but when I tried the same tests from another machine, authentication fails:

mail:~ # telnet 192.168.1.1 143
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=CRAM-MD5 AUTH=LOGIN AUTH=DIGEST-MD5 SASL-IR COMPRESS=DEFLATE] firewall Cyrus IMAP v2.3.16 server ready
imap LOGIN test secret1       
imap NO Login failed: authentication failure
. logout

I checked the logs and found that openldap got the authcid as 'cyrus@joan.com.bo' instead of only 'cyrus' (my new proxyuser) (LOGS below).
I have joan.com.bo configured on another linux server with the named service installed and running for the LAN,
so I think that when doing pop and imap tests from any computer on the LAN other than localhost, the user sent from telnet to the server is filled in with that domain.

Is there a way to bypass this, or a way to fix this problem?

I know that cyrus-imapd can handle more than 1 domain, so I guess it's probably a misconfiguration in openldap or cyrus imapd (CONFIGURATION FILES below).
I also left the OPENLDAP DATA at the bottom of this mail.

Thanks in advance for any suggestions.

     Fernando

                LOGS
Nov 29 17:25:02 firewall slapd[2887]: conn=1057 op=1 BIND dn="" method=163
Nov 29 17:25:02 firewall slapd[2887]: do_bind: dn () SASL mech DIGEST-MD5
Nov 29 17:25:02 firewall slapd[2887]: ==> sasl_bind: dn="" mech=<continuing> datalen=298
Nov 29 17:25:02 firewall slapd[2887]: SASL [conn=1057] Debug: DIGEST-MD5 server step 2
Nov 29 17:25:02 firewall slapd[2887]: SASL Canonicalize [conn=1057]: authcid="cyrus@joan.com.bo"
Nov 29 17:25:02 firewall slapd[2887]: slap_sasl_getdn: conn 1057 id=cyrus@joan.com.bo [len=17]
Nov 29 17:25:02 firewall slapd[2887]: slap_sasl_getdn: u:id converted to uid=cyrus@joan.com.bo,cn=DIGEST-MD5,cn=auth
Nov 29 17:25:02 firewall slapd[2887]: >>> dnNormalize: <uid=cyrus@joan.com.bo,cn=DIGEST-MD5,cn=auth>
Nov 29 17:25:02 firewall slapd[2887]: <<< dnNormalize: <uid=cyrus@joan.com.bo,cn=digest-md5,cn=auth>
Nov 29 17:25:02 firewall slapd[2887]: ==>slap_sasl2dn: converting SASL name uid=cyrus@joan.com.bo,cn=digest-md5,cn=auth to a DN
Nov 29 17:25:02 firewall slapd[2887]: [rw] authid: "uid=cyrus@joan.com.bo,cn=digest-md5,cn=auth" -> "uid=cyrus@joan.com.bo,ou=people,dc=plainjoe,dc=org"
Nov 29 17:25:02 firewall slapd[2887]: slap_parseURI: parsing uid=cyrus@joan.com.bo,ou=people,dc=plainjoe,dc=org
Nov 29 17:25:02 firewall slapd[2887]: >>> dnNormalize: <uid=cyrus@joan.com.bo,ou=people,dc=plainjoe,dc=org>
Nov 29 17:25:02 firewall slapd[2887]: <<< dnNormalize: <uid=cyrus@joan.com.bo,ou=people,dc=plainjoe,dc=org>
Nov 29 17:25:02 firewall slapd[2887]: <==slap_sasl2dn: Converted SASL name to uid=cyrus@joan.com.bo,ou=people,dc=plainjoe,dc=org
Nov 29 17:25:02 firewall slapd[2887]: slap_sasl_getdn: dn:id converted to uid=cyrus@joan.com.bo,ou=people,dc=plainjoe,dc=org
Nov 29 17:25:02 firewall slapd[2887]: SASL Canonicalize [conn=1057]: slapAuthcDN="uid=cyrus@joan.com.bo,ou=people,dc=plainjoe,dc=org"
Nov 29 17:25:02 firewall slapd[2887]: => bdb_search
Nov 29 17:25:02 firewall slapd[2887]: bdb_dn2entry("uid=cyrus@joan.com.bo,ou=people,dc=plainjoe,dc=org")
Nov 29 17:25:02 firewall slapd[2887]: => bdb_dn2id("uid=cyrus@joan.com.bo,ou=people,dc=plainjoe,dc=org")
Nov 29 17:25:02 firewall slapd[2887]: daemon: activity on 1 descriptor
Nov 29 17:25:02 firewall slapd[2887]: daemon: activity on:
Nov 29 17:25:02 firewall slapd[2887]:
Nov 29 17:25:02 firewall slapd[2887]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Nov 29 17:25:02 firewall slapd[2887]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Nov 29 17:25:02 firewall slapd[2887]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Nov 29 17:25:02 firewall slapd[2887]: => access_allowed: disclose access to "ou=people,dc=plainjoe,dc=org" "entry" requested
Nov 29 17:25:02 firewall slapd[2887]: => acl_get: [2] attr entry
Nov 29 17:25:02 firewall slapd[2887]: => acl_mask: access to entry "ou=people,dc=plainjoe,dc=org", attr "entry" requested
Nov 29 17:25:02 firewall slapd[2887]: => acl_mask: to all values by "", (=0)

CONFIGURATION FILES
                                /etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/rfc2307bis.schema
include         /etc/openldap/schema/yast.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

loglevel        -1
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/lib/openldap/modules
# moduleload    back_bdb.la
# moduleload    back_hdb.la
# moduleload    back_ldap.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access to user password
#               Allow anonymous users to authenticate
#               Allow read access to everything else
#       Directives needed to implement policy:
#access to dn.base=""
#        by * read

#access to dn.base="cn=Subschema"
#        by * read

access to attrs=userPassword,userPKCS12
        by self write
        by anonymous auth
        by dn.base="uid=proxyuser,ou=people,dc=plainjoe,dc=org" manage
        by dn.base="uid=cyrus,ou=people,dc=plainjoe,dc=org" manage
        by users read
        by * none
#        by * auth

#access to attrs=shadowLastChange
#        by self write
#        by * read

access to *
        by * read

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=plainjoe,dc=org"
checkpoint      1024    5
cachesize       10000
rootdn          "cn=Manager,dc=plainjoe,dc=org"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# the password is: secret    (in ssha)
#rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
rootpw          secret1
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap
# Indices to maintain
index   objectClass         eq
index   cn,sn,mail          eq,sub
index   departmentNumber    eq

## -- master slapd --
# Specify the location of the file to append changes to.
#replogfile     /var/log/slapd.replog
## -- master slapd --
# Set the hostname and bind credentials used to propagate the changes in the
# replogfile.
#replica      host=replica1.plainjoe.org:389
#             suffix="dc=plainjoe,dc=org"
#             binddn="cn=replica,dc=plainjoe,dc=org"
#             credentials=MyPass
#             bindmethod=simple
#             tls=no

#To use secrets stored in the LDAP directory, place plaintext passwords in the userPassword attribute
password-hash {CLEARTEXT}

# setting up a user proxy in order to use sasl
authz-policy to
authz-regexp
   uid=([^,]*),cn=[^,]*,cn=auth
   uid=$1,ou=people,dc=plainjoe,dc=org
#   ldap:///dc=plainjoe,dc=org??sub?(|(uniqueIdentifier=$1)(mail=$1))
#   uid=$1,ou=people,dc=plainjoe,dc=org
#   uid=(.*),cn=.*,cn=auth
#binddn "uid=proxyuser,ou=people,dc=plainjoe,dc=org" credentials=proxyuser mode=self

#sasl-authz-policy to
#sasl-regexp
#   uid=(.*),cn=DIGEST-MD5,cn=auth
#   uid=$1,ou=people,dc=plainjoe,dc=org
#sasl-auxprops slapd
#sasl-host localhost


#sasl-secprops
# 2nd attempt with sasl
#sasl-regexp uid=(.*),cn=firewall,cn=DIGEST-MD5,cn=auth uid=$1,ou=People,dc=plainjoe,dc=org



                                      /etc/imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sievedir: /var/lib/sieve
admins: cyrus proxyuser
allowanonymouslogin: no
allowplaintext: yes
autocreatequota: 10000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
unixhierarchysep: 1
virtdomains: yes
defaultdomain: plainjoe.org
#sasl_pwcheck_method: saslauthd

# this section is for authentication
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 EXTERNAL
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://localhost
sasl_ldapdb_id: cyrus
sasl_ldapdb_pw: secret
sasl_ldapdb_mech: DIGEST-MD5

lmtp_overquota_perm_failure: no
lmtp_downcase_rcpt: yes

OPENLDAP DATA
firewall:~ # slapcat
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
dn: dc=plainjoe,dc=org
dc: plainjoe
objectClass: dcObject
objectClass: organizationalUnit
ou: PlainJoe Dot Org
structuralObjectClass: organizationalUnit
entryUUID: 0335be26-7c73-102f-8bd2-599020d843b8
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101104152159Z
entryCSN: 20101104152159.733766Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101104152159Z

dn: ou=people,dc=plainjoe,dc=org
ou: people
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 033e9352-7c73-102f-8bd3-599020d843b8
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101104152159Z
entryCSN: 20101105231448.878588Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101105231448Z

dn: uid=test,ou=people,dc=plainjoe,dc=org
uid: test
cn: testeo principal
gidNumber: 10001
uidNumber: 10001
homeDirectory: /dev/null
objectClass: account
objectClass: posixAccount
userPassword:: c2VjcmV0MQ==
structuralObjectClass: account
entryUUID: 56c7ff24-86d5-102f-9775-4f0c54ef34bf
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101117203102Z
entryCSN: 20101117203102.250410Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101117203102Z

dn: uid=cyrus,ou=people,dc=plainjoe,dc=org
uid: cyrus
cn: cyrus
gidNumber: 10003
uidNumber: 10003
homeDirectory: /dev/bash
objectClass: account
objectClass: posixAccount
userPassword:: c2VjcmV0
authzTo: ldap:///ou=people,dc=plainjoe,dc=org??sub?(objectClass=account)
structuralObjectClass: account
entryUUID: 634b9642-8acd-102f-9384-2ba12314497c
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101122214411Z
entryCSN: 20101122214411.922672Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101122214411Z

dn: uid=fernandito,ou=people,dc=plainjoe,dc=org
uid: fernandito
cn: Fernandito Torrez
gidNumber: 10000
uidNumber: 10000
homeDirectory: /dev/null
objectClass: account
objectClass: posixAccount
userPassword:: ZmVybmFuZGl0bw==
structuralObjectClass: account
entryUUID: 8a28b1a4-9046-102f-9ec3-c13bc8bd451e
creatorsName: cn=Manager,dc=plainjoe,dc=org
createTimestamp: 20101129205402Z
entryCSN: 20101129205402.043371Z#000000#000#000000
modifiersName: cn=Manager,dc=plainjoe,dc=org
modifyTimestamp: 20101129205402Z
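Added example (not part of Fernando's mail, and not OpenLDAP or Cyrus code): a small Python replay of what the slapd log above records. It takes three of the posted log lines, extracts the authcid, applies the authz-regexp pair exactly as it appears in the posted slapd.conf, and checks the resulting DN against the entries shown by slapcat. The realm-stripping regexp in the script is an illustrative assumption of mine, not the author's fix; the log lines and DNs are copied from the post and the DIRECTORY_DNS set is constructed from the slapcat output.

```python
import re

# Constructed sample: three lines copied from the slapd log excerpt in the mail.
LOG_LINES = [
    'Nov 29 17:25:02 firewall slapd[2887]: SASL Canonicalize [conn=1057]: authcid="cyrus@joan.com.bo"',
    'Nov 29 17:25:02 firewall slapd[2887]: slap_sasl_getdn: u:id converted to uid=cyrus@joan.com.bo,cn=DIGEST-MD5,cn=auth',
    'Nov 29 17:25:02 firewall slapd[2887]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)',
]

# Entries that actually exist in the directory, taken from the slapcat output in the mail.
DIRECTORY_DNS = {
    "uid=test,ou=people,dc=plainjoe,dc=org",
    "uid=cyrus,ou=people,dc=plainjoe,dc=org",
    "uid=fernandito,ou=people,dc=plainjoe,dc=org",
}

# The authz-regexp pair exactly as written in the posted slapd.conf.
POSTED_AUTHZ_REGEXP = (
    r"uid=([^,]*),cn=[^,]*,cn=auth",
    r"uid=$1,ou=people,dc=plainjoe,dc=org",
)

# Hypothetical alternative (my assumption for illustration, NOT the author's fix):
# capture only the part of the uid before an optional "@realm" suffix.
REALM_STRIPPING_AUTHZ_REGEXP = (
    r"uid=([^,@]*)(@[^,]*)?,cn=[^,]*,cn=auth",
    r"uid=$1,ou=people,dc=plainjoe,dc=org",
)


def authz_map(sasl_dn, rule):
    """Apply one authz-regexp rule the way slapd does: the pattern must match the
    whole (normalised, lower-cased) SASL DN, and $1..$9 in the replacement are
    filled from the capture groups. Returns the mapped DN, or None on no match."""
    pattern, replacement = rule
    m = re.fullmatch(pattern, sasl_dn, re.IGNORECASE)
    if not m:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", replacement)


def extract_authcid(log_lines):
    """Pull the authcid out of the 'SASL Canonicalize' line."""
    for line in log_lines:
        m = re.search(r'authcid="([^"]*)"', line)
        if m:
            return m.group(1)
    return None


def extract_sasl_dn(log_lines):
    """Pull the uid=...,cn=<mech>,cn=auth form out of the slap_sasl_getdn line."""
    for line in log_lines:
        m = re.search(r"u:id converted to (uid=[^ ]+,cn=auth)", line)
        if m:
            return m.group(1)
    return None


def diagnose(log_lines, rule, directory_dns):
    """Replay the bind: authcid -> SASL DN -> authz-regexp -> does that DN exist?"""
    authcid = extract_authcid(log_lines)
    sasl_dn = extract_sasl_dn(log_lines) or f"uid={authcid},cn=DIGEST-MD5,cn=auth"
    # slapd's dnNormalize lower-cases the DN before the regexp is applied
    target = authz_map(sasl_dn.lower(), rule)
    return {
        "authcid": authcid,
        "realm": authcid.split("@", 1)[1] if authcid and "@" in authcid else None,
        "sasl_dn": sasl_dn,
        "target_dn": target,
        "exists": bool(target) and target in directory_dns,
    }


if __name__ == "__main__":
    for name, rule in (("posted", POSTED_AUTHZ_REGEXP),
                       ("realm-stripping", REALM_STRIPPING_AUTHZ_REGEXP)):
        print(name, diagnose(LOG_LINES, rule, DIRECTORY_DNS))
```

With the posted rule the replay lands on uid=cyrus@joan.com.bo,ou=people,dc=plainjoe,dc=org, which is not among the slapcat entries, matching the DB_NOTFOUND in the log; with the realm-stripping rule it lands on the existing uid=cyrus entry. Note that a rule like the second one silently discards the realm, so it is only appropriate if the realm carries no authorization meaning in this directory.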