Solved: RE: Configuring Cyrus IMAP for multiple domains (virtdomains problem)

(no email)
Date: Tue May 17 2005 - 17:13:53 EDT

  • Next message: Lars Hanke: "Cyrus IMAP4 v2.1.18 no login via SSL"

    Here is my solution (plain text password passing only.....hm):

    1. /etc/imapd.conf:

       sasl_pwcheck_method: auxprop # NOT saslauthd
       sasl_mech_list: PLAIN
       allowplaintext: yes

    2. service saslauthd stop # saslauthd is not needed

    3. /etc/pam.d/imap:

    #%PAM-1.0
    auth required /lib/security/pam_stack.so service=system-auth
    #account required /lib/security/pam_stack.so service=system-auth
    ## the account line would require a real system/UNIX account
    ## the auth line lets me create "virtual users"

    4. create users / passwords in sasldb2:

    # saslpasswd2 -c feedback
    Password:
    Again (for verification):

    # sasldblistusers2
    feedback at localhost dot localdomain: userPassword

    5. test username / password:

    # /usr/lib/cyrus-imapd/imtest -a feedback -w PASSWORDHERE localhost
    S: * OK localhost.localdomain Cyrus IMAP4 v2.2.6-Invoca-RPM-2.2.6-2.FC3.6 server ready
    C: C01 CAPABILITY
    S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS LISTEXT LIST-SUBSCRIBED X-NETSCAPE
    S: C01 OK Completed
    C: L01 LOGIN feedback {12}
    S: + go ahead
    C: <omitted>
    S: L01 OK User logged in
    Authenticated.
    Security strength factor: 0
    C: Q01 LOGOUT
    Connection closed.

    So that works without actually having "feedback" system user:

    # finger feedback
    finger: feedback: no such user.

    Now ... this uses plain-text passwords, from what I understand. I
    assume that refers to how they are stored in /etc/sasldb2 - Oh, yes,
    "strings /etc/sasldb2" shows them all very clearly! :(((

    Hm, how does one go about encrypting that...

    Thanks,
    Otis

    --- Michael King <> wrote:

    > PAM has always confused me, but I recently had some issues with it,
    > myself.
    >
    > I think you're supposed to do it the other way around - configure
    > SASL to use PAM - but that won't work unless you have a mechanism
    > set up (like mysql, etc) in PAM.
    >
    > If the logins are just stored in SASL, why use PAM at all?
    >
    >
    > Michael King
    > Systems Administrator
    > Web International, Inc.
    > www.webinternational.net
    >
    > > -----Original Message-----
    > > From: [mailto:owner-info-] On Behalf Of
    > > Sent: Tuesday, May 17, 2005 2:54 PM
    > > To:
    > > Subject: Re: Configuring Cyrus IMAP for multiple domains (virtdomains
    > > problem)
    > >
    > > Hello,
    > >
    > > My authentication problem is in the saslauthd -> PAM part. I think
    > > I need to configure PAM to use SASL and /etc/sasldb2 file to
    > > authenticate users. It looks like it is currently checking for UNIX
    > > username / pass:
    > >
    > > May 17 15:48:13 localhost unix_chkpwd[28032]: check pass; user unknown
    > > May 17 15:48:13 localhost imap(pam_unix)[28018]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    > > May 17 15:48:15 localhost saslauthd[28018]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
    > > May 17 15:48:15 localhost saslauthd[28018]: do_auth : auth failure: [user=feedback] [service=imap] [realm=my-domain.com] [mech=pam] [reason=PAM auth error]
    > >
    > >
    > > My /etc/pam.d/imap file looks like this:
    > >
    > > # cat /etc/pam.d/imap
    > > #%PAM-1.0
    > > auth required /lib/security/pam_stack.so service=system-auth
    > > account required /lib/security/pam_stack.so service=system-auth
    > >
    > > I looked at /lib/security/pam_*.so shared libs, but didn't see
    > > anything with *sasl* in the name.
    > >
    > > How should I configure PAM to use SASL and /etc/sasldb2? I think
    > > that is what I need to do.
    > >
    > >
    > > Thanks!
    > >
    > > Otis
    > > P.S.
    > > Example of OK when UNIX account exists, and NO when it doesn't:
    > >
    > > # man /usr/sbin/testsaslauthd
    > > # /usr/sbin/testsaslauthd -u feedback -p XXX
    > > 0: OK "Success."
    > >
    > > # userdel feedback
    > >
    > > # /usr/sbin/testsaslauthd -u feedback -p XXX
    > > 0: NO "authentication failed"
    > >
    > >
    > > --- wrote:
    > > > Hello,
    > > >
    > > > (I think this message got pushed down by the recent list spam, so
    > > > I'm resending it, hoping it will catch somebody's attention)
    > > >
    > > > I'm trying to configure Cyrus IMAP (cyrus-imapd-2.2.6-2.FC3.6 -
    > > > Fedora Core 3 package) to serve multiple domains. I have it accept
    > > > email from Postfix when I don't use multiple (virtual) domains, but
    > > > not with "virtdomains: yes" in /etc/imapd.conf.
    > > >
    > > > Here is what I have in /etc/imapd.conf:
    > > >
    > > > ... <standard stuff taken out> ...
    > > > sasl_pwcheck_method: saslauthd
    > > > sasl_mech_list: PLAIN
    > > > tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
    > > > tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
    > > > tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
    > > >
    > > > # OG: added
    > > > virtdomains: on
    > > > defaultdomain: my-domain.com
    > > > unixhierarchysep: 1
    > > > loginrealms: localdomain my-domain.com
    > > >
    > > > If I comment out the last 4 lines, then I _can_ create new
    > > > mailboxes with cyradm (e.g. createmailbox user.otis.Trash).
    > > > However, I need this server to serve email for multiple domains,
    > > > so I need to be able to do "cm user/")
    > > >
    > > > I've followed this:
    > > >
    > > > http://asg.web.cmu.edu/cyrus/download/imapd/install-virtdomains.html
    > > >
    > > > But that results in this:
    > > >
    > > > cyradm -u cyrus localhost 143
    > > > IMAP Password:
    > > > localhost.localdomain> cm
    > > > createmailbox: Invalid mailbox name
    > > >
    > > > I also tried this:
    > > >
    > > > localhost.localdomain> cm user/
    > > > createmailbox: Invalid mailbox name
    > > >
    > > > I presume that's because Cyrus doesn't know about "my-domain.com".
    > > > How do I tell it about "my-domain.com"?
    > > >
    > > > I also read this:
    > > > http://www.phildev.net/cyrus/cyrus_sasl.html
    > > >
    > > > But that had a few errors, so I gave up around half of the job.
    > > > Perhaps Cyrus and cyradm would know about "my-domain.com" if I
    > > > called cyradm like this:
    > > >
    > > > cyradm -u cyrus my-domain.com 143
    > > >
    > > > ?
    > > > I tried that, but my-domain.com domain is not really configured
    > > > yet (DNS points to a different, old machine), so I can't really
    > > > try that.
    > > >
    > > > Any help would be appreciated.
    > > >
    > > > Thanks,
    > > > Otis
    > > > P.S.
    > > > Similar thread is here, but this doesn't seem to work for me:
    > > >
    > > > http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=35013
    > > >
    > > > ---
    > > > Cyrus Home Page: http://asg.web.cmu.edu/cyrus
    > > > Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
    > > > List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
    > > >
    > >
    > > ---
    > > Cyrus Home Page: http://asg.web.cmu.edu/cyrus
    > > Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
    > > List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
    >
    >
    >
    >

    ---
    Cyrus Home Page: http://asg.web.cmu.edu/cyrus
    Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
    List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
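The three exposure points Otis runs into above (plaintext LOGIN/PLAIN allowed on the wire, recoverable passwords in /etc/sasldb2, and an imtest session that ends with "Security strength factor: 0") can be checked mechanically. The script below is an added example, not code from this thread or from the Cyrus or Cyrus SASL projects: the finding codes, the sample imapd.conf and the imtest excerpt are constructed here. Its parser follows the imapd.conf(5) rule that blank lines and lines starting with `#` are ignored and everything after the colon is the value; whether a particular Cyrus release strips a trailing `# comment` such as the one on the `sasl_pwcheck_method` line is not something this checker assumes, so it flags such values instead.

```python
"""Audit the plaintext-exposure points from the thread: allowplaintext with
PLAIN/LOGIN and no TLS, a sasldb2 other local users can read, and an imtest
run that negotiated no security layer (SSF 0). Added example; codes and
sample inputs are constructed, not taken from Cyrus."""
import os
import re
import stat

# Constructed sample mirroring the settings quoted in the thread.
SAMPLE_IMAPD_CONF = """\
sasl_pwcheck_method: auxprop # NOT saslauthd
sasl_mech_list: PLAIN
allowplaintext: yes
virtdomains: on
defaultdomain: my-domain.com
"""

# Constructed excerpt of the imtest output shown in the post.
SAMPLE_IMTEST = """\
S: L01 OK User logged in
Authenticated.
Security strength factor: 0
C: Q01 LOGOUT
"""

TRUE_VALUES = {"yes", "y", "on", "1", "true", "t"}


def parse_imapd_conf(text):
    """'option: value' lines; blank and '#'-leading lines skipped; the rest of
    the line after the colon is kept verbatim as the value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf


def audit_imapd_conf(conf):
    """Return (code, message) findings for a parsed imapd.conf."""
    findings, clean = [], {}
    for key, value in conf.items():
        # Inline-comment handling varies by Cyrus release: flag it rather than
        # assume, and audit only the text before '#'.
        if "#" in value:
            findings.append(("INLINE_COMMENT", f"{key}: value {value!r} contains '#'; "
                             "confirm your Cyrus version strips it or move it to its own line"))
        clean[key] = value.split("#", 1)[0].strip().lower()

    explicit = clean.get("allowplaintext")
    if explicit is None:
        findings.append(("ALLOWPLAINTEXT_UNSET", "allowplaintext is not set; its default "
                         "differs between Cyrus releases, so state it explicitly"))
    plaintext_ok = explicit in TRUE_VALUES
    mechs = set(clean.get("sasl_mech_list", "").upper().split())
    cleartext_mechs = mechs & {"PLAIN", "LOGIN"}  # empty sasl_mech_list = all mechs
    tls_configured = bool(clean.get("tls_cert_file"))

    if plaintext_ok and (cleartext_mechs or not mechs):
        findings.append(("PLAINTEXT_NO_TLS", "allowplaintext is on: PLAIN/LOGIN credentials "
                         "may cross the wire unencrypted; set 'allowplaintext: no' so they "
                         "are only accepted after STARTTLS"))
    if explicit is not None and not plaintext_ok and cleartext_mechs and not tls_configured:
        findings.append(("NO_TLS_LOCKOUT", "allowplaintext is off but no tls_cert_file is set: "
                         "PLAIN/LOGIN will be refused and nobody can log in with them"))
    if clean.get("sasl_pwcheck_method") == "auxprop":
        findings.append(("AUXPROP_SASLDB", "auxprop keeps recoverable userPassword entries in "
                         "sasldb2; restrict the file to the Cyrus user"))
    return findings


def sasldb_mode_findings(mode, path="/etc/sasldb2"):
    """Findings for a sasldb permission mode: anyone who can read the file can
    recover every userPassword, exactly as 'strings' showed in the thread."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append(("SASLDB_WORLD_READABLE", f"{path} is readable by everyone"))
    elif mode & stat.S_IRGRP:
        findings.append(("SASLDB_GROUP_READABLE", f"{path} is readable by its group"))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("SASLDB_WRITABLE", f"{path} is writable by group or others"))
    return findings


def check_sasldb(path="/etc/sasldb2"):
    """Stat the live file and apply the mode checks."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [("SASLDB_MISSING", f"{path} not found")]
    return sasldb_mode_findings(stat.S_IMODE(st.st_mode), path)


def imtest_ssf(transcript):
    """The 'Security strength factor' imtest prints; 0 means no encryption layer."""
    m = re.search(r"Security strength factor:\s*(\d+)", transcript)
    return int(m.group(1)) if m else None


def audit_imtest(transcript):
    if imtest_ssf(transcript) == 0:
        return [("SSF_ZERO", "session authenticated with no security layer; test again "
                 "with STARTTLS (imtest -t \"\") or over the SSL port")]
    return []


if __name__ == "__main__":
    conf = parse_imapd_conf(SAMPLE_IMAPD_CONF)
    for code, msg in audit_imapd_conf(conf) + audit_imtest(SAMPLE_IMTEST) + check_sasldb():
        print(f"[{code}] {msg}")
```

Run on the sample it reports the inline comment, the plaintext-without-TLS combination and the auxprop store; `check_sasldb()` reports `SASLDB_MISSING` on a host without the file, and on a real server the mode findings are what `strings /etc/sasldb2` succeeding as an ordinary user corresponds to. Note that `sasl_mech_list` cannot be left empty for the PLAIN check to be skipped: an absent list means every compiled-in mechanism, PLAIN included, is offered.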
    
