Description of problem: I have the following error message in syslog (/var/log/messages) after updating to Rawhide and restarting saslauthd and sendmail:

[...] sendmail[18698]: auxpropfunc error invalid parameter supplied

Version-Release number of selected component (if applicable):
sendmail-8.13.4-2
cyrus-sasl-2.1.21-2
cyrus-sasl-2.1.21-3
openldap-2.2.26-1

Steps to Reproduce & how reproducible: Every time; restart sendmail.

Actual results: I searched a bit on the Internet and only found that the problem is ldapdb related. When I built cyrus-sasl myself with --disable-ldapdb, the problem disappeared.

Expected results: No error message in syslog! ;-)

Additional info: I filed this bug against cyrus-sasl because I think this problem is caused by cyrus-sasl and not by sendmail.
The ldapdb plugin gets loaded, and I don't see any way to disable it in your configuration without also disabling sasldb support. As a temporary workaround, try adding "ldapdb_uri: ldapi:///" to /usr/lib/sasl2/Sendmail.conf.
I guess moving the ldapdb auxprop module into yet another subpackage is the most workable solution.
I try to set up saslauthd for the XMPP server prosody but got stuck somewhere. I used the following documentation:
- http://blogs.mafia-server.net/nur-bahnhof/2013/12/prosody-authentification-ldapactivedirectory/
- http://prosody.im/doc/cyrus_sasl
- https://wiki.debian.org/InstallingProsody
My problem is that I can’t get connected. The XMPP client always gets stuck somewhere while exchanging authentication information.
Test using testsaslauthd was successful:

testsaslauthd -u theuser -p "$pw"
0: OK "Success."

I assume this means that the /etc/saslauthd.conf file is correct in this case.
Test using sasl-sample-server / sasl-sample-client (called in different terminals and copy-pasting the S: and C: lines):
root@xmpp:~# sasl-sample-server -s "xmpp" -m plain
Forcing use of mechanism plain
Sending list of 1 mechanism(s)
S: cGxhaW4=
Waiting for client mechanism...
C: U......................=
got 'PLAIN'
sasl-sample-server: SASL Other: Password verification failed
sasl-sample-server: Starting SASL negotiation: user not found (user not found)
<terminates>
root@xmpp:~# sasl-sample-client -s xmpp -a theuser
service=xmpp
Waiting for mechanism list from server...
S: cGxhaW4=
recieved 5 byte message
Choosing best mechanism from: plain
returning OK: theuser
Password:
Using mechanism PLAIN
Preparing initial.
Sending initial response...
C: U......................=
Negotiation complete
Username: theuser
SSF: 0
Waiting for encoded message...
I don’t understand why testsaslauthd succeeds while the other tool combo can’t find the user.

After running /usr/sbin/saslauthd -d I found the following block in /var/log/auth.log. Maybe that’s the problem. But whatever I tried, I can’t find out what’s supplying the invalid parameter:
Dec 2 15:42:14 xmpp sasl-sample-server: auxpropfunc error invalid parameter supplied
Dec 2 15:42:14 xmpp sasl-sample-server: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
Dec 2 15:42:14 xmpp sasl-sample-server: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
Dec 2 15:42:14 xmpp sasl-sample-server: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
Dec 2 15:42:20 xmpp sasl-sample-client: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
Dec 2 15:42:20 xmpp sasl-sample-client: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
Dec 2 15:42:34 xmpp sasl-sample-server: DIGEST-MD5 common mech free
Also, I found that sasl-sample-server and sasl-sample-client use a list of several methods when used without the -m option, but in the file /usr/lib/sasl2/xmpp.conf I explicitly select the PLAIN method:
pwcheck_method: saslauthd
mech_list: PLAIN
Probably I got the wrong path, so I also copied the file to /etc/sasl/xmpp.conf and /etc/sasl2/xmpp.conf just in case. Unfortunately, I can’t find any piece of documentation which tells the paths explicitly for Debian 8.
Also testsaslauthd doesn’t seem to care about the service:
root@xmpp:~# testsaslauthd -s xmpp -u theuser -p "$pw"
0: OK "Success."
root@xmpp:~# testsaslauthd -s nonexistingservice -u theuser -p "$pw"
0: OK "Success."
Any idea what else I can do to find the reason?
Update:

Obviously, sasl-sample-server accesses the file /etc/sasldb2, which should not happen in ldap mode, I think. Is it possible that this tool doesn’t care about configuration and that it doesn’t support ldap? Output from strace:
stat("/etc/sasldb2", {st_mode=S_IFREG|0640, st_size=12288, ...}) = 0
open("/etc/sasldb2", O_RDONLY) = 3
fcntl(3, F_GETFD) = 0
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
read(3, "1a256t2010"..., 512) = 512
close(3) = 0
Author: olli.bo (Apprentice, joined 16 Jul 2003)
SASL/PAM/LDAP is driving me crazy… that’s what I read a lot when googling for problems in this area, and what I experience myself :-S
I’m trying to get Cyrus imap working for virtual hosting on CentOS with this authorisation backend and really don’t know what’s happening.
In saslauthd I configured the LDAP search filter to use, but it looks like pam completely ignores it.
Here’s what I do for testing (I’ve done more tests, but all with similar results):
[root@testserv ~]# imtest -u my.Email@testserv.mydomain.com -a my.Email@testserv.mydomain.com
WARNING: no hostname supplied, assuming localhost
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS] testserv. Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN my.Email@testserv.mydomain.com {6}
S: + go ahead
C: <omitted>
S: L01 NO Login failed: authentication failure
Authentication failed. generic failure
Security strength factor: 0
C: Q01 LOGOUT
* BYE LOGOUT received
Q01 OK Completed
Connection closed.
The LDAP entry does exist (and so does the mailbox in Cyrus):
[root@testserv ~]# ldapsearch -WxD cn=Manager,o=mydomain,c=com mail=my.Email@testserv.mydomain.com
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: mail=my.Email@testserv.mydomain.com
# requesting: ALL
#
# myuser, accounts, testserv.mydomain.com, mydomain, com
dn: uid=myuser,ou=accounts,dc=testserv.mydomain.com,o=mydomain,c=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uidNumber: 16
uid: myuser
gidNumber: 5
givenName: My
sn: Name
mail: my.Email@testserv.mydomain.com
cn: My Name
userPassword:: dYN5ebB0fXhNRn1pZllhRnJX7Uk=
shadowLastChange: 15176
homeDirectory: /dev/null
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
This is what I get in /var/log/messages:
Aug 2 04:00:11 testserv cyrus/imap[12514]: auxpropfunc error invalid parameter supplied
Aug 2 04:00:19 testserv saslauthd[5926]: do_auth : auth failure: [user=my.email@testserv.mydomain.com] [service=imap] [realm=testserv.mydomain.com] [mech=pam] [reason=PAM auth error]
… and in /var/adm/auth.log:
Aug 2 04:00:11 testserv cyrus/imap[12514]: auxpropfunc error invalid parameter supplied
Aug 2 04:00:11 testserv cyrus/imap[12514]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
Aug 2 04:00:19 testserv saslauthd[5926]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Aug 2 04:00:19 testserv saslauthd[5926]: do_auth : auth failure: [user=my.email@testserv.mydomain.com] [service=imap] [realm=testserv.mydomain.com] [mech=pam] [reason=PAM auth error]
(AFAIK I can ignore the auxprop msg)
… and /var/log/slapd.log:
Aug 2 04:00:19 testserv slapd[5968]: conn=61 fd=27 ACCEPT from IP=127.0.0.1:51403 (IP=0.0.0.0:389)
Aug 2 04:00:19 testserv slapd[5968]: conn=61 op=0 BIND dn="" method=128
Aug 2 04:00:19 testserv slapd[5968]: conn=61 op=0 RESULT tag=97 err=0 text=
Aug 2 04:00:19 testserv slapd[5968]: conn=61 op=1 SRCH base="o=mydomain,c=com" scope=2 deref=0 filter="(mail=my.Email@testserv.mydomain.com)"
Aug 2 04:00:19 testserv slapd[5968]: conn=61 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Aug 2 04:00:19 testserv slapd[5968]: conn=61 op=2 UNBIND
Aug 2 04:00:19 testserv slapd[5968]: conn=61 fd=27 closed
These are the settings in /etc/imapd.conf:
sasl_mech_list: PLAIN LOGIN
sasl_pwcheck_method: saslauthd
## sasl_auxprop_plugin: sasldb
sasl_auto_transition: no
and my sasl config:
[root@testserv ~]# cat /etc/sysconfig/saslauthd
# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/var/run/saslauthd
# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
MECH=pam
# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
FLAGS="-c -r -O /etc/saslauthd.conf"
[root@testserv ~]# cat /etc/saslauthd.conf
ldap_servers: ldap://127.0.0.1/
ldap_search_base: dc=%d,o=mydomain,c=com
ldap_auth_method: bind
#ldap_filter: (|(uid=%u)((&(mail=%u@%d)(accountStatus=active)))
ldap_filter: (&(mail=%u@%d)(accountStatus=active))
ldap_debug: 1
ldap_version: 3
The accountStatus=active is not in ldap yet, but that doesn’t make a difference since I don’t see it in the filter… that’s not the reason for the failure.
The weird thing is, I do get an error when I rename or remove /etc/saslauthd.conf, but when the file exists it seems happily ignored…
The filter in slapd.log seems to be taken from /etc/ldap.conf. Apart from some timers, that only contains:
host 127.0.0.1
base o=mydomain,c=com
pam_login_attribute mail
Commenting out the pam_login_attribute results in this filter in slapd.log:
filter="(uid=my.Email@testserv.mydomain.com)"
Pam-imap looks like this:
[root@testserv ~]# cat /etc/pam.d/imap
auth required pam_ldap.so debug
account required pam_ldap.so debug
#auth sufficient pam_unix.so likeauth nullok
#auth sufficient pam_ldap.so use_first_pass
#auth required pam_deny.so
#account sufficient pam_unix.so
#account sufficient pam_ldap.so
The commented-out stuff is because I don’t have the cyrus admin user in LDAP; that’s a Linux user. That works fine when uncommented, but I still need to play around with that a little and first I wanna get imap working.
Finally nsswitch:
[root@testserv ~]# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
Any info where to start looking will be greatly appreciated!
Thnx in advance
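The log excerpts in the two posts above carry two different signals: the ldapdb plugin-load messages (auxpropfunc error / _sasl_plugin_load failed ... ldapdb) that libsasl emits in every SASL application regardless of whether anyone is logging in, and the saslauthd do_auth record plus the empty slapd search that describe a real failed login. The following triage function, an added example that is not from either poster, separates the two and pulls the structured fields out of the saslauthd and slapd lines; the regexes and the sample log are my own construction from the lines quoted in both posts.

```python
import re

# Constructed sample: the syslog, auth.log and slapd.log lines quoted in the two posts above.
SAMPLE_LOG = """\
Dec 2 15:42:14 xmpp sasl-sample-server: auxpropfunc error invalid parameter supplied
Dec 2 15:42:14 xmpp sasl-sample-server: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
Dec 2 15:42:14 xmpp sasl-sample-server: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
Aug 2 04:00:19 testserv saslauthd[5926]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Aug 2 04:00:19 testserv saslauthd[5926]: do_auth : auth failure: [user=my.email@testserv.mydomain.com] [service=imap] [realm=testserv.mydomain.com] [mech=pam] [reason=PAM auth error]
Aug 2 04:00:19 testserv slapd[5968]: conn=61 op=1 SRCH base="o=mydomain,c=com" scope=2 deref=0 filter="(mail=my.Email@testserv.mydomain.com)"
Aug 2 04:00:19 testserv slapd[5968]: conn=61 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

# libsasl failing to initialise the ldapdb auxprop/canonuser plugin. Every SASL
# application that scans the plugin directory logs this; it is not a login failure.
LDAPDB_NOISE = re.compile(
    r"auxpropfunc error invalid parameter supplied"
    r"|_sasl_plugin_load failed on \S+ for plugin: ldapdb"
    r"|ldapdb_canonuser_plug_init\(\) failed")
# saslauthd's structured failure record: a run of [key=value] fields.
AUTH_FAIL = re.compile(r"do_auth : auth failure: (?P<fields>(?:\[\w+=[^\]]*\] ?)+)")
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")
# slapd request/result lines are tied together by their conn= and op= numbers.
SLAPD_SRCH = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH .*filter="(?P<filter>[^"]*)"')
SLAPD_RESULT = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) SEARCH RESULT .*nentries=(?P<n>\d+)")


def triage(log_text):
    """Return {"noise": n, "failures": [field dicts], "empty_searches": [filters]}.
    A failure paired with an empty search means the directory never matched the
    login name, so no password was ever compared against anything."""
    noise, failures, searches, empty = 0, [], {}, []
    for line in log_text.splitlines():
        if LDAPDB_NOISE.search(line):
            noise += 1
            continue
        m = AUTH_FAIL.search(line)
        if m:
            failures.append(dict(FIELD.findall(m.group("fields"))))
            continue
        m = SLAPD_SRCH.search(line)
        if m:
            searches[(m["conn"], m["op"])] = m["filter"]
            continue
        m = SLAPD_RESULT.search(line)
        if m and m["n"] == "0":
            empty.append(searches.get((m["conn"], m["op"]), "<filter not seen>"))
    return {"noise": noise, "failures": failures, "empty_searches": empty}
```

Run against a real auth.log the noise count tells you how much of the file is the ldapdb complaint, while the failures list gives you the user, service, realm and mech saslauthd actually tried, which is the part worth chasing.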