How to use LDAP with cyrus?

jbakshi12 2007-02-28 07:10:05 UTC #1

OK list,

now I hv LDAP as authentication backend. now how to configure cyrus to
use LDAP
users data for authentication ??

thanks in advanced.

Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net’s Techsay panel and you’ll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

haary 2007-02-28 07:28:22 UTC #2

Hello,

OK list, now I hv LDAP as authentication backend. now how to configure cyrus to use LDAP users data for authentication ??

thanks in advanced.
[/quote]

I experimented with this quite a while. The best thing is to
use saslauthd with pam and let pam do the LDAP stuff.

Otherwise - if you want to use auxprop-based SASL mechanism with
ldapdb - you have to use plain text passwords in your LDAP directory,
which was not acceptable for me.

Regards,

Henry

jbakshi12 2007-02-28 08:40:26 UTC #3

haary wrote:

Hello,

JOYDEEP-3 wrote:

OK list,
now I hv LDAP as authentication backend. now how to configure cyrus to
use LDAP
users data for authentication ??

thanks in advanced.

I experimented with this quite a while. The best thing is to
use saslauthd with pam and let pam do the LDAP stuff.

Otherwise - if you want to use auxprop-based SASL mechanism with
ldapdb - you have to use plain text passwords in your LDAP directory,
which was not acceptable for me.

Regards,

Dear Henry,

thanks for your response. Could u kindly suggest how to utilise PAM to
do LDAP stuff ?

here I have set my saslauthd as SASLAUTHD_AUTHMECH=ldap

then I have created /etc/saslauthd.conf with the following

ldap_servers: ldap://localhost:389
ldap_bind_dn: cn=Manager,dc=kolkatainfoservices,dc=in
ldap_bind_pw: secret
ldap_search_base: ou=Users,dc=kolkatainfoservices,dc=in
ldap_version: 3
ldap_filter: uid=%U
ldap_default_domain: kolkatainfoservices.in

now I have tested some existing account with testsaslauthd command ( I
have migrated from mysql to LDAP authentication)
and got the success

but when I try to create a new account from egw ( now the authentication
backend is LDAP) the account’s authentication is not
there in LDAP that’s why user can’t login. but the account is created in
mysql ( used as storage back end)

here is the error from the log.

Feb 28 13:36:51 linux slapd[4103]: conn=141 op=0 BIND
dn=“cn=Manager,dc=kolkatainfoservices,dc=in” method=128
Feb 28 13:36:51 linux slapd[4103]: conn=141 op=0 BIND
dn=“cn=Manager,dc=kolkatainfoservices,dc=in” mech=SIMPLE ssf=0
Feb 28 13:36:51 linux slapd[4103]: conn=141 op=0 RESULT tag=97 err=0 text=
Feb 28 13:36:51 linux slapd[4103]: conn=141 op=1 SRCH
base=“ou=Users,dc=kolkatainfoservices,dc=in” scope=2 deref=0
filter="(uid=cyrus)"
Feb 28 13:36:51 linux slapd[4103]: conn=141 op=1 SRCH attr=dn
Feb 28 13:36:51 linux slapd[4103]: <= bdb_equality_candidates: (uid)
index_param failed (18)
Feb 28 13:36:51 linux slapd[4103]: conn=141 op=1 SEARCH RESULT tag=101
err=0 nentries=0 text=
Feb 28 13:36:51 linux saslauthd[8976]: Entry not found (uid=cyrus).
Feb 28 13:36:51 linux saslauthd[8976]: Authentication failed for
cyrus/kolkatainfoservices.in: User not found

I can’t understand why it is showing Entry not found (uid=cyrus).
because I am craeting a user with a diofferent name
than cyrus. so could any one kindly point out what I am missing here ?
thanks for your kind help

Henry

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

haary 2007-02-28 09:03:21 UTC #4

Hello,

thanks for your response. Could u kindly suggest how to utilise PAM to do LDAP stuff ?

here I have set my saslauthd as SASLAUTHD_AUTHMECH=ldap
[/quote]

Don’t use LDAP mechanism in saslauthd, use pam (LDAP mechanism wasn’t working for me either).

Enter in /etc/imapd.conf:

sasl_mech_list: PLAIN LOGIN
sasl_pwcheck_method: saslauthd

then in /etc/pam.d/imap:

auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so

Then start saslauthd with “/usr/sbin/saslauthd -a pam -c -n 5”.

Regards,
Henry

jbakshi12 2007-02-28 10:16:11 UTC #5

haary wrote:

Hello,

JOYDEEP-3 wrote:

thanks for your response. Could u kindly suggest how to utilise PAM to
do LDAP stuff ?

here I have set my saslauthd as SASLAUTHD_AUTHMECH=ldap

Don’t use LDAP mechanism in saslauthd, use pam (LDAP mechanism wasn’t
working for me either).

Enter in /etc/imapd.conf:

sasl_mech_list: PLAIN LOGIN
sasl_pwcheck_method: saslauthd

then in /etc/pam.d/imap:

auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so

Then start saslauthd with “/usr/sbin/saslauthd -a pam -c -n 5”.

Regards,
Henry

Dear Henry,

Thanks for your guidance. I have the following entries in my
/etc/pam.d/imap

auth include common-auth
account include common-account
password include common-password
session include common-session

I have just added the configs u have suggested. I already have
pam_ldap.so. but the testsaslauthd on a
know LDAP account and a know unix account were failed. then I have
commented the existing lines and restarted the saslauthd but
no success this time too

can you kindly suggest me to fix the problem.

here are some error logs ( when using the config as u suggested) to make
tour tracing easier

pam_ldap: ldap_starttls_s: Protocol error
Feb 28 15:37:23 linux saslauthd[12161]: pam_unix_auth(imap:auth): check
pass; user unknown
Feb 28 15:37:23 linux saslauthd[12161]: pam_unix_auth(imap:auth):
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=

with best wishes

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

jbakshi12 2007-02-28 11:06:06 UTC #6

haary wrote:

Hello,

JOYDEEP-3 wrote:

thanks for your response. Could u kindly suggest how to utilise PAM to
do LDAP stuff ?

here I have set my saslauthd as SASLAUTHD_AUTHMECH=ldap

Don’t use LDAP mechanism in saslauthd, use pam (LDAP mechanism wasn’t
working for me either).

Enter in /etc/imapd.conf:

sasl_mech_list: PLAIN LOGIN
sasl_pwcheck_method: saslauthd

then in /etc/pam.d/imap:

auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so

Then start saslauthd with “/usr/sbin/saslauthd -a pam -c -n 5”.

Dear Henry and lists,

as the configs suggested by Henry is not working for me and having no
solution yet; I have come back to my previous setting.
that is SASLAUTHD_AUTHMECH=ldap in the saslauthd file.
so no problem to authenticate the know accounts stored in LDAP. Though I
hv missed the pam to authenticate the accounts in
my linux box. any how since ldap authentication is working I hv
tried to create accoun in egw.
BUT no information is entered into the ldap tree though in mysql and
fudforum the account details are shown. so could any one
kiiiinnndddly suggest any fix. it is really urgent. As if this will not
work then spending somuch of time to use LDAP as backend
will be useless. plese guide me to fix the problem.
thanks for your time.

Regards,
Henry

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

Alexei_Larionov 2007-02-28 11:15:25 UTC #7

haary пишет:

Hello,

JOYDEEP-3 wrote:

thanks for your response. Could u kindly suggest how to utilise PAM to
do LDAP stuff ?

here I have set my saslauthd as SASLAUTHD_AUTHMECH=ldap

Don’t use LDAP mechanism in saslauthd, use pam (LDAP mechanism wasn’t
working for me either).

Enter in /etc/imapd.conf:

sasl_mech_list: PLAIN LOGIN
sasl_pwcheck_method: saslauthd

then in /etc/pam.d/imap:

auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so

Then start saslauthd with “/usr/sbin/saslauthd -a pam -c -n 5”.

Regards,
Henry

Hi!

I am using ldap mechanism in saslauthd:

/usr/sbin/saslauthd -a ldap -O /etc/saslauthd.conf

imapd.conf:

ldap_sasl: 1
ldap_servers: ldap://ldap.domain.com/
ldap_base: dc=domain,dc=com
sasl_pwcheck_method: saslauthd
sasl_mech_list: LOGIN PLAIN

Looks like first 3 lines does not matter.

saslauthd.conf:

ldap_servers: ldap://ldap.domain.com/
ldap_filter: uid=%u%R
ldap_search_base: dc=domain,dc=com

my LDIF file in LDAP:

dn: cn=Alexei Larionov, ou=People, dc=internews,dc=ru
homePhone: +7 495 000-00-00
givenName: Alexei
mobile: +7 916 000-00-00
postalCode: 119019
objectClass: top
objectClass: organizationalPerson
objectClass: officePerson
objectClass: inetOrgPerson
URL: http://www.internews.ru
userPassword: mypassword
facsimileTelephoneNumber: +7 495 000-00-00
ou: IT department
uid: larionov@internews.ru
mail: larionov@internews.ru
cn: Alexei Larionov
telephoneNumber: +7 495 000-00-00
physicalDeliveryOfficeName: room 5
pager: 752
o: Internews
l: Moscow
postalAddress: mypostal adress
sn: Larionov
c: Russia
title: IT Director

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

haary 2007-02-28 12:34:29 UTC #8

Hello,

userPassword: mypassword [/quote]

Do you store your password as plain text in LDAP?

Regards,

Henry

jbakshi12 2007-02-28 12:44:29 UTC #9

haary wrote:

Hello,

Alexei Larionov wrote:

userPassword: mypassword

Do you store your password as plain text in LDAP?

Regards,

Henry

No, it is in encrypted form. I have checked the password field bu
php-ldap-admin and seen it as {crypt} form.
I like to inform you that when I create a new froup I can see its entry
in LDAP but when I create a new it is not
created in LDAP PLEASE suggest me to fix it.

thanks for your guidance so long.

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

Alexei_Larionov 2007-02-28 14:31:23 UTC #10

haary пишет:

Hello,

Alexei Larionov wrote:

userPassword: mypassword

Do you store your password as plain text in LDAP?

Of course no. My real password there
’{SSHA}QA9KiZNdPQ/jOYH8rm2PUVzHPdDR6XOJ’
But you can store password as plain text if you need. I am use free tool

LDAP Browser/Editor http://www-unix.mcs.anl.gov/~gawor/ldap/
It has embeded PasswordEditor for verifying and generating MD5, SHA and
Unix Crypt passwords.

Regards,

Henry

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users