[Web-cyradm] testing SASL+web-cyradm patches w/ encrypted passwords
OpenMacNews
web-cyradm.20.openmacnews at spamgourmet.com
Tue Nov 9 23:13:29 CET 2004
hi cheetoh,
bottom line --> test of simple auth on patched sys fails
the details:
i've successfully clean-rebuilt all:
mysql-4.1.7
cyrus-sasl-2.1.20
cyrus-imap-2.2.8
postfix-2.2-20041030
web-cyradm-0.5.4-CVS (11/9/04 20:36:15)
on OSX 10.3.6
(1) SASL was patched with:
http://frost.ath.cx/software/cyrus-sasl-patches/dist/2.1.19/cyrus-sasl-2.1.19-checkpw.c.patch
and,
http://frost.ath.cx/software/cyrus-sasl-patches/dist/2.1.19/cyrus-sasl-2.1.19-sql.c.patch
(2) Web-CyrAdm was patched with:
http://www.shaolinux.org/web-cyradm-0.5.4-1.FQUN.20041109.diff
(3) Web-Cyradm's conf.php includes:
...
$DOMAIN_AS_PREFIX = 0;
...
$ENABLE_FQUN = 0;
...
(4) --> cyrus-imap's imapd.conf:
postmaster: postmaster
admins: postmaster
virtdomains: yes
defaultdomain: testserver.internal.testdomain.com
servername: testserver.internal.testdomain.com
configdirectory: /var/imap
partition-default: /var/spool/imap
sievedir: /var/sieve
sasl_pwcheck_method: auxprop
allowanonymouslogin: no
allowplaintext: yes
sasl_mech_list: PLAIN
sasl_auxprop_plugin: sql
sasl_password_format: crypt
sasl_sql_user: mail
sasl_sql_passwd: gnarly_password
sasl_sql_hostnames: localhost
sasl_sql_database: mail
sasl_sql_statement: select password from accountuser where username='%u@%r' or (username='%u' and domain_name='')
sasl_sql_verbose: true
#unixhierarchysep: yes
loginrealms: internal.testdomain.com testserver.internal.testdomain.com mail2.internal.testdomain.com
tls_ca_file: /var/security/keys/server.pem
tls_cert_file: /var/security/keys/server.pem
tls_key_file: /var/security/keys/server.pem
tls_session_timeout: 0
autocreatequota: 10000
drachost: localhost
dracinterval: 0
poptimeout: 10
quotawarn: 90
reject8bit: no
timeout: 30
sendmail: /usr/local/postfix/sbin/sendmail
sieve_maxscriptsize: 32
sieve_maxscripts: 5
(5) --> postfix's smtpd.conf symlink'd into lib/sasl2 plug-in dir
pwcheck_method: auxprop
allowanonymouslogin: no
allowplaintext: yes
mech_list: PLAIN LOGIN
auxprop_plugin: sql
password_format: crypt
sql_user: mail
sql_passwd: gnarly_password
sql_hostnames: localhost
sql_database: mail
sql_select: select password from accountuser where username='%u@%r' or (username='%u' and domain_name='')
(6) relevant listeners are 'up':
netstat -an|grep LISTEN
# imap
tcp4 0 0 *.143 *.* LISTEN
tcp6 0 0 *.143 *.* LISTEN
# smtp
tcp4 0 0 172.30.11.6.25 *.* LISTEN
tcp4 0 0 127.0.0.1.25 *.* LISTEN
# sql
tcp4 0 0 *.3306 *.* LISTEN
(7) telnet to localhost 25 & 143 are OK
(8) i've created an admin user via web-cyradm
u: postmaster
p: admin!password
(9) i've created a virtual domain & accountuser via web-cyradm
d: mail2.internal.testdomain.com
u: testuser
p: user!password
(10) all traces of pam_mysql have been removed (just in case ...)
(11) saslauthd has been launched as:
saslauthd -r -a pam -c -n 0
(12) a simple test of imap auth via saslauthd fails for EITHER the adminuser (postmaster) or the accountuser (testuser)
case #1:
% testsaslauthd -u postmaster -p admin\!password -r testserver.internal.testdomain.com -s imap
0: NO "authentication failed"
case #2:
% testsaslauthd -u testuser -p user\!password -r mail2.internal.testdomain.com -s imap
0: NO "authentication failed"
in both cases, the error logs show the same:
--> saslauthd.log:
saslauthd[818]: pam_sm_authenticate called.
saslauthd[818]: dbuser changed.
saslauthd[818]: dbpasswd changed.
saslauthd[818]: host changed.
saslauthd[818]: database changed.
saslauthd[818]: table changed.
saslauthd[818]: usercolumn changed.
saslauthd[818]: passwdcolumn changed.
saslauthd[818]: crypt changed.
saslauthd[818]: logtable changed.
saslauthd[818]: logmsgcolumn changed.
saslauthd[818]: logusercolumn changed.
saslauthd[818]: loghostcolumn changed.
saslauthd[818]: logpidcolumn changed.
saslauthd[818]: logtimecolumn changed.
saslauthd[818]: db_connect called.
saslauthd[818]: pam_mysql: MySQL err Access denied for user 'cyrus'@'localhost' (using password: YES)
saslauthd[818]: returning 7 .
saslauthd[818]: returning 7 after db_connect.
saslauthd[818]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
saslauthd[818]: do_auth : auth failure: [user=postmaster at testserver.internal.testdomain.com] [service=imap] [realm=testserver.internal.testdomain.com] [mech=pam] [reason=PAM auth error]
last line in case #2, of course is:
saslauthd[857]: do_auth : auth failure: [user=testuser at mail2.internal.testdomain.com] [service=imap] [realm=mail2.internal.testdomain.com] [mech=pam] [reason=PAM auth error]
and,
--> mysqld.log
041109 126 Connect Access denied for user 'cyrus'@'localhost' (using password: YES)
i'm unclear as to *why* access is being denied for 'cyrus' (what the hell is "returning 7 ." anyway!?) ... as WebCyrAdm's conf.php contains:
# The Cyrus login stuff
$CYRUS = array(
'HOST' => 'localhost',
'PORT' => 143,
'ADMIN' => 'cyrus',
'PASS' => 'cyrus!password'
);
where, scripts/create_mysql.sql's INSERT statements had been mod'd to:
INSERT INTO adminuser (username, password) VALUES ('postmaster', ENCRYPT('admin\!password'));
INSERT INTO domainadmin (domain_name,adminuser) VALUES ('*','postmaster');
INSERT INTO accountuser (username, password) VALUES ('cyrus', ENCRYPT('cyrus\!password'));
and the subsequent insert:
mysql mail -h localhost -p < create_mysql.sql
goes without a hitch ...
i may be confused as to what user/pwd combo is needed/used where .... but, at this hour, i'm not seeing it.
thoughts? ideas?
cheers,
richard
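A note on what the two testsaslauthd runs above actually exercise: saslauthd was started with "-a pam", so testsaslauthd goes through PAM and pam_mysql (the 'cyrus'@'localhost' connection in saslauthd.log comes from pam_mysql's own settings), not through the "pwcheck_method: auxprop" / sql plug-in options in imapd.conf and smtpd.conf, which only apply when imapd or smtpd verify the password in-process. The following is an added example, not part of the original post and not code from web-cyradm or Cyrus SASL, that renders the posted sasl_sql_statement for a user/realm pair and runs it against a constructed in-memory copy of the accountuser table, so the auxprop path can be checked offline. The sample rows, the quote-doubling escape() and the verify_crypt() helper are assumptions of this example.

```python
import re
import sqlite3

# The statement exactly as posted in imapd.conf / smtpd.conf.
SASL_SQL_STATEMENT = (
    "select password from accountuser where username='%u@%r' "
    "or (username='%u' and domain_name='')"
)

# Constructed rows standing in for web-cyradm's accountuser table
# (username, password, domain_name). The hash values are placeholders;
# a real table holds crypt(3) output from MySQL's ENCRYPT().
SAMPLE_ROWS = [
    ("testuser@mail2.internal.testdomain.com", "HASH-testuser",
     "mail2.internal.testdomain.com"),
    ("cyrus", "HASH-cyrus", ""),
]


def escape(value):
    """Assumption: mirror the plug-in's escaping by doubling single quotes."""
    return value.replace("'", "''")


def render_statement(template, user, realm):
    """Substitute %u and %r in one pass (so a value containing '%r' is never
    re-expanded) and return the SQL the plug-in would send to MySQL."""
    subst = {"%u": escape(user), "%r": escape(realm)}
    return re.sub(r"%[ur]", lambda m: subst[m.group(0)], template)


def lookup(user, realm, rows=SAMPLE_ROWS, template=SASL_SQL_STATEMENT):
    """Run the rendered statement against an in-memory copy of accountuser
    and return the password hashes the plug-in would get back."""
    db = sqlite3.connect(":memory:")
    db.execute("create table accountuser "
               "(username text, password text, domain_name text)")
    db.executemany("insert into accountuser values (?, ?, ?)", rows)
    hashes = [row[0] for row in db.execute(render_statement(template, user, realm))]
    db.close()
    return hashes


def verify_crypt(password, stored):
    """password_format: crypt -> re-hash the candidate using the stored value
    as salt and compare; this is the DES crypt(3) format ENCRYPT() writes."""
    try:
        import crypt  # deprecated in Python 3.11, removed in 3.13
    except ImportError as exc:
        raise RuntimeError("no crypt(3) binding on this interpreter") from exc
    return crypt.crypt(password, stored) == stored


def authenticate(user, realm, password, rows=SAMPLE_ROWS):
    """True if any hash the statement returns verifies against password."""
    return any(verify_crypt(password, h) for h in lookup(user, realm, rows))


if __name__ == "__main__":
    import crypt  # stand-alone demo only; needs an interpreter with crypt(3)
    rows = [
        ("testuser@mail2.internal.testdomain.com",
         crypt.crypt("user!password", "ab"), "mail2.internal.testdomain.com"),
        ("cyrus", crypt.crypt("cyrus!password", "cd"), ""),
    ]
    for user, realm, pw in [
        ("testuser", "mail2.internal.testdomain.com", "user!password"),
        ("postmaster", "testserver.internal.testdomain.com", "admin!password"),
        ("cyrus", "testserver.internal.testdomain.com", "cyrus!password"),
    ]:
        print(user, realm, lookup(user, realm, rows),
              authenticate(user, realm, pw, rows))
```

Run stand-alone, the demo shows that testuser (matched through the username='%u@%r' branch) and cyrus (matched through the domain_name='' branch) each get one hash back, while postmaster gets none: that account was inserted into adminuser, a table the posted statement never consults, so the auxprop sql path cannot authenticate it regardless of the password. A username containing a single quote is rendered with the quote doubled and simply matches nothing.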