Difference between pages "Creating VMs" and "Cyrus-SASL"

From Wikislax

Creating VMs

{{RightTOC}}

== the xl tool ==

There is a variety of tools and commands to handle virtual machines. Here we will use the Xen '''xl''' command.

* '''xl create ''file''''' creates a virtual machine from the configuration in file ''file''. Domain ids are assigned sequentially starting at 1 (dom0, the control domain, is domain 0).

* '''xl destroy ''domid''''' destroys the virtual machine with domain id ''domid'' immediately, without giving the guest a chance to flush its disks. Shutting the system down from inside the VM, or with '''xl shutdown ''domid''''', is the preferred way to terminate it.

* '''xl help''' lists the other xl commands.

Xen supports paravirtualization (PV) and hardware-assisted full virtualization (HVM). Both can be used at the same time on a single Xen system.

== Creating a PV VM ==

* in paravirtualization (PV) the guest operating system is modified so that it cooperates with Xen directly, without emulation or emulated virtual hardware. Xen PV guest kernels exist for Linux, NetBSD, FreeBSD, OpenSolaris and Novell NetWare. Upstream kernel.org Linux kernels since 2.6.24 include Xen PV guest (domU) support based on the Linux pvops framework, so any upstream Linux kernel can be used as a Xen PV guest kernel without additional patches or modifications.
Paravirtualization requires storing the kernel to boot in the dom0 filesystem, and populating the guest system in a virtual partition. The kernel must be able to manage [http://wiki.qemu.org/download/qemu-doc.html#QEMU-PC-System-emulator the QEMU devices] and its .config must include the [http://wiki.xen.org/wiki/Mainline_Linux_Kernel_Configs#Configuring_the_kernel domU options]. Here is a minimal example of such a [{{SERVER}}/wikislax/download/config-domU .config domU] file. The swap image and the VM filesystem image can be created as below: the filesystem image is populated with a copy of an existing installation (mounted on /mnt/sl12 here) and then grown by 8 GB. Don't forget to update the root device in the guest's fstab, and note the file names (sl12.swp and sl12.img): the domain configuration must reference exactly these files :

# dd if=/dev/zero of=sl12.swp bs=1024k count=1024
# mkswap sl12.swp
# dd if=/dev/zero of=sl12.img bs=1024k count=16384
# mkfs -t ext3 sl12.img
# mkdir loop
# mount -o loop sl12.img loop
# cp -ax /mnt/sl12/{0,bin,boot,etc,home,initrd*,lib,lib64,media,mnt,opt,root,run,sbin,srv,sys,usr,var,vmlinuz*} loop
# mkdir loop/{dev,proc,tmp}
# chmod 1777 loop/tmp
# vi loop/etc/fstab
# umount loop
# dd if=/dev/zero bs=1G count=8 >> sl12.img
# e2fsck -f sl12.img
# resize2fs sl12.img

The mode of /tmp is 1777, not 777: without the sticky bit any user in the guest can delete or rename other users' temporary files. Copying a whole installation also copies whatever secrets it holds (/etc/shadow, the SSH host keys in /etc/ssh), so regenerate or remove what the guest should not share with the system it was cloned from.

Then a PV config file needs to be created. Samples are available from the /etc/xen directory. Here is an [{{SERVER}}/wikislax/download/sl12 example] running in an X window for slackware 12.1 (32 bits). The main config options to modify are :

# Kernel image file in dom0 filesystem
kernel = "/boot/vmlinuz-3.4.2-domU"
# Not using any optional ramdisk
#ramdisk = "/boot/initrd.gz"
# Initial memory allocation (in megabytes) for the new domain.
memory = 2048
# A name for the new domain. All domains have to have different names.
name = "sl12"
# Number of virtual CPUs
vcpus = 2
# Define network interfaces (an empty entry creates one interface with the default settings)
vif = [ ' ' ]
# Define disk devices. The guest sees them as xvda1 (root) and xvdb (swap);
# the file names must match the images created above.
disk = [ 'file:/mnt/xen/sl12.img,xvda1,w', 'file:/mnt/xen/sl12.swp,xvdb,w' ]
# Define frame buffer device. Use sdl to view the virtual machine in a window
vfb = [ 'sdl=1' ]
# Set root device.
root = "/dev/xvda1 ro"
# Window resolution additional parameters
extra = "xen-fbfront.video=16,1680,1024"

The VM can then be launched with '''xl create ''file''''' :

root@inner:/etc/xen# xl create sl12
Parsing config from sl12
root@inner:/etc/xen#

== Creating a HVM ==

* in full hardware virtualization (HVM) guests require the CPU virtualization extensions of the host CPU (Intel VT-x, AMD-V). Xen uses a modified version of QEMU to emulate full PC hardware (BIOS, IDE disk controller, VGA graphics adapter, USB controller, network adapter, etc.) for HVM guests, and the CPU virtualization extensions are used to boost the performance of the emulation. Fully virtualized guests do not require kernel support, so for example Windows operating systems can be used as Xen HVM guests. Fully virtualized guests are usually slower than paravirtualized guests, because of the required emulation.

Full hardware virtualization requires only a disk image to execute in. Then an HVM config file needs to be created. Samples are available from the /etc/xen directory. Here is an [{{SERVER}}/wikislax/download/win7 example] running in an X window for Windows 7. The main config options to modify are :

# Initial memory allocation (in megabytes) for the new domain.
memory = 2048
# A name for the new domain. All domains have to have different names.
name = "win7"
# Number of virtual CPUs
vcpus = 4
# Define network interfaces: an emulated NIC attached to the br0 bridge of dom0
vif = [ 'type=ioemu, bridge=br0' ]
# Define disk devices. HVM guests see emulated IDE devices: hda is the
# system disk, hdc the installation CD-ROM (read-only)
disk = [ 'file:/mnt/xen/win7.img,hda,w', 'file:/mnt/xen/win7.iso,hdc:cdrom,r' ]
# enable SDL library for graphics, default = 0
sdl=1
# enable VNC library for graphics, default = 1
vnc=0
# set VNC display number, default = domid
vncdisplay=7

Leave VNC disabled as above unless it is needed: with vnc=1 the guest console is served by QEMU in dom0 and, if vnclisten is set to a non-loopback address, it is reachable from the network with at most the weak VNC password (vncpasswd) protecting it. Keep it on 127.0.0.1 (the default) and tunnel it over SSH if remote access is required.

The VM can then be launched with '''xl create ''file''''' :

root@inner:/etc/xen# xl create win7
Parsing config from win7
root@inner:/etc/xen#
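The two configurations above are edited by hand, and the mistakes that bite are mundane: a backend file that does not exist, a root= device that matches no declared disk, or a VNC console left listening on every interface. The following linter is an added example, not code from this page or from the Xen project; it parses the Python-like key = value lines of an xl config and runs those checks. The sl12 sample is a constructed copy of this page's PV config with the swap path mistyped (sl12.swap instead of the sl12.swp image created earlier), the win7 sample is a constructed HVM config with an exposed VNC console (its builder= line is an assumption, the page's win7 example does not show it), and DOM0_FILES stands in for the dom0 filesystem so that it runs without Xen.

```python
"""Added example, not from this page or from Xen: a linter for xl domain
config files.  Values are Python literals, so each one is parsed with
ast.literal_eval; checks cover missing backend or kernel files, a root=
device that is not a declared disk, a PV guest without a kernel, and a VNC
console reachable on a non-loopback address without a password."""
import ast
import os
import re

ASSIGNMENT = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")
BACKEND_PREFIX = re.compile(r"^(?:[a-z]+:)+(/.*)$")   # file:/x, phy:/x, tap:aio:/x
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_xl_config(text):
    """Return {key: value} for every assignment.  '#' starts a comment; this
    simple strip would break a string containing '#', which xl configs avoid."""
    cfg = {}
    for line in text.splitlines():
        match = ASSIGNMENT.match(line.split("#", 1)[0])
        if match:
            key, raw = match.groups()
            try:
                cfg[key] = ast.literal_eval(raw)
            except (ValueError, SyntaxError):
                cfg[key] = raw                      # keep unparsable values as text
    return cfg


def disk_spec(entry):
    """'file:/mnt/xen/sl12.img,xvda1,w' -> ('/mnt/xen/sl12.img', 'xvda1', 'w');
    the newer 'target=/path, vdev=xvda, access=rw' form is accepted too."""
    fields = [f.strip() for f in entry.split(",")]
    if all("=" in f for f in fields):
        kv = dict(f.split("=", 1) for f in fields)
        return kv.get("target"), kv.get("vdev"), kv.get("access")
    target, vdev, mode = (fields + [None, None, None])[:3]
    match = BACKEND_PREFIX.match(target or "")
    return (match.group(1) if match else target), vdev, mode


def vnc_exposure(opts):
    """opts: the top-level config (HVM) or one vfb= entry (PV) as a mapping.
    Returns a problem string, or None when VNC is off or loopback-only."""
    if str(opts.get("vnc", 0)) != "1":
        return None
    listen = str(opts.get("vnclisten", "127.0.0.1"))     # xl default is loopback
    if listen in LOOPBACK:
        return None
    if not opts.get("vncpasswd"):
        return f"VNC console listens on {listen} with no vncpasswd"
    return f"VNC console listens on {listen}; VNC auth is weak, tunnel it over SSH"


def lint_xl_config(text, existing_files=None):
    """Return a list of problems (empty when the config passes).  existing_files
    is a set of paths treated as present so the check runs offline; None means
    consult the real dom0 filesystem."""
    exists = os.path.exists if existing_files is None else existing_files.__contains__
    cfg = parse_xl_config(text)
    problems = [f"missing {key}=" for key in ("name", "memory") if key not in cfg]
    hvm = "hvm" in (str(cfg.get("builder", "")), str(cfg.get("type", "")))
    if not hvm and "kernel" not in cfg and "bootloader" not in cfg:
        problems.append("PV guest has neither kernel= nor bootloader=")
    if "kernel" in cfg and not exists(cfg["kernel"]):
        problems.append(f"kernel {cfg['kernel']} does not exist in dom0")
    vdevs = set()
    for entry in cfg.get("disk", []):
        target, vdev, _ = disk_spec(entry)
        if vdev:
            vdevs.add(vdev.split(":")[0])            # 'hdc:cdrom' -> 'hdc'
        if target and not exists(target):
            problems.append(f"disk backend {target} does not exist")
    root = str(cfg.get("root", "")).split()           # root = "/dev/xvda1 ro"
    if root and root[0].rsplit("/", 1)[-1] not in vdevs:
        problems.append(f"root device {root[0]} is not a declared disk {sorted(vdevs)}")
    top = dict(cfg)
    top.setdefault("vnc", 1 if hvm else 0)            # xl turns VNC on by default for HVM
    vfbs = [dict(p.strip().split("=", 1) for p in e.split(",")) for e in cfg.get("vfb", [])]
    problems += [p for p in map(vnc_exposure, [top] + vfbs) if p]
    return problems


# Constructed sample: this page's sl12 PV config with the swap path mistyped.
SL12_CFG = '''
kernel = "/boot/vmlinuz-3.4.2-domU"
#ramdisk = "/boot/initrd.gz"
memory = 2048
name = "sl12"
vcpus = 2
vif = [ ' ' ]
disk = [ 'file:/mnt/xen/sl12.img,xvda1,w', 'file:/mnt/xen/sl12.swap,xvdb,w' ]
vfb = [ 'sdl=1' ]
root = "/dev/xvda1 ro"
extra = "xen-fbfront.video=16,1680,1024"
'''
# Constructed sample: an HVM guest with VNC bound to every interface and no
# password (builder= is an assumption; the page's win7 example omits it).
WIN7_CFG = '''
builder = "hvm"
memory = 2048
name = "win7"
vcpus = 4
vif = [ 'type=ioemu, bridge=br0' ]
disk = [ 'file:/mnt/xen/win7.img,hda,w', 'file:/mnt/xen/win7.iso,hdc:cdrom,r' ]
sdl=0
vnc=1
vnclisten="0.0.0.0"
vncdisplay=7
'''
# Pretend dom0 filesystem so the example runs without Xen or the images.
DOM0_FILES = {"/boot/vmlinuz-3.4.2-domU", "/mnt/xen/sl12.img", "/mnt/xen/sl12.swp",
              "/mnt/xen/win7.img", "/mnt/xen/win7.iso"}

if __name__ == "__main__":
    for name, cfg in (("sl12", SL12_CFG), ("win7", WIN7_CFG)):
        for problem in lint_xl_config(cfg, DOM0_FILES) or ["ok"]:
            print(f"{name}: {problem}")
```

Run it against a real /etc/xen file with `lint_xl_config(open(path).read())` and it checks the paths on the actual dom0 filesystem; the `existing_files` parameter only exists so that the checks can be exercised offline.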
 
  
== A little screen shot ==

The 3 VMs displayed on this slackware 13.37 dom0 are slackware 12.1, windows 7 and windows 8.

[[file:Screenshot.png]]


Cyrus-SASL

Revision as of 17:03, 27 December 2024

What is Cyrus-SASL ?

SASL (Simple Authentication and Security Layer) is a framework to manage authentication between clients and servers. It is used in messaging to authenticate clients to smtp, pop3, imap and ldap servers. SASL was originally specified in RFC 2222 and is now specified by RFC 4422. SASL defines how authentication information is exchanged (the application protocol carries the messages, e.g. the AUTH command of SMTP), but lets other specifications define the authentication mechanisms actually used.

Among these, CRAM-MD5 and its successor DIGEST-MD5 use a shared secret (a password) and a challenge, so that one side can prove it knows the password without sending it over the wire. This protects the password from a passive listener only up to an offline dictionary attack on the captured challenge/response pair, it forces the server to hold the clear password (it must compute the same response), and DIGEST-MD5 has been moved to Historic status by RFC 6331; today PLAIN inside TLS, or SCRAM, is the usual recommendation. GSSAPI is the mechanism for Kerberos V5. PLAIN sends the plaintext password in one base64-encoded message. LOGIN, a non-standard variant of PLAIN used by Microsoft Outlook Express, sends the base64-encoded username and password in two steps. NTLM is the Microsoft NT LAN Manager authentication, and SPA ("secure password authentication") is the Outlook name for NTLM over SASL.

Cyrus-SASL, open-source software developed by Carnegie Mellon University, implements the standard mechanisms and also includes plugins for proprietary ones such as Microsoft NTLM/SPA.

Cyrus-SASL offers several options to check the real passwords. saslauthd uses the saslauthd daemon to check cleartext passwords only (so it can serve PLAIN and LOGIN, not the challenge-response mechanisms) against PAM (the system passwords in /etc/shadow), LDAP, Kerberos, and others. auxprop uses an auxiliary-property plugin that fetches the stored password itself, from the SASLdb file (a Berkeley DB database), an SQL database, or an LDAP directory (ldapdb); because the library computes with the fetched value, the stored password must be in clear for CRAM-MD5 and DIGEST-MD5 to work.

Installing Cyrus-SASL

Download, untar to /usr/local then install as below. The authentication mechanisms built are CRAM-MD5 (used by Thunderbird's "encrypted password" option), DIGEST-MD5, PLAIN and LOGIN (needed for Microsoft Outlook Express); the password checking methods used are saslauthd (with PAM or LDAP) and ldapdb. OpenSSL is linked in (--with-openssl) for the plugins that need real cipher and big-number support (the DIGEST-MD5 privacy layer, NTLM, OTP, SRP); the MD5/HMAC-MD5 code used by CRAM-MD5 and DIGEST-MD5 themselves ships with the library. Random numbers are taken from /dev/urandom to avoid the severe authentication slowdowns observed with /dev/random (on a modern kernel /dev/urandom is fine once the pool is seeded; the configure help warns against it only for OTP and SRP, which are disabled below anyway). The two removepkg lines remove the Slackware packages of the same library so that only one copy is installed. The last two ln commands make binaries linked against the old soname (libsasl2.so.2) load the new library: a shortcut that assumes the ABI is still what those binaries expect, rebuilding them against the new library is the safe fix.

# tar -C /usr/local -xvf cyrus-sasl-x.y.z.tar.gz
# cd /usr/local
# chmod -R go-w cyrus-sasl-x.y.z
# cd cyrus-sasl-x.y.z
# ./configure --help | less
# ./configure --libdir=/usr/local/lib64 --disable-alwaystrue --disable-checkapop \
--disable-otp --disable-gssapi --disable-anon --enable-login --with-devrandom=/dev/urandom \
--with-saslauthd=/var/state/saslauthd --with-openssl=/usr/local --with-ldap=/usr/local \
--enable-ldapdb
# make
# removepkg /var/log/packages/qca-cyrus-sasl-x.y.z_betat-x86_64-1
# removepkg /var/log/packages/cyrus-sasl-x.y.z-x86_64-2
# make install
# make clean
# mkdir /var/state/saslauthd
# ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
# ln -sf /usr/local/lib64/libsasl2.la /usr/lib64/libsasl2.la
# ln -sf /usr/local/lib64/libsasl2.so.3 /usr/lib64/libsasl2.so.2
# ldconfig

Reinstalling OpenLDAP

There is a chicken-and-egg problem with OpenLDAP and Cyrus-SASL as they reference each other: slapd needs libsasl2 for SASL binds, while the ldapdb auxprop plugin and the LDAP back end of saslauthd need libldap. In the previous chapter we installed OpenLDAP without --enable-spasswd --with-cyrus-sasl. We now reinstall OpenLDAP with --enable-spasswd --with-cyrus-sasl (--enable-spasswd lets slapd verify simple binds through SASL, i.e. {SASL} userPassword values) :

# cd /usr/local/openldap-x.y.z
# make distclean
# ./configure --help | less
# ./configure --libdir=/usr/local/lib64 --mandir=/usr/local/man \
--disable-ipv6 --with-tls --enable-spasswd --with-cyrus-sasl
# make depend
# make
# make test
# make install
# make clean

Configuring Cyrus-SASL

Each application that uses SASL is configured by a file named after the application name it passes to sasl_server_init(), with the .conf extension, looked up in /usr/lib/sasl2 (the directory the symlink created at install time points to). It holds a mech_list line that restricts the mechanisms offered to a subset of the ones built for the site, and a pwcheck_method line that selects the password checking method. If the application may use all mechanisms built for the site, mech_list is not needed, but listing them explicitly is safer: it prevents a mechanism added later (or a plugin dropped into the directory) from being offered silently. log_level is between 0 and 7 (default 1, log unusual errors) and defines the verbosity of the logs, which syslog writes under /var/log in files auth.log, debug, maillog and syslog on this Slackware system.

Known issue

Applications using SASL authentication (e.g. OpenLDAP, Cyrus-IMAP) expect to find a GuessMyName.conf file in /usr/lib/sasl2 to work properly, where GuessMyName is the application name the program passes to sasl_server_init(); the lookup is case-sensitive. If this file cannot be found, there will be messages _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: in /var/log/debug and auxpropfunc error invalid parameter supplied in /var/log/syslog. To find the name of the file being looked for, either watch the open() calls of the running daemon (strace -f -e trace=open,openat -p PID, or start the daemon under strace) and look for the path under /usr/lib/sasl2 that fails with ENOENT, or rebuild and reinstall SASL after adding the line _sasl_log (NULL, SASL_LOG_ERR, "File %s could not be fopened\n", filename); in lib/config.c just after the call to fopen. Known SASL configuration filenames are :

  • Cyrus.conf
  • INN.conf
  • Sendmail.conf
  • slapd.conf

Using saslauthd

An Application.conf file to use saslauthd could be :

log_level: 0
mech_list: PLAIN LOGIN
pwcheck_method: saslauthd

Specify the saslauthd options in file /etc/rc.d/rc.saslauthd. -a ldap selects the LDAP back end and -n is the number of pre-forked worker processes (default 5); 0 makes saslauthd fork a new process for each connection instead. chmod u+x /etc/rc.d/rc.saslauthd so that Slackware launches saslauthd automatically at startup. For more saslauthd options, see the man saslauthd page. saslauthd listens on the mux socket under /var/state/saslauthd (the --with-saslauthd directory given to configure); the socket itself is created world-writable and access is controlled by the permissions of that directory, so on a multi-user host keep it closed to accounts that have no business submitting user/password pairs to it.

saslauthd_start() {
  # If saslauthd is not running, start it:
  if [ ! -r /var/state/saslauthd/saslauthd.pid ]; then
    echo "Starting SASL authentication daemon:  /usr/local/sbin/saslauthd -a ldap -n 0"
    /usr/local/sbin/saslauthd -a ldap -n 0
  fi
}

When using ldap, file /usr/local/etc/saslauthd.conf defines the LDAP access parameters. It contains the proxy user's password, so it must be readable only by the account saslauthd runs as (root here). ldap_auth_method: custom makes saslauthd read the user's userPassword attribute (as proxyUser, which therefore needs read access to it) and compare locally; bind would instead perform an LDAP bind as the user and let slapd do the comparison, which keeps password hashes out of saslauthd altogether :

ldap_auth_method: custom
ldap_authz: proxyUser
ldap_filter: cn=%u
ldap_id: proxyUser
ldap_mech: DIGEST-MD5
ldap_password: proxyUserPassword
ldap_search_base: dc=domain,dc=com
ldap_servers: ldap://localhost
ldap_use_sasl: yes

Restart slapd and use testsaslauthd to make sure it works :

# killall slapd
# /usr/local/libexec/slapd -u ldap -g ldap -h ldap://localhost/
# testsaslauthd -u myUser -p myPassword
0: OK "Success."

Note : as already noted above when introducing the password checking methods, saslauthd can only verify cleartext passwords (even if it uses DIGEST-MD5 itself when talking to slapd as proxyUser). So only the PLAIN and LOGIN mechanisms can be used with saslauthd. Since those send the password in the clear, any such connection must be wrapped in TLS when used over the wire (STARTTLS on ports 25, 143 and 110, or implicit TLS on 465, 993 and 995), and the mail server should be configured not to offer PLAIN and LOGIN before TLS is up.

Using sasldb

An Application.conf file to use sasldb could be:

auxprop_plugin: sasldb
mech_list: CRAM-MD5 DIGEST-MD5 PLAIN LOGIN
pwcheck_method: auxprop

sasldb stores a list of users/passwords in the /etc/sasldb2 password database. The tools to maintain this database are sasldblistusers2, which lists the users, and saslpasswd2, which adds or removes users/passwords. For more options, see the man pages. Note : the passwords are stored in clear in sasldb2 (that is what lets the server compute CR​AM-MD5 and DIGEST-MD5 responses), so the file must be owned by the account the application runs as and be readable by nobody else. Note : entries are stored as user@realm; saslpasswd2 splits an identifier given as user@realm at the @, otherwise the realm defaults to the host name (or the value given with -u), and the application must look the user up in the same realm, which is why it might be necessary to append the domain name for the password checking to work.

# saslpasswd2 -c myUser@myDomain.com
Password: 
# sasldblistusers2
myUser@myDomain.com: userPassword
# saslpasswd2 -d myUser@myDomain.com

Using ldapdb

This is our preferred method, as it uses the LDAP directory as a single and direct source of authentication for all applications (saslauthd is not needed when using the ldapdb auxprop). We will use it later in this document for Sendmail and Cyrus-IMAP authentication. Two connections are involved and must not be confused. The ldapdb_* lines describe the application's own connection to slapd: it binds as proxyUser with DIGEST-MD5 and then reads the user's attributes through proxy authorization, so slapd must allow proxyUser to authorize as other users (authz-policy and authzTo in slapd) and the ACLs must let a user read its own userPassword. ldap://localhost is TCP over the loopback interface, not inter-process communication: it stays on the host, but ldapi:///, a Unix socket, is the real IPC option and avoids even local packet capture. The mech_list: PLAIN line, on the other hand, governs what the application offers to its own clients (mail clients for Sendmail or Cyrus-IMAP), which are remote: PLAIN sends their password in the clear, so these services must require TLS before offering it. Because the library computes with the userPassword value it fetches, the directory must store that value in clear if CRAM-MD5 or DIGEST-MD5 are to be offered to clients. An Application.conf file to use ldapdb is as below :

auxprop_plugin: ldapdb
ldapdb_id: proxyUser
ldapdb_mech: DIGEST-MD5
ldapdb_pw: proxyPassword
ldapdb_uri: ldap://localhost
log_level: 0
mech_list: PLAIN
pwcheck_method: auxprop

File /usr/local/lib/sasl2/slapd.conf tells slapd to use its own internal auxprop_plugin module slapd to authenticate proxyUser :

auxprop_plugin: slapd
log_level: 0
mech_list: DIGEST-MD5
pwcheck_method: auxprop

As they contain sensitive information (the proxy user's password), the owner and rights of these files should be set so that each can be read only by the account its application runs as (ldap:ldap for slapd's file, the Sendmail and Cyrus-IMAP accounts for theirs), e.g. mode 0400 or 0640, never world-readable.
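To make the choices on this page concrete (which mechanisms expose the password, why the sasldb and ldapdb stores must hold it in clear, and why PLAIN over TLS is still the pragmatic choice), here is an added example that is not code from this page or from Cyrus-SASL: a from-scratch model of the mechanisms introduced in "What is Cyrus-SASL ?" built on the Python standard library. It covers PLAIN, LOGIN, CRAM-MD5 (RFC 2195) and DIGEST-MD5 (RFC 2831, qop=auth only), the server-side verification that needs the clear password, the offline dictionary attack a captured challenge/response allows, and a {SSHA} check showing that only PLAIN can be verified against a hash. The RFC 2195 example values are used for CRAM-MD5; the DIGEST-MD5 nonces, the user names and the word list are constructed.

```python
"""Added example, not code from this page or from Cyrus-SASL: a model of the
SASL mechanisms discussed on the page (PLAIN, LOGIN, CRAM-MD5 from RFC 2195,
DIGEST-MD5 from RFC 2831 with qop=auth) using only the standard library."""
import base64
import hashlib
import hmac


def plain_message(user, password, authzid=""):
    """PLAIN (RFC 4616): authzid NUL authcid NUL password, base64 on the wire.
    Whoever captures this message has the password."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode())


def plain_decode(wire):
    authzid, user, password = base64.b64decode(wire).decode().split("\0")
    return authzid, user, password


def login_messages(user, password):
    """LOGIN (non-standard, used by Outlook Express): the base64 username and
    password sent as two replies to the 'Username:' and 'Password:' prompts."""
    return [base64.b64encode(user.encode()), base64.b64encode(password.encode())]


def cram_md5_digest(password, challenge):
    """CRAM-MD5 (RFC 2195): HMAC-MD5 keyed by the password over the server's
    challenge.  Only this hex digest is sent, never the password itself."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def cram_md5_response(user, password, challenge):
    return base64.b64encode(f"{user} {cram_md5_digest(password, challenge)}".encode())


def cram_md5_verify(stored_password, challenge, response):
    """Server side: recomputing the HMAC needs the clear password, which is why
    sasldb keeps it in clear and ldapdb needs a readable clear userPassword."""
    _user, digest = base64.b64decode(response).decode().split(" ", 1)
    return hmac.compare_digest(cram_md5_digest(stored_password, challenge), digest)


def digest_md5_response(user, realm, password, nonce, cnonce, digest_uri,
                        nc="00000001", qop="auth"):
    """DIGEST-MD5 (RFC 2831) response-value for qop=auth and no authzid:
    HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))) with
    A1 = H(user:realm:password):nonce:cnonce and A2 = AUTHENTICATE:digest-uri."""
    h = lambda data: hashlib.md5(data).digest()
    hexh = lambda data: hashlib.md5(data).hexdigest()
    a1 = h(f"{user}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    return hexh(f"{hexh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{hexh(a2)}".encode())


def offline_guess(observed, candidates, compute):
    """What an eavesdropper does with one captured challenge/response: recompute
    the response for every dictionary word, with no further interaction with
    the server.  This is why CRAM-MD5 and DIGEST-MD5 do not replace TLS."""
    for candidate in candidates:
        if hmac.compare_digest(compute(candidate), observed):
            return candidate
    return None


def ssha_hash(password, salt):
    """{SSHA} as stored in an LDAP userPassword: base64(sha1(password+salt)+salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def plain_verify_against_ssha(stored, password):
    """PLAIN can be verified against a salted hash (what an LDAP simple bind
    does); CRAM-MD5/DIGEST-MD5 cannot, since the HMAC needs the clear password."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


# RFC 2195 section 2 example challenge (user tim, password tanstaaftanstaaf).
RFC2195_CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"
DICTIONARY = ["password", "letmein", "tanstaaftanstaaf"]   # constructed word list

if __name__ == "__main__":
    print("PLAIN    :", plain_message("tim", "tanstaaftanstaaf"))
    print("LOGIN    :", login_messages("tim", "tanstaaftanstaaf"))
    print("CRAM-MD5 :", cram_md5_response("tim", "tanstaaftanstaaf", RFC2195_CHALLENGE))
    captured = cram_md5_digest("tanstaaftanstaaf", RFC2195_CHALLENGE)
    print("offline  :", offline_guess(captured, DICTIONARY,
                                      lambda p: cram_md5_digest(p, RFC2195_CHALLENGE)))
```

The point of `offline_guess` is that the "challenge" in CRAM-MD5 and DIGEST-MD5 only stops replay; once a response has been captured, every candidate password can be tried against it at MD5 speed, so a weak password is recovered just as surely as with PLAIN, only later. Combined with the clear-password storage these mechanisms demand of sasldb and ldapdb, this is why the page's saslauthd note (PLAIN and LOGIN inside TLS) is not the weaker option it may look like.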

