Cyrus-SASL
What is Cyrus-SASL?
SASL is a protocol for negotiating authentication between clients and servers. In messaging it is used to authenticate clients to SMTP, POP3, IMAP and LDAP servers. SASL is specified in RFC 2222 (Simple Authentication and Security Layer). SASL defines how authentication information is exchanged, but leaves the definition of the authentication methods actually used (the mechanisms) to other specifications.
Among these, CRAM-MD5 and its successor DIGEST-MD5 use a shared secret (a password) and a challenge, which lets one side prove that it knows the password without ever sending it over the wire. GSSAPI is the method for Kerberos V5. PLAIN sends a plaintext password. Microsoft Outlook Express uses only proprietary methods: LOGIN uses a base64-encoded plaintext password, NTLM is the Microsoft NT LAN Manager authentication, and SPA stands for Secure Password Authentication.
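The challenge-response idea behind CRAM-MD5, as an added example that is not code from this page or from Cyrus-SASL: the server issues a challenge, the client answers with HMAC-MD5 keyed by the password over that challenge (the RFC 2195 construction), and the server recomputes the value from the secret it has stored. The user store, hostname and sample credentials are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time


def make_challenge(hostname):
    # Server side: fresh, unpredictable challenge in the RFC 2195 shape
    # "<pid.timestamp@host>", with random bytes so it never repeats.
    return f"<{os.getpid()}.{int(time.time())}.{secrets.token_hex(8)}@{hostname}>"


def cram_md5_digest(password, challenge):
    # HMAC-MD5 keyed with the shared secret over the challenge text.
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def client_response(username, password, challenge_b64):
    # Client side: decode the challenge, answer "user hexdigest", base64 it.
    # The password itself never leaves the client.
    challenge = base64.b64decode(challenge_b64).decode()
    answer = f"{username} {cram_md5_digest(password, challenge)}"
    return base64.b64encode(answer.encode()).decode()


def server_verify(response_b64, challenge, lookup_secret):
    # Server side: recompute from the stored secret, compare in constant time.
    # The server must get the secret back from its backend, which is why a
    # cleartext-only checker like saslauthd cannot serve CRAM-MD5 but an
    # auxprop store (sasldb, ldapdb) can.
    try:
        username, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except ValueError:
        return False
    secret = lookup_secret(username)
    if secret is None:
        return False
    return hmac.compare_digest(cram_md5_digest(secret, challenge), digest)


# Constructed store standing in for /etc/sasldb2 (hypothetical sample entry).
SAMPLE_STORE = {"myUser@myDomain.com": "myPassword"}


def run_exchange(username, password, hostname="mail.example.com"):
    # Full exchange: server challenge -> client response -> server verdict.
    challenge = make_challenge(hostname)
    wire_challenge = base64.b64encode(challenge.encode()).decode()
    return server_verify(client_response(username, password, wire_challenge),
                         challenge, SAMPLE_STORE.get)
```

Only the challenge and the HMAC travel on the wire; an observer who captures both still needs the password to produce a valid answer for the next, different challenge.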
Cyrus-SASL, an open source library developed at Carnegie Mellon University, implements the standard methods and also includes plugins for proprietary authentication methods such as Microsoft NTLM/SPA.
Cyrus-SASL offers several options for checking the actual passwords. saslauthd uses the saslauthd daemon to check cleartext-only passwords against PAM (the system passwords in /etc/shadow), LDAP, Kerberos and others. auxprop uses external modules for passwords stored in a SASL database (sasldb, using Berkeley DB), in an SQL database, or in an LDAP directory.
Installing Cyrus-SASL
Download, untar into /usr/local, then install as below. The authentication methods enabled are CRAM-MD5 (needed? for Thunderbird), DIGEST-MD5, PLAIN and LOGIN (needed for Microsoft Outlook Express); the password checking methods enabled are saslauthd (with PAM or LDAP) and ldapdb. There is support for OpenSSL (not sure whether this is used, as SASL includes its own encryption routines), and random numbers are taken from /dev/urandom to avoid the severe authentication slowdowns observed when using /dev/random (this setting should not be used with OTP or SRP).
    # tar -C /usr/local -xvf cyrus-sasl-x.y.z.tar.gz
    # cd /usr/local
    # chmod -R go-w cyrus-sasl-x.y.z
    # cd cyrus-sasl-x.y.z
    # ./configure --help | less
    # ./configure --libdir=/usr/local/lib64 --disable-alwaystrue --disable-checkapop \
      --disable-otp --disable-gssapi --disable-anon --enable-login --with-devrandom=/dev/urandom \
      --with-saslauthd=/var/state/saslauthd --with-openssl=/usr/local --with-ldap=/usr/local \
      --enable-ldapdb
    # make
    # removepkg /var/log/packages/qca-cyrus-sasl-x.y.z_betat-x86_64-1
    # removepkg /var/log/packages/cyrus-sasl-x.y.z-x86_64-2
    # make install
    # make clean
    # mkdir /var/state/saslauthd
    # ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
    # ln -sf /usr/local/lib64/libsasl2.la /usr/lib64/libsasl2.la
    # ln -sf /usr/local/lib64/libsasl2.so.3 /usr/lib64/libsasl2.so.2
    # ldconfig
Reinstalling OpenLDAP
There is a chicken-and-egg problem between OpenLDAP and Cyrus-SASL, as each references the other. In the previous chapter we installed OpenLDAP without --enable-spasswd --with-cyrus-sasl. We now reinstall OpenLDAP with --enable-spasswd --with-cyrus-sasl:
    # cd /usr/local/openldap-x.y.z
    # make distclean
    # ./configure --help | less
    # ./configure --libdir=/usr/local/lib64 --mandir=/usr/local/man \
      --disable-ipv6 --with-tls --enable-spasswd --with-cyrus-sasl
    # make depend
    # make
    # make test
    # make install
    # make clean
Configuring Cyrus-SASL
Applications that use SASL are expected to have an Application.conf file in /usr/lib/sasl2, with a mech_list line restricting the authentication methods to a subset of those built for the site, and a pwcheck_method line selecting the password checking method. If the application may use all the authentication methods built for the site, mech_list is not necessary. log_level ranges from 0 to 7 (default 1, log unusual errors) and sets the verbosity of the logs written under /var/log to the files auth.log, debug, maillog and syslog.
Known issue
Applications using SASL authentication (e.g. OpenLDAP, Cyrus-IMAP) expect to find a GuessMyName.conf file in /usr/lib/sasl2 to work properly. If this file cannot be found, the message "_sasl_plugin_load failed on sasl_auxprop_plug_init for plugin:" appears in /var/log/debug and "auxpropfunc error invalid parameter supplied" in /var/log/syslog. To find the name of the missing file, rebuild and reinstall SASL after adding the line _sasl_log (NULL, SASL_LOG_ERR, "File %s could not be fopened\n", filename); in lib/config.c just after the call to fopen. Known SASL configuration filenames are:
- Cyrus.conf
- INN.conf
- Sendmail.conf
- slapd.conf
Using saslauthd
An Application.conf file to use saslauthd could be:
    log_level: 0
    mech_list: PLAIN LOGIN
    pwcheck_method: saslauthd
Specify the saslauthd options in the file /etc/rc.d/rc.saslauthd. -a ldap selects LDAP as the authentication backend and -n sets the number of waiting worker processes; use 0 to create authentication processes only on demand. chmod u+x /etc/rc.d/rc.saslauthd so that saslauthd is launched automatically at startup. For more saslauthd options, see the saslauthd man page.
    saslauthd_start() {
      # If saslauthd is not running, start it:
      if [ ! -r /var/state/saslauthd/saslauthd.pid ]; then
        echo "Starting SASL authentication daemon:  /usr/local/sbin/saslauthd -a ldap -n 0"
        /usr/local/sbin/saslauthd -a ldap -n 0
      fi
    }
When using LDAP, the file /usr/local/etc/saslauthd.conf defines the LDAP access parameters:
    ldap_auth_method: custom
    ldap_authz: proxyUser
    ldap_filter: cn=%u
    ldap_id: proxyUser
    ldap_mech: DIGEST-MD5
    ldap_password: proxyPassword
    ldap_search_base: dc=domain,dc=com
    ldap_servers: ldap://localhost
    ldap_use_sasl: yes
Restart slapd and use testsaslauthd to make sure it works:
    # killall slapd
    # /usr/local/libexec/slapd -u ldap -g ldap -h ldap://localhost/
    # testsaslauthd -u myUser -p myPassword
    0: OK "Success."
Note: as already noted above when introducing the password checking methods, saslauthd can only check cleartext passwords (even though it uses DIGEST-MD5 when talking to slapd). So only the PLAIN and LOGIN mechanisms can be used with saslauthd. For security, any such connection should be encapsulated within TLS when used over the wire.
Using sasldb
An Application.conf file to use sasldb could be:
    auxprop_plugin: sasldb
    mech_list: CRAM-MD5 DIGEST-MD5 PLAIN LOGIN
    pwcheck_method: auxprop
sasldb stores a list of users and passwords in the /etc/sasldb2 password database. The tools to maintain this database are sasldblistusers2, which lists the users, and saslpasswd2, which adds or removes users and passwords. For more options, see the man pages. Note: when creating users, it might be necessary to append the domain name for the password checking to work.
    # saslpasswd2 -c myUser@myDomain.com
    Password:
    # sasldblistusers2
    myUser@myDomain.com: userPassword
    # saslpasswd2 -d myUser@myDomain.com
Using ldapdb
This is our preferred method, as it uses the LDAP directory as a single and direct source of authentication for all applications (saslauthd is not needed when using the ldapdb auxprop plugin). We will use it later in this document for Sendmail and Cyrus-IMAP authentication. As we are authenticating against localhost, only interprocess communication is involved, so there is no need for encryption and we use the PLAIN mechanism. An Application.conf file to use ldapdb is as below:
    auxprop_plugin: ldapdb
    ldapdb_id: proxyUser
    ldapdb_mech: DIGEST-MD5
    ldapdb_pw: proxyPassword
    ldapdb_uri: ldap://localhost
    log_level: 0
    mech_list: PLAIN
    pwcheck_method: auxprop
The file /usr/local/lib/sasl2/slapd.conf tells slapd to use its own internal auxprop plugin, slapd, to authenticate proxyUser:
    auxprop_plugin: slapd
    log_level: 0
    mech_list: DIGEST-MD5
    pwcheck_method: auxprop
As they contain sensitive information (the proxyUser password), the owner and permissions of these files should be set so that they can be read only by their user, ldap:ldap.
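An added check, not part of this page or of Cyrus-SASL, that reads the key: value files shown above and flags the two pitfalls this page describes: a saslauthd configuration whose mech_list includes mechanisms saslauthd cannot verify, and a file holding a proxy password that is readable by group or others. The sample configuration and the key names ldapdb_pw and ldap_password come from this page; the 0600 target mode and the comment-line convention are assumptions.

```python
import os
import stat

# PLAIN and LOGIN send the password itself; they are also the only mechanisms
# a cleartext checker such as saslauthd can verify.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}
SECRET_KEYS = {"ldapdb_pw", "ldap_password"}  # proxy-user passwords in this setup


def parse_sasl_conf(text):
    # Reader for the "key: value" lines of Application.conf and saslauthd.conf;
    # lines starting with '#' are treated as comments, keys are case-insensitive.
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def lint_sasl_conf(conf, mode):
    # Returns (level, message) pairs; mode is the file's st_mode.
    findings = []
    mechs = {m.upper() for m in conf.get("mech_list", "").split()}
    pwcheck = conf.get("pwcheck_method", "").lower()
    unusable = sorted(mechs - CLEARTEXT_MECHS)
    if pwcheck == "saslauthd" and unusable:
        findings.append(("error", "saslauthd verifies cleartext passwords only; "
                         f"{' '.join(unusable)} cannot be used with it"))
    if pwcheck == "auxprop" and "auxprop_plugin" not in conf:
        findings.append(("error", "pwcheck_method auxprop needs an auxprop_plugin line"))
    if mechs & CLEARTEXT_MECHS:
        findings.append(("info", "PLAIN/LOGIN carry the password itself; "
                         "use TLS unless the connection stays on localhost"))
    if SECRET_KEYS & set(conf) and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("error", "file holds a proxy password but is group/world "
                         f"accessible (mode {stat.S_IMODE(mode):04o}); make it 0600"))
    return findings


def lint_file(path):
    # Wrapper over a real file, e.g. /usr/lib/sasl2/Sendmail.conf.
    with open(path) as fh:
        return lint_sasl_conf(parse_sasl_conf(fh.read()), os.stat(path).st_mode)


# Constructed sample: the ldapdb Application.conf shown on this page.
LDAPDB_CONF = "auxprop_plugin: ldapdb\nldapdb_pw: proxyPassword\nmech_list: PLAIN\npwcheck_method: auxprop\n"
```

Run lint_file over every file in /usr/lib/sasl2 and /usr/local/etc/saslauthd.conf after a change; an "error" finding means the setup either cannot authenticate as intended or exposes the proxy password.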