Cyrus-SASL

From Wikislax

What is Cyrus-SASL?

SASL is a protocol for managing authentication between clients and servers. In messaging it is used to authenticate clients to SMTP, POP3, IMAP and LDAP servers. SASL is specified in RFC 2222 (Simple Authentication and Security Layer). SASL defines how authentication information is exchanged, but leaves the definition of the authentication mechanisms actually used to other specifications.

Among these, CRAM-MD5 and its successor DIGEST-MD5 use a shared secret (a password) and a challenge, which lets one side prove to the other that it knows the password without ever sending it over the wire. GSSAPI is the mechanism for Kerberos V5. PLAIN uses a plaintext password. Microsoft Outlook Express uses only proprietary methods: LOGIN uses a base64-encoded plaintext password, NTLM is the Microsoft NT LAN Manager authentication, and SPA stands for Secure Password Authentication.
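To make the difference between the challenge-response mechanisms and the cleartext ones concrete, here is a minimal CRAM-MD5 exchange (RFC 2195) next to the PLAIN and LOGIN encodings. This is an added example, not code from the Wikislax page or from Cyrus-SASL; the host name, user name and password are constructed sample values, and the extra random component in the challenge is this example's own choice (RFC 2195 only requires the challenge to be unique).

```python
"""Added example (not part of the Wikislax page nor of Cyrus-SASL): a minimal
CRAM-MD5 exchange as specified in RFC 2195, placed next to the PLAIN and LOGIN
encodings, to show what each mechanism actually puts on the wire."""
import base64
import hashlib
import hmac
import os
import secrets
import time


def cram_md5_challenge(hostname="mail.example.com"):
    """Server side: a fresh, unique challenge in the RFC 2195 msg-id style
    '<pid.timestamp.random@hostname>'. The random part is added here so two
    challenges issued in the same second still differ; hostname is a placeholder."""
    return f"<{os.getpid()}.{int(time.time())}.{secrets.token_hex(8)}@{hostname}>".encode()


def cram_md5_response(user, password, challenge):
    """Client side: 'user ' + lowercase hex of HMAC-MD5(key=password, msg=challenge).
    The password itself is never transmitted."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}".encode()


def cram_md5_verify(response, challenge, lookup_secret):
    """Server side: recompute the digest from the stored shared secret and
    compare in constant time. lookup_secret(user) must return the cleartext
    password (or an equivalent pre-keyed MD5 state): a backend that can only
    answer 'is this cleartext password right?' cannot verify CRAM-MD5, which is
    why saslauthd serves PLAIN and LOGIN only. Returns the user or None."""
    try:
        user, digest = response.decode("ascii").split(" ", 1)
    except (UnicodeDecodeError, ValueError):
        return None
    secret = lookup_secret(user)
    if secret is None:
        return None
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return user if hmac.compare_digest(expected, digest) else None


def plain_message(user, password, authzid=""):
    """PLAIN (RFC 4616): authzid NUL authcid NUL password, base64-encoded.
    Anyone who can read the connection can decode the password."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode())


def decode_plain(message):
    """What the server (or a passive observer) recovers from a PLAIN message."""
    authzid, authcid, password = base64.b64decode(message).split(b"\0", 2)
    return authzid.decode(), authcid.decode(), password.decode()


def login_messages(user, password):
    """LOGIN: user name and password sent as two separate base64 strings in
    answer to the server's 'Username:' and 'Password:' prompts."""
    return base64.b64encode(user.encode()), base64.b64encode(password.encode())


def demo(user="myUser", password="myPassword"):
    """One CRAM-MD5 exchange, then the same response presented against a later
    challenge (which must be rejected). Credentials are constructed samples."""
    store = {user: password}                 # the server's shared-secret store
    challenge = cram_md5_challenge()
    response = cram_md5_response(user, password, challenge)
    accepted = cram_md5_verify(response, challenge, store.get)
    replayed = cram_md5_verify(response, cram_md5_challenge(), store.get)
    return {"accepted": accepted, "replay_rejected": replayed is None,
            "plain_on_wire": decode_plain(plain_message(user, password))}


if __name__ == "__main__":
    print(demo())
```

The server-side function needs the cleartext secret to recompute the HMAC, which is the design property behind the note later on this page that saslauthd can only back PLAIN and LOGIN.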

Cyrus-SASL, open source software developed at Carnegie Mellon University, implements the standard mechanisms and also includes plugins for proprietary authentication methods such as Microsoft NTLM/SPA.

Cyrus-SASL offers several options for checking the actual passwords. With saslauthd, the saslauthd daemon checks cleartext-only passwords against PAM (the system passwords in /etc/shadow), LDAP, Kerberos and others. With auxprop, external modules look up passwords stored in a SASL database (sasldb, using Berkeley DB), in an SQL database, or in an LDAP directory.

Installing Cyrus-SASL

Download, untar to /usr/local, then install as below. The authentication mechanisms enabled are CRAM-MD5 (possibly needed for Thunderbird), DIGEST-MD5, PLAIN and LOGIN (needed for Microsoft Outlook Express); the password checking methods enabled are saslauthd (with PAM or LDAP) and ldapdb. OpenSSL support is enabled (it is not clear whether it is used, as SASL includes its own encryption routines), and random numbers are read from /dev/urandom to avoid the severe authentication slowdowns observed with /dev/random (this should not be used with the OTP or SRP mechanisms).

# tar -C /usr/local -xvf cyrus-sasl-x.y.z.tar.gz
# cd /usr/local
# chmod -R go-w cyrus-sasl-x.y.z
# cd cyrus-sasl-x.y.z
# ./configure --help | less
# ./configure --libdir=/usr/local/lib64 --disable-alwaystrue --disable-checkapop \
--disable-otp --disable-gssapi --disable-anon --enable-login --with-devrandom=/dev/urandom \
--with-saslauthd=/var/state/saslauthd --with-openssl=/usr/local --with-ldap=/usr/local \
--enable-ldapdb
# make
# removepkg /var/log/packages/qca-cyrus-sasl-x.y.z_betat-x86_64-1
# removepkg /var/log/packages/cyrus-sasl-x.y.z-x86_64-2
# make install
# make clean
# mkdir /var/state/saslauthd
# ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
# ln -sf /usr/local/lib64/libsasl2.la /usr/lib64/libsasl2.la
# ln -sf /usr/local/lib64/libsasl2.so.3 /usr/lib64/libsasl2.so.2
# ldconfig

Reinstalling OpenLDAP

There is a chicken-and-egg problem with OpenLDAP and Cyrus-SASL, as each references the other. In the previous chapter we installed OpenLDAP without --enable-spasswd --with-cyrus-sasl. We now reinstall OpenLDAP with --enable-spasswd --with-cyrus-sasl:

# cd /usr/local/openldap-x.y.z
# make distclean
# ./configure --help | less
# ./configure --libdir=/usr/local/lib64 --mandir=/usr/local/man \
--disable-ipv6 --with-tls --enable-spasswd --with-cyrus-sasl
# make depend
# make
# make test
# make install
# make clean

Configuring Cyrus-SASL

Applications that use SASL are advised to have an Application.conf file in /usr/lib/sasl2, with a mech_list line selecting a subset of the authentication mechanisms defined for the site and a pwcheck_method line selecting the password checking method. If the application can use all mechanisms defined for the site, mech_list is not needed. log_level ranges from 0 to 7 (default 1: log unusual errors) and sets the verbosity of the logs written under /var/log in the files auth.log, debug, maillog and syslog.

Known issue

Applications using SASL authentication (e.g. OpenLDAP, Cyrus-IMAP) expect to find a GuessMyName.conf file in /usr/lib/sasl2 to work properly. If this file cannot be found, the message _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: appears in /var/log/debug and auxpropfunc error invalid parameter supplied in /var/log/syslog. To find the name of the missing file, run make and make install for SASL again after adding the line _sasl_log (NULL, SASL_LOG_ERR, "File %s could not be fopened\n", filename); in lib/config.c just after the call to fopen. Known SASL configuration filenames are:

  • Cyrus.conf
  • INN.conf
  • Sendmail.conf
  • slapd.conf

Using saslauthd

An Application.conf file to use saslauthd could be:

log_level: 0
mech_list: PLAIN LOGIN
pwcheck_method: saslauthd

Specify the saslauthd options in the file /etc/rc.d/rc.saslauthd: -a ldap selects LDAP as the authentication backend and -n is the number of waiting processes; use 0 to create authentication processes only on demand. Run chmod u+x /etc/rc.d/rc.saslauthd so that saslauthd is launched automatically at startup. For more saslauthd options, see the saslauthd man page.

saslauthd_start() {
  # If saslauthd is not running, start it:
  if [ ! -r /var/state/saslauthd/saslauthd.pid ]; then
    echo "Starting SASL authentication daemon:  /usr/local/sbin/saslauthd -a ldap -n 0"
    /usr/local/sbin/saslauthd -a ldap -n 0
  fi
}

When using ldap, the file /usr/local/etc/saslauthd.conf defines the LDAP access parameters:

ldap_auth_method: custom
ldap_authz: proxyUser
ldap_filter: cn=%u
ldap_id: proxyUser
ldap_mech: DIGEST-MD5
ldap_password: proxyPassword
ldap_search_base: dc=domain,dc=com
ldap_servers: ldap://localhost
ldap_use_sasl: yes

Restart slapd and use testsaslauthd to make sure it works:

# killall slapd
# /usr/local/libexec/slapd -u ldap -g ldap -h ldap://localhost/
# testsaslauthd -u myUser -p myPassword
0: OK "Success."

Note: as already noted above when introducing the password checking methods, saslauthd can only verify cleartext passwords (even though it uses DIGEST-MD5 when talking to slapd), so only the PLAIN and LOGIN mechanisms can be used with saslauthd. For security, any such connection should be wrapped in TLS when used over the network.
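The testsaslauthd run above and this note are about the same thing: the application hands saslauthd a cleartext login and password and gets back an OK or NO. The following added example (not code from the Wikislax page or from Cyrus-SASL) shows the framing used on the saslauthd Unix socket, with an in-process stand-in for the daemon so the exchange can be run without a real saslauthd. The socket path is the one implied by the --with-saslauthd=/var/state/saslauthd configure option above; the user table and the failure reply text are constructed.

```python
"""Added example (not part of the Wikislax page nor of Cyrus-SASL): the request
and reply framing that testsaslauthd and libsasl use on the saslauthd Unix
socket, plus an in-process stand-in for the daemon so the exchange runs offline."""
import socket
import struct
import threading

# Socket implied by --with-saslauthd=/var/state/saslauthd in the configure line above.
DEFAULT_SOCKET = "/var/state/saslauthd/mux"


def _counted(data):
    """One field: 16-bit big-endian length followed by the bytes."""
    return struct.pack("!H", len(data)) + data


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("saslauthd socket closed early")
        buf += chunk
    return buf


def _read_counted(sock):
    (n,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, n)


def encode_request(user, password, service="imap", realm=""):
    """Request = four counted strings: login, password, service, realm.
    The password travels in cleartext inside the frame, which is why saslauthd
    can only back the PLAIN and LOGIN mechanisms."""
    return b"".join(_counted(f.encode()) for f in (user, password, service, realm))


def decode_request(sock):
    """Daemon side: read the four counted strings."""
    return tuple(_read_counted(sock).decode() for _ in range(4))


def parse_reply(reply):
    """The daemon answers one counted string that starts with 'OK' or 'NO'."""
    return reply.startswith(b"OK"), reply.decode(errors="replace")


def saslauthd_check(sock, user, password, service="imap", realm=""):
    """Client side, i.e. what 'testsaslauthd -u myUser -p myPassword' does."""
    sock.sendall(encode_request(user, password, service, realm))
    return parse_reply(_read_counted(sock))


def fake_daemon_once(sock, table):
    """Stand-in daemon: serve one request from a constructed {user: password}
    table. The success text matches the page's transcript; the failure text is
    a hypothetical placeholder."""
    user, password, _service, _realm = decode_request(sock)
    reply = b'OK "Success."' if table.get(user) == password else b'NO "authentication failed"'
    sock.sendall(_counted(reply))


def demo(user="myUser", password="myPassword"):
    """Run client and stand-in daemon over a socketpair; no real daemon needed."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        worker = threading.Thread(target=fake_daemon_once,
                                  args=(server, {"myUser": "myPassword"}))
        worker.start()
        result = saslauthd_check(client, user, password)
        worker.join()
    finally:
        client.close()
        server.close()
    return result


def check_real_daemon(user, password, service="imap", realm="", path=DEFAULT_SOCKET):
    """The same exchange against a running saslauthd (needs access to the mux socket)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        return saslauthd_check(s, user, password, service, realm)


if __name__ == "__main__":
    print(demo())
```

Because the whole password sits in the request frame, the permissions on the mux socket directory decide who on the host may submit login attempts to saslauthd; the TLS advice in the note applies to the client-facing connection, not to this local socket.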

Using sasldb

An Application.conf file to use sasldb could be:

auxprop_plugin: sasldb
mech_list: CRAM-MD5 DIGEST-MD5 PLAIN LOGIN
pwcheck_method: auxprop

sasldb stores a list of users and passwords in the /etc/sasldb2 password database. The tools to maintain this database are sasldblistusers2, which lists the users, and saslpasswd2, which adds or removes users and passwords. For more options, see the man pages. Note: when creating users, it may be necessary to append the domain name for the password check to work.

# saslpasswd2 -c myUser@myDomain.com
Password: 
# sasldblistusers2
myUser@myDomain.com: userPassword
# saslpasswd2 -d myUser@myDomain.com

Using ldapdb

This is our preferred method, as it uses the LDAP directory as a single, direct source of authentication for all applications (saslauthd is not needed with the ldapdb auxprop plugin). We will use it later in this document for Sendmail and Cyrus-IMAP authentication. As we authenticate against localhost, only interprocess communication is involved, so there is no need for encryption and we use the PLAIN mechanism. An Application.conf file to use ldapdb is as below:

auxprop_plugin: ldapdb
ldapdb_id: proxyUser
ldapdb_mech: DIGEST-MD5
ldapdb_pw: proxyPassword
ldapdb_uri: ldap://localhost
log_level: 0
mech_list: PLAIN
pwcheck_method: auxprop

The file /usr/local/lib/sasl2/slapd.conf tells slapd to use its own internal auxprop_plugin module slapd to authenticate proxyUser:

auxprop_plugin: slapd
log_level: 0
mech_list: DIGEST-MD5
pwcheck_method: auxprop

As these files contain sensitive information (the proxy password), their owner and permissions should be set so that only their user, ldap:ldap, can read them.
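The Application.conf files on this page all share the same "key: value" layout, and three of the rules stated along the way can be checked mechanically: log_level must be 0 to 7 (Configuring Cyrus-SASL), a saslauthd-backed file must not offer CRAM-MD5 or DIGEST-MD5 (the saslauthd note), and a file carrying a proxy password must not be readable by group or others (the sentence above). The checker below is an added example, not code from the Wikislax page or from Cyrus-SASL; the problem codes are its own naming, the sample texts are constructed from the page's files, and the "sql_passwd" key is included only as another example of a password-carrying option. One point worth keeping in mind when reading these files: mech_list governs the mechanisms offered to the application's own clients, while ldapdb_mech governs the application's connection to slapd.

```python
"""Added example (not part of the Wikislax page nor of Cyrus-SASL): a checker
for the 'key: value' Application.conf files described on this page."""
import os
import stat

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}
PWCHECK_METHODS = {"auxprop", "saslauthd", "pwcheck", "authdaemond", "alwaystrue"}
SECRET_KEYS = {"ldapdb_pw", "sql_passwd"}            # values that are passwords
LDAPDB_KEYS = ("ldapdb_uri", "ldapdb_id", "ldapdb_mech", "ldapdb_pw")

# Constructed samples: the page's saslauthd file, and a deliberate misconfiguration.
SASLAUTHD_CONF = """\
log_level: 0
mech_list: PLAIN LOGIN
pwcheck_method: saslauthd
"""
BAD_CONF = """\
log_level: 9
mech_list: CRAM-MD5 PLAIN
pwcheck_method: saslauthd
"""


def parse_sasl_conf(text):
    """Parse 'key: value' lines; blank lines and '#' comments are skipped."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected 'key: value', got {raw!r}")
        conf[key.strip()] = value.strip()
    return conf


def lint_conf(conf):
    """Return (code, message) problems; the codes are this example's own."""
    problems = []
    methods = conf.get("pwcheck_method", "auxprop").split()
    mechs = conf.get("mech_list", "").upper().split()
    for method in methods:
        if method not in PWCHECK_METHODS:
            problems.append(("unknown-pwcheck", f"unknown pwcheck_method {method!r}"))
        if method == "alwaystrue":
            problems.append(("alwaystrue", "alwaystrue accepts any password at all"))
        if method == "saslauthd":
            # saslauthd only answers "is this cleartext password right?", so it
            # cannot compute the CRAM-MD5 / DIGEST-MD5 shared-secret responses.
            for m in mechs:
                if m not in CLEARTEXT_MECHS:
                    problems.append(("mech-needs-secret",
                                     f"{m} cannot be verified by saslauthd; use PLAIN/LOGIN or auxprop"))
        if method == "auxprop" and "auxprop_plugin" not in conf:
            problems.append(("no-auxprop-plugin",
                             "auxprop_plugin not set; every loaded auxprop plugin is consulted"))
    level = conf.get("log_level")
    if level is not None and not (level.isdigit() and int(level) <= 7):
        problems.append(("bad-log-level", f"log_level must be 0..7, got {level!r}"))
    if conf.get("auxprop_plugin") == "ldapdb":
        for key in LDAPDB_KEYS:
            if key not in conf:
                problems.append(("ldapdb-incomplete",
                                 f"{key} is set in the page's ldapdb example but missing here"))
    return problems


def lint_mode(conf, mode):
    """Permission rule from the page: a file holding a proxy password must be
    readable only by the service user, i.e. no group/other permission bits."""
    if SECRET_KEYS.intersection(conf) and mode & 0o077:
        return [("too-open", f"file holds a password but mode {mode:04o} grants group/other access")]
    return []


def check_file(path):
    """Parse, lint and permission-check one real Application.conf on disk."""
    with open(path, encoding="utf-8") as fh:
        conf = parse_sasl_conf(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return lint_conf(conf) + lint_mode(conf, mode)


if __name__ == "__main__":
    for name, text in (("saslauthd", SASLAUTHD_CONF), ("bad", BAD_CONF)):
        print(name, lint_conf(parse_sasl_conf(text)) or "OK")
```

check_file("/usr/local/lib/sasl2/slapd.conf") runs all three rules against the real file; the page's slapd.conf has no ldapdb_pw, so for it only the mech_list and log_level rules apply, while the Application.conf for ldapdb carries proxyPassword and is subject to the permission rule.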
