Wikislax: /* Using ldapdb */

2024-12-27T15:04:25Z

‎Using ldapdb

Wikislax at 15:03, 27 December 2024

2024-12-27T15:03:41Z

Wikislax: Created page with "{{RightTOC}} == What is Cyrus-SASL ? == [http://www.cyrusimap.org/#sasl SASL] is a protocol to manage authentication between clients and servers. It is used in messaging to..."

2017-12-06T21:30:13Z

Created page with "{{RightTOC}} == What is Cyrus-SASL ? == [http://www.cyrusimap.org/#sasl SASL] is a protocol to manage authentication between clients and servers. It is used in messaging to..."

New page

{{RightTOC}}

== What is Cyrus-SASL ? ==

[http://www.cyrusimap.org/#sasl SASL] is a protocol to manage authentication between clients and servers. It is used in messaging to authenticate clients to '''smtp pop3 imap ldap servers'''. SASL is specified in RFC 2222 (Simple Authentication and Security Layer). SASL defines how authentication information is exchanged, but lets other specifications define the authentication methods really used.

Among these, '''CRAM-MD5''' and its successor '''DIGEST-MD5''' use a shared secret (a password) and a challenge that affords proving that the other side owns the password without actually needing to send it over the wire. '''GSSAPI''' is the method for '''KERBEROS V5'''. '''PLAIN''' use a plaintext password. Microsoft Outlook Express uses only proprietary methods, '''LOGIN''' uses a base 64-coded plaintext password, '''NTLM''' is the Microsoft NT Lan Manager Authentication and '''SPA''' stands for secure password authentication.

'''Cyrus-SASL''', an Open Source software developped by the Carnegie-Mellon University, implements the standard methods, and also includes plugins to handle proprietary authentication methods such as Microsoft '''NTLM/SPA'''.

'''Cyrus-SASL''' offers several options to check the real passwords. '''saslauthd''' affords using the '''saslauthd''' daemon to check cleartext-only passwords against '''PAM''' (the system passwords and '''/etc/shadow'''), '''LDAP''', '''Kerberos''', and others. '''auxprop''' affords using external modules for passwords stored in an external '''SASLdb''' (using '''Berkeley db''') or '''SQL''' database, or in an '''LDAP''' directory.

== Installing Cyrus-SASL ==

[http://www.cyrusimap.org/mediawiki/index.php/Downloads#SASL_Library Download], untar to /usr/local then install as below. The authentication methods used are '''CRAM-MD5''' (needed? for '''Thunderbird'''), '''DIGEST-MD5''', '''PLAIN''', '''LOGIN''' (needed for '''Microsoft Outlook Express'''), the password checking methods used are '''saslauthd''' (with PAM or LDAP) and '''ldapdb'''. There's support for OpenSSL (not sure if this is used as SASL includes its own encryption routines), and random number generation uses '''/dev/urandom''' to avoid authentication severe slowdowns observed when using '''/dev/random''' (but should not be used for OTP of SRP).

# tar -C /usr/local -xvf cyrus-sasl-x.y.z.tar.gz
# cd /usr/local
# chmod -R go-w cyrus-sasl-x.y.z
# cd cyrus-sasl-x.y.z
# ./configure --help | less
# ./configure --libdir=/usr/local/lib64 --disable-alwaystrue --disable-checkapop \
--disable-otp --disable-gssapi --disable-anon --enable-login --with-devrandom=/dev/urandom \
--with-saslauthd=/var/state/saslauthd --with-openssl=/usr/local --with-ldap=/usr/local \
--enable-ldapdb
# make
# removepkg /var/log/packages/qca-cyrus-sasl-x.y.z_betat-x86_64-1
# removepkg /var/log/packages/cyrus-sasl-x.y.z-x86_64-2
# make install
# make clean
# mkdir /var/state/saslauthd
# ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
# ln -sf /usr/local/lib64/libsasl2.la /usr/lib64/libsasl2.la
# ln -sf /usr/local/lib64/libsasl2.so.3 /usr/lib64/libsasl2.so.2
# ldconfig

== Reinstalling OpenLDAP ==

There is a chicken-and-egg problem with OpenLDAP and Cyrus-SASL as they reference each other. At previous chapter we installed OpenLDAP without '''--enable-spasswd --with-cyrus-sasl'''. We now reinstall OpenLDAP with '''--enable-spasswd --with-cyrus-sasl''' :

# cd /usr/local/openldap-x.y.z
# make distclean
# ./configure --help | less
# ./configure --libdir=/usr/local/lib64 --mandir=/usr/local/man \
--disable-ipv6 --with-tls --enable-spasswd --with-cyrus-sasl
# make depend
# make
# make test
# make install
# make clean

== Configuring Cyrus-SASL ==

Applications that use SASL are advised to use an '''Application.conf''' file in '''/usr/lib/sasl2''', with a '''mech_list''' line defining a subset of the authentication methods defined for the site, and a '''pwcheck_method''' line defining the password checking method. If all authentication methods defined for the site can be used by the application then it is not necessary to use '''mech_list'''. log_level is between 0 and 7 (default 1, log unusual errors) and defines the verbosity of the logs produced under '''/var/log''' in files '''auth.log''', '''debug''', '''maillog''' and '''syslog'''.

== Known issue ==

Applications using SASL authentication (e.g. OpenLdap, Cyrus-IMAP) expect to find a ''GuessMyName.conf'' file in /usr/lib/sasl2 to work properly. If this file cannot be found, there will be messages ''_sasl_plugin_load failed on sasl_auxprop_plug_init for plugin:'' in /var/log/debug and ''auxpropfunc error invalid parameter supplied'' in /var/log/syslog. To find the name of the missing file, re-make install SASL after adding line '''_sasl_log (NULL, SASL_LOG_ERR, "File %s could not be fopened\n", filename);''' in lib/config.c just after the call to fopen. Known SASL configuration filenames are :

* Cyrus.conf
* INN.conf
* Sendmail.conf
* slapd.conf

== Using saslauthd ==

An Application.conf file to use '''saslauthd''' could be :

log_level: 0
mech_list: PLAIN LOGIN
pwcheck_method: saslauthd

Specify the '''saslauthd''' options in file '''/etc/rc.d/rc.saslauthd'''. '''-a ldap''' affords using ldap and '''-n''' is the number of waiting processes. Put 0 to create authentication processes only on demand. chmod u+x /etc/rc.d/rc.saslauthd to afford automatically launching saslauthd at startup. For more saslauthd options, see the '''man saslauthd''' page.

saslauthd_start() {
# If saslauthd is not running, start it:
if [ ! -r /var/state/saslauthd/saslauthd.pid ]; then
echo "Starting SASL authentication daemon: /usr/local/sbin/saslauthd -a ldap -n 0"
/usr/local/sbin/saslauthd -a ldap -n 0
fi
}

When using ldap, file '''/usr/local/etc/saslauthd.conf''' defines the LDAP access parameters :

ldap_auth_method: custom
ldap_authz: proxyUser
ldap_filter: cn=%u
ldap_id: proxyUser
ldap_mech: DIGEST-MD5
ldap_password: proxyPassword
ldap_search_base: dc=domain,dc=com
ldap_servers: ldap://localhost
ldap_use_sasl: yes

Restart '''slapd''' and use '''testsaslauthd''' to make sure is works :

# killall slapd
# /usr/local/libexec/slapd -u ldap -g ldap -h ldap://localhost/
# testsaslauthd -u myUser -p myPassword
0: OK “Success.”

Note : as already noted above when introducing the password checking methods, '''saslauthd''' affords using only cleartext passwords (even if it uses digest-md5 when talking to slapd). So only the PLAIN and LOGIN mechanisms can be used with '''saslauthd'''. For security, any such connection should be encapsulated within TLS when used over the wire.

== Using sasldb ==

An Application.conf file to use sasldb could be:

auxprop_plugin: sasldb
mech_list: CRAM-MD5 DIGEST-MD5 PLAIN LOGIN
pwcheck_method: auxprop

'''sasldb''' affords storing a list of users/passwords in the '''/etc/sasldb2''' password database. The tools to maintain this database are '''sasldblistusers2''', that affords listing the users, and '''saslpasswd2''', that affords adding or removing users/passwords. For more options, see the man pages. Note : when creating users, it might be necessary to append the domain name for the password checking to work.

# saslpasswd2 -c myUser@myDomain.com
Password:
# sasldblistusers2
myUser@myDomain.com: userPassword
# saslpasswd2 -d myUser@myDomain.com

== Using ldapdb ==

This is our preferred method, as it affords using the LDAP directory as a single and direct (saslauthd is not needed when using the ldapdb auxprop) source of authentication for all applications. We will use it later in this document for Sendmail and Cyrus-IMAP authentication. As we are authenticating against localhost we are using interprocess communication only so there is no need for encryption and we use the PLAIN mechanism. An Application.conf file to use '''ldapdb''' is as below :

auxprop_plugin: ldapdb
ldapdb_id: proxyUser
ldapdb_mech: DIGEST-MD5
ldapdb_pw: proxyPassword
ldapdb_uri: ldap://localhost
log_level: 0
mech_list: PLAIN
pwcheck_method: auxprop

File '''/usr/local/lib/sasl2/slapd.conf''' tells slapd to use its own internal auxprop_plugin module slapd to authenticate proxyUser :

auxprop_plugin: slapd
log_level: 0
mech_list: DIGEST-MD5
pwcheck_method: auxprop

As they contain sensitive information, the owner and rights of these files should be set so that they can be read only by their user ldap:ldap.

 

{{pFoot|[[OpenLDAP]]|[[Main Page]]|[[Sendmail]]}}

@@ Line 125: / Line 125: @@
   ldapdb_id: proxyUser
   ldapdb_mech: DIGEST-MD5
-  ldapdb_pw: proxyPassword
+  ldapdb_pw: proxyUserPassword
   ldapdb_uri: ldap://localhost
   log_level: 0

@@ Line 88: / Line 88: @@
   ldap_id: proxyUser
   ldap_mech: DIGEST-MD5
-  ldap_password: proxyPassword
+  ldap_password: proxyUserPassword
   ldap_search_base: dc=domain,dc=com
   ldap_servers: ldap://localhost

Cyrus-SASL - Revision history

Wikislax: /* Using ldapdb */

Wikislax at 15:03, 27 December 2024

Wikislax: Created page with "{{RightTOC}} == What is Cyrus-SASL ? == [http://www.cyrusimap.org/#sasl SASL] is a protocol to manage authentication between clients and servers. It is used in messaging to..."