SASL Authentication Problem

Paul Bronson signaldeveloper at gmail.com
Tue Aug 25 02:21:09 CEST 2015


So I am running into a whirlwind of issues with my Cyrus install. I am
setting up a multi-domain Kolab groupware solution. I am on CentOS 6.7.

I am getting this flooding my error logs when I try to make a new user on a
fresh multi domain setup:

    Aug 24 19:01:19 gmx1 imaps[1911]: badlogin: localhost [::1] PLAIN [SASL(-13): authentication failure: bad userid authenticated]
    Aug 24 19:01:23 gmx1 imaps[1916]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
    Aug 24 19:01:23 gmx1 imaps[1916]: SASL unable to open Berkeley db /etc/sasldb2: No such file or directory
    Aug 24 19:01:23 gmx1 imaps[1916]: SASL unable to open Berkeley db /etc/sasldb2: No such file or directory
    Aug 24 19:01:23 gmx1 imaps[1916]: ptload(): bad response from ptloader server: ptsmodule_canonifyid() failed
    Aug 24 19:01:23 gmx1 imaps[1916]: ptload completely failed: unable to canonify identifier: 'john'[0:1]doe at domain.com
    Aug 24 19:01:23 gmx1 imaps[1916]: SASL bad userid authenticated


The users do NOT show up on kolab webadmin... It keeps trying to add a test
user I made and won't stop trying.  I reboot the server and it goes away.

I tried playing with:

/etc/imapd.conf

    ldap_domain_base_dn: cn=kolab,cn=config
    ldap_domain_filter: (&(objectclass=domainrelatedobject)(associateddomain=%s))
    ldap_domain_name_attribute: associatedDomain
    ldap_domain_scope: sub
    ldap_domain_result_attribute: inetdomainbasedn


I also noticed these at the top. Should this be "PLAIN"? See below.

    sasl_pwcheck_method: auxprop saslauthd
    sasl_mech_list: PLAIN LOGIN
    allowplaintext: no


My imapd config:

    configdirectory: /var/lib/imap
    partition-default: /var/spool/imap
    admins: cyrus-admin
    sievedir: /var/lib/imap/sieve
    sendmail: /usr/sbin/sendmail
    sasl_pwcheck_method: auxprop saslauthd
    sasl_mech_list: PLAIN LOGIN
    allowplaintext: no
    tls_server_cert: /etc/pki/cyrus-imapd/cyrus-imapd.pem
    tls_server_key: /etc/pki/cyrus-imapd/cyrus-imapd.pem
    # uncomment this if you're operating in a DSCP environment (RFC-4594)
    # qosmarking: af13
    auth_mech: pts
    pts_module: ldap
    ldap_servers: ldap://localhost:389
    ldap_sasl: 0
    ldap_base: dc=domain,dc=com
    ldap_bind_dn: uid=kolab-service,ou=Special Users,dc=domain,dc=com
    ldap_password: WIY0DNbAYPc8uY5
    ldap_filter: (|(&(|(uid=cyrus-admin)(uid=cyrus-murder))(uid=%U))(&(|(uid=%U)(mail=%U@%d)(mail=%U@%r))(objectclass=kolabinetorgperson)))
    ldap_user_attribute: mail
    ldap_group_base: dc=domain,dc=com
    ldap_group_filter: (&(cn=%u)(objectclass=ldapsubentry)(objectclass=nsroledefinition))
    ldap_group_scope: one
    ldap_member_base: ou=People,dc=domain,dc=com
    ldap_member_method: attribute
    ldap_member_attribute: nsrole
    ldap_restart: 1
    ldap_timeout: 10
    ldap_time_limit: 10
    unixhierarchysep: 1
    virtdomains: userid
    annotation_definitions: /etc/imapd.annotations.conf
    sieve_extensions: fileinto reject envelope body vacation imapflags notify include regex subaddress relational copy date index
    allowallsubscribe: 0
    allowusermoves: 1
    altnamespace: 1
    hashimapspool: 1
    anysievefolder: 1
    fulldirhash: 0
    sieveusehomedir: 0
    sieve_allowreferrals: 0
    lmtp_downcase_rcpt: 1
    lmtp_fuzzy_mailbox_match: 1
    username_tolower: 1
    deletedprefix: DELETED
    delete_mode: delayed
    expunge_mode: delayed
    postuser: shared

    ldap_domain_base_dn: cn=kolab,cn=config
    ldap_domain_filter: (&(objectclass=domainrelatedobject)(associateddomain=%s))
    ldap_domain_name_attribute: associatedDomain
    ldap_domain_scope: sub
    ldap_domain_result_attribute: inetdomainbasedn


Cyrus version:

    name       : Cyrus IMAPD
    version    : git2.5+0-Kolab-2.5-108.1.el6.kolab_3.4
    vendor     : Project Cyrus
    support-url: http://www.cyrusimap.org
    os         : Linux
    os-version : 2.6.32-042stab108.7
    environment: Built w/Cyrus SASL 2.1.23
                 Running w/Cyrus SASL 2.1.23
                 Built w/OpenSSL 1.0.1e-fips 11 Feb 2013
                 Running w/OpenSSL 1.0.1e-fips 11 Feb 2013
                 Built w/zlib 1.2.3
                 Running w/zlib 1.2.3
                 CMU Sieve 2.4
                 TCP Wrappers
                 NET-SNMP
                 mmap = shared
                 lock = fcntl
                 nonblock = fcntl
                 idle = idled



Kolab web-admin is in turn unable to write the entry to Cyrus as the user
doesn't show in the roundcube DB.


I think my main problem is that this "ptloader" cannot canonify the user.
Should I turn on canonicalization?

This article states to use it:
https://docs.kolab.org/howtos/multi-domain.html#cyrus-imap-changes

This one does not:
http://bmts.us/wiki/doku.php?id=article:kolab:multidomain
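
An added triage example, not part of the original post and not Kolab or Cyrus code: it groups the posted log lines per imaps process and relates each connection's events to three settings from the posted imapd.conf. The event labels and finding names are hypothetical names chosen for this example.

```python
import re
from collections import defaultdict

# Log lines copied from the post above, with the mail-wrapped lines rejoined.
LOG = """\
Aug 24 19:01:19 gmx1 imaps[1911]: badlogin: localhost [::1] PLAIN [SASL(-13): authentication failure: bad userid authenticated]
Aug 24 19:01:23 gmx1 imaps[1916]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
Aug 24 19:01:23 gmx1 imaps[1916]: SASL unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 19:01:23 gmx1 imaps[1916]: SASL unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 19:01:23 gmx1 imaps[1916]: ptload(): bad response from ptloader server: ptsmodule_canonifyid() failed
Aug 24 19:01:23 gmx1 imaps[1916]: ptload completely failed: unable to canonify identifier: 'john'[0:1]doe at domain.com
Aug 24 19:01:23 gmx1 imaps[1916]: SASL bad userid authenticated
"""
# Three settings copied from the posted imapd.conf.
CONF = """\
sasl_pwcheck_method: auxprop saslauthd
allowplaintext: no
auth_mech: pts
"""
LINE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ imaps\[(\d+)\]: (.*)$")
RULES = [  # event labels are hypothetical names for this example, tried in order
    ("tls_ok", re.compile(r"^starttls: ")),
    ("sasldb_missing", re.compile(r"unable to open Berkeley db \S+: No such file")),
    ("pts_canonify_failed", re.compile(r"ptsmodule_canonifyid\(\) failed|unable to canonify")),
    ("auth_rejected", re.compile(r"^badlogin: |bad userid authenticated")),
]

def parse_conf(text):
    """Parse 'key: value' lines, ignoring comments and lines without a colon."""
    rows = (l.split(":", 1) for l in text.splitlines() if ":" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in rows}

def events_by_pid(log):
    """Map each imaps PID to its event labels in first-seen order, without repeats."""
    out = defaultdict(dict)
    for m in filter(None, map(LINE.match, log.splitlines())):
        label = next((n for n, rx in RULES if rx.search(m.group(2))), "other")
        out[m.group(1)][label] = True
    return {pid: list(seen) for pid, seen in out.items()}

def triage(conf, events):
    """Yield (pid, finding) pairs; the finding names are hypothetical."""
    for pid, seq in sorted(events.items()):
        if "sasldb_missing" in seq and "auxprop" in conf.get("sasl_pwcheck_method", "").split():
            yield pid, "auxprop-without-sasldb2"  # the sasldb auxprop plugin opens /etc/sasldb2
        if "tls_ok" in seq and conf.get("allowplaintext") in ("no", "0"):
            yield pid, "plaintext-mechs-allowed-under-tls"  # the setting only refuses PLAIN/LOGIN without TLS
        if seq[-2:] == ["pts_canonify_failed", "auth_rejected"] and conf.get("auth_mech") == "pts":
            yield pid, "rejected-after-canonify-failure"  # rejection comes right after the ptloader failure
```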