SASL Authentication Problem

Thomas Spuhler thomas.spuhler at btspuhler.com
Tue Aug 25 02:24:55 CEST 2015


On Monday, August 24, 2015 08:21:09 PM Paul Bronson wrote:
> So I am running into a whirlwind of issues with my Cyrus install. I am
> setting up a multi-domain Kolab groupware solution. I am on CentOS 6.7.
> 
> I am getting this flooding my error logs when I try to make a new user on a
> fresh multi domain setup:
> 
>     Aug 24 19:01:19 gmx1 imaps[1911]: badlogin: localhost [::1] PLAIN [SASL(-13): authentication failure: bad userid authenticated]
>     Aug 24 19:01:23 gmx1 imaps[1916]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
>     Aug 24 19:01:23 gmx1 imaps[1916]: SASL unable to open Berkeley db /etc/sasldb2: No such file or directory
>     Aug 24 19:01:23 gmx1 imaps[1916]: SASL unable to open Berkeley db /etc/sasldb2: No such file or directory
>     Aug 24 19:01:23 gmx1 imaps[1916]: ptload(): bad response from ptloader server: ptsmodule_canonifyid() failed
>     Aug 24 19:01:23 gmx1 imaps[1916]: ptload completely failed: unable to canonify identifier: 'john'[0:1]doe at domain.com
>     Aug 24 19:01:23 gmx1 imaps[1916]: SASL bad userid authenticated
> 
> 
> The users do NOT show up on kolab webadmin... It keeps trying to add a test
> user I made and won't stop trying.  I reboot the server and it goes away.
> 
> I tried playing with:
> 
> /etc/imapd.conf
> 
>     ldap_domain_base_dn: cn=kolab,cn=config
>     ldap_domain_filter: (&(objectclass=domainrelatedobject)(associateddomain=%s))
>     ldap_domain_name_attribute: associatedDomain
>     ldap_domain_scope: sub
>     ldap_domain_result_attribute: inetdomainbasedn
> 
> 
> I also noticed these at the top. Should this be "PLAIN"? See below.
> 
>     sasl_pwcheck_method: auxprop saslauthd
>     sasl_mech_list: PLAIN LOGIN
>     allowplaintext: no
I have (Mageia5):

    pwcheck_method: saslauthd
    mech_list: plain login


> 
> 
> My imapd config:
> 
>     configdirectory: /var/lib/imap
>     partition-default: /var/spool/imap
>     admins: cyrus-admin
>     sievedir: /var/lib/imap/sieve
>     sendmail: /usr/sbin/sendmail
>     sasl_pwcheck_method: auxprop saslauthd
>     sasl_mech_list: PLAIN LOGIN
>     allowplaintext: no
>     tls_server_cert: /etc/pki/cyrus-imapd/cyrus-imapd.pem
>     tls_server_key: /etc/pki/cyrus-imapd/cyrus-imapd.pem
>     # uncomment this if you're operating in a DSCP environment (RFC-4594)
>     # qosmarking: af13
>     auth_mech: pts
>     pts_module: ldap
>     ldap_servers: ldap://localhost:389
>     ldap_sasl: 0
>     ldap_base: dc=domain,dc=com
>     ldap_bind_dn: uid=kolab-service,ou=Special Users,dc=domain,dc=com
>     ldap_password: WIY0DNbAYPc8uY5
>     ldap_filter: (|(&(|(uid=cyrus-admin)(uid=cyrus-murder))(uid=%U))(&(|(uid=%U)(mail=%U@%d)(mail=%U@%r))(objectclass=kolabinetorgperson)))
>     ldap_user_attribute: mail
>     ldap_group_base: dc=domain,dc=com
>     ldap_group_filter: (&(cn=%u)(objectclass=ldapsubentry)(objectclass=nsroledefinition))
>     ldap_group_scope: one
>     ldap_member_base: ou=People,dc=domain,dc=com
>     ldap_member_method: attribute
>     ldap_member_attribute: nsrole
>     ldap_restart: 1
>     ldap_timeout: 10
>     ldap_time_limit: 10
>     unixhierarchysep: 1
>     virtdomains: userid
>     annotation_definitions: /etc/imapd.annotations.conf
>     sieve_extensions: fileinto reject envelope body vacation imapflags notify include regex subaddress relational copy date index
>     allowallsubscribe: 0
>     allowusermoves: 1
>     altnamespace: 1
>     hashimapspool: 1
>     anysievefolder: 1
>     fulldirhash: 0
>     sieveusehomedir: 0
>     sieve_allowreferrals: 0
>     lmtp_downcase_rcpt: 1
>     lmtp_fuzzy_mailbox_match: 1
>     username_tolower: 1
>     deletedprefix: DELETED
>     delete_mode: delayed
>     expunge_mode: delayed
>     postuser: shared
> 
>     ldap_domain_base_dn: cn=kolab,cn=config
>     ldap_domain_filter: (&(objectclass=domainrelatedobject)(associateddomain=%s))
>     ldap_domain_name_attribute: associatedDomain
>     ldap_domain_scope: sub
>     ldap_domain_result_attribute: inetdomainbasedn
> 
> 
> Cyrus version:
> 
>     name       : Cyrus IMAPD
>     version    : git2.5+0-Kolab-2.5-108.1.el6.kolab_3.4
>     vendor     : Project Cyrus
>     support-url: http://www.cyrusimap.org
>     os         : Linux
>     os-version : 2.6.32-042stab108.7
>     environment: Built w/Cyrus SASL 2.1.23
>                  Running w/Cyrus SASL 2.1.23
>                  Built w/OpenSSL 1.0.1e-fips 11 Feb 2013
>                  Running w/OpenSSL 1.0.1e-fips 11 Feb 2013
>                  Built w/zlib 1.2.3
>                  Running w/zlib 1.2.3
>                  CMU Sieve 2.4
>                  TCP Wrappers
>                  NET-SNMP
>                  mmap = shared
>                  lock = fcntl
>                  nonblock = fcntl
>                  idle = idled
> 
> 
> 
> Kolab web-admin is in turn unable to write the entry to Cyrus as the user
> doesn't show in the roundcube DB.
> 
> 
> I think my main problem is that this "ptloader" cannot canonify the user.
> Should I turn on canonicalization?
> 
> This article states to use it:
> https://docs.kolab.org/howtos/multi-domain.html#cyrus-imap-changes
> 
> This one does not:
> http://bmts.us/wiki/doku.php?id=article:kolab:multidomain

-- 
Best regards
Thomas Spuhler

All of my e-mails have a valid digital signature
ID 60114E63
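
An added example, not part of either message in this thread: a small Python comparison of the two SASL settings quoted above. It assumes the reply's unprefixed `pwcheck_method` and `mech_list` name the same options that imapd.conf spells with a `sasl_` prefix, and that their values compare case-insensitively; the function names are illustrative.

```python
# Constructed from the two settings quoted in this thread.
POSTER_CONF = """\
sasl_pwcheck_method: auxprop saslauthd
sasl_mech_list: PLAIN LOGIN
allowplaintext: no
"""
REPLY_CONF = """\
pwcheck_method: saslauthd
mech_list: plain login
"""

SASL_KEYS = ("pwcheck_method", "mech_list")


def sasl_options(conf_text):
    """Return {option: [tokens]} for the SASL options, 'sasl_' prefix removed."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        key = key.strip().lower()
        if key.startswith("sasl_"):  # imapd.conf spelling of a SASL option
            key = key[len("sasl_"):]
        if key in SASL_KEYS:
            opts[key] = value.split()
    return opts


def compare(first, second):
    """Diff two option sets token by token, keeping the configured order."""
    report = {}
    for key in SASL_KEYS:
        # Assumption: method and mechanism names compare case-insensitively.
        left = [t.lower() for t in first.get(key, [])]
        right = [t.lower() for t in second.get(key, [])]
        report[key] = {
            "same": left == right,
            "only_in_first": [t for t in left if t not in right],
            "only_in_second": [t for t in right if t not in left],
        }
    return report


if __name__ == "__main__":
    result = compare(sasl_options(POSTER_CONF), sasl_options(REPLY_CONF))
    for key, diff in result.items():
        print(key, diff)
```

On these two snippets the mechanism lists match once case is ignored, and the only difference is the extra `auxprop` entry in the original poster's `sasl_pwcheck_method`.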