CentOS 上的 Cyrus 使用 sasl / pam / ldap

tag-icon tag-icon authentication ldap pam sasl cyrus
CentOS 上的 Cyrus 使用 sasl / pam / ldap

SASL/PAM/LDAP 让我抓狂……这是我在谷歌搜索此领域问题时经常看到的内容,也是我自己的亲身经历 :-S 我正在尝试让 Cyrus imap 使用此授权后端在 CentOS 上为虚拟主机工作,但真的不知道发生了什么。在 saslauthd 中,我配置了要使用的 LDAP 搜索过滤器,但看起来 pam 完全忽略了它。

以下是我进行的测试(进行了更多测试但结果都相似):

[root@testserv ~]# imtest -u [email protected] -a [email protected]
WARNING: no hostname supplied, assuming localhost

S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS] testserv. Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
Please enter your password: 
C: L01 LOGIN [email protected] {6}
S: + go ahead
C: <omitted>
S: L01 NO Login failed: authentication failure
Authentication failed. generic failure
Security strength factor: 0
C: Q01 LOGOUT
* BYE LOGOUT received
Q01 OK Completed
Connection closed.

LDAP 条目确实存在(Cyrus 中的邮箱也存在):

[root@testserv ~]# ldapsearch -WxD cn=Manager,o=mydomain,c=com [email protected]
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: [email protected]
# requesting: ALL
#

# myuser, accounts, testserv.mydomain.com, mydomain, com
dn: uid=myuser,ou=accounts,dc=testserv.mydomain.com,o=mydomain,c=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uidNumber: 16
uid: myuser
gidNumber: 5
givenName: My
sn: Name
mail: [email protected]
cn: My Name
userPassword:: dYN5ebB0fXhNRn1pZllhRnJX7Uk=
shadowLastChange: 15176
homeDirectory: /dev/null

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

这是我在 /var/log/messages 中得到的信息

Aug  2 04:00:11 testserv cyrus/imap[12514]: auxpropfunc error invalid parameter supplied 
Aug  2 04:00:19 testserv saslauthd[5926]: do_auth         : auth failure: [[email protected]] [service=imap] [realm=testserv.mydomain.com] [mech=pam] [reason=PAM auth error]

.../var/adm/auth.log

Aug  2 04:00:11 testserv cyrus/imap[12514]: auxpropfunc error invalid parameter supplied 
Aug  2 04:00:11 testserv cyrus/imap[12514]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb 
Aug  2 04:00:19 testserv saslauthd[5926]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Aug  2 04:00:19 testserv saslauthd[5926]: do_auth         : auth failure: [[email protected]] [service=imap] [realm=testserv.mydomain.com] [mech=pam] [reason=PAM auth error]

(据我所知我可以忽略 auxprop 消息)

...和/var/log/slapd.log:

Aug  2 04:00:19 testserv slapd[5968]: conn=61 fd=27 ACCEPT from IP=127.0.0.1:51403 (IP=0.0.0.0:389) 
Aug  2 04:00:19 testserv slapd[5968]: conn=61 op=0 BIND dn="" method=128 
Aug  2 04:00:19 testserv slapd[5968]: conn=61 op=0 RESULT tag=97 err=0 text= 
Aug  2 04:00:19 testserv slapd[5968]: conn=61 op=1 SRCH base="o=mydomain,c=com" scope=2 deref=0 filter="([email protected])" 
Aug  2 04:00:19 testserv slapd[5968]: conn=61 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text= 
Aug  2 04:00:19 testserv slapd[5968]: conn=61 op=2 UNBIND 
Aug  2 04:00:19 testserv slapd[5968]: conn=61 fd=27 closed

这些是在 /etc/imapd.conf 中的设置:

sasl_mech_list: PLAIN LOGIN
sasl_pwcheck_method: saslauthd
## sasl_auxprop_plugin: sasldb
sasl_auto_transition: no

和我的 sasl 配置:

[root@testserv ~]# cat /etc/sysconfig/saslauthd 
# Directory in which to place saslauthd's listening socket, pid file, and so
# on.  This directory must already exist.
SOCKETDIR=/var/run/saslauthd

# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
MECH=pam

# Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
# for the list of accepted flags.
FLAGS="-c -r -O /etc/saslauthd.conf"

[root@testserv ~]# cat /etc/saslauthd.conf
ldap_servers: ldap://127.0.0.1/
ldap_search_base: dc=%d,o=mydomain,c=com
ldap_auth_method: bind 
#ldap_filter: (|(uid=%u)((&(mail=%u@%d)(accountStatus=active))) 
ldap_filter: (&(mail=%u@%d)(accountStatus=active)) 
ldap_debug: 1 
ldap_version: 3

accountStatus=active 尚未出现在 ldap 中,但这没什么区别,因为我在过滤器中没有看到它……这不是失败的原因。奇怪的是,当我重命名或删除 /etc/saslauthd.conf 时,我确实会收到错误,但当文件存在时,它似乎被愉快地忽略了……

slapd.log 中的过滤器似乎取自 /etc/ldap.conf。除了一些计时器外,它仅包含:

host 127.0.0.1
base o=mydomain,c=com
pam_login_attribute mail

取消注释 pam_login_attribute 会导致 slapd.log 中出现以下过滤器:

filter="([email protected])"

Pam-imap 如下所示:

[root@testserv ~]# cat /etc/pam.d/imap 
auth       required    pam_ldap.so debug
account       required    pam_ldap.so debug

#auth       sufficient   pam_unix.so likeauth nullok
#auth       sufficient  pam_ldap.so use_first_pass
#auth       required     pam_deny.so
#account    sufficient   pam_unix.so
#account    sufficient   pam_ldap.so

取消注释的内容是因为我没有在 Ldap 中使用 cyrus 管理员用户;这是一个 Linux 用户。取消注释后,它工作正常,但我仍然需要稍微调整一下,首先我想让 imap 正常工作。

最后 nsswitch:

[root@testserv ~]# cat /etc/nsswitch.conf 
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       nisplus or nis+         Use NIS+ (NIS version 3)
#       nis or yp               Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd: compat ldap
group:  compat ldap
shadow: compat ldap

hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus

任何关于从哪里开始查找的信息都将不胜感激!

提前感谢

答案1

今天在升级一些软件包(包括 openldap、nss、kernel 等)后,CentOS 5.8 遇到了类似的问题。就我而言,pam 甚至无法连接到 LDAP 服务器。尚未发现原因。但找到了一种解决方法 - 通过在 /etc/sysconfig/saslauthd 中将 MECH=pam 更改为 MECH=ldap,告诉 saslauthd 直接连接到 LDAP,而不是通过 PAM。

答案2

从您的slapd.log:与目录服务器的会话使用""作为绑定 DN,搜索返回零个条目。您确定该条目存在吗?您确定要使用零长度 DN 进行绑定吗?您可以使用 搜索条目并返回它吗ldapsearchldapsearch您用于显示条目的 未使用零长度绑定 DN)?例如:

ldapsearch -x -b o=mydomain,c=com -s sub '([email protected])'

顺便说一句,这与您的问题无关,您不应该使用c (countryName)带有三个字母代码的属性。corcountryName属性是来自 ISO3166 的两个字母国家代码。正如我所说,它与您的问题无关,尽管一些现代目录服务器会(正确地)拒绝三个字母的国家代码。

相关内容