Announcement

**motin** · 09-26-2008, 01:38 PM

The current problem is that pam still doesn't authenticate against the OX database: saslauthd[8487]: pam_mysql - SELECT returned no result.

This is due to he fact that pam and ox hashes the passwords differently. That much is evident, but I don't understand in what format OX stores it's passwords... As seen in the script, the default method of SHA is changed to CRYPT, as this is the only method we have got to work with pam-mysql... Still, after this change, a restart and a new user creation, the password in the database doesn't match any of the following hashing methods:

Code:

mysql> select l.uid, u.userPassword from login2user l LEFT JOIN user u on l.id=u.id and l.cid=u.cid WHERE u.cid=1 AND l.uid='testuser';
+----------+---------------+
| uid      | userPassword  |
+----------+---------------+
| testuser | PmJ.sS6RSS1io |
+----------+---------------+
1 row in set (0.00 sec)

mysql> select sha('secret');
+------------------------------------------+
| sha('secret')                            |
+------------------------------------------+
| e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4 |
+------------------------------------------+
1 row in set (0.00 sec)

mysql> select encrypt('secret');
+-------------------+
| encrypt('secret') |
+-------------------+
| KCuK/kHIq6f2Y     |
+-------------------+
1 row in set (0.00 sec)

mysql> SELECT password('secret');
+-------------------------------------------+
| password('secret')                        |
+-------------------------------------------+
| *14E65567ABDB5135D0CFD9A70B3032C179A49EE7 |
+-------------------------------------------+
1 row in set (0.00 sec)

mysql> SELECT md5('secret');
+----------------------------------+
| md5('secret')                    |
+----------------------------------+
| 5ebe2294ecd0e0f08eab7690d2a6ee69 |
+----------------------------------+
1 row in set (0.00 sec)

Still, as encrypt() produces a string with the same length, I guess OX is indeed using encrypt() - but possibly with some seed/salt added to the password. Can anyone confirm this and possible instruct how to tell pam how to authenticate against this?

EDIT: Even more confusing:
Creating a second testuser with the same password ("secret") produces yet another hash in the password field:

Code:

/etc/init.d/open-xchange-admin restart
/etc/init.d/open-xchange-groupware restart
/opt/open-xchange/sbin/createuser -c 1 -A oxadmin -P $OX_ADMIN_PASSWORD -u testuser2 -d "Test User 2" -g Test -s User -p secret -e testuser2@$DOMAIN --imaplogin testuser2 --imapserver 127.0.0.1 --smtpserver 127.0.0.1 

mysql -D oxdatabase_6 -u openexchange -p

mysql> select l.uid, u.userPassword from login2user l LEFT JOIN user u on l.id=u.id and l.cid=u.cid WHERE u.cid=1 AND l.uid='testuser2';
+-----------+---------------+
| uid       | userPassword  |
+-----------+---------------+
| testuser2 | 7rw6tPeKns97A |
+-----------+---------------+
1 row in set (0.00 sec)

**motin** · 09-26-2008, 01:58 PM

Originally posted by Martin Braun View Post

b) Use CRYPT and set this mech as default when creating the database (look at the manual at http://software.open-xchange.com/ox6docs/ or the command line tool --help)

I checked the administration manuals and also the --help commands of initconfigdb and oxinstaller without finding any option to set CRYPT as the default mech. Could you be more specific? Thanks man!

EDIT: After some investigation, I conclude that the User.properties setting must be the one that you are referring to.

**motin** · 09-26-2008, 02:49 PM

Originally posted by motin View Post

Still, as encrypt() produces a string with the same length, I guess OX is indeed using encrypt() - but possibly with some seed/salt added to the password. Can anyone confirm this and possible instruct how to tell pam how to authenticate against this?

Delving into the source code, the 6.6 authentication method becomes apparent:

./server/src/com/openexchange/groupware/ldap/UserStorage.java

Code:

    public static final boolean authenticate(final User user,
        final String password) throws UserException {
        boolean retval = false;
        if ("{CRYPT}".equals(user.getPasswordMech())) {
            retval = UnixCrypt.matches(user.getUserPassword(), password);
        } else if ("{SHA}".equals(user.getPasswordMech())) {
            retval = UserTools.hashPassword(password).equals(user
                .getUserPassword());
        }
        return retval;
    }

./server/src/com/openexchange/passwordchange/mechs/UnixCrypt.java

Code:

    public final static boolean matches(final String encryptedPassword, final String enteredPassword) throws UnsupportedEncodingException
    {
      final String salt = encryptedPassword.substring(0, 3);
      final String newCrypt = crypt(salt, enteredPassword);

      return newCrypt.equals(encryptedPassword);
    }

So the password is salted with the first three characters of the encrypted password string... Great to know - but how do we tell pam to understand this?

**motin** · 09-26-2008, 03:04 PM

Delving into the latest pam_mysql.c, it is apparent that

1. sha is NOT supported by pam_mysql
2. the crypt salting method is NOT the same as OX uses:

Code:

                        if (strncmp("$1$", row[0], 3) == 0) {
                                /* A MD5 salt starts with "$1$" and is 12 bytes long */
                                strncpy(salt, row[0], 12);
                                salt[12] = '\0';
                        } else {
                                /* If it's not MD5, assume DES and a 2 byte salt.  */
                                strncpy(salt, row[0], 2);
                                salt[2] = '\0';
                        }

OX uses a 3-byte salt...

Check out pam_mysql.c for yourselves:

Code:

cvs -d:pserver:anonymous@pam-mysql.cvs.sourceforge.net:/cvsroot/pam-mysql login
# Press enter on password prompt
cvs -z3 -d:pserver:anonymous@pam-mysql.cvs.sourceforge.net:/cvsroot/pam-mysql co pam_mysql

EDIT: Sorry, that was the 0.7 branch. The 0.6.2 version is the one used in hardy. Looking into this source code, we can still conclude:

1. SHA is not supported
2. No other methods than CRYPT in pam_mysql is supported by OX
3. The Crypt:ing code looks like:

Code:

                        /* ENCRYPT */
                        case 1:
                                vresult = strcmp(row[0], crypt(passwd, row[0]));
                                if (errno) {
                                        syslog(LOG_AUTHPRIV | LOG_ERR, PAM_MYSQL_LOG_PREFIX "something went wrong when invoking crypt() - %s", strerror(errn$
                                }
                                break;

**Martin Heiland** · 09-26-2008, 03:07 PM

Okay, it seems my assumtion was wrong, the setting for the password mech is set at the file:
/opt/open-xchange/etc/admindaemon/User.properties:
DEFAULT_PASSWORD_MECHANISM=SHA

Of course this will not change your existing crypted passwords to the new mech, but this setting is applied when creating a new context. It should be configured before creating the first context.

If you like to create users with a different mech to a existing context, you can overwrite the settings in User.properties by using the commandline parameter --passwordmech at the changeuser command.
For example:
/opt/open-xchange/sbin/changeuser -c 1 -u testuser --passwordmech {CRYPT} -p secret

Note that {CRYPT} and {SHA} are valid options to the passwordmech command.

Hope that helps

**motin** · 09-26-2008, 03:29 PM

Originally posted by Martin Braun View Post

Okay, it seems my assumtion was wrong, the setting for the password mech is set at the file:
/opt/open-xchange/etc/admindaemon/User.properties:
DEFAULT_PASSWORD_MECHANISM=SHA

Of course this will not change your existing crypted passwords to the new mech, but this setting is applied when creating a new context. It should be configured before creating the first context.

If you like to create users with a different mech to a existing context, you can overwrite the settings in User.properties by using the commandline parameter --passwordmech at the changeuser command.
For example:
/opt/open-xchange/sbin/changeuser -c 1 -u testuser --passwordmech {CRYPT} -p secret

Note that {CRYPT} and {SHA} are valid options to the passwordmech command.

Hope that helps

Thanks man, but unfortunately, as concluded above, pam_mysql's interpretation of "CRYPT" is different from OX's interpretation of the same. So until this is fixed somehow, we cannot authenticate against the OX database using pam_mysql...

EDIT: Sorry for jumping to conclusions! Thanks for the changuser suggestion - it is much shorter than the corresponding sql...

**motin** · 09-26-2008, 03:54 PM

I attempted to create a new option for pam_mysql in the form of "crypt=99":

Code:

# diff org/pam-mysql-0.6.2/pam_mysql.c pam-mysql-0.6.2/pam_mysql.c
489a490,493
>               case 99:
>                       *pretval = "ox";
>                       break;
>
520a525,528
>       if (strcmp(newval_str, "99") == 0 || strcasecmp(newval_str, "ox") == 0) {
>               *(int *)val = 99;
>               return PAM_MYSQL_ERR_SUCCESS;
>       }
1248a1257,1258
>         char *salt = NULL;              /* Buffer for salt */
>         char *crypted = NULL;              /* Buffer for crypted password */
1328a1339,1364
>                       /* OPEN XCHANGE CRYPT */
>                       case 99:
>
>                               salt = malloc(sizeof(char) * strlen(row[0]) + 1);
>
>                               if (salt == NULL) {
>                                       syslog(LOG_ERR, "%s", "pam_mysql: Insufficient memory to allocate salt");
>                                       return PAM_BUF_ERR;
>                               }
>
>                               /* OX compatibility - 3-byte salt */
>                               strncpy(salt, row[0], 3);
>                               salt[3] = '\0';
>
>                               crypted = crypt(passwd, salt);
>
>                               /* crypted = crypt(passwd, row[0]) */
>                               vresult = strcmp(row[0], crypted);
>                               /* debug: */
>                               syslog(LOG_AUTHPRIV | LOG_ERR, PAM_MYSQL_LOG_PREFIX "DEBUG crypt() - %s, %s, %s, %s, %s", row[0], passwd, vresult, crypted, salt);
>
>                               if (errno) {
>                                       syslog(LOG_AUTHPRIV | LOG_ERR, PAM_MYSQL_LOG_PREFIX "something went wrong when invoking crypt() - %s", strerror(errno));
>                               }
>                               break;
>

Feel free to try it out:

Code:

apt-get install build-essential fakeroot
apt-get build-dep libpam-mysql
apt-get source libpam-mysql
# apply the patch here
dpkg-buildpackage -rfakeroot -uc -b
dpkg -i ../libpam*.deb
/etc/init.d/saslauthd restart
/etc/init.d/cyrus2.2 restart
imtest -m login -u testuser2

Don't forget to change your crypt=1 setting in /etc/pam.d/imap to crypt=99

Unfortunately:
1. I still don't get it to authenticate:

Code:

# tail -f /var/log/syslog
Sep 26 15:49:44 pija-mail1 cyrus/imap[4571]: executed
Sep 26 15:49:44 pija-mail1 cyrus/imap[4571]: accepted connection
Sep 26 15:49:47 pija-mail1 cyrus/imap[4571]: badlogin: localhost [127.0.0.1] plaintext root SASL(-13): authentication failure: checkpass failed

# tail -f /var/log/auth.log
Sep 26 15:59:12 pija-mail1 saslauthd[10551]: pam_mysql - SELECT returned no result.
Sep 26 15:59:12 pija-mail1 saslauthd[10551]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
Sep 26 15:59:12 pija-mail1 saslauthd[10551]: do_auth         : auth failure: [user=root] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]

2. It may be very little needed to get the patch to work, but I have never before coded in C and don't know how to debug things like this. Any suggestions? Any developer that I may contact?

**Martin Heiland** · 09-26-2008, 04:29 PM

I'm no pam expert, but auth=root seems to be suspicious

**motin** · 09-26-2008, 05:48 PM

Originally posted by Martin Braun View Post

I'm no pam expert, but auth=root seems to be suspicious

I was running imtest as root.

Nevertheless - I now have working authentication! It turns out that there is no incompatibility issue between OX 6.6 and pam_mysql... More about it in my upcoming post.

**motin** · 09-26-2008, 06:04 PM

Originally posted by motin View Post

I have now finished the script as to how far we have come in this matter and have installed an 8.04 Groupware server from scratch exactly following the current version of the script at http://www.open-xchange.com/wiki/ind....04#The_Script

After logging in as a test user, the following error messages are reported:

1. Before clicking anywhere: Invalid sieve credentials (MAIL_FILTER-0002,-669174025-50)
2. After clicking on the mail icon: Missing parameter folder (MSG-0001,-669174025-51)
3. After clicking back to the dashboard, then the mail icon again: No connection available to access mailbox (IMAP-2001,-669174025-57)

How do we fix these issues? Any ideas?

I'd suggest the following

:

1. Go wonder... I went back to a virtual server that I configured _before_ finding this thread and/or started summarizing the 6.6 installation script. Somehow I got pam_mysql authentication against the OX 6.6 database working... So I am sticking to this setup!
2. Now here is a real solution: createuser won't create your IMAP mailbox for you, so you need to set it up yourself:

Code:

cyradm -user oxadmin 127.0.0.1 # Periods or frontslashes depends on your settings... only one should be necessary
cm user.testuser
cm user.testuser.INBOX
cm user/testuser
cm user/testuser/INBOX

3. Solve point 1 and re-login - when you have authentication setup - this issue will not appear.

**Martin Heiland** · 09-26-2008, 08:37 PM

Oh, nice - i'll add this to the E-Mail setup guide

**jastorino** · 09-29-2008, 08:13 PM

Originally posted by motin View Post

I'd suggest the following

:

1. Go wonder... I went back to a virtual server that I configured _before_ finding this thread and/or started summarizing the 6.6 installation script. Somehow I got pam_mysql authentication against the OX 6.6 database working... So I am sticking to this setup!
2. Now here is a real solution: createuser won't create your IMAP mailbox for you, so you need to set it up yourself:

Code:

cyradm -user oxadmin 127.0.0.1 # Periods or frontslashes depends on your settings... only one should be necessary
cm user.testuser
cm user.testuser.INBOX
cm user/testuser
cm user/testuser/INBOX

3. Solve point 1 and re-login - when you have authentication setup - this issue will not appear.

First, thanks for all the work you put into a solution for the installation of OpenExchange.

I have tried to run the above commands, but when I try to run "cyradm -user oxadmin 127.0.0.1" it tells me "cannot authenticate to server as oxadmin".

Am I using the wrong password for this? Does the oxadmin account get created by the script with the same password I define at the top of the script?

Thanks for your help.

**sedeke** · 09-29-2008, 08:36 PM

Sorry may a stupid question, but I'm not familiar with filtering.

I use the Courier-IMAP server with maildrop.
Does your filter plugin work with it, or only with sieve?
Is sieve a product of cyrus??

**motin** · 09-29-2008, 11:00 PM

Originally posted by jastorino View Post

First, thanks for all the work you put into a solution for the installation of OpenExchange.

I have tried to run the above commands, but when I try to run "cyradm -user oxadmin 127.0.0.1" it tells me "cannot authenticate to server as oxadmin".

Am I using the wrong password for this? Does the oxadmin account get created by the script with the same password I define at the top of the script?

Thanks for your help.

Can you perform a test-login with your user as follows?

Code:

imtest -m login -u oxadmin -a oxadmin

If not, have you set up CRYPT as OX authentication method, as well as the mech method for oxadmin?

Code:

/opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P oxadmin_password_changeme -u oxadmin --passwordmech {CRYPT} -p oxadmin_password_changeme

Originally posted by sedeke View Post

Sorry may a stupid question, but I'm not familiar with filtering.

I use the Courier-IMAP server with maildrop.
Does your filter plugin work with it, or only with sieve?
Is sieve a product of cyrus??

Sorry, but this question is off-topic and not related to the solutions discussed in this thread. Please start a new thread to get the necessary attention for your case.

**jastorino** · 09-29-2008, 11:43 PM

Originally posted by motin View Post

Can you perform a test-login with your user as follows?

Code:

imtest -m login -u oxadmin -a oxadmin

If not, have you set up CRYPT as OX authentication method, as well as the mech method for oxadmin?

Code:

/opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P oxadmin_password_changeme -u oxadmin --passwordmech {CRYPT} -p oxadmin_password_changeme

attention for your case.

I tried the imtest command as per your suggestion and it failed the authentication. I also ran the changeuser command as per your suggestion above and imtest still fails. See output of imtest below:

WARNING: no hostname supplied, assuming localhost

S: * OK mailserver Cyrus IMAP4 v2.2.13-Debian-2.2.13-13ubuntu3 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN oxadmin {10}
S: + go ahead
C: <omitted>
S: L01 NO Login failed: authentication failure
Authentication failed. generic failure
Security strength factor: 0

-----

I basically installed Ubuntu server 8.04
I ran the install script (I believe created by yourself)
and after reading this post I am trying to get the email component by running the Cyradm command.

Any further suggestions would be greatly appreciated.

Thanks

Announcement

Problem after installing OX6

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment