PAM_MYSQL and OX6
  • PAM_MYSQL and OX6

    Hello,
    on my debian box I have installed open exchange via the debian packages. As my imap server I use cyrus 2.2.

    Now I am trying to get cyrus imap configured to authenticate against the ox6 mysql database.

    Therefore I told cyrus to use saslauthd, and saslauthd to use pam.

    My imap.conf states:
    sasl_mech_list: PLAIN LOGIN
    sasl_pwcheck_method: saslauthd

    My /etc/saslauthd states:
    MECHANISMS="pam"

    In /etc/pam.d/ I created a file called "imap" which looks like:

    Code:
    @include common-auth
    @include common-account
    auth optional pam_mysql.so host=/var/run/mysqld/mysqld.sock user=openexchange passwd=xxxxx db=oxdatabase_6 [table=login2user LEFT JOIN user ON login2user.id=user.id AND login2user.cid=user.cid] [where=user.cid=1] usercolumn=login2user.uid passwdcolumn=user.userPassword crypt=1 log=1
    
    account required pam_mysql.so host=/var/run/mysqld/mysqld.sock user=openexchange passwd=xxxxx db=oxdatabase_6 [table=login2user LEFT JOIN user ON login2user.id=user.id AND login2user.cid=user.cid] [where=user.cid=1] usercolumn=login2user.uid passwdcolumn=user.userPassword crypt=1 log=1
    When I try to authenticate against IMAP I get the following messages in my /var/log/auth.log:

    Code:
    cyrus/imap[17633]: badlogin: localhost [127.0.0.1] plaintext gunnarstahl SASL(-13): authentication failure: checkpass failed
    cyrus/imap[17633]: telling master 1
    In the mysql.log I can see the query being executed:
    Code:
    090304  0:30:08	    446 Connect     openexchange@localhost on oxdatabase_6
    		    446 Init DB     oxdatabase_6
    		    446 Query       SELECT user.userPassword FROM login2user LEFT JOIN user ON login2user.id=user.id AND login2user.cid=user.cid WHERE login2user.uid = 'gunnarstahl' AND (user.cid=1)
    		    446 Query       SELECT user.userPassword FROM login2user LEFT JOIN user ON login2user.id=user.id AND login2user.cid=user.cid WHERE login2user.uid = 'gunnarstahl' AND (user.cid=1)
    090304  0:30:10	    446 Quit       
    090304  0:30:15	    443 Quit       
    		    442 Quit
    Does anybody have an idea why the password check fails? I am somehow running out of ideas...

    Thanks,


    Gunnar

  • #2
    Hi Gunnar,

    could it be that the user passwords are hashed with SHA1 but pam_mysql is only able to hash crypt()?

    Greetings

    Comment


    • #3
      Yes, pam_mysql can only do crypt.
      Check this thread:

      Comment


      • #4
        First success...

        Hello,
        thanks for the info about the {crypt}-thing. This partially did the trick for me.
        But still, this somehow tries to drive me nuts.

        I have two users which were created via the createuser mechanism inside the /opt/open-exchange/sbin folder. These are the users "cyrus" and "gunnarstahl".

        For the user "cyrus" everything works. I can get a connection via imtest and testsaslauthd.

        The user "gunnarstahl" was created by the same means. But it doesn't work.

        The following lines show what happens inside the mysql_pam.
        I am somewhat running out of ideas so any help is appreciated.

        Testsaslauthd with user cyrus:
        Code:
        saslauthd[14450]: rel_accept_lock : released accept lock
        saslauthd[14451]: get_accept_lock : acquired accept lock
        saslauthd[14450]: cache_get_rlock : attempting a read lock on slot: 1013
        saslauthd[14450]: cache_lookup    : [login=cyrus] [service=] [realm=imap]: not found, update pending
        saslauthd[14450]: cache_un_lock   : attempting to release lock on slot: 1013
        saslauthd[14450]: pam_mysql - option verbose is set to "1"
        saslauthd[14450]: pam_mysql - pam_mysql_close_db() called.
        saslauthd[14450]: pam_mysql - pam_sm_authenticate() called.
        saslauthd[14450]: pam_mysql - pam_mysql_open_db() called.
        saslauthd[14450]: pam_mysql - pam_mysql_open_db() returning 0.
        saslauthd[14450]: pam_mysql - pam_mysql_check_passwd() called.
        saslauthd[14450]: pam_mysql - pam_mysql_format_string() called
        saslauthd[14450]: pam_mysql - pam_mysql_quick_escape() called.
        saslauthd[14450]: pam_mysql - SELECT user.userPassword FROM login2user LEFT JOIN user ON login2user.id=user.id AND login2user.cid=user.cid WHERE login2user.uid = 'cyrus' AND (user.cid=1)
        saslauthd[14450]: pam_mysql - pam_mysql_check_passwd() returning 0.
        saslauthd[14450]: pam_mysql - pam_mysql_sql_log() called.
        saslauthd[14450]: pam_mysql - pam_mysql_sql_log() returning 0.
        saslauthd[14450]: pam_mysql - pam_sm_authenticate() returning 0.
        saslauthd[14450]: pam_mysql - option host is set to "/var/run/mysqld/mysqld.sock"
        saslauthd[14450]: pam_mysql - option user is set to "openexchange"
        saslauthd[14450]: pam_mysql - option passwd is set to "xxx"
        saslauthd[14450]: pam_mysql - option db is set to "oxdatabase_6"
        saslauthd[14450]: pam_mysql - option table is set to "login2user LEFT JOIN user ON login2user.id=user.id AND login2user.cid=user.cid"
        saslauthd[14450]: pam_mysql - option where is set to "user.cid=1"
        saslauthd[14450]: pam_mysql - option usercolumn is set to "login2user.uid"
        saslauthd[14450]: pam_mysql - option passwdcolumn is set to "user.userPassword"
        saslauthd[14450]: pam_mysql - option crypt is set to "1"
        saslauthd[14450]: pam_mysql - unknown option: log
        saslauthd[14450]: pam_mysql - option verbose is set to "1"
        saslauthd[14450]: pam_mysql - pam_mysql_close_db() called.
        saslauthd[14450]: pam_mysql - pam_sm_acct_mgmt() called.
        saslauthd[14450]: pam_mysql - pam_mysql_open_db() called.
        saslauthd[14450]: pam_mysql - pam_mysql_open_db() returning 0.
        saslauthd[14450]: pam_mysql - pam_mysql_query_user_stat() called.
        saslauthd[14450]: pam_mysql - pam_mysql_format_string() called
        saslauthd[14450]: pam_mysql - pam_mysql_quick_escape() called.
        saslauthd[14450]: pam_mysql - SELECT 0, user.userPassword FROM login2user LEFT JOIN user ON login2user.id=user.id AND login2user.cid=user.cid WHERE login2user.uid = 'cyrus' AND (user.cid=1)
        saslauthd[14450]: pam_mysql - pam_mysql_query_user_stat() returning 0.
        saslauthd[14450]: pam_mysql - pam_mysql_sql_log() called.
        saslauthd[14450]: pam_mysql - pam_mysql_sql_log() returning 0.
        saslauthd[14450]: pam_mysql - pam_sm_acct_mgmt() returning 0.
        saslauthd[14450]: pam_mysql - pam_mysql_release_ctx() called.
        saslauthd[14450]: pam_mysql - pam_mysql_destroy_ctx() called.
        saslauthd[14450]: pam_mysql - pam_mysql_close_db() called.
        saslauthd[14450]: cache_get_wlock : attempting a write lock on slot: 1013
        saslauthd[14450]: cache_commit    : lookup committed
        saslauthd[14450]: cache_un_lock   : attempting to release lock on slot: 1013
        saslauthd[14450]: do_auth         : auth success: [user=cyrus] [service=imap] [realm=] [mech=pam]
        saslauthd[14450]: do_request      : response: OK
        Testsaslauthd with user gunnarstahl:
        Code:
        saslauthd[14452]: get_accept_lock : acquired accept lock
        saslauthd[14451]: rel_accept_lock : released accept lock
        saslauthd[14451]: cache_get_rlock : attempting a read lock on slot: 1522
        saslauthd[14451]: cache_lookup    : [login=gunnarstahl] [service=] [realm=imap]: not found, update pending
        saslauthd[14451]: cache_un_lock   : attempting to release lock on slot: 1522
        saslauthd[14451]: pam_unix(imap:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=gunnarstahl
        saslauthd[14451]: pam_mysql - option verbose is set to "1"
        saslauthd[14451]: pam_mysql - pam_mysql_close_db() called.
        saslauthd[14451]: pam_mysql - pam_sm_authenticate() called.
        saslauthd[14451]: pam_mysql - pam_mysql_open_db() called.
        saslauthd[14451]: pam_mysql - pam_mysql_open_db() returning 0.
        saslauthd[14451]: pam_mysql - pam_mysql_check_passwd() called.
        saslauthd[14451]: pam_mysql - pam_mysql_format_string() called
        saslauthd[14451]: pam_mysql - pam_mysql_quick_escape() called.
        saslauthd[14451]: pam_mysql - SELECT user.userPassword FROM login2user LEFT JOIN user ON login2user.id=user.id AND login2user.cid=user.cid WHERE login2user.uid = 'gunnarstahl' AND (user.cid=1)
        saslauthd[14451]: pam_mysql - pam_mysql_check_passwd() returning 0.
        saslauthd[14451]: pam_mysql - pam_mysql_sql_log() called.
        saslauthd[14451]: pam_mysql - pam_mysql_sql_log() returning 0.
        saslauthd[14451]: pam_mysql - pam_sm_authenticate() returning 0.
        saslauthd[14451]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
        saslauthd[14451]: pam_mysql - pam_mysql_release_ctx() called.
        saslauthd[14451]: pam_mysql - pam_mysql_destroy_ctx() called.
        saslauthd[14451]: pam_mysql - pam_mysql_close_db() called.
        saslauthd[14451]: do_auth         : auth failure: [user=gunnarstahl] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]

        Comment


        • #5
          [Solved]

          Hi,
          finally found the problem. Was rather trivial.

          My /etc/pam.d/imap file stated at the beginning:

          @include common-auth
          @include common-account

          Uncomment both and everything works. Those two lines make pam try to look up the user credentials via the default authentication mechanism, which is the standard unix shadow.

          Yt,

          Gunnar

          Comment


          • #6
            pam-mysql has supported SHA1 for a few years.....
            OX just encodes the SHA password with base64 and non-hex.....

            So to compare SHA1 passwords, first step would be to decode the userpassword with base64. Then convert the string into HEX...
            Finally set it to lowercase....
            ....
            I've simply added a function to the OX Database for decoding base64.

            So, my password query includes.... lower(hex(BASE64_DECODE(user.userPassword)))
            ...
            This gives me a standard SHA1 hash in HEX....

            Comment
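            The conversion described above (base64-decode the stored userPassword, hex-encode the raw digest, lowercase it, compare with the SHA-1 of the submitted password), written out as an added Python example. This is not code from the thread or from Open-Xchange or pam_mysql; it assumes, as post #6 states, that OX6 stores userPassword as the base64 encoding of the raw 20-byte SHA-1 digest, and it mirrors what the SQL expression lower(hex(BASE64_DECODE(user.userPassword))) produces on the database side. The function names and the sample password are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac

SHA1_DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes


def ox_encode_password(password: str) -> str:
    """Produce an OX6-style userPassword value: base64 of the raw SHA-1 digest.

    Assumption from the thread: OX stores base64(sha1(password)), not hex.
    Used here only to build sample database values for the demonstration.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def ox_userpassword_to_hex_sha1(stored: str) -> str:
    """Convert a stored OX6 userPassword to the lowercase hex SHA-1 that a
    SHA1-mode pam_mysql comparison expects.

    Equivalent to the SQL expression lower(hex(BASE64_DECODE(user.userPassword)))
    from the post above. Raises ValueError if the value is not a base64-encoded
    20-byte digest, so a malformed row never silently "matches".
    """
    try:
        raw = base64.b64decode(stored, validate=True)
    except binascii.Error as exc:
        raise ValueError("userPassword is not valid base64") from exc
    if len(raw) != SHA1_DIGEST_LEN:
        raise ValueError("decoded userPassword is not a SHA-1 digest")
    # hexlify yields lowercase hex already; lower() documents the intent.
    return binascii.hexlify(raw).decode("ascii").lower()


def check_password(candidate: str, stored: str) -> bool:
    """Return True if `candidate` is the password behind the stored OX6 value.

    The comparison uses hmac.compare_digest so that timing does not depend on
    how many leading characters of the two hex strings agree.
    """
    try:
        expected_hex = ox_userpassword_to_hex_sha1(stored)
    except ValueError:
        return False
    actual_hex = hashlib.sha1(candidate.encode("utf-8")).hexdigest()
    return hmac.compare_digest(actual_hex, expected_hex)


if __name__ == "__main__":
    # Constructed sample row: what OX6 would store for the password "password".
    sample_row = ox_encode_password("password")
    print("stored userPassword:", sample_row)
    print("as hex SHA-1       :", ox_userpassword_to_hex_sha1(sample_row))
    print("correct password   :", check_password("password", sample_row))
    print("wrong password     :", check_password("letmein", sample_row))
```

            For the database side of the same idea: MySQL 5.6 and later ship a built-in FROM_BASE64() function, so on those versions the custom BASE64_DECODE function mentioned in the post can be replaced by lower(hex(FROM_BASE64(user.userPassword))). Note that this only makes the stored hash comparable; unsalted SHA-1 is what OX6 stores, and the conversion does not make it any stronger.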


            • #7
              hi,

              we also want to use pam.d with sha.

              If I think right, OX uses a base64(sha) key to save in the DB, but (we use cyrus) if we want to authenticate, the given key is the original sha key.

              What have you changed in your /etc/pam.d/imap file?

              Best regards

              outlow

              ###########
              Hi,

              we also want to use pam with the sha verification method.

              As far as I can see, OX uses a SHA key that is base64-encoded; when Cyrus now tries to authorize, only the SHA key is used here.

              Of course that does not match; how did you rework your query in /etc/pam.d/imap so that it works?

              I would be glad if you could support us here.

              Regards

              Outlow

              Comment


              • #8
                i found it.

                thx

                Comment


                • #9
                  hi,

                  We actually have the same problem,
                  please, can you tell us what you found?

                  thanks

                  Comment


                  • #10
                    hi,

                    we are very sorry, the solution is in the forum


                    thank

                    Comment
