  1. #1
    gunnarstahl Guest

    Default PAM_MYSQL and OX6

    Hello,
    on my debian box I have installed open exchange via the debian packages. As my imap server I use cyrus 2.2.

    Now I am trying to get cyrus imap configured to authenticate against the ox6 mysql database.

    Therefore I told cyrus to use saslauthd, and saslauthd to use pam.

    My imap.conf states:
    sasl_mech_list: PLAIN LOGIN
    sasl_pwcheck_method: saslauthd

    My /etc/saslauthd states:
    MECHANISMS="pam"

    In /etc/pam.d/ I created a file called "imap" which looks like:

    Code:
    @include common-auth
    @include common-account
    auth optional pam_mysql.so host=/var/run/mysqld/mysqld.sock user=openexchange passwd=xxxxx db=oxdatabase_6 [table=login2user LEFT JOIN user ON login2user.id=user.id AND login2user.cid=user.cid] [where=user.cid=1] usercolumn=login2user.uid passwdcolumn=user.userPassword crypt=1 log=1

    account required pam_mysql.so host=/var/run/mysqld/mysqld.sock user=openexchange passwd=xxxxx db=oxdatabase_6 [table=login2user LEFT JOIN user ON login2user.id=user.id AND login2user.cid=user.cid] [where=user.cid=1] usercolumn=login2user.uid passwdcolumn=user.userPassword crypt=1 log=1
    When I try to authenticate against IMAP I get the following messages in my /var/log/auth.log:

    Code:
    cyrus/imap[17633]: badlogin: localhost [127.0.0.1] plaintext gunnarstahl SASL(-13): authentication failure: checkpass failed
    cyrus/imap[17633]: telling master 1
    In the mysql.log I can see the query being executed:
    Code:
    090304  0:30:08	    446 Connect     openexchange@localhost on oxdatabase_6
    		    446 Init DB     oxdatabase_6
    		    446 Query       SELECT user.userPassword FROM login2user LEFT JOIN user ON login2user.id=user.id AND login2user.cid=user.cid WHERE login2user.uid = 'gunnarstahl' AND (user.cid=1)
    		    446 Query       SELECT user.userPassword FROM login2user LEFT JOIN user ON login2user.id=user.id AND login2user.cid=user.cid WHERE login2user.uid = 'gunnarstahl' AND (user.cid=1)
    090304  0:30:10	    446 Quit       
    090304  0:30:15	    443 Quit       
    		    442 Quit
    Does anybody have an idea why the password check fails? I am somehow running out of ideas...

    Thanks,


    Gunnar

  2. #2
    Join Date
    Feb 2007
    Location
    Germany
    Posts
    3,695

    Default

    Hi Gunnar,

    could it be that the user passwords are hashed with SHA1 but pam_mysql is only able to hash crypt()?

    Greetings

  3. #3
    Carsten Hoeger is offline Open-Xchange Professional Services
    Join Date
    Mar 2007
    Posts
    703

    Default

    Yes, pam_mysql can only do crypt.
    Check this thread:

    http://www.open-xchange.com/forum/sh...ighlight=crypt
    OXpedia.org - the answer to almost all questions.

  4. #4
    gunnarstahl Guest

    Default First success...

    Hello,
    thanks for the info about the {crypt}-thing. This partially did the trick for me.
    But still, this somehow tries to drive me nuts.

    I have two users which were created via the creatuser-mechanism inside the /opt/open-exchange/sbin folder. These are the users "cyrus" and "gunnarstahl".

    For the user "cyrus" everything works. I can get a connection via imtest and testsaslauthd.

    The user "gunnarstahl" was created by the same means. But it doesn't work.

    The following lines show what happens inside the mysql_pam.
    I am somewhat running out of ideas so any help is appreciated.

    Testsaslauthd with user cyrus:
    Code:
    saslauthd[14450]: rel_accept_lock : released accept lock
    saslauthd[14451]: get_accept_lock : acquired accept lock
    saslauthd[14450]: cache_get_rlock : attempting a read lock on slot: 1013
    saslauthd[14450]: cache_lookup    : [login=cyrus] [service=] [realm=imap]: not found, update pending
    saslauthd[14450]: cache_un_lock   : attempting to release lock on slot: 1013
    saslauthd[14450]: pam_mysql - option verbose is set to "1"
    saslauthd[14450]: pam_mysql - pam_mysql_close_db() called.
    saslauthd[14450]: pam_mysql - pam_sm_authenticate() called.
    saslauthd[14450]: pam_mysql - pam_mysql_open_db() called.
    saslauthd[14450]: pam_mysql - pam_mysql_open_db() returning 0.
    saslauthd[14450]: pam_mysql - pam_mysql_check_passwd() called.
    saslauthd[14450]: pam_mysql - pam_mysql_format_string() called
    saslauthd[14450]: pam_mysql - pam_mysql_quick_escape() called.
    saslauthd[14450]: pam_mysql - SELECT user.userPassword FROM login2user LEFT JOIN user ON login2user.id=user.id AND login2user.cid=user.cid WHERE login2user.uid = 'cyrus' AND (user.cid=1)
    saslauthd[14450]: pam_mysql - pam_mysql_check_passwd() returning 0.
    saslauthd[14450]: pam_mysql - pam_mysql_sql_log() called.
    saslauthd[14450]: pam_mysql - pam_mysql_sql_log() returning 0.
    saslauthd[14450]: pam_mysql - pam_sm_authenticate() returning 0.
    saslauthd[14450]: pam_mysql - option host is set to "/var/run/mysqld/mysqld.sock"
    saslauthd[14450]: pam_mysql - option user is set to "openexchange"
    saslauthd[14450]: pam_mysql - option passwd is set to "xxx"
    saslauthd[14450]: pam_mysql - option db is set to "oxdatabase_6"
    saslauthd[14450]: pam_mysql - option table is set to "login2user LEFT JOIN user ON login2user.id=user.id AND login2user.cid=user.cid"
    saslauthd[14450]: pam_mysql - option where is set to "user.cid=1"
    saslauthd[14450]: pam_mysql - option usercolumn is set to "login2user.uid"
    saslauthd[14450]: pam_mysql - option passwdcolumn is set to "user.userPassword"
    saslauthd[14450]: pam_mysql - option crypt is set to "1"
    saslauthd[14450]: pam_mysql - unknown option: log
    saslauthd[14450]: pam_mysql - option verbose is set to "1"
    saslauthd[14450]: pam_mysql - pam_mysql_close_db() called.
    saslauthd[14450]: pam_mysql - pam_sm_acct_mgmt() called.
    saslauthd[14450]: pam_mysql - pam_mysql_open_db() called.
    saslauthd[14450]: pam_mysql - pam_mysql_open_db() returning 0.
    saslauthd[14450]: pam_mysql - pam_mysql_query_user_stat() called.
    saslauthd[14450]: pam_mysql - pam_mysql_format_string() called
    saslauthd[14450]: pam_mysql - pam_mysql_quick_escape() called.
    saslauthd[14450]: pam_mysql - SELECT 0, user.userPassword FROM login2user LEFT JOIN user ON login2user.id=user.id AND login2user.cid=user.cid WHERE login2user.uid = 'cyrus' AND (user.cid=1)
    saslauthd[14450]: pam_mysql - pam_mysql_query_user_stat() returning 0.
    saslauthd[14450]: pam_mysql - pam_mysql_sql_log() called.
    saslauthd[14450]: pam_mysql - pam_mysql_sql_log() returning 0.
    saslauthd[14450]: pam_mysql - pam_sm_acct_mgmt() returning 0.
    saslauthd[14450]: pam_mysql - pam_mysql_release_ctx() called.
    saslauthd[14450]: pam_mysql - pam_mysql_destroy_ctx() called.
    saslauthd[14450]: pam_mysql - pam_mysql_close_db() called.
    saslauthd[14450]: cache_get_wlock : attempting a write lock on slot: 1013
    saslauthd[14450]: cache_commit    : lookup committed
    saslauthd[14450]: cache_un_lock   : attempting to release lock on slot: 1013
    saslauthd[14450]: do_auth         : auth success: [user=cyrus] [service=imap] [realm=] [mech=pam]
    saslauthd[14450]: do_request      : response: OK
    Testsaslauthd with user gunnarstahl:
    Code:
    saslauthd[14452]: get_accept_lock : acquired accept lock
    saslauthd[14451]: rel_accept_lock : released accept lock
    saslauthd[14451]: cache_get_rlock : attempting a read lock on slot: 1522
    saslauthd[14451]: cache_lookup    : [login=gunnarstahl] [service=] [realm=imap]: not found, update pending
    saslauthd[14451]: cache_un_lock   : attempting to release lock on slot: 1522
    saslauthd[14451]: pam_unix(imap:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=gunnarstahl
    saslauthd[14451]: pam_mysql - option verbose is set to "1"
    saslauthd[14451]: pam_mysql - pam_mysql_close_db() called.
    saslauthd[14451]: pam_mysql - pam_sm_authenticate() called.
    saslauthd[14451]: pam_mysql - pam_mysql_open_db() called.
    saslauthd[14451]: pam_mysql - pam_mysql_open_db() returning 0.
    saslauthd[14451]: pam_mysql - pam_mysql_check_passwd() called.
    saslauthd[14451]: pam_mysql - pam_mysql_format_string() called
    saslauthd[14451]: pam_mysql - pam_mysql_quick_escape() called.
    saslauthd[14451]: pam_mysql - SELECT user.userPassword FROM login2user LEFT JOIN user ON login2user.id=user.id AND login2user.cid=user.cid WHERE login2user.uid = 'gunnarstahl' AND (user.cid=1)
    saslauthd[14451]: pam_mysql - pam_mysql_check_passwd() returning 0.
    saslauthd[14451]: pam_mysql - pam_mysql_sql_log() called.
    saslauthd[14451]: pam_mysql - pam_mysql_sql_log() returning 0.
    saslauthd[14451]: pam_mysql - pam_sm_authenticate() returning 0.
    saslauthd[14451]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
    saslauthd[14451]: pam_mysql - pam_mysql_release_ctx() called.
    saslauthd[14451]: pam_mysql - pam_mysql_destroy_ctx() called.
    saslauthd[14451]: pam_mysql - pam_mysql_close_db() called.
    saslauthd[14451]: do_auth         : auth failure: [user=gunnarstahl] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]

  5. #5
    gunnarstahl Guest

    Default [Solved]

    Hi,
    finally found the problem. Was rather trivial.

    My /etc/pam.d/imap file stated at the beginning:

    @include common-auth
    @include common-account

    Uncomment both and everything works. Those two lines make pam try to look up the user credentials via the default authentication mechanism, which is the standard unix shadow.

    Yt,

    Gunnar
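
Why pam_mysql returning 0 still ended in "PAM auth error" for gunnarstahl, as an added example that is not part of the original posts: a small Python model of Linux-PAM's control-flag rules, run on the stack with and without the two @include lines. It assumes common-auth contributes a single "auth required pam_unix.so" entry (the file's contents are not shown in the thread); the module results are read off the two logs in post #4.

```python
# Added illustration: how Linux-PAM combines module results in one stack.
# Control-flag semantics follow pam.conf(5); stack contents are assumptions.

# Each simple control flag is shorthand for (action on success, action on failure).
CONTROL = {
    "required":   ("ok",   "bad"),
    "requisite":  ("ok",   "die"),
    "sufficient": ("done", "ignore"),
    "optional":   ("ok",   "ignore"),
}

def run_stack(stack, results):
    """stack: list of (control, module); results: module -> True/False.
    Returns True only if the whole stack authenticates the user."""
    status = None                       # None: no module has contributed yet
    for control, module in stack:
        on_success, on_failure = CONTROL[control]
        action = on_success if results[module] else on_failure
        if action == "ignore":
            continue                    # result does not count at all
        if action in ("bad", "die"):
            status = False              # a recorded failure is never overwritten
            if action == "die":
                break
        elif status is None:            # "ok"/"done" only counts before any failure
            status = True
        if action == "done" and status:
            break
    return status is True               # nothing contributed: PAM fails closed

# Assumed auth stack as first posted: common-auth (pam_unix), then pam_mysql.
ORIGINAL = [("required", "pam_unix"), ("optional", "pam_mysql")]
# Auth stack once the @include lines no longer take effect.
FIXED = [("optional", "pam_mysql")]

# Per-module results as seen in the logs of post #4.
CYRUS = {"pam_unix": True, "pam_mysql": True}         # no pam_unix failure logged
GUNNARSTAHL = {"pam_unix": False, "pam_mysql": True}  # pam_unix failure logged

if __name__ == "__main__":
    print("cyrus, original stack:      ", run_stack(ORIGINAL, CYRUS))
    print("gunnarstahl, original stack:", run_stack(ORIGINAL, GUNNARSTAHL))
    print("gunnarstahl, fixed stack:   ", run_stack(FIXED, GUNNARSTAHL))
    print("wrong password, fixed stack:", run_stack(FIXED, {"pam_mysql": False}))
```

With pam_mysql as the only auth module, "optional" still rejects a wrong password because an ignored failure leaves the stack with no success; writing it as "required" states that intent directly.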

  6. #6
    cyrixCrawler Guest

    Default

    pam-mysql has supported SHA1 for a few years.....
    OX just encodes the SHA password with base64 and non-hex.....

    So to compare SHA1 passwords, first step would be to decode the userpassword with base64. Then convert the string into HEX...
    Finally set it to lowercase....
    ....
    I've simply added a function to the OX Database for decoding base64.

    So, my password query includes.... lower(hex(BASE64_DECODE(user.userPassword)))
    ...
    This gives me a standard SHA1 hash in HEX....
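
The conversion described in this post (base64 decode, hex encode, lowercase), as an added Python example that is not the poster's database function. It assumes, as the post states, that the stored value is the base64 encoding of the raw SHA-1 digest; the function names and the sample value are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

def ox_to_hex(stored):
    """Base64 of a raw SHA-1 digest -> lowercase hex string.
    Returns None when the value is not valid base64 or not 20 bytes long."""
    try:
        raw = base64.b64decode(stored, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) != hashlib.sha1().digest_size:
        return None
    return raw.hex()                    # bytes.hex() is already lowercase

def check_password(candidate, stored):
    """Compare the way a hex-SHA-1 checker would: hash the candidate,
    then compare against the converted stored value in constant time."""
    expected = ox_to_hex(stored)
    if expected is None:
        return False                    # malformed rows never authenticate
    actual = hashlib.sha1(candidate.encode("utf-8")).hexdigest()
    return hmac.compare_digest(actual, expected)

# Constructed sample: the base64 form of SHA-1("password").
SAMPLE_STORED = "W6ph5Mm5Pz8GgiULbPgzG37mj9g="

if __name__ == "__main__":
    print(ox_to_hex(SAMPLE_STORED))
    print(check_password("password", SAMPLE_STORED))
    print(check_password("Password", SAMPLE_STORED))
    print(ox_to_hex("not base64!"))
```

On MySQL 5.6 and later the built-in FROM_BASE64() performs the decoding step, so a custom function is not needed there. The digest compared here is unsalted SHA-1, which is fast to brute-force if the table leaks.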

  7. #7
    Join Date
    Oct 2007
    Location
    Germany, Essen
    Posts
    171

    Default

    hi,

    we also want to use pam.d with sha.

    If I understand correctly, OX uses a base64(sha) key to save in the db, but (we use cyrus) when we want to authenticate, the given key is the original sha key.

    What have you changed in your /etc/pam.d/imap file?

    Best regards

    outlow

    ###########
    Hi,

    we are also trying to use pam with the SHA check method.

    As I see it, OX uses a SHA key that is encoded with BASE64; when Cyrus then tries to authenticate, only the SHA key is used here.

    Of course this does not match. How did you change your query in /etc/pam.d/imap so that it works?

    I would be glad if you could support us here.

    Best regards

    Outlow

  8. #8
    Join Date
    Oct 2007
    Location
    Germany, Essen
    Posts
    171

    Default

    i found it.

    thx

  9. #9

    Default

    hi,

    We have actually the same problem,
    please, can you tell us what you found?

    thanks

  10. #10

    Default

    hi,

    we are very sorry, the solution is in the forum
    https://forum.open-xchange.com/showt...ghlight=base64

    thank
