cyrus-imap validating against Active Directory [CLOSED]


Post by garaujo » Sun Oct 10, 2010 11:55 pm

Hello David, I finished my lab for Active Directory validation ... I can't get it to work in Artica because some files are rewritten when I stop and start some services like saslauthd, but I CAN validate the web interface against Active Directory, and make a successful kinit logon from the Artica machine ...

After several errors and misconfigurations, I decided to install a machine with CentOS 5.5 in BASE mode (minimal installation), and there I could successfully validate the user for both SMTP and IMAP using Kerberos and Active Directory.

This is how I did it:


Artica with cyrus-imap validating against Active Directory using kerberos (R&D)

My Windows server is a Windows 2008 with Active Directory in Mixed mode (Native for 2003), installed for this lab.
Windows machine name: hadesw2008   Domain: GZISNET.AD (dc=gzisnet,dc=ad)
IP address: 192.168.254.2

Linux server: CentOS 5.5 minimal installation
Name: LinuxPostfix
IP address: 192.168.254.3, DNS: 192.168.254.2 (Active Directory resolution for Kerberos validation: _kerberos._tcp.gzisnet.ad)

Linux Machine:
- Install postfix and cyrus-imapd (yum install postfix cyrus-imapd)
- Test DNS resolution with Active Directory:

Code:
[root@LinuxPostfix ~]# host -t any  _kerberos._tcp.gzisnet.ad
_kerberos._tcp.gzisnet.ad has SRV record 0 100 88 hadesw2008.gzisnet.ad.
[root@LinuxPostfix ~]#


Modify /etc/krb5.conf; here is the final modification:

Code:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = GZISNET.AD
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 GZISNET.AD = {
  kdc = gzisnet.ad:88
  admin_server = gzisnet.ad:749
  default_domain = gzisnet.ad
 }

[domain_realm]
 .gzisnet.ad = GZISNET.AD
 gzisnet.ad = GZISNET.AD

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }


Now test for LDAP search and Kerberos validation (no answer means VALIDATED):

Code:
[root@LinuxPostfix ~]# kinit garaujo
Password for garaujo@GZISNET.AD:
[root@LinuxPostfix ~]#


If there are errors in the configuration, the command fails with a status and description, like this one for an incorrect password:

Code:
Password for garaujo@GZISNET.AD:
kinit(v5): Preauthentication failed while getting initial credentials
[root@LinuxPostfix ~]#


Now Kerberos is configured and the Linux machine can validate against AD; now we need to configure Cyrus ..

The Postfix Cyrus SASL support is used to authenticate clients and local mailboxes to the Postfix SMTP server. We will use the Pluggable Authentication Modules (PAM) in Linux to configure Cyrus SASL and delegate the authentication process to the Active Directory server.

So we need to configure the PAM module. Edit the files /etc/pam.d/smtp and /etc/pam.d/imap:

Code:
auth     sufficient pam_krb5.so no_user_check validate
account  sufficient pam_permit.so


Now restart the saslauthd service

Code:
service saslauthd restart


OK, now we will test the validation using the testsaslauthd command with the -s smtp param

Code:
[root@LinuxPostfix ~]# testsaslauthd -u garaujo -p 1q2w3e. -s imap
0: OK "Success."
[root@LinuxPostfix ~]#


Now, to be sure that Active Directory is working, I go to my Windows machine and change the user password to demo.2010 and test again:

[Screenshot: resetad.jpg]


Code:
[root@LinuxPostfix ~]# testsaslauthd -u garaujo -p 1q2w3e. -s imap
0: NO "authentication failed"
[root@LinuxPostfix ~]#


Now using the new password:

Code:
[root@LinuxPostfix ~]# testsaslauthd -u garaujo -p demo.2010 -s imap
0: OK "Success."
[root@LinuxPostfix ~]#


Waiting for comments.
--

Ing. Gonzalo Araujo C
MCSE, MCSA, MCSD, ITIL, CISSP, C|EH, LPI
SLM Sistemas - Ingenio Virtual
http://www.slmsistemas.com
Colombia - Guatemala - Chile - Venezuela

Re: Artica with cyrus-imap validating against Active Directory

Post by admin » Mon Oct 11, 2010 8:37 am

I can't get it to work in Artica because some files are rewritten when I stop and start some services like saslauthd,


What do you need to modify?

Re: Artica with cyrus-imap validating against Active Directory

Post by garaujo » Mon Oct 11, 2010 7:29 pm

Got it! clap clap clap ... ;)

Now I have an Artica box validating against Active Directory ...

The problem was with saslauthd .. it is using LDAP for validating ...

So I stop the saslauthd service and run it with the following params:

Code:
/usr/sbin/saslauthd -m /var/run/saslauthd -a pam -d


And test with

Code:
[root@localhost WORK]# testsaslauthd -u garaujo -p demo.2010 -s imap
0: OK "Success."


And AT LAST!! I got it:

Code:
[root@localhost WORK]# imtest -m login -a garaujo -w demo.2010 localhost -v
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS] localhost.localdomain Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
C: L01 LOGIN garaujo {9}
S: + go ahead
C: <omitted>
S: L01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH] User logged in
Authenticated.
Security strength factor: 0


Now? What next? ...

Greetings,

Re: Artica with cyrus-imap validating against Active Directory

Post by admin » Mon Oct 11, 2010 9:21 pm

I have real respect for your work on this kind of strategy...
But I have one question....
If you disconnect Cyrus SASL from LDAP, the front-end Artica is unable to create or modify users because users are turned over to the Active Directory system.
Your case is very interesting, but what are the benefits of using Artica this way??

Re: Artica with cyrus-imap validating against Active Directory

Post by garaujo » Mon Oct 11, 2010 9:33 pm

Hello David, the web interface is validating to local LDAP with no problem ... in one test I created the manager user in Active Directory too, to validate the web interface against Active Directory, but right now it is configured with local LDAP users...

About the creation of mailboxes, I resolved that too:

- In the Artica mailbox panel, change the cyrus password from secret to something more secure (Active Directory needs strong passwords), so I use imap%.2010
- After that, Artica knows the new password ... and changes it locally
- Then create a user in Active Directory called cyrus with password imap%2010
- Move validation from LDAP to PAM (this only affects the services I already changed in /etc/pam.d like imap or pop)
- Now return to the Artica interface ... and voila .. Artica creates users and mailboxes, and imports users from Active Directory :)

At this moment I have an Outlook configured reading mails from the Artica box ... and I can create users and delete users from the web interface ...

Surely there are some other things to consider about all the modules of Artica; I only want to show that there is a way to do it .. MANY MANY companies that are changing from EXCHANGE to Linux really need this feature ... I have 3 clients waiting for an answer to this issue ...

I really need Artica with Active Directory integration ... that's why I put myself into this lab ...

With this information, is it possible to make this from the web console interface?

PD/ I need your help with the WEBDAV case in the Calendar topic to finish the sync calendar lab too ...

Greetings

Re: Artica with cyrus-imap validating against Active Directory

Post by admin » Tue Oct 12, 2010 12:16 am

With this information, is it possible to make this from the web console interface?


I will try; it seems very interesting to perform this LAB, but to be honest it would be cooler to kill the local OpenLDAP database and use Active Directory directly for all tasks.
But I'm afraid that needs more changes and more work:

I think you did not need to use PAM for saslauthd.
In fact Artica uses the /etc/saslauthd.conf file that stores the LDAP credentials.
I think just changing its content should forward saslauthd requests to the Active Directory.

You are not able to change the user's password directly in Active Directory.
Passwords are not stored in the Active Directory LDAP database but in the SAM database located in C:\Windows\system32
Have you tried to change the password through the Artica interface? Is it really changed in the Active Directory?

Artica needs to add its own attributes.
Especially the schema stored in /usr/share/artica-postfix/bin/install/postfix.schema
Can this schema be imported into the Active Directory?

I need your help with the WEBDAV case in the Calendar topic to finish the sync calendar lab too

Tomorrow I will focus on it...

Re: Artica with cyrus-imap validating against Active Directory

Post by garaujo » Tue Oct 12, 2010 1:04 am

I think you did not need to use PAM for saslauthd.
In fact Artica uses the /etc/saslauthd.conf file that stores the LDAP credentials.
I think just changing its content should forward saslauthd requests to the Active Directory.


I think it is not a good idea to change the context of Artica in OpenLDAP ... it is possible to move the attributes and configurations to internal objects in Active Directory, but this is gonna be heavy work, and I think it is not the way this will work ... I think of using AD passwords at the beginning ONLY for mail authentication, nothing else ... so Artica can work as today ... connecting to OpenLDAP .. but, when a user wants to read the mailbox, the password will be validated against AD, not the local account ...

You are not able to change the user's password directly in Active Directory.
Passwords are not stored in the Active Directory LDAP database but in the SAM database located in C:\Windows\system32
Have you tried to change the password through the Artica interface? Is it really changed in the Active Directory?


We don't need to change the password for a user in Artica ... when Active Directory is used, only validations about the mailbox will be redirected to Active Directory, and the corporate AD manager will manage the accounts in AD ... if the user is disabled in AD, then they can't validate and can't read mail ... and, if the manager changes the password in AD, the user will need the new password to get access to the mailbox ... this is exactly what this kind of companies are searching for because, actually, all the process involved in accounts administration is done using the Active Directory console ... so, a user needs to go on vacation, and there is an organizational process to disable the account in AD and all dependent services ... like the Artica Mailbox ...

Artica needs to add its own attributes.
Especially the schema stored in /usr/share/artica-postfix/bin/install/postfix.schema
Can this schema be imported into the Active Directory?


Yes, this is possible .. but not functional ... I don't think this is a good idea at all.

I'm mounting all the lab AGAIN ... from zero, because I DID so many changes in Artica ... I will try to make all this an easy process .. and see if it is possible to deliver this solution as is to my clients ...

Really, thanks for your time and support, and sorry for my English, I know it is not the best ...

Greetings

Re: Artica with cyrus-imap validating against Active Directory

Post by admin » Tue Oct 12, 2010 9:41 am

Give me, step by step, which files handled by Artica must be changed and I will make a specific build for you;

Re: Artica with cyrus-imap validating against Active Directory

Post by garaujo » Wed Oct 13, 2010 12:33 am

Hello David, at last .. I got the validation to work with easy steps ...

I implemented the solution on a production server with 150 Active Directory users and at this moment everything is OK (4 hours with no problems).

The only issue that I'm having is the fact that Artica will regenerate the saslauthd init script every x minutes ... so I need to manually stop the service and start saslauthd in the console ...

Code:
/usr/sbin/saslauthd -m /var/run/saslauthd -a pam -d



The procedure is:

Non-intrusive part:

1. Modify the /etc/krb5.conf file as described in the last posts.
2. Modify /etc/pam.d/imap as described too.
3. Change the password for the cyrus user using the Artica web interface (this is because of the Active Directory strong password policy rules).
** Can the cyrus user have a strong password directly from the Artica installation?
4. Create the user cyrus in Active Directory with the same password used on the Artica box.

The above files can be changed without any problems; I restart the server, log on to the Artica web interface, delete and create users, etc ... and no errors at all, everything just like nothing happened ;)

Now the intrusive part.

5. Start the saslauthd service using the PAM mechanism and not LDAP (this doesn't bring any problems to the Manager user, organizations, local users, web interface, anything ... I tried a lot of things, and it is kind of a seamless change ... it is like LDAP and PAM are compatible mechanisms for Artica ...

The problem that I'm facing right now is Artica changing the saslauthd file, and stopping and restarting the service with custom parameters (LDAP MECHANISM)

Salu2
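The five-step procedure above, like the first post it summarises, ends with a hand-started saslauthd that Artica keeps reverting to LDAP, and with an imtest session that reports Security strength factor: 0, i.e. the LOGIN credentials crossed the wire in clear. As an added example that is not from the thread or from Artica, this Python audit parses constructed copies of the three artefacts (the saslauthd command line, /etc/pam.d/imap, and an imtest transcript) and flags each deviation a defender would want to catch; all inputs and function names are assumptions made for the example.

```python
import re
# Constructed inputs mirroring the thread's setup (not copied from a real host).
SASLAUTHD_CMDLINE = "/usr/sbin/saslauthd -m /var/run/saslauthd -a pam -d"
PAM_IMAP = "auth     sufficient pam_krb5.so no_user_check validate\naccount  sufficient pam_permit.so\n"
IMTEST_LOG = """S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS] localhost Cyrus IMAP4 server ready
C: L01 LOGIN garaujo {9}
C: <omitted>
S: L01 OK [CAPABILITY IMAP4 LOGINDISABLED] User logged in
Security strength factor: 0
"""

def saslauthd_mechanism(cmdline):
    """Return the mechanism given to saslauthd with -a ('pam', 'ldap', ...), or None."""
    m = re.search(r"(?:^|\s)-a\s+(\S+)", cmdline)
    return m.group(1) if m else None

def pam_delegates_to_kerberos(pam_text):
    """True when some 'auth' line of the PAM service file calls pam_krb5.so."""
    for line in pam_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth" and fields[2] == "pam_krb5.so":
            return True
    return False

def login_sent_in_clear(transcript):
    """True when the client sent LOGIN before STARTTLS, or imtest reported SSF 0."""
    tls_started = False
    for line in transcript.splitlines():
        if line.startswith("C: "):
            parts = line.split()
            command = parts[2].upper() if len(parts) >= 3 else ""
            if command == "STARTTLS":
                tls_started = True
            elif command == "LOGIN" and not tls_started:
                return True
        elif line.startswith("Security strength factor:") and int(line.rsplit(":", 1)[1]) == 0:
            return True
    return False

def audit(cmdline, pam_text, transcript):
    """Collect deviations from the intended setup, in the order they are checked."""
    findings = []
    if saslauthd_mechanism(cmdline) != "pam":
        findings.append("saslauthd is not running with -a pam (init script regenerated?)")
    if not pam_delegates_to_kerberos(pam_text):
        findings.append("/etc/pam.d/imap has no 'auth ... pam_krb5.so' line")
    if login_sent_in_clear(transcript):
        findings.append("LOGIN without STARTTLS / SSF 0: credentials crossed the wire in clear")
    return findings
```

Run against the constructed inputs, the only finding is the clear-text LOGIN; swapping in a command line with -a ldap reproduces the regenerated-init-script case the post describes.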

Re: Artica with cyrus-imap validating against Active Directory

Post by admin » Fri Oct 15, 2010 2:57 pm

I have added your feature in 1.4.101516

The feature can be found here.
[Screenshot: 2010-10-15_165235.png]


Try it to see if it meets your request...
