Univention Bugzilla – Bug 47642
[4.3] saslauthd (e.g. via postfix) fails once user changes his/her own password
Last modified: 2018-08-29 12:49:45 CEST
Merge this change also to UCS 4.3 as it fixes the UID login problem with dovecot/IMAP.

+++ This bug was initially created as a clone of Bug #42759 +++

Situation: postfix with SASL authentication via Cyrus' saslauthd (not via Dovecot, as the customer in question is using Kopano as their mail server). saslauthd runs with the default configuration (MECHANISM="pam") from installation of the sasl2-bin package.

Whenever a user changes his/her password via logging in to the UMC, authentication via saslauthd fails and keeps on failing, both with the new and the old password. Comparing the user entry in the LDAP directory before and after that change reveals that the "userPassword" field uses a different method. Before the change it contained the hashed password, e.g. "userPassword: {crypt}$6$…". After the change it only contained a reference to the Kerberos secret: "userPassword: {K5KEY}".

How to reproduce it:
• Install the sasl2-bin package and start saslauthd.
• Verify that authentication works (please select a user who is not a member of the "Domain Admins" group): "testsaslauthd -u <username> -p <password>"
• Log in to the Univention Management Console as that unprivileged user. The only available module should be the password change module.
• Change the user's password.
• On the command line restart both the "nscd" and "saslauthd" services in order to prevent caching from affecting the results.
• Try to authenticate with "testsaslauthd" again. Observe that it now fails with both the old and the new password.

A workaround for one user is to log into the UMC as a user with administrative privileges and to change the user's password via the "Users" module. In that moment the "userPassword" attribute in the LDAP will contain the hashed key again.

The workaround for all users is to reconfigure saslauthd to use LDAP instead of PAM for authentication.
I've implemented the following template file (/etc/univention/templates/files/etc/saslauthd.conf.d/99_custom) for this:
------------------------------------------------------------
@%@UCRWARNING=# @%@
#
# LDAP Recipient Canonical Maps support
#
search_base = @%@ldap/base@%@
query_filter = (&(univentionCanonicalRecipientRewriteEnabled=1)(|(univentionPublicPrimaryMailAddress=%s)(univentionPublicAlternativeMailAddress=%s)))
result_attribute = univentionInternalPrimaryMailAddress
search_timeout = @%@mail/postfix/ldap/timeout@%@
scope = sub
version = 3
bind_dn = @%@ldap/hostdn@%@
@!@
import os
from univention.lib.misc import getLDAPURIs
print 'server_host = %s' % getLDAPURIs(configRegistry)
if os.path.exists('/etc/machine.secret'):
    print 'bind_pw = %s' % (open('/etc/machine.secret', 'r').read())
else:
    print 'bind_pw = MACHINE.SECRET_IS_MISSING'
if configRegistry.is_true('mail/postfix/ldaptable/starttls', False):
    print 'start_tls = yes'
if configRegistry.is_true('mail/postfix/ldaptable/tlsrequirecert', False):
    print 'tls_require_cert = yes'
if configRegistry.get('mail/postfix/ldaptable/tlscacertfile'):
    print 'tls_ca_cert_file = %s' % configRegistry['mail/postfix/ldaptable/tlscacertfile']
print 'debuglevel = %s' % configRegistry.get('mail/postfix/ldaptable/debuglevel', '0')
@!@
------------------------------------------------------------

Registration of the template looks like this (/etc/univention/templates/info/custom):
------------------------------------------------------------
Type: multifile
Multifile: etc/saslauthd.conf

Type: subfile
Multifile: etc/saslauthd.conf
Subfile: etc/saslauthd.conf.d/99_custom
Variables: hostname
Variables: domainname
Variables: ldap/master
Variables: saslauthd/starttls
------------------------------------------------------------

Additionally a server password hook script is needed; mine (/usr/lib/univention-server/server_password_change.d/custom-saslauthd) looks like this:
------------------------------------------------------------
#!/bin/bash
# Re-render saslauthd.conf (it embeds the machine secret as bind_pw) and
# restart saslauthd after the server password has been changed.
if [ "$1" = "postchange" ] ; then
    /usr/sbin/ucr commit /etc/saslauthd.conf
    /usr/sbin/service saslauthd restart
fi
------------------------------------------------------------
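As an added example (not from the bug report and not UCS code), a small checker over LDIF such as the output of `univention-ldapsearch -LLL '(uid=*)' uid userPassword` that lists users whose userPassword holds only the {K5KEY} reference described above, i.e. the users a PAM/crypt-based saslauthd can no longer verify. The sample LDIF and its {crypt} value are constructed, and the ldapsearch invocation is an assumption about how the input would be gathered.

```python
"""Flag users whose LDAP userPassword holds only a {K5KEY} reference, the state
this bug describes after a UMC password change.  Input: LDIF, e.g. from
univention-ldapsearch -LLL '(uid=*)' uid userPassword (assumed input source)."""
import base64

# Constructed sample LDIF (not a real domain); the {crypt} value is a dummy,
# base64-encoded the way ldapsearch prints it ("userPassword::").
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=example,dc=com
uid: alice
userPassword:: e2NyeXB0fSQ2JHNhbHQkZHVtbXloYXNo

dn: uid=bob,cn=users,dc=example,dc=com
uid: bob
userPassword: {K5KEY}
"""

def parse_ldif(text):
    """One {attr: [values]} dict per entry; unfolds folded lines, decodes 'attr::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:
        if not line:                               # blank line terminates an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value.strip())
    return entries

def password_scheme(entry):
    """Lower-case {SCHEME} tag of the first userPassword value; 'none' if absent."""
    values = entry.get("userPassword", [])
    if not values:
        return "none"
    return values[0][1:].split("}", 1)[0].lower() if values[0].startswith("{") else "plain"

def k5key_only(entries):
    """uids whose every userPassword value is {K5KEY}: no crypt hash remains for a
    PAM/crypt check (saslauthd MECHANISM=pam) to verify, so such logins fail."""
    return sorted(e["uid"][0] for e in entries
                  if e.get("userPassword") and all(v == "{K5KEY}" for v in e["userPassword"]))
```

Run it against real output to see which users would hit this bug before the errata; an admin-side password change via the "Users" module (the per-user workaround above) moves a user back out of the list.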
"requisite" has been replaced by "optional" for pam_univentionmailcyrus.so in several PAM stacks. Additionally a ucs-test has been added that tests all authentication variants (username, mailPrimaryAddress(mPA), w/ and w/o {K5KEY}). I found no problems with mPA, uid or {K5KEY} with the new setup. Prepared in branch "sschwardt/47642/4.3/fix_pamstack"
As discussed, merged to 4.3-1-errata.

137b90f173 Bug #47642: update advisories
ccc2f331c0 Bug #47642: Merge branch 'sschwardt/47642/4.3/fix_pamstack' into 4.3-1
af76f1ddb0 Bug #47642: check PAM stack for mail services
d024f8d470 Bug #47642: add changelog entries
048655c475 Bug #47642: fix PAM stack to allow login with username
bb3d2421fa Bug #47642: add advisories

Package: univention-mail-postfix
Version: 12.0.0-21A~4.3.0.201808241427
Branch: ucs_4.3-0
Scope: errata4.3-1

Package: univention-mail-dovecot
Version: 4.0.0-11A~4.3.0.201808241427
Branch: ucs_4.3-0
Scope: errata4.3-1
OK: code change
OK: advisory
OK: manual tests with fetchmail and swaks
OK: automated test:

ii univention-mail-postfix 12.0.0-20A~4.3.0. all UCS - postfix configuration
ii univention-mail-dovecot 4.0.0-10A~4.3.0.2 all UCS - imap configuration

RESULT: (on m52 and m141-ox)
=======================================================
pre_change_testsaslauthd_uid : SKIPPED
pre_change_testsaslauthd_mailPrimaryAddress : SKIPPED
pre_change_smtp_uid : OK
pre_change_smtp_mailPrimaryAddress : OK
pre_change_sieve_uid : FAILED
pre_change_sieve_mailPrimaryAddress : OK
pre_change_imap_uid : FAILED
pre_change_imap_mailPrimaryAddress : OK
post_change_testsaslauthd_uid : SKIPPED
post_change_testsaslauthd_mailPrimaryAddress : SKIPPED
post_change_smtp_uid : OK
post_change_smtp_mailPrimaryAddress : OK
post_change_sieve_uid : FAILED
post_change_sieve_mailPrimaryAddress : OK
post_change_imap_uid : FAILED
post_change_imap_mailPrimaryAddress : OK

$ univention-upgrade

ii univention-mail-postfix 12.0.0-21 all UCS - postfix configuration
ii univention-mail-dovecot 4.0.0-11 all UCS - imap configuration

RESULT: (on m52 and m141-ox)
=======================================================
pre_change_testsaslauthd_uid : SKIPPED
pre_change_testsaslauthd_mailPrimaryAddress : SKIPPED
pre_change_smtp_uid : OK
pre_change_smtp_mailPrimaryAddress : OK
pre_change_sieve_uid : OK
pre_change_sieve_mailPrimaryAddress : OK
pre_change_imap_uid : OK
pre_change_imap_mailPrimaryAddress : OK
post_change_testsaslauthd_uid : SKIPPED
post_change_testsaslauthd_mailPrimaryAddress : SKIPPED
post_change_smtp_uid : OK
post_change_smtp_mailPrimaryAddress : OK
post_change_sieve_uid : OK
post_change_sieve_mailPrimaryAddress : OK
post_change_imap_uid : OK
post_change_imap_mailPrimaryAddress : OK
f440e6875b Bug #47642: 20b_check_auth_via_smtp_and_imap: fix LDAP connection on slaves and memberservers
<http://errata.software-univention.de/ucs/4.3/228.html> <http://errata.software-univention.de/ucs/4.3/229.html>