>Trying to get Kolab 3.4 set up in a distributed environment. The last piece of 
>the puzzle seems to be getting Cyrus configured correctly for a murder 
>environment. Currently, only using 1 frontend and one backend.
>mupdatetest and testsaslauthd checks seem to work fine. But, when trying to 
>create a user account using the command-line cyradm tools, from the backend, 
>I'm getting the following error:
>cyradm -t "" -u kolab -w "${password}" ${cyrus_host}
>verify error:num=18:self signed certificate
>> cm user/kolab3test
>verify error:num=18:self signed certificate
>Invalid user at /usr/lib64/perl5/vendor_perl/Cyrus/IMAP/Admin.pm line 118
>cyradm: cannot authenticate to [redacted.fqdn.backend.server]
>and directly from the frontend:
>> cm user/kolab3test
>IMAP Password:
>              Invalid user at /usr/lib64/perl5/vendor_perl/Cyrus/IMAP/Admin.pm 
> line 118
>cyradm: cannot authenticate to [redacted.fqdn.backend.server]
>/var/log/messages on the backend only shows "perl: No worthy mechs found"
>and /var/log/maillog says:
> imap[27001]: SASL bad userid authenticated
>imap[27001]: badlogin: [redacted.fqdn.frontend.server] [] PLAIN 
>[SASL(-13): authentication failure: bad userid authenticated]

Check your auth facility syslog (e.g. /var/log/auth.log) as well.

Verify your configuration with:


For further assistance, provide redacted copies of your /etc/imapd.conf,
/etc/cyrus.conf, and saslauthd.conf (if existing) files for both the
frontend and backend servers.

Dan White


Thanks for the response. Redacted versions of /etc/imapd.conf, 
/etc/saslauthd.conf and /etc/cyrus.conf for both frontend and backend servers 
are below.

BACKEND /etc/imapd.conf
# Cyrus state directory for this backend.
# NOTE(review): sievedir below and the ptloader/lmtp/notify sockets in this
# host's cyrus.conf listing still live under /var/lib/imap. ptloader_sock
# defaults to <configdirectory>/ptclient/ptsock, so confirm imapd and ptloader
# agree on the socket path; a failed pts lookup is a plausible (unconfirmed)
# source of the "bad userid authenticated" line in maillog.
configdirectory: /srv/imap/be/lib
# partition-default: /var/spool/imap
partition-default: /srv/imap/be/spool

# admins: kolab
# Userids listed here hold administrative rights on this server.
admins: kolab
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
# sasl_pwcheck_method: saslauthd
# Passwords are verified through saslauthd (see this host's saslauthd.conf).
sasl_pwcheck_method: saslauthd
# sasl_mech_list: PLAIN LOGIN
# Only PLAIN is offered, so every login transmits the password itself.
sasl_mech_list: PLAIN
# allowplaintext: no
# NOTE(review): 1 permits PLAIN on connections that have not negotiated TLS.
# Acceptable only on a trusted frontend<->backend network; otherwise require
# TLS before authentication.
allowplaintext: 1

 # Certificate and private key are read from the same PEM file.
 # NOTE(review): the cyradm transcript on this page reports
 # "verify error:num=18:self signed certificate", i.e. clients cannot validate
 # this certificate unless they import or pin it. Because the file also holds
 # the private key, keep it readable only by the Cyrus service account.
 tls_server_cert: /var/imap/server.pem
 tls_server_key: /var/imap/server.pem
# tls_server_ca_file: /var/imap/server.pem
# tls_client_ca_file: /var/imap/server.pem

# uncomment this if you're operating in a DSCP environment (RFC-4594)
# qosmarking: af13
# Authorization (userid canonicalization and group membership) goes through
# ptloader using its LDAP module; the ldap_* settings below drive that lookup.
# NOTE(review): with pts, an authenticated id that the LDAP lookup cannot
# resolve is rejected even when the password was correct — presumably what
# "SASL bad userid authenticated" in maillog reflects; confirm in ptloader logs.
auth_mech: pts
pts_module: ldap

# NOTE(review): the URI scheme is redacted. If this is ldap:// without
# StartTLS, the simple-bind password below crosses the network unencrypted.
ldap_servers: {redacted}
# 0 = bind with ldap_bind_dn/ldap_password rather than a SASL bind.
ldap_sasl: 0

# NOTE(review): unlike the frontend listing, no ldap_scope is set here —
# confirm the default scope finds every login id (including the admin and
# proxy accounts) under this base.
ldap_base: ou=people,o=intra,dc={redacted},dc={redacted}
# NOTE(review): ldap_bind_dn, ldap_password, ldap_user_attribute and
# ldap_group_base each appear twice in this listing, and the two bind DNs
# differ (o={redacted} vs o=intra). Which occurrence takes effect is not
# visible here; keep a single definition of each.
ldap_bind_dn: uid={redacted},ou=People,o={redacted},dc={redacted},dc={redacted}
# NOTE(review): the characters before {redacted} look like an unredacted
# password prefix; treat this credential as exposed and rotate it.
ldap_password: F@{redacted}
ldap_filter: {redacted}
ldap_user_attribute: uid
ldap_group_base: o=intra,dc={redacted},dc={redacted}
ldap_bind_dn: uid={redacted},ou=People,o=intra,dc={redacted},dc={redacted}
# Bind password stored in cleartext: restrict read access to imapd.conf.
ldap_password: {redacted}
ldap_user_attribute: uid
ldap_group_base: o=intra,dc={redacted},dc={redacted}
ldap_group_scope: one
ldap_member_base: ou=People,o=intra,dc={redacted},dc={redacted}
ldap_member_method: attribute
ldap_member_attribute: nsrole
ldap_restart: 1
ldap_timeout: 10
ldap_time_limit: 10

# allowallsubscribe: 0
allowallsubscribe: 1
allowusermoves: 1
altnamespace: 1
hashimapspool: 1
unixhierarchysep: 1

annotation_definitions: /etc/imapd.annotations.conf
# NOTE(review): the value below is split across two lines, presumably by the
# mail client; in the real file it has to be a single logical line.
sieve_extensions: fileinto reject envelope body vacation imapflags notify 
include regex subaddress relational copy date index

anysievefolder: 1
fulldirhash: 0
sieveusehomedir: 0
# sieve_allowreferrals: 0
sieve_allowreferrals: 1

lmtp_downcase_rcpt: 1
lmtp_fuzzy_mailbox_match: 1
# Login names are lowercased before authentication.
# NOTE(review): the frontend listing spells this option "username_to_lower",
# so the two hosts may not canonicalize userids the same way.
username_tolower: 1

deletedprefix: DELETED
delete_mode: delayed
expunge_mode: delayed

# This value not in Kolab 2
postuser: shared

# Only run a murder on the master site

# We run a discrete murder
mupdate_config: standard

# Mailbox master runs on the first frontend
mupdate_server: {redacted}
mupdate_port: 3905
# Credentials this backend presents to the mupdate master.
mupdate_authname: {redacted}
mupdate_username: {redacted}
# NOTE(review): a "-" survives after the redaction marker here and on
# proxy_password below; if it is part of the real secret, the redaction is
# incomplete. These passwords are stored in cleartext, so restrict read
# access to this file.
mupdate_password: {redacted}-

# proxyservers: murder
# Identities listed here may log in and then act on behalf of any other user.
# The frontend's proxy_authname has to be listed here (or in admins) and must
# also be resolvable by this backend's saslauthd and pts lookup.
# NOTE(review): keep this list to the murder service account(s) only.
proxyservers: {redacted}
proxy_authname: {redacted}
proxy_password: {redacted}-

# virtdomains: userid
# Virtual domain support is disabled, so login names are unqualified userids.
virtdomains: off

FRONTEND /etc/imapd.conf

# Cyrus state directory for this frontend.
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
# Userids listed here hold administrative rights on this server.
admins: {redacted}
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail

# Passwords are checked through saslauthd and through the local sasldb.
# NOTE(review): the backend listing uses saslauthd only, so an account that
# exists solely in this host's sasldb will not authenticate on the backend.
# Restrict read access to the sasldb file as well.
sasl_pwcheck_method: saslauthd auxprop
sasl_auxprop_plugin: sasldb
# Only PLAIN is offered, so every login transmits the password itself.
sasl_mech_list: PLAIN
# NOTE(review): 1 permits PLAIN on connections that have not negotiated TLS;
# on a client-facing frontend this exposes user passwords to the network path.
allowplaintext: 1

# Authorization (userid canonicalization and group membership) goes through
# ptloader using its LDAP module; the ldap_* settings below drive that lookup.
auth_mech: pts
pts_module: ldap

# NOTE(review): ldap:// is an unencrypted transport. Unless StartTLS is
# enabled, the simple-bind password below crosses the network in cleartext.
ldap_servers: ldap://{redacted}

# 0 = bind with ldap_bind_dn/ldap_password rather than a SASL bind.
ldap_sasl: 0
ldap_base: ou=people,o=intra,dc={redacted},dc={redacted}
# One-level search: only entries directly below ldap_base are matched.
# NOTE(review): the backend listing sets no ldap_scope — align the two hosts.
ldap_scope: one
ldap_bind_dn: uid={redacted},ou=People,o=intra,dc={redacted},dc={redacted}
# Bind password stored in cleartext: restrict read access to imapd.conf.
ldap_password: {redacted}
ldap_filter: {redacted}
ldap_user_attribute: uid
ldap_group_base: o=intra,dc={redacted},dc={redacted}
ldap_group_scope: one
ldap_member_base: ou=People,o=intra,dc={redacted},dc={redacted}
ldap_member_method: attribute
ldap_member_attribute: nsrole
ldap_restart: 1
ldap_timeout: 10
ldap_time_limit: 10

 # Certificate and private key are read from the same PEM file.
 # NOTE(review): the cyradm transcript on this page reports a self-signed
 # certificate error; clients cannot validate such a certificate unless they
 # import or pin it. Because the file also holds the private key, keep it
 # readable only by the Cyrus service account.
 tls_server_cert: /var/imap/server.pem
 tls_server_key: /var/imap/server.pem
# tls_server_ca_file: /var/imap/server.pem
#tls_client_ca_file: /var/imap/server.pem

annotation_definitions: /etc/imapd.annotations.conf

allowallsubscribe: 1
allowusermoves: 1
altnamespace: 1
hashimapspool: 1
unixhierarchysep: 1

anysievefolder: 1
fulldirhash: 0
sieveusehomedir: 0
sieve_allowreferrals: 1

lmtp_downcase_rcpt: 1
lmtp_fuzzy_mailbox_match: 1
# NOTE(review): the backend listing spells this option "username_tolower",
# which is the documented name. If this spelling is not recognised, userids
# are not lowercased here and the two hosts canonicalize logins differently —
# confirm against the imapd.conf man page for the installed version.
username_to_lower: 1
normalizeuid: 1
deletedprefix: DELETED
delete_mode: delayed
expunge_mode: delayed

# Only run a murder on the master site

# We run a discrete murder
mupdate_config: standard

# Mailbox master runs on the first frontend
mupdate_server: {redacted}
mupdate_port: 3905
# Credentials used to authenticate to the mupdate master.
mupdate_authname: {redacted}
mupdate_username: {redacted}
# Stored in cleartext: restrict read access to this file.
mupdate_password: {redacted}

# Backend(s) this frontend creates mailboxes on and proxies to.
defaultserver: {redacted}
serverlist: {redacted}

# Identity and password this frontend presents to the backend when proxying.
# NOTE(review): the backend has to list proxy_authname in its proxyservers
# (or admins), and the backend's own saslauthd/LDAP lookup must be able to
# authenticate and resolve it; a mismatch would fit the "bad userid
# authenticated" error reported on this page — confirm.
proxy_authname: {redacted}
proxy_password: {redacted}

# Virtual domain support is disabled, so login names are unqualified userids.
virtdomains: off

BACKEND /etc/saslauthd.conf

# NOTE(review): ldap:// is an unencrypted transport. Both the bind password
# below and every user password that saslauthd verifies travel in cleartext
# unless StartTLS or ldaps:// is used.
ldap_servers: ldap://{redacted}

ldap_bind_dn: uid={redacted},ou=People,o=intra,dc={redacted},dc={redacted}
# Stored in cleartext: restrict read access to this file.
ldap_password: {redacted}

# Use the upper level search base or exclude ou=Special Users when using
# ou=People; cyrus-admin would not be able to authenticate.
# NOTE(review): the search base below is ou=People, the narrower choice this
# comment warns about. Confirm the admin and murder proxy accounts live under
# it, otherwise saslauthd cannot authenticate them on this backend.
ldap_search_base: ou=People,o=intra,dc={redacted},dc={redacted}

# Note: Allows login with uid, but is not translated to mailbox name
# Enable once Cyrus IMAP 2.4 can do authn w/ uid and authz w/ mail
# NOTE(review): an opening "(" survives the redaction; check that the real
# filter has balanced parentheses.
ldap_filter: ({redacted}

ldap_referrals: yes
result_attribute: uid

FRONTEND /etc/saslauthd.conf

# NOTE(review): ldap:// is an unencrypted transport. Both the bind password
# below and every user password that saslauthd verifies travel in cleartext
# unless StartTLS or ldaps:// is used.
ldap_servers: ldap://{redacted}

ldap_bind_dn: uid={redacted},ou=People,o=intra,dc={redacted},dc={redacted}
# Stored in cleartext: restrict read access to this file.
ldap_password: {redacted}

# Use the upper level search base or exclude ou=Special Users when using
# ou=People; cyrus-admin would not be able to authenticate.
# NOTE(review): the search base below is ou=People, the narrower choice this
# comment warns about. Confirm the admin and murder proxy accounts live
# under it.
ldap_search_base: ou=People,o=intra,dc={redacted},dc={redacted}

# Note: Allows login with uid, but is not translated to mailbox name
# Enable once Cyrus IMAP 2.4 can do authn w/ uid and authz w/ mail
# NOTE(review): an opening "(" survives the redaction; check that the real
# filter has balanced parentheses.
ldap_filter: ({redacted}

ldap_referrals: yes
result_attribute: uid

# NOTE(review): only the frontend listing sets log_level; if verbose logging
# is left on after troubleshooting, check what ends up in the auth log.
log_level: 6

BACKEND /etc/cyrus.conf

    # do not delete this entry!
    recover     cmd="ctl_cyrusdb -r"

    # this is only necessary if using idled for IMAP IDLE
    idled               cmd="idled"

# UNIX sockets start with a slash and are put into /var/lib/imap/sockets
    # add or remove based on preferences
    # NOTE(review): the plain "imap" listener is enabled next to "imaps".
    # Together with allowplaintext: 1 in this host's imapd.conf, logins on the
    # plain listener can send passwords without TLS.
    imap                cmd="imapd" listen="imap" prefork=5
    imaps               cmd="imapd -s" listen="imaps" prefork=1
    # pop3              cmd="pop3d" listen="pop3" prefork=3
    # pop3s             cmd="pop3d -s" listen="pop3s" prefork=1
    sieve               cmd="timsieved" listen="sieve" prefork=0

    # NOTE(review): this socket sits under /var/lib/imap, while this host's
    # imapd.conf sets configdirectory to /srv/imap/be/lib. imapd looks for the
    # ptloader socket under configdirectory unless ptloader_sock overrides it,
    # so confirm both sides use the same path.
    ptloader    cmd="ptloader" listen="/var/lib/imap/ptclient/ptsock" prefork=0

    # these are only necessary if receiving/exporting usenet via NNTP
    #nntp               cmd="nntpd" listen="nntp" prefork=3
    #nntps              cmd="nntpd -s" listen="nntps" prefork=1

    # at least one LMTP is required for delivery
    # The TCP LMTP listener is commented out; delivery is accepted only on the
    # UNIX socket below, so access is governed by that socket's permissions.
    #lmtp               cmd="lmtpd" listen="lmtp" prefork=0
    lmtpunix    cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1

    # this is only necessary if using notifications
    notify      cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" 

    # this is required
    checkpoint  cmd="ctl_cyrusdb -c" period=30

    # this is only necessary if using duplicate delivery suppression,
    # Sieve or NNTP
    duplicateprune cmd="cyr_expire -E 3" at=0400

    # Expire data older than 69 days. Two full months of 31 days
    # each includes two full backup cycles, plus 1 week margin
    # because we run our full backups on the first sat/sun night
    # of each month.
    # These two jobs are what finally remove mail held back by
    # delete_mode/expunge_mode: delayed in imapd.conf.
    deleteprune cmd="cyr_expire -E 4 -D 69" at=0430
    expungeprune cmd="cyr_expire -E 4 -X 69" at=0445

    # this is only necessary if caching TLS sessions
    tlsprune    cmd="tls_prune" at=0400

    # Create search indexes regularly
    #squatter    cmd="squatter -s -i" at=0530

FRONTEND /etc/cyrus.conf

    # do not delete this entry!
    recover     cmd="ctl_cyrusdb -r"

    # this is only necessary if using idled for IMAP IDLE
    idled       cmd="idled"

    # The following lines enable the frontend server to proxy connections
    # to the appropriate backend server.
    # NOTE(review): the plain "imap" listener is client-facing here; with
    # allowplaintext: 1 in this host's imapd.conf, user passwords can be sent
    # without TLS. The two entries below are wrapped across lines, presumably
    # by the mail client.
    imap        cmd="proxyd"        listen="imap"                           
prefork=5 maxchild=4096
    imaps       cmd="proxyd -s"     listen="imaps"                          
prefork=5 maxchild=4096

    # The frontend servers need to communicate about where the backend servers
    # are, since they contain the mailboxes.

    # mupdate master on port 3905 (matches mupdate_port in imapd.conf).
    # NOTE(review): only murder members need to reach this port; restrict it
    # at the firewall.
    mupdate     cmd="mupdate -m"    listen=3905                             

    ptloader    cmd="ptloader"      listen="/var/lib/imap/ptclient/ptsock"  

    # NOTE(review): two timsieved listeners, one on 4190 and one on the
    # "sieve" service name; confirm they do not resolve to the same port.
    sievefilter cmd="timsieved"     listen=4190                             
    sieve       cmd="timsieved"     listen=sieve                            

    # This is required
    checkpoint  cmd="ctl_cyrusdb -c" period=30

    # this is only necessary if caching TLS sessions
    tlsprune    cmd="tls_prune" at=0500

