Bug#108942: The saga of cyrus2-imapd continues

2001-11-15 Thread David D. Kilzer
> > "David" == David D Kilzer <[EMAIL PROTECTED]> writes:
> David> I finally got cyrus2-imapd to authenticate an account, but
> David> I had to use "sasldb" instead of "PAM" for
> David> "sasl_pwcheck_method" in /etc/imapd.conf.
> 
> David> It appears that until PAM-0.74 is available in "unstable",
> David> cyrus2-imapd won't be able to authenticate using it.  I
> David> thought about filing a "new upstream version" bug against
> David> libpam0g, but I know there has been some discussion about
> David> how to handle new versions of PAM in Debian.  I just can't
> David> seem to find the correct mailing list archive or web page
> David> that describes this.

On Wed, Nov 07, 2001 at 04:16:55PM -0500, Sam Hartman wrote:
> Disbelieve.  It can be handled the same way as cyrus 1.x.

So you're saying that pwcheck can be used with PAM-0.72 and
cyrus2-imapd-2.0.x.  Unfortunately, the way the software is packaged
currently doesn't make that possible.

To handle cyrus2-imapd-2.0.x the same way as cyrus-imapd-1.5.x would
require the use of the pwcheck daemon.  This daemon has been removed
from the cyrus2-imapd-2.0.x source tree, but may still be found in the
cyrus-sasl-1.5.24 source.  Unfortunately, cyrus-sasl-1.5.24 doesn't
currently build pwcheck the same way that cyrus-imapd-1.5.19 does (in
two flavors: pwcheck_standard and pwcheck_pam).

To confuse matters further, cyrus2-sasl-2.0.x betas now include a
replacement for pwcheck called saslauthd.  Unfortunately, no one has
packaged cyrus2-sasl-2.0.x yet.

In summary, using "sasldb" for the "sasl_pwcheck_method" parameter in
/etc/imapd.conf will work in the short term until the pwcheck/saslauthd
situation is resolved.  (I am NOT saying this is the best solution, but
it works for me now.)  More work is required if pwcheck or saslauthd
is to be used.

(Just trying to document the current state of the cyrus2-imapd package
and what may need to be done in the future.)

Dave



Bug#108942: The saga of cyrus2-imapd continues

2001-11-07 Thread Sam Hartman
> "David" == David D Kilzer <[EMAIL PROTECTED]> writes:

David> I finally got cyrus2-imapd to authenticate an account, but
David> I had to use "sasldb" instead of "PAM" for
David> "sasl_pwcheck_method" in /etc/imapd.conf.

David> It appears that until PAM-0.74 is available in "unstable",
David> cyrus2-imapd won't be able to authenticate using it.  I
David> thought about filing a "new upstream version" bug against
David> libpam0g, but I know there has been some discussion about
David> how to handle new versions of PAM in Debian.  I just can't
David> seem to find the correct mailing list archive or web page
David> that describes this.

Disbelieve.  It can be handled the same way as cyrus 1.x.



Bug#108942: The saga of cyrus2-imapd continues

2001-11-07 Thread David D. Kilzer
I finally got cyrus2-imapd to authenticate an account, but I had to use
"sasldb" instead of "PAM" for "sasl_pwcheck_method" in /etc/imapd.conf.

It appears that until PAM-0.74 is available in "unstable", cyrus2-imapd
won't be able to authenticate using it.  I thought about filing a "new
upstream version" bug against libpam0g, but I know there has been some
discussion about how to handle new versions of PAM in Debian.  I just
can't seem to find the correct mailing list archive or web page that 
describes this.

It would be nice to be able to have Cyrus do a two-level check, first on
real accounts via PAM, then on virtual accounts via SASL, then return an
unknown user error, but I don't know enough about PAM, SASL or Cyrus to
create a patch (yet).

I tried copying the included /etc/pam.d/cyrus to /etc/pam.d/pop and to
/etc/pam.d/imap to get Cyrus to authenticate against PAM.  This didn't
work.  That file looked like this:

--- /etc/pam.d/cyrus

# PAM configuration file for Cyrus
#
# If you want to use Cyrus in a setup where users don't have
# accounts on the local machine, you'll need to make sure
# you use something like pam_permit for account checking.
#
# Also, take a look into libpam-ldap, libpam-mysql/libpam-pgsql
# and libpam-pwdfile. They're likely to be helpful aid for creating
# a closed-box email system.
#

auth    required        pam_unix.so nullok
account required        pam_unix.so

--- End of /etc/pam.d/cyrus

I also tried using the /etc/pam.d/pop and /etc/pam.d/imap (the files are
identical; see below) that came with the 2.0.16 RPMs on
 without any luck (since 
pam_stack.so is a part of PAM-0.74).

--- /etc/pam.d/[pop|imap]

#%PAM-1.0
auth    required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth

--- End of /etc/pam.d/[pop|imap]

I finally did the following to create an /etc/sasldb file:

$ ssh [EMAIL PROTECTED]
# saslpasswd ddkilzer
Password:
Again (for verification):
# exit

This was done long after running "cyradm" to create a mailbox for
ddkilzer ("cm user.ddkilzer").

After creating the sasldb (and changing /etc/imapd.conf and restarting
cyrmaster), logging into the POP server through telnet worked great, and
I could connect to the imapd using mutt.  I know this isn't the ideal
setup, but it's what I'll use for now.

Hope this still helps!

Dave
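
Added example, not part of the original message or of the Debian package: a small Python check for the failure described above, where a PAM service file names a module (pam_stack.so) that the installed PAM does not ship. The name check_service, the simulated set of installed modules and the sample file text are constructed for illustration; /lib/security is the module directory used in the quoted files.

```python
import os
import re

# Constructed sample: the Red Hat-style service file quoted in the message.
SAMPLE_SERVICE = """\
#%PAM-1.0
auth       required /lib/security/pam_stack.so service=system-auth
account    required /lib/security/pam_stack.so service=system-auth
"""

PAM_TYPES = {"auth", "account", "password", "session"}
# type, control (simple word or [bracketed list]), module, optional arguments
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def check_service(text, module_dir="/lib/security", exists=os.path.exists):
    """Return (lineno, problem) findings for one /etc/pam.d service file.

    Flags rule lines that do not parse as "type control module [args]"
    and modules that are not present on disk. Backslash line
    continuations are not handled.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("@"):     # blank or @include line
            continue
        m = RULE.match(line)
        if not m or m.group(1).lstrip("-").lower() not in PAM_TYPES:
            findings.append((lineno, "malformed rule: " + line))
            continue
        module = m.group(3)
        # Relative module names are resolved against the module directory.
        path = module if module.startswith("/") else os.path.join(module_dir, module)
        if not exists(path):
            findings.append((lineno, "module not installed: " + path))
    return findings


if __name__ == "__main__":
    # Simulate a PAM install that ships pam_unix.so but not pam_stack.so.
    installed = {"/lib/security/pam_unix.so"}
    for lineno, problem in check_service(SAMPLE_SERVICE, exists=installed.__contains__):
        print("line %d: %s" % (lineno, problem))
```

On a real host, call check_service(open("/etc/pam.d/imap").read()) so the default os.path.exists lookup is used.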