Folks,

I must be missing something obvious here . . . please can someone tell me
how to get Cyrus to use LDAP for all types of authentication? I'm happily
using PAM + LDAP for Cyrus authentication thanks to the following line in
/etc/imapd.conf:

sasl_pwcheck_method: pam

and it's working fine with LOGIN authentication:

[root@mail2 nss_ldap-122]# imtest -u someone -a someone -m LOGIN localhost
C: C01 CAPABILITY
S: * OK mail2.iworkwell.com Cyrus IMAP4 v2.0.7 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT MULTIAPPEND ID SORT THREAD=ORDEREDSUBJECT AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 X-NETSCAPE
S: C01 OK Completed
Password: 
+ go ahead
L01 OK User logged in
Authenticated.
Security strength factor: 0
. logout

I've jacked up slapd's logging, and I can see lots of activity when the
authentication takes place.

Unfortunately, if I switch to a CRAM-MD5 test, slapd is silent (no request is
made) and the authentication fails with the following message:

Dec  8 18:19:56 mail2 imapd[14340]: badlogin: mail2.iworkwell.com[127.0.0.1] CRAM-MD5 authentication failure [no secret in database]

The following excerpt from sasl's sysadmin.html seems relevant:

        The PAM authentication for SASL only affects the plaintext
        authentication it does. It has no effect on the other mechanisms, so
        it is incorrect to try to use PAM to enforce additional restrictions
        beyond correct password on an application that uses SASL for
        authentication.

Am I beating a dead horse here? Does authenticating against MySQL or LDAP using
PAM by definition mean I'm limited to *shock horror* plaintext passwords? Say
it ain't so!? Am I forced to interoperate with that nasty sasldb beast if I
want to CRAM-MD5 my way through life?

Thanks for any advice. 

-Darren
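Added example (not part of Darren's post, and not code from Cyrus or the SASL library): a minimal CRAM-MD5 exchange in the shape RFC 2195 describes, with both the client and server halves, to show why the "no secret in database" failure above is structural rather than a misconfiguration. A CRAM-MD5 verifier has to recompute HMAC-MD5(password, challenge) itself, so it must hold the shared secret; a PAM-style check can only answer "is this candidate password correct?" against a stored hash, which is enough for plaintext LOGIN but useless for a challenge-response mechanism. The hostname, the user/password pair, and the salted-SHA-256 stand-in for whatever hash PAM consults are all constructed for illustration.

```python
"""Added example (not from the original post or from Cyrus/SASL sources):
a minimal RFC 2195 CRAM-MD5 exchange, showing that the server side can
only verify the response when it holds the shared secret itself.  All
usernames, passwords and hostnames below are constructed sample data."""
import base64
import hashlib
import hmac
import os
import time


def make_challenge(hostname: str) -> str:
    """Server side: build a challenge of the form '<nonce.timestamp@host>'."""
    nonce = int.from_bytes(os.urandom(4), "big")
    return f"<{nonce}.{int(time.time())}@{hostname}>"


def client_response(username: str, password: str, challenge: str) -> str:
    """Client side: HMAC-MD5 over the challenge, keyed with the password.
    The wire format is base64('username<SP>hexdigest')."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def server_verify(response_b64: str, challenge: str, secrets: dict) -> bool:
    """Server side: recompute the HMAC with the *stored plaintext secret*.
    Without that secret there is nothing to recompute, which is the step a
    PAM-style 'is this password right?' oracle cannot perform."""
    try:
        username, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    secret = secrets.get(username)
    if secret is None:
        return False  # the situation Cyrus logs as 'no secret in database'
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def pam_style_check(username: str, password: str, hashes: dict) -> bool:
    """A plaintext-password check in the PAM style: the store holds only a
    salted hash (salted SHA-256 here as a constructed stand-in), so it can
    confirm a candidate password but cannot produce a CRAM-MD5 response."""
    entry = hashes.get(username)
    if entry is None:
        return False
    salt, stored = entry
    candidate = hashlib.sha256(salt + password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)


def demo() -> dict:
    """Run the two authentication styles against the two kinds of store."""
    user, pw = "someone", "s3cret"                      # constructed
    salt = b"constructed-salt"
    # What a PAM/LDAP userPassword backend typically offers: a hash only.
    hashed_store = {user: (salt, hashlib.sha256(salt + pw.encode()).hexdigest())}
    # What sasldb (or an auxprop plugin) has to provide: the secret itself.
    secret_store = {user: pw}

    challenge = make_challenge("mail2.example")
    resp = client_response(user, pw, challenge)
    return {
        "plaintext_login_via_pam": pam_style_check(user, pw, hashed_store),
        "cram_md5_with_secret": server_verify(resp, challenge, secret_store),
        "cram_md5_without_secret": server_verify(resp, challenge, {}),
        "cram_md5_wrong_password": server_verify(
            client_response(user, "wrong", challenge), challenge, secret_store),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The practical consequence for the question above: any backend that stores only hashed passwords (PAM against shadow files, or LDAP userPassword holding {SSHA} values) can support the plaintext LOGIN/PLAIN mechanisms, while CRAM-MD5 and DIGEST-MD5 need a store the SASL library can read the cleartext (or mechanism-specific precomputed) secret from.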

