You want to use: sasl_pwcheck_method: saslauthd
-Rob

On Thu, 16 Jan 2003, Thomas Hannan wrote:

> Hi all,
>
> The cliffnotes version of my problem is that even though I run
> /usr/local/sbin/saslauthd -a pam&
> and my /etc/imapd.conf contains "sasl_pwcheck_method: pam"
> I get an auth failed when trying to login over IMAP or imtest:
> $ testsaslauthd -u tico2 -p test1234 -s imap
> 0: OK "Success."
>
> $ testsaslauthd -u tico2 -p test1234
> 0: OK "Success."
>
> $ imtest -u tico2 -a tico2 -w test1234 -v -m login 192.168.1.98
> S: * OK mail.test Cyrus IMAP4 v2.1.11 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=OTP AUTH=DIGEST-MD5
> AUTH=CRAM-MD5
> S: C01 OK Completed
> C: L01 LOGIN tico2 {8}
> S: + go ahead
> C: <omitted>
> S: L01 NO Login failed: no mechanism available
> Authentication failed. generic failure
> Security strength factor: 0
>
> $ imtest -u tico2 -a tico2 -w test1234 -v -m plain 192.168.1.98
> S: * OK mail.test.pharm-olam.com Cyrus IMAP4 v2.1.11 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=OTP AUTH=DIGEST-MD5
> AUTH=CRAM-MD5
> S: C01 OK Completed
> C: A01 AUTHENTICATE PLAIN
> S: A01 NO no mechanism available
> Authentication failed. generic failure
> Security strength factor: 0
>
> /var/log/auth.log says:
> Jan 16 12:59:26 frosty imapd[2968]: unknown password verifier
> /var/log/imap.log says:
> Jan 16 12:59:05 frosty imapd[2968]: badlogin: mail.test [192.168.1.98]
> PLAIN [SASL(-4): no mechanism available: security flags do not match
> required]
> Jan 16 12:59:26 frosty imapd[2968]: accepted connection
> Jan 16 12:59:26 frosty imapd[2968]: badlogin: mail.test [192.168.1.98]
> plaintext test1 SASL(-4): no mechanism available: checkpass failed
>
> I'm on my first Cyrus install and have RTFM all I can find, so bear with
> me. I have a Redhat 7.2 box on which I'm trying to accomplish the
> following:
> Get Cyrus IMAPd to authenticate (via SASLv2) against PAM instead of
> directly to a /etc/sasldb or a MySQL table or anything of that nature. My
> users are set up in PAM using Samba/winbind modules, and they can
> authenticate for anything else. Additionally, I have a few /etc/shadow
> users that I've created just for testing, and behavior is the exact same no
> matter which type of user I try.
>
> Any help would be greatly appreciated!!
> Regards,
> Tico Hannan [CCDP,CCNP]
>
> more notes:
>
> Locally I can auth against any of them (winbind or /etc/shadow) since they
> are in my /etc/pam.d/system-auth:
> auth required /lib/security/pam_env.so
> auth sufficient /lib/security/pam_winbind.so
> auth sufficient /lib/security/pam_unix.so likeauth nullok
> auth required /lib/security/pam_deny.so
> account required /lib/security/pam_unix.so
> password required /lib/security/pam_cracklib.so retry=3 type=
> password sufficient /lib/security/pam_unix.so nullok use_authtok md5
> shadow use_first_pass
> password required /lib/security/pam_deny.so
> session required /lib/security/pam_limits.so
> session required /lib/security/pam_unix.so
>
> and currently (just for testing purposes) I have everything
> (including /etc/pam.d/imap) set to use:
> $ cat /etc/pam.d/imap
> #%PAM-1.0
> auth required /lib/security/pam_stack.so service=system-auth
> account required /lib/security/pam_stack.so service=system-auth
>
> I have a startup script that runs
> /usr/local/sbin/saslauthd -a pam&
> /usr/cyrus/bin/master &
> and my configs are /etc/imapd.conf:
> configdirectory: /var/imap
> partition-default: /var/spool/imap
> admins: cyrus root
> allowanonymouslogin: no
> sasl_pwcheck_method: pam
> defaultacl: anyone lrs
> postmaster: postmaster
> sendmail: /usr/sbin/sendmail.postfix
> allowplaintext: yes
> servername: mail.test
> autocreatequota: 10000
> quotawarn: 90
>
> my /etc/cyrus.conf:
> START {
> # do not delete these entries!
> mboxlist cmd="ctl_mboxlist -r"
> deliver cmd="ctl_deliver -r"
> }
> SERVICES {
> imap cmd="/usr/cyrus/bin/imapd" listen="imap" prefork=0
> imaps cmd="/usr/cyrus/bin/imapd -s" listen="imaps" prefork=0
> pop3 cmd="/usr/cyrus/bin/pop3d" listen="pop3" prefork=0
> pop3s cmd="/usr/cyrus/bin/pop3d -s" listen="pop3s" prefork=0
> sieve cmd="/usr/cyrus/bin/timsieved" listen="sieve" prefork=0
> lmtpunix cmd="/usr/cyrus/bin/lmtpd" listen="/var/imap/socket/lmtp"
> prefork=0
> }
> EVENTS {
> checkpoint cmd="ctl_mboxlist -c" period=30
> }
>
> My installation options:
> SASL:
> make clean
> ./configure \
> --with-dblib=berkeley \
> --with-bdb-libdir=/usr/local/BerkeleyDB.3.1/lib \
> --with-bdb-incdir=/usr/local/BerkeleyDB.3.1/include \
> --with-pam=/usr/include/security \
> --with-openssl=/usr/include/openssl \
> --enable-plain \
> --enable-krb4=no \
> --without-des \
> --enable-digest=no
> make
> make install
> IMAP:
> make clean
> ./configure \
> --with-auth=unix \
> --with-openssl=/usr/include/openssl \
> --with-dbdir=/usr/local/BerkeleyDB.3.3
> make depend
> make all CFLAGS=-O
> make install
>
>

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
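The mismatch this thread is about (a saslauthd backend name placed in imapd.conf, where the reply says the value should be saslauthd) can be checked mechanically. The following is an added example, not code from the thread or from the Cyrus project; the function names, the backend subset and the sample strings are assumptions constructed from the configuration and log lines quoted above.

```python
import re
import shlex

# Constructed sample input mirroring the configuration quoted in the thread.
SAMPLE_CONF = "configdirectory: /var/imap\nsasl_pwcheck_method: pam\n"
SAMPLE_CMD = "/usr/local/sbin/saslauthd -a pam&"
SAMPLE_LOG = [
    "Jan 16 12:59:26 frosty imapd[2968]: unknown password verifier",
    "Jan 16 12:59:26 frosty imapd[2968]: accepted connection",
]
# Subset of names accepted by `saslauthd -a`; hypothetical list for this check.
SASLAUTHD_BACKENDS = {"pam", "shadow", "getpwent", "ldap", "rimap", "kerberos5"}


def parse_conf(text):
    """Parse imapd.conf 'key: value' lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf


def saslauthd_backend(cmdline):
    """Return the argument of -a from a saslauthd command line, or None."""
    args = shlex.split(cmdline.rstrip("& "))
    if "-a" in args and args.index("-a") + 1 < len(args):
        return args[args.index("-a") + 1]
    return None


def diagnose(conf_text, cmdline, log_lines):
    """Return findings that tie the config, the daemon and the log together."""
    findings = []
    methods = parse_conf(conf_text).get("sasl_pwcheck_method", "").split()
    backend = saslauthd_backend(cmdline)
    for method in methods:
        if method in SASLAUTHD_BACKENDS:
            findings.append(f"sasl_pwcheck_method '{method}' is a saslauthd "
                            "backend; set 'sasl_pwcheck_method: saslauthd'")
    if backend and "saslauthd" not in methods:
        findings.append(f"saslauthd -a {backend} runs, but imapd is not set to use it")
    pids = {hit.group(1) for line in log_lines if (hit := re.search(
        r"imapd\[(\d+)\]: unknown password verifier", line))}
    if pids:
        findings.append(f"imapd pid(s) {sorted(pids)} logged 'unknown password verifier'")
    return findings
```

Calling diagnose(SAMPLE_CONF, SAMPLE_CMD, SAMPLE_LOG) returns three findings for the quoted setup and an empty list once the method is changed to saslauthd.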