Hello, Dan, and other SASL experts.
A quick update: I have decided to try using SASL's PAM mechanism,
since that's what seems to be set up by default.
So, I rebuilt my system from scratch (it's just a Xen VM, after all),
and installed all cyrus-sasl RPMs:
==================================
cyrus-sasl-ldap-2.1.22-4
cyrus-sasl-devel-2.1.22-4
cyrus-sasl-plain-2.1.22-4
cyrus-sasl-ntlm-2.1.22-4
cyrus-sasl-sql-2.1.22-4
cyrus-sasl-plain-2.1.22-4
cyrus-sasl-ntlm-2.1.22-4
cyrus-sasl-ldap-2.1.22-4
cyrus-sasl-lib-2.1.22-4
cyrus-sasl-2.1.22-4
cyrus-sasl-lib-2.1.22-4
cyrus-sasl-sql-2.1.22-4
cyrus-sasl-gssapi-2.1.22-4
cyrus-sasl-md5-2.1.22-4
cyrus-sasl-devel-2.1.22-4
cyrus-sasl-2.1.22-4
cyrus-sasl-md5-2.1.22-4
cyrus-sasl-gssapi-2.1.22-4
==================================
When I start up SASL with "service saslauthd start", here's what's
running:
==================================
[root@emailrelay ~]# ps auxwww | grep sasl
root 4828 0.0 0.3 46648 804 ? Ss 16:10 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
==================================
It's using PAM, right? It should work with any shell account I create,
right?
So, I create a regular Unix shell account, set the password to
'1234', and verify that I can log in as the user in question.
==================================
ann@some-other-host:~> ssh relay@xxxxxxxxxxxxxxxxxxxxxxx
relay@xxxxxxxxxxxxxxxxxxxxxxx's password: [ here I type '1234' ]
Last login: Mon Nov 17 16:06:15 2008 from xxx.xxx.xxx.xxx
[relay@emailrelay ~]$
==================================
OK, shell login works. Later, if I can get this working, I will set
the shell to "/sbin/nologin".
Now, at this point, SASL should authenticate against these credentials
with no problem, right? So, why won't this work?
==================================
[root@emailrelay ~]# testsaslauthd -u relay -p 1234
0: NO "authentication failed"
==================================
and from /var/log/messages...
==================================
Nov 17 16:47:49 emailrelay saslauthd[4831]: do_auth : auth failure: [user=relay] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
==================================
OK, now I'm really baffled. Is the testsaslauthd broken? Am I using it
incorrectly? What does the [service=imap] mean?
This use case seems dead simple, but is not working. :(
Thanks for any insights,
- Ann
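
An added diagnostic sketch, not part of the original message: with `-a pam`, saslauthd passes the service name from the request (the `[service=imap]` field in the log line above) to PAM, which reads `/etc/pam.d/<service>` and falls back to `/etc/pam.d/other` when no such file exists. The function names and the `PAM_DIR` override are assumptions of this example.

```shell
#!/bin/sh
# Added example: map a saslauthd "auth failure" log line to the PAM service
# file that the request was evaluated against.

# Directory holding PAM service files (assumed override for testing on a copy).
PAM_DIR="${PAM_DIR:-/etc/pam.d}"

# Extract one [key=value] field from a saslauthd log line.
# usage: sasl_field <key> <log line>
sasl_field() {
    printf '%s\n' "$2" | sed -n "s/.*\[$1=\([^]]*\)].*/\1/p"
}

# Print the PAM file used for the request, or why none applies.
# usage: pam_file_for <log line>
pam_file_for() {
    mech=$(sasl_field mech "$1")
    service=$(sasl_field service "$1")
    # Only the pam mechanism consults PAM service files.
    [ "$mech" = "pam" ] || { echo "not-pam"; return 0; }
    if [ -f "$PAM_DIR/$service" ]; then
        echo "$PAM_DIR/$service"
    elif [ -f "$PAM_DIR/other" ]; then
        # Linux-PAM falls back to "other" when the service has no file.
        echo "$PAM_DIR/other (fallback: no $service file)"
    else
        echo "missing"
    fi
}

# The log line from the message above, joined onto one line.
SAMPLE_LINE='Nov 17 16:47:49 emailrelay saslauthd[4831]: do_auth : auth failure: [user=relay] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]'

echo "service: $(sasl_field service "$SAMPLE_LINE")"
echo "pam file: $(pam_file_for "$SAMPLE_LINE")"
```

`testsaslauthd` sends the service name `imap` unless another is given with `-s <service>`, so the file reported here is the one whose PAM stack decided the test request.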