On 22/03/11 20:32 +0700, Nguyen, Quoc Khanh wrote:
> I can not authenticate with user LDAP. Here is the message:
>
> root@ubuntu:/usr/local/bin# ./imtest -a khanhnq -m login localhost
> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE LOGINDISABLED AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR] ubuntu Cyrus IMAP v2.4.6 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY LOGINDISABLED AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR COMPRESS=DEFLATE IDLE
> S: C01 OK Completed
> Please enter your password:
> C: L01 LOGIN khanhnq {6}
> S: L01 NO Login only available under a layer
> Authentication failed. generic failure
> Security strength factor: 0
>
> My /etc/imapd.conf is:
>
> configdirectory: /var/imap
> partition-default: /var/spool/imap
> admins: cyrus
> sasl_pwcheck_method: saslauthd
>
> The sasl authenticated with user LDAP is OK.

In recent versions of imapd, cleartext-over-the-network authentication is not allowed by default.

The 'LOGINDISABLED' capability means that the server will not allow traditional (rfc3501 6.2.3.) imap logins, nor will it support SASL PLAIN/LOGIN authentications, since they are not advertised.

You could authenticate using DIGEST-MD5 or CRAM-MD5, but those are not compatible with saslauthd.

Assuming you understand the security consequences, the simplest fix is to add this to your imapd.conf:

allowplaintext: yes
# Disallow shared secret mechanisms:
sasl_mech_list: plain login gssapi external

Alternatively, you could implement TLS instead of enabling allowplaintext.

--
Dan White
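
The capability check described in the reply, as an added example that is not part of the original thread or of Cyrus itself: it parses an IMAP capability line and lists which password-based login paths a saslauthd-backed account could use. The `AFTER` line is a constructed sample and the function names are assumptions.

```python
import re

# Greeting copied from the imtest session quoted above.
BEFORE = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE LOGINDISABLED "
          "AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR] "
          "ubuntu Cyrus IMAP v2.4.6 server ready")
# Constructed sample (assumption): what a server might advertise once
# plaintext logins are allowed and only PLAIN/LOGIN are offered.
AFTER = "* CAPABILITY IMAP4rev1 LITERAL+ AUTH=PLAIN AUTH=LOGIN SASL-IR"

# saslauthd checks a password it is handed, so only these mechanisms fit it.
PASSWORD_MECHS = {"PLAIN", "LOGIN"}


def parse_capabilities(line):
    """Capability atoms from a greeting's [CAPABILITY ...] code or an
    untagged '* CAPABILITY ...' response, upper-cased."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.IGNORECASE)
    if m:
        atoms = m.group(1).split()
    elif line.upper().startswith("* CAPABILITY "):
        atoms = line.split()[2:]
    else:
        raise ValueError("line carries no capability data")
    return {a.upper() for a in atoms}


def assess(line):
    """Summarise which password-based logins the server offers right now."""
    caps = parse_capabilities(line)
    mechs = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}
    paths = [f"AUTHENTICATE {m}" for m in sorted(mechs & PASSWORD_MECHS)]
    if "LOGINDISABLED" not in caps:
        paths.insert(0, "LOGIN")
    return {
        "login_disabled": "LOGINDISABLED" in caps,
        "starttls_offered": "STARTTLS" in caps,
        "other_mechs": sorted(mechs - PASSWORD_MECHS),
        "saslauthd_paths": paths,  # empty list: a saslauthd user cannot log in
    }


if __name__ == "__main__":
    for label, line in (("before", BEFORE), ("after", AFTER)):
        print(label, assess(line))
```

For the quoted greeting the result has an empty `saslauthd_paths` and `starttls_offered` false, which matches the "Login only available under a layer" failure in the session.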