On 02/06/12 16:01 +0200, T T wrote:
> Hello List,
>
> I've set up a cyrus-imap server on a virtual machine. Initially, I've configured it to authenticate using GSSAPI/Kerberos V. Worked fine. Then, as the "real" end-users are not "Kerberised", I've decided to switch to simple auxprop/sasldb authentication for the time being. The first idea was to set up two mechanisms, so that a "kerberised" user can enjoy SSO, and the rest would use login/password. My /etc/imapd.conf is below. It didn't work, so I've limited the mechanisms to auxprop only, stopped the saslauthd, and tried again. It didn't work. The telnet sessions:
Choice of pwcheck_method (saslauthd or auxprop) should be orthogonal to the gssapi mechanism. The same is true of auxprop and gssapi. gssapi should work independently of how you have the other two configured... however the sasl_hostname option will affect gssapi.
> root@mail:~# telnet mail.example.com 143
> Trying 172.16.3.9...
> Connected to mail.example.com.
> Escape character is '^]'.
> * OK mail.example.com Cyrus IMAP4 v2.2.13-Debian-2.2.13-19+squeeze3 server ready
> 01 login tom ********
> 01 NO Login failed: generic failure
Check your syslog output (auth facility) for further details, such as which mechanism is being used.
> root@mail:~# telnet localhost 143
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> * OK mail.example.com Cyrus IMAP4 v2.2.13-Debian-2.2.13-19+squeeze3 server ready
> 01 login tom ********
> 01 NO Login failed: generic failure
>
> Then I've commented out servername: mail.example.com, and then the simple authentication started to work.
Your client may be choosing a mechanism that makes use of the hostname (digest-md5?).
> I'm obviously missing something elementary here, but I'm out of my wits. My questions are:
>
> 1. Is it possible to set up BOTH GSSAPI and sasldb authentication working at the same time, and if yes, then how?
By specifying:

    sasl_mech_list: <list of mechanisms>

which includes 'gssapi'. Although not specifying that option in your imapd.conf will attempt to initialize all available mechanisms, which includes gssapi. Also, 'sasl_keytab' and 'sasl_hostname' can affect how gssapi operates. With no 'sasl_hostname' specified, gssapi and other mechanisms will attempt to determine the local fqdn via some OS call. Whatever the resultant fqdn is will determine which identity to look for in your keytab, e.g.: imap/mail.example.com
> 2. Why does just specifying a host's FQDN make plain login stop working?
Not sure, but try explicitly specifying a restrictive mech_list:

    sasl_mech_list: gssapi plain login

and if saslauthd is working like you want, then just:

    sasl_pwcheck_method: saslauthd

should be good. However, be aware that most other mechanisms require the use of auxprop (including digest-md5 and cram-md5). If you require the use of those mechanisms, then you'll need to do:

    sasl_pwcheck_method: auxprop
> The /etc/imapd.conf
>
> sasl_keytab: /etc/imap.keytab
> servername: mail.example.com
> loginrealms: EXAMPLE.COM
> configdirectory: /var/lib/cyrus
> defaultpartition: default
> partition-default: /var/spool/cyrus/mail
> partition-news: /var/spool/cyrus/news
> newsspool: /var/spool/news
> altnamespace: yes
> unixhierarchysep: yes
> lmtp_downcase_rcpt: yes
> admins: cyrus
> imap_admins: cyrus
> sieve_admins: cyrus
> allowanonymouslogin: no
> popminpoll: 1
> autocreatequota: 0
> umask: 077
> sieveusehomedir: false
> sievedir: /var/spool/sieve
> hashimapspool: true
> allowplaintext: yes
> sasl_pwcheck_method: auxprop saslauthd
This means to attempt to authenticate a plain text login (plain, login, '01 login tom *****') with auxprop, and then with saslauthd. I'd just pick one or the other unless you have some exotic authentication environment.
> sasl_auxprop_plugin: sasldb
> sasl_auto_transition: no
> tls_ca_path: /etc/ssl/certs
> tls_session_timeout: 1440
> tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
> lmtpsocket: /var/spool/postfix/public/lmtp
> idlemethod: poll
> idlesocket: /var/run/cyrus/socket/idle
> notifysocket: /var/run/cyrus/socket/notify
> syslog_prefix: cyrus
>
> Thanks in advance!
> Toomas
-- Dan White
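The points raised in the reply above (a mixed `sasl_pwcheck_method`, an unset `sasl_mech_list` that pulls in gssapi, digest-md5/cram-md5 needing auxprop, and the keytab identity depending on `sasl_hostname`) can be checked mechanically before restarting the server. The script below is an added example, not part of Cyrus or of either poster's message: it parses the `key: value` format of imapd.conf and reports those conditions. The sample configs are constructed from the one posted in the thread; the finding codes, the assumption that `sasl_pwcheck_method` defaults to `auxprop` when unset, and the `imap/<hostname>` principal form are mine and follow the reply, not the Cyrus documentation.

```python
"""Lint the SASL-related keys of a Cyrus imapd.conf for the pitfalls
discussed in the thread.  Added example, not Cyrus code."""

# Per the reply: these mechanisms need a password store reachable via auxprop.
AUXPROP_ONLY_MECHS = {"digest-md5", "cram-md5"}

# Constructed from the configuration posted in the thread (SASL keys only).
SAMPLE_CONF = """\
sasl_keytab: /etc/imap.keytab
servername: mail.example.com
loginrealms: EXAMPLE.COM
allowplaintext: yes
sasl_pwcheck_method: auxprop saslauthd
sasl_auxprop_plugin: sasldb
"""

# Constructed: the restrictive setup suggested in the reply, plus an explicit
# sasl_hostname so the keytab identity no longer depends on an OS lookup.
FIXED_CONF = """\
sasl_keytab: /etc/imap.keytab
sasl_hostname: mail.example.com
sasl_mech_list: gssapi plain login
sasl_pwcheck_method: saslauthd
"""


def parse_imapd_conf(text):
    """imapd.conf is one 'key: value' per line; '#' starts a comment.
    Only the first ':' separates key from value, so values such as
    'TLSv1+HIGH:!aNULL:@STRENGTH' survive intact."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf


def lint_sasl(conf):
    """Return a list of (code, message) findings, in a fixed order."""
    findings = []

    # Assumption: libsasl falls back to auxprop when pwcheck_method is unset.
    methods = conf.get("sasl_pwcheck_method", "auxprop").split()
    if len(methods) > 1:
        findings.append(("mixed-pwcheck",
                         "plaintext logins are tried with each of: %s; pick one"
                         % ", ".join(methods)))

    mech_list = conf.get("sasl_mech_list")
    if mech_list is None:
        mechs = None  # every available mechanism, gssapi included
        findings.append(("mech-list-unset",
                         "all available mechanisms are initialised, including gssapi"))
    else:
        mechs = {m.lower() for m in mech_list.split()}
        needs_auxprop = sorted(mechs & AUXPROP_ONLY_MECHS)
        if needs_auxprop and "auxprop" not in methods:
            findings.append(("auxprop-required",
                             "%s need sasl_pwcheck_method: auxprop"
                             % ", ".join(needs_auxprop)))

    gssapi_enabled = mechs is None or "gssapi" in mechs
    if gssapi_enabled:
        if "sasl_keytab" not in conf:
            findings.append(("no-keytab",
                             "gssapi enabled but sasl_keytab is not set"))
        hostname = conf.get("sasl_hostname")
        if hostname is None:
            findings.append(("no-sasl-hostname",
                             "sasl_hostname unset: the keytab identity imap/<fqdn> "
                             "is derived from the OS hostname lookup"))
    return findings


def gssapi_principal(conf):
    """Keytab identity the reply says gssapi will look for, or None when
    it depends on the OS-determined fqdn."""
    hostname = conf.get("sasl_hostname")
    return "imap/%s" % hostname if hostname else None


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_CONF), ("suggested", FIXED_CONF)):
        conf = parse_imapd_conf(text)
        print("%s config, principal %s" % (label, gssapi_principal(conf)))
        for code, msg in lint_sasl(conf):
            print("  %-18s %s" % (code, msg))
```

Run with no arguments it lints the two embedded configs; to lint a real file, pass its contents to `parse_imapd_conf` and then `lint_sasl`. The order of findings is fixed (pwcheck, mech list, auxprop, keytab, hostname) so the output is stable enough to diff between restarts.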