Re: Sendmail, saslauthd, AUTH DIGEST-MD5 and /etc/shadow ?


 



On 01/12/13 11:16 +0000, Charles Bradshaw wrote:
> Following Sebastian's reply I'm more confused than ever.
>
> The way I read the manual (here:
> http://www.sendmail.org/~ca/email/cyrus2/sysadmin.html) to use sasldb I have
> to change pwcheck_method=shadow to pwcheck_method=auxprop in
> /usr/lib/sasl2/Sendmail.conf

saslauthd cannot be used to perform digest-md5 authentication. You'll need
to use an auxprop plugin (sasldb, ldapdb, sql) to authenticate shared
secret mechanisms.

> If so, then presumably I have to change MECH=shadow in
> /etc/sysconfig/saslauthd, but what to ?
> "saslauthd -v" returns: authentication mechanisms: getpwent kerberos5 pam
> rimap shadow ldap httpform.
>
> There is no mention of sasldb in the above return. The installed default was
> MECH=pam, which I changed to get where I am.
>
> I need to get DIGEST-MD5 working while keeping PLAIN which already works:

You can continue to use saslauthd for PLAIN authentication (via the
pwcheck_method configuration). DIGEST-MD5 will use your configured
auxprop_plugin configuration.

See:

http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/components.php

> Assuming Sebastian's assertion is correct, can I just duplicate authorization
> and/or authentication data in sasldb2 ?

Duplicate to another server? ldap or sql makes on sense in that scenario.

> If I have to change pwcheck_method (as above) what about the MECH parameter in
> /etc/sysconfig/saslauthd ?

If you configure an auxprop plugin, then you'd probably want to do
'pwcheck_method: auxprop' and drop saslauthd altogether.


> Can I just specify MECH=pam ?
>
> Thanks for your patience.
>
> Previous reply:
>
> Sebastian, thanks for the prompt reply.
>
> What do you mean 'original', the password for realuser or smmsp or both ?
>
> Re: Sendmail, saslauthd, AUTH DIGEST-MD5 and /etc/shadow ?
>
> You'll have to use sasldb if you want to use DIGEST-MD5. Challenge-response
> only works when both sides know the original password.
>
> Charles Bradshaw


--
Dan White
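
Added example, not part of the original thread and not Cyrus SASL code: a sketch of the RFC 2831 DIGEST-MD5 response calculation (qop=auth, no authzid) showing why a server holding only a one-way /etc/shadow hash can check PLAIN but cannot check a DIGEST-MD5 response. The host name, nonces, password and the PBKDF2 stand-in for a crypt(3) shadow entry are constructed assumptions.

```python
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def digest_md5_response(password, username, realm, nonce, cnonce, nc, digest_uri):
    """RFC 2831 response value for qop=auth without an authzid."""
    # The first hash takes the password itself; a crypt(3) hash cannot replace it.
    secret = md5(f"{username}:{realm}:{password}".encode())
    ha1 = md5(secret + f":{nonce}:{cnonce}".encode()).hex()
    ha2 = md5(f"AUTHENTICATE:{digest_uri}".encode()).hex()
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode()).hex()

def shadow_style_hash(password, salt):
    """Stand-in for a salted one-way /etc/shadow entry (PBKDF2 here, not real crypt(3))."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 5000)

def verify_plain(sent_password, salt, stored_hash):
    """PLAIN: the password arrives from the client, so a one-way hash is enough."""
    return hmac.compare_digest(shadow_style_hash(sent_password, salt), stored_hash)

def verify_digest(stored_secret, client_response, challenge):
    """DIGEST-MD5: only a response arrives; the server recomputes it from its store."""
    expected = digest_md5_response(stored_secret, **challenge)
    return hmac.compare_digest(expected, client_response)

# Constructed sample values (hypothetical host, nonces and password).
CHALLENGE = {
    "username": "realuser", "realm": "mail.example.org",
    "nonce": "c2VydmVyLW5vbmNl", "cnonce": "Y2xpZW50LW5vbmNl",
    "nc": "00000001", "digest_uri": "smtp/mail.example.org",
}
PASSWORD = "correct horse battery"
SALT = b"constructed-salt"

def demo():
    shadow = shadow_style_hash(PASSWORD, SALT)
    response = digest_md5_response(PASSWORD, **CHALLENGE)  # what the client sends
    return {
        "plain_against_shadow_hash": verify_plain(PASSWORD, SALT, shadow),
        "digest_against_password_store": verify_digest(PASSWORD, response, CHALLENGE),
        # Feeding the one-way hash in place of the password never matches.
        "digest_against_shadow_hash": verify_digest(shadow.hex(), response, CHALLENGE),
    }

if __name__ == "__main__":
    print(demo())
```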

