Guillermo Gómez wrote:
>> pam_mysql would correlate to saslauthd, and the cyrus sasl plugin
>> would correlate to auxprop.
>>
>> See documentation on the SASL pwcheck_method setting
>> (sasl_pwcheck_method in /etc/imapd.conf).
>>
>> When set to saslauthd, the pwcheck_method will allow the use of
>> the PLAIN and LOGIN mechanisms, and will pass the username and
>> password from the client on to PAM. PAM can internally hash the
>> password and compare it against an already md5/crypted password.
>>
>> When set to auxprop, SASL will retrieve the cleartext password
>> and use it to compare (in the case of PLAIN and LOGIN), or to use
>> in multi-step negotiation of other mechanisms, such as DIGEST-MD5.
>>
>> The auxprop plugin gives you the ability to authenticate using
>> the PLAIN, LOGIN, DIGEST-MD5, CRAM-MD5, NTLM and OTP mechs (and
>> probably more).
>>
>> saslauthd only gives you the ability to authenticate using PLAIN
>> and LOGIN (I believe), which may or may not be sufficient for you.
>>
>> - Dan
>>
>
> Thanks Dan, I'm reading and trying to digest all the material available.
>
> What the customer wants is:
>
> 1.- md5-digest between imap client/server (squirrelmail/cyrus-imapd)
> 2.- md5 encrypted passwords stored in mysql db (cyrus-imap-??)
>
> Is this combination possible?

The SASLv1 library used to store a non-plaintext secret for use with
DIGEST-MD5. In fact, it stored separate secrets for each mechanism. In
SASLv2, it was decided to use a single plaintext secret. Part of this
decision was based on the fact that the DIGEST-MD5 secret was tied to
the servername/domain, which made the database non-portable.

--
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
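
Added example, not part of the original thread and not Cyrus SASL code: a Python sketch of the RFC 2831 DIGEST-MD5 response (qop=auth, no authzid) showing what a server must have stored in order to verify it. The sample values are the ones from the RFC 2831 example exchange; the function names, the second realm and the plain MD5(password) database column are assumptions made for illustration.

```python
import hashlib

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def realm_secret(user: str, realm: str, password: str) -> bytes:
    """H(username:realm:password): a non-plaintext secret bound to one realm."""
    return md5(f"{user}:{realm}:{password}".encode())

def digest_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                    digest_uri: str, qop: str = "auth") -> str:
    """RFC 2831 'response' value computed from the realm-bound secret."""
    a1 = secret + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    ha1, ha2 = md5(a1).hex(), md5(a2).hex()
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hex()

# Values taken from the example exchange in RFC 2831, section 4.
USER, REALM, PASSWORD = "chris", "elwood.innosoft.com", "secret"
CHALLENGE = dict(nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk",
                 nc="00000001", digest_uri="imap/elwood.innosoft.com")

def client_response() -> str:
    """What the IMAP client sends; it knows the plaintext password."""
    return digest_response(realm_secret(USER, REALM, PASSWORD), **CHALLENGE)

def server_from_plaintext(stored_password: str) -> str:
    """Server storing the plaintext secret (the auxprop case)."""
    return digest_response(realm_secret(USER, REALM, stored_password), **CHALLENGE)

def server_from_realm_secret(stored_secret: bytes) -> str:
    """Server storing H(user:realm:pass): works, but only for this realm."""
    return digest_response(stored_secret, **CHALLENGE)

def server_from_md5_column(stored_hex: str) -> str:
    """Assumed DB column holding MD5(password) as hex. H(user:realm:pass)
    cannot be derived from it, so the hash is all the server can feed in."""
    return digest_response(realm_secret(USER, REALM, stored_hex), **CHALLENGE)

if __name__ == "__main__":
    want = client_response()
    print("client response      :", want)
    print("plaintext store ok   :", server_from_plaintext(PASSWORD) == want)
    print("realm secret store ok:",
          server_from_realm_secret(realm_secret(USER, REALM, PASSWORD)) == want)
    print("MD5(password) store  :",
          server_from_md5_column(hashlib.md5(PASSWORD.encode()).hexdigest()) == want)
    # Same user and password under another (constructed) realm: different secret.
    print("secret portable      :",
          realm_secret(USER, "mail.example.org", PASSWORD)
          == realm_secret(USER, REALM, PASSWORD))
```
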