lists@xxxxxxxxxxxxxxx wrote:
>
> Hello everybody,
>
> I configured cyrus imapd on an Opensuse 11 machine following the
> recommendation in a README file. Now I discovered the following - for
> me odd behavior - which might depend on a "misconfiguration".
>
> /etc/imap.conf:
> sasl_pwcheck_method: saslauthd
>
> /etc/sysconfig/saslauthd:
> SASLAUTHD_AUTHMECH=pam
>
> If a user logs into cyrus (I used mtest from uw-imap because of its
> debug messages) it takes 4 trials (3 with CRAM-MD5 and a final with
> plain password) before the login succeeds.
>
> By chance I've found a tutorial which recommends adding a user to
> sasldb2. I tried that and without any additional changes to the
> configuration the first login attempt succeeds.
>
> I wonder if someone could tell me
> 1. Why did it take 4 attempts using the system credentials
> 2. Why did it succeed with one attempt after a user with the same
> username and different password was added to sasldb2
> 3. Why did the sasldb2 approach succeed at all without any
> configuration changes.
>

When authenticating via CRAM-MD5, the pwcheck_method will be ignored. Your chosen pwcheck_method should only be referenced when authenticating via a 'plaintext' authentication mechanism - LOGIN or PLAIN. The fact that mtest attempted to authenticate via CRAM-MD5 probably means that you are advertising CRAM-MD5 support within imapd.conf.

When authenticating via a mechanism which utilizes a shared secret, such as CRAM-MD5, your auxprop configuration will be used (sasl_auxprop_plugin). The default auxprop plugin is sasldb.

If you are advertising CRAM-MD5 support in /etc/imapd.conf, but do not have the user configured in an auxprop store, then CRAM-MD5 should always fail.

> 1. Why did it take 4 attempts using the system credentials

mtest is probably falling back to PLAIN after 3 unsuccessful CRAM-MD5 login attempts.

> 2. Why did it succeed with one attempt after a user with the same username and different password was added to sasldb2
> 3. Why did the sasldb2 approach succeed at all without any configuration changes.

Because adding the user to your (default) auxprop store allowed CRAM-MD5 to succeed.

If you are planning to support CRAM-MD5, you'll want to use:

    sasl_pwcheck_method: auxprop

which will provide some consistency between PLAIN logins and CRAM-MD5 logins. It will not allow you to use PAM and you'll need to configure your users in /etc/sasldb2.

If you don't care about supporting CRAM-MD5, then remove it from your 'sasl_mech_list', and you can stick with saslauthd and PAM.

- Dan

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
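
The split described in the reply can be checked mechanically. The following is an added example, not part of the original thread and not Cyrus project code: a small linter that flags an imapd.conf where shared-secret mechanisms are advertised while plaintext logins go to a different password store. It goes slightly beyond the thread by also treating DIGEST-MD5 as a shared-secret mechanism; the sample configurations are constructed, and the defaults assumed for unset options are marked in the comments.

```python
# Added example (not from the thread): lint a Cyrus imapd.conf for the
# split between pwcheck_method and auxprop described in the reply.
SHARED_SECRET = {"CRAM-MD5", "DIGEST-MD5"}  # checked against the auxprop store

def parse_conf(text):
    """Parse 'option: value' lines; blank lines and '#' comments are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().lower()] = value.strip()
    return opts

def check(text):
    """Return a list of (code, message) findings for one imapd.conf."""
    opts = parse_conf(text)
    # Assumption: an unset pwcheck_method behaves as auxprop (Cyrus SASL default).
    pwcheck = opts.get("sasl_pwcheck_method", "auxprop").lower().split()
    auxprop = opts.get("sasl_auxprop_plugin", "sasldb")  # default per the reply
    if "sasl_mech_list" not in opts:
        # Assumption: with no list, every installed mechanism plugin is offered.
        return [("MECH_LIST_UNSET", "sasl_mech_list is not set; CRAM-MD5 may "
                 "be advertised if its plugin is installed")]
    mechs = {m.upper() for m in opts["sasl_mech_list"].split()}
    shared = sorted(mechs & SHARED_SECRET)
    if shared and "auxprop" not in pwcheck:
        return [("SPLIT_STORE", f"{', '.join(shared)} verify against auxprop "
                 f"'{auxprop}' while PLAIN/LOGIN use {' '.join(pwcheck)}; users "
                 "missing from the auxprop store fail the shared-secret login")]
    return []

# Constructed sample configurations (not taken from the poster's machine).
MIXED = "sasl_pwcheck_method: saslauthd\nsasl_mech_list: CRAM-MD5 PLAIN LOGIN\n"
PAM_ONLY = "# saslauthd + PAM\nsasl_pwcheck_method: saslauthd\nsasl_mech_list: PLAIN LOGIN\n"
AUXPROP_ONLY = "sasl_pwcheck_method: auxprop\nsasl_mech_list: CRAM-MD5 PLAIN\n"

if __name__ == "__main__":
    for name, conf in [("mixed", MIXED), ("PAM only", PAM_ONLY),
                       ("auxprop only", AUXPROP_ONLY)]:
        print(name, "->", check(conf) or "consistent")
```

A `SPLIT_STORE` finding also means the same username can carry two different passwords, one in PAM and one in sasldb2, which is the situation the original poster ended up in.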