Hello Dan,

On Fri, Feb 21, 2014 at 08:50:41AM -0600, Dan White wrote:
> On 02/21/14 10:50 +0100, Willy Offermans wrote:
> >Indeed, I needed to specify an authentication mechanism and then I could
> >use the command line interface of cyradm:
> >
> >cyradm --user username --auth PLAIN localhost
> >
> >If we are at this point anyway, I was wondering what I need to do to use
> >another authentication mechanism. Is this possible? And what do I need to
> >consider?
> >
> >The IMAP server response with the following authentication mechanism:
> >
> >AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN
> >
> >If I login with SCRAM-SHA-1:
> >
> >MyName@MyComputer:~$ cyradm --user username --auth SCRAM-SHA-1 localhost
> >Password:
> >verify error:num=19:self signed certificate in certificate chain
> >cyradm: cannot authenticate to server with SCRAM-SHA-1 as username
> >
> >In the logs:
> >
> >Feb 21 09:48:36 MyComputer imap[17576]: badlogin: localhost [127.0.0.1] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
> >
> >I'm pretty sure that the user is registered in the ldap database.
>
> DIGEST-MD5, CRAM-MD5, and SCRAM-SHA-1 all require cyrus sasl to have access
> to the shared secret (clear text password) to complete authentication. If
> you're using LDAP to store your user credentials, you'll need to use the
> ldapdb auxprop plugin and store users' clear text passwords in userPassword.
> Presumably you're using 'sasl_pwcheck_method: saslauthd' currently, which
> is sufficient for PLAIN and LOGIN authentication.
>
> If you choose not to go the ldapdb route, I recommend specifying a
> sasl_mech_list to limit your mechanisms to PLAIN and LOGIN (and EXTERNAL if
> you intend to do starttls client authentication). If you don't do that, in
> your current setup, most clients will attempt to first authenticate using a
> shared secret mechanism (including cyradm in your initial attempt), which
> will always fail on that attempt.
>
> --
> Dan White

Thank you a lot for the clarification. I did some searching on the internet
myself and I got some increased understanding myself.

I changed the imapd.conf on the imap server and added:

sasl_mech_list: PLAIN LOGIN

to the settings. This solved several issues. So I can already confirm your
suggestion for a solution. But many thanks anyway.

You are pointing to EXTERNAL, next to PLAIN and LOGIN. I do not understand
this mechanism yet. At the moment I believe I have PLAIN password wrapped
into TLS. So I already do starttls client authentication. What will EXTERNAL
do?

--
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Wiel

*************************************
W.K. Offermans
Home: +31 45 544 49 44
Mobile: +31 681 15 87 68
e-mail: Willy@xxxxxxxxxxxxxxxxxxx
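
Added example, not part of the original thread and not Cyrus project code: a Python check that takes an imapd.conf and the server's advertised AUTH= capabilities and reports which mechanisms cannot succeed without stored shared secrets, plus the sasl_mech_list line suggested in the reply above. The function names, the sample config and the "* CAPABILITY IMAP4rev1" prefix are constructed; treating a configured sasl_auxprop_plugin as "clear text secrets are available" is a simplifying assumption.

```python
# Added example: which advertised SASL mechanisms can work with this imapd.conf?
SHARED_SECRET = {"DIGEST-MD5", "CRAM-MD5", "SCRAM-SHA-1"}  # named in the thread

# Constructed sample input; the AUTH= tokens are the ones quoted in the thread.
SAMPLE_CONF = "# constructed imapd.conf fragment\nsasl_pwcheck_method: saslauthd\n"
SAMPLE_CAPABILITY = ("* CAPABILITY IMAP4rev1 AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 "
                     "AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN")

def parse_conf(text):
    """Return imapd.conf 'key: value' pairs, skipping comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf

def advertised_mechs(capability_line):
    """Extract mechanism names from the AUTH=... capability tokens."""
    return [tok[5:].upper() for tok in capability_line.split()
            if tok.upper().startswith("AUTH=")]

def audit(conf_text, capability_line, client_certs=False):
    """Report mechanisms that will fail and the mech list to configure."""
    conf = parse_conf(conf_text)
    mechs = advertised_mechs(capability_line)
    if "sasl_mech_list" in conf:
        # Model the restriction taking effect: only listed mechanisms are offered.
        allowed = conf["sasl_mech_list"].upper().split()
        mechs = [m for m in mechs if m in allowed]
    # Assumption: shared secrets exist only if an auxprop plugin is configured.
    has_secrets = "sasl_auxprop_plugin" in conf
    will_fail = [m for m in mechs if m in SHARED_SECRET and not has_secrets]
    # EXTERNAL only belongs in the list when TLS client certificates are used.
    recommended = ["PLAIN", "LOGIN"] + (["EXTERNAL"] if client_certs else [])
    outside = [m for m in mechs if m not in recommended]
    suggestion = "sasl_mech_list: " + " ".join(recommended) if will_fail else None
    return {"offered": mechs, "will_fail": will_fail,
            "outside_recommended": outside, "suggestion": suggestion}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF, SAMPLE_CAPABILITY).items():
        print(f"{key}: {value}")
```

PLAIN and LOGIN send the password itself to the server, so with this mechanism list the TLS layer is what protects it on the wire.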