authentication headaches

Louis LeBlanc cyrus at keyslapper.org
Wed Jul 7 00:24:14 EDT 2004


Hey everyone.  I'm trying to set up a replacement server, moving from
2.0.17 to 2.2.6.

The new machine is running FreeBSD 5.2.1 with the following (installed
from ports):
cyrus-imapd-2.2.6
cyrus-sasl-2.1.18_1
cyrus-sasl-saslauthd-2.1.18_2

The problem is that I am suddenly having a bear of a time getting
authentication to work consistently.  The current server running
2.0.17 answers plaintext on imap and imaps ports (143 and 993) and
answers CRAM-MD5 as well.

Problem is that Mutt and gkrellm work with CRAM-MD5 on SSL, and
Netscape will only run plaintext on SSL.

It appears that I still need to allow port 143 traffic because cyradm
requires it, but I've no problem firewalling that off from the
outside.

Regardless, I'd really like to get CRAM-MD5 and plaintext over SSL
(993) working for the same userid.

It seems that now that I've logged in with plaintext, I can't do it
with CRAM-MD5, because I keep getting this when I try:

Jul  6 23:55:58 key2 imaps[6597]: starttls: SSLv2 with cipher DES-CBC3-MD5 (168/168 bits new) no authentication
Jul  6 23:55:58 key2 imaps[6597]: Could not open db
Jul  6 23:55:58 key2 imaps[6597]: Could not open db
Jul  6 23:55:58 key2 imaps[6597]: no secret in database
Jul  6 23:55:58 key2 imaps[6597]: badlogin: key2.keyslapper.org [10.8.20.7] CRAM-MD5 [SASL(-17): One time use of a plaintext password will enable requested mechanism for user: no secret in database]

I still haven't figured out what database(s) imaps is trying to open,
but I don't understand the last message either.

When I go back to plaintext authentication, I get the following:

Jul  6 23:57:36 key2 imaps[6598]: starttls: SSLv2 with cipher DES-CBC3-MD5 (168/168 bits new) no authentication
Jul  6 23:57:36 key2 imaps[6598]: transitioning user leblanc to auxprop database
Jul  6 23:57:36 key2 imaps[6598]: SASL error opening password file. Do you have write permissions? 
Jul  6 23:57:36 key2 imaps[6598]: Could not open db for write
Jul  6 23:57:36 key2 imaps[6598]: setpass succeeded for leblanc
Jul  6 23:57:36 key2 imaps[6598]: login: key2.keyslapper.org [10.8.20.7] leblanc plaintext+TLS User logged in

So that works fine, but it still has problems opening a database.

imapd is running as cyrus, but saslauthd is running as root.  The
sasldb2.db file is owned by root:wheel, and is set with no group
access.

Do I need to make the file group writeable?  I thought the saslauthd
process did the actual checking?

And what is meant by "setpass succeeded"?

This whole thing is driving me nuts.  Personally, I'd just as soon
have one single authentication point.  Because of the way mail is
filtered prior to delivery to the imap mailbox, every user (all of
about 4 ids) will have a unix login anyway, but is it even possible to
get CRAM-MD5 authentication using pwcheck in the backend?

This system will be running samba, which has its own authentication
mechanism, but at least that can be tied to the /etc/passwd database.
Is there any way to tie imap authentication (with CRAM-MD5) to it as
well?

Thanks in advance.

Lou
-- 
Louis LeBlanc               leblanc at keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org                     Ô¿Ô¬

Fifth Law of Procrastination:
  Procrastination avoids boredom; one never has the feeling that
  there is nothing important to do.
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
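Added example (not from the post and not Cyrus SASL code): a Python model of the CRAM-MD5 exchange from RFC 2195 and of the plaintext-to-secret-store "transition" that the log lines in the post describe. It shows why a server can only verify CRAM-MD5 when it holds the password itself (the password is the HMAC key, so a one-way hash such as the crypt(3) entry in /etc/passwd checked through pwcheck or saslauthd cannot produce the response), and how one successful plaintext login is the moment the server can copy that password into a shared-secret store so the next CRAM-MD5 login succeeds. The hostname, pids and the message shapes are taken from the log; the password, the SHA-256 stand-in for crypt(3), and the dictionary "stores" are constructed for the example, and the transition function is an illustrative model of the auto-transition option rather than the library's implementation.

```python
"""CRAM-MD5 (RFC 2195) worked from both sides, plus the plaintext-to-sasldb
transition. Constructed example; the stores are plain dicts standing in
for /etc/passwd (one-way hashes) and sasldb2.db (shared secrets)."""
import base64
import hashlib
import hmac
import os


def make_challenge(pid, timestamp, hostname):
    """Server challenge in the RFC 2195 form "<pid.timestamp@hostname>"."""
    return f"<{pid}.{timestamp}@{hostname}>".encode()


def response_digest(password, challenge):
    """The CRAM-MD5 proof: HMAC-MD5 over the challenge, keyed by the password."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def client_response(username, password, challenge_b64):
    """Client side: decode the challenge, prove knowledge of the password,
    return the base64 "username hexdigest" line sent on the wire."""
    challenge = base64.b64decode(challenge_b64)
    line = f"{username} {response_digest(password, challenge)}"
    return base64.b64encode(line.encode()).decode()


def verify_cram_md5(response_b64, challenge, secret_store):
    """Server side: recompute the HMAC from the stored secret. Without the
    plaintext-equivalent secret there is nothing to key the HMAC with,
    which is the "no secret in database" case from the log."""
    username, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    secret = secret_store.get(username)
    if secret is None:
        return False, "no secret in database"
    if hmac.compare_digest(response_digest(secret, challenge), digest):
        return True, f"{username} CRAM-MD5 User logged in"
    return False, "authentication failure"


def hash_password(password, salt=None):
    """One-way store entry (salted SHA-256 here; crypt(3) in real /etc/passwd)."""
    salt = salt or os.urandom(8)
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


def verify_plaintext(username, password, hashed_store):
    """What pwcheck/saslauthd can do: check a plaintext password against the
    one-way hash. This never yields the password to anyone who lacks it."""
    entry = hashed_store.get(username)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def plaintext_login_with_transition(username, password, hashed_store, secret_store):
    """Model of the auto-transition step (assumption: illustrative, not the
    library's code). A plaintext login that the external check accepts is the
    one point where the server holds the plaintext, so it is written into the
    shared-secret store ("setpass") for later CRAM-MD5 logins."""
    if not verify_plaintext(username, password, hashed_store):
        return False
    secret_store[username] = password
    return True


def demo():
    """Replays the sequence from the post: CRAM-MD5 fails on an empty secret
    store, a hashed store cannot serve it either, a plaintext login seeds
    the store, and CRAM-MD5 then succeeds. Password is constructed."""
    hashed = {"leblanc": hash_password("correct horse")}   # like /etc/passwd
    sasldb = {}                                            # fresh sasldb2.db
    chal1 = make_challenge(6597, 1089172558, "key2.keyslapper.org")
    resp1 = client_response("leblanc", "correct horse", base64.b64encode(chal1).decode())
    first = verify_cram_md5(resp1, chal1, sasldb)
    # Keying the HMAC with the stored hash instead of the password cannot work.
    hash_only = verify_cram_md5(resp1, chal1, {"leblanc": hashed["leblanc"][1]})
    transitioned = plaintext_login_with_transition("leblanc", "correct horse", hashed, sasldb)
    chal2 = make_challenge(6598, 1089172656, "key2.keyslapper.org")  # fresh challenge
    chal2_b64 = base64.b64encode(chal2).decode()
    second = verify_cram_md5(client_response("leblanc", "correct horse", chal2_b64), chal2, sasldb)
    wrong = verify_cram_md5(client_response("leblanc", "wrong", chal2_b64), chal2, sasldb)
    return {"first": first, "hash_only": hash_only, "transitioned": transitioned,
            "second": second, "wrong": wrong}


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The practical consequence for the setup in the post: CRAM-MD5 can never be answered out of a crypt(3)-hashed password store, so it has to come from a secret store the imapd process itself can read and write (Cyrus SASL's sasldb, populated with `saslpasswd2 -c <user>` or, with `sasl_auto_transition: yes` in imapd.conf, by exactly the plaintext-login transition modelled above), which is why file ownership of sasldb2.db relative to the user imapd runs as matters for the "Could not open db for write" line.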