<div class="gmail_quote">2010/7/2 Dan White <span dir="ltr">&lt;<a href="mailto:dwhite@olp.net">dwhite@olp.net</a>&gt;</span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">On 02/07/10 14:43 -0300, D G Teed wrote:<br>
</div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="im">
2010/7/2 D G Teed &lt;<a href="mailto:donald.teed@gmail.com" target="_blank">donald.teed@gmail.com</a>&gt;<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Subject: Authentication problems since Redhat 5.5 updates<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
We had a nice trouble-free cyrus running until it was updated with<br>
updates from Redhat today.<br>
<br>
I've tested with testsaslauthd (no service name given) and it works OK,<br>
so I'd think things are fine on the pam, AD and ldap end.<br>
<br>
In the cyrus server's maillog I'm seeing messages like this from<br>
attempts to connect from the remote webmail:<br>
<br>
Jul 2 13:54:22 navi imap[4073]: badlogin:<br>
<a href="http://webmail.example.com" target="_blank">webmail.example.com</a>[XXX.YYY.ZZZ.111] CRAM-MD5 [SASL(-13): user not<br>
found: no secret in database]<br>
<br>
</blockquote></blockquote>
<br></div><div class="im">
I have things working again. I had disabled Unix authentication in pam<br>
temporarily to try troubleshooting with my account. That had the side<br>
effect of disabling the cyrus user from authentication. So that explains<br>
the scripts using IMAP::Admin breaking.<br>
<br>
I also removed the package cyrus-sasl-md5 and I believe this has an impact<br>
on the issue I was facing with "CRAM-MD5".<br>
<br>
Any tips on how to co-exist with that package are welcomed.<br>
</div></blockquote>
<br>
Cyrus imap will offer all available and initializable SASL authentication<br>
plugins it can find (see pluginviewer for that list). In the case where you<br>
have a plugin installed that you don't wish to offer, you can restrict the<br>
list of mechanisms with the sasl_mech_list option.<br>
<br>
If you're depending on saslauthd for authentication, you shouldn't be<br>
offering anything other than plain and login:<br>
<br>
sasl_mech_list: PLAIN LOGIN<br>
<br></blockquote><div><br>Right, I had more in my list. And since I didn't have the cyrus-sasl-md5<br>package before, the mentioning of MD5 mech types in the sasl_mech_list didn't<br>
matter.<br><br>I have read some comments that suggest the MD5 mech options<br>only work with sasl_pwcheck_method of auxprop, and won't work <br>with pam via saslauthd. Is that true? That seems to be what<br>you are saying as well. If not the case, I don't understand <br>
what would have been needed to enable the MD5 types of<br>auth mechanism. Any pointers to where the MD5 types of mech<br>are documented for configuration?<br><br></div></div>For some reason, IMAP connections using TLS were not impacted<br>
by the change. I'm not sure of all of the ways it was broken because<br>I wanted to get the service back up ASAP, but I do know Horde<br>webmail was unable to connect using IMAP and notls.<br><br>--Donald<br><br>
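Added example, not part of the original thread: a small Python check that applies the advice quoted above (with saslauthd, sasl_mech_list should contain only PLAIN and LOGIN) to the text of an imapd.conf. The function names and both sample configurations are constructed for illustration, and it assumes saslauthd is the only password backend in use.<br><br>

```python
import re

# Per the reply quoted above: with saslauthd, offer only PLAIN and LOGIN.
SASLAUTHD_MECHS = {"PLAIN", "LOGIN"}

# Constructed samples, not taken from the poster's server.
BEFORE = """\
# imapd.conf (constructed)
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
"""
AFTER = """\
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
"""

def parse_imapd_conf(text):
    """Return 'option: value' pairs as a dict; blank lines and # comments are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip().lower()] = value.strip()
    return opts

def check_mechs(text):
    """Return a list of findings; an empty list means nothing to report."""
    opts = parse_imapd_conf(text)
    methods = opts.get("sasl_pwcheck_method", "").lower().split()
    if "saslauthd" not in methods:
        return []  # the rule only applies to saslauthd-backed setups
    if "sasl_mech_list" not in opts:
        # Without a list, every installed and initializable plugin is offered.
        return ["sasl_mech_list is unset: all installed SASL plugins are offered"]
    mechs = [m.upper() for m in re.split(r"[\s,]+", opts["sasl_mech_list"]) if m]
    extra = [m for m in mechs if m not in SASLAUTHD_MECHS]
    if extra:
        return ["offered with saslauthd but not PLAIN/LOGIN: " + " ".join(extra)]
    return []

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, check_mechs(conf) or "ok")
```
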