SASL auth failing in 2 of 6 imtest cases. why?
OpenMacNews
OpenMacNews at speakeasy.net
Fri Oct 7 18:04:48 EDT 2005
MORE info, by simple RANDOM CHANCE ...
in my original post, i'd ID'd two FAIL'd auth cases:
(4) FAIL: from EXTERNAL box on EXTERNAL intfc, as user1
(6) FAIL: from EXTERNAL box on EXTERNAL intfc, proxy as user2 w/ user1 AUTH creds
if, however, i CHANGE auth mech for each:
--- -m plain \
+++ -m cram-md5 \
then, BOTH cases, (4) & (6) SUCCEED: for the auth user, my.admin
(4) login: pb1.testdomain.com [10.0.0.6] my.admin CRAM-MD5+TLS User logged in
(6) login: pb1.testdomain.com [10.0.0.6] my.admin CRAM-MD5+TLS User logged in
this seems rather ODD to me, as in imapd.conf, i've:
sasl_mech_list: PLAIN
so, WHY is imtest using/requiring CRAM-MD5? and only in these two cases?
i *DO* note that my server capability is ADVERTISING:
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID
NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT
THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN AUTH=PLAIN AUTH=PLAIN AUTH=LOGIN AUTH=LOGIN
AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=CRAM-MD5
AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED
why i find:
"AUTH=PLAIN AUTH=PLAIN AUTH=PLAIN AUTH=LOGIN AUTH=LOGIN AUTH=LOGIN AUTH=DIGEST-MD5
AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=CRAM-MD5 AUTH=CRAM-MD5"
rather than JUST "AUTH=PLAIN" as the spec'd "sasl_mech_list: PLAIN", i dunno ...
but, perhaps relevant is that the above list correlates to:
ls /usr/local/cyrus-sasl/lib/sasl2
libcrammd5.2.0.22.so libdigestmd5.so libplain.la
libcrammd5.2.so liblogin.2.0.22.so libplain.so
libcrammd5.la liblogin.2.so libsasldb.2.0.22.so
libcrammd5.so liblogin.la libsasldb.2.so
libdigestmd5.2.0.22.so liblogin.so libsasldb.la
libdigestmd5.2.so libplain.2.0.22.so libsasldb.so
libdigestmd5.la libplain.2.so
it's ACTING like sasl is IGNORING the mech_list spec'n, and selecting from available options in
lib/sasl2.
TESTING, by moving libcrammd5* out of the way ...
and trying again w/
imtest -v \
-t " CERTS/mail.testdomain.com.CYRUSkey.rsa.pem" \
-p imap \
-m cram-md5 \
-a my.admin@mail.testdomain.com \
-u my.admin@mail.testdomain.com \
-r mail.testdomain.com \
mail.testdomain.com
it FAILS with:
badlogin: pb1.testdomain.com [10.0.0.6] CRAM-MD5 [SASL(-4): no mechanism available: Couldn't
find mech CRAM-MD5]
so, it IS 'these' MD5 plugin/libs that are being used.
questions are WHY, and only in two cases?
is this an SASL problem, or an IMAP (imapd, imtest) problem?
cheers,
richard
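A check for the mismatch described in this message, added here as an example and not part of the original post or of Cyrus itself: it compares the AUTH= mechanisms in a CAPABILITY response against the sasl_mech_list value from imapd.conf and reports anything advertised but not configured, plus repeated entries. The function names are hypothetical; the sample inputs are the values quoted in the post, with the wrapped CAPABILITY line re-joined.

```python
from collections import Counter

# Sample inputs: the sasl_mech_list line and the CAPABILITY response quoted
# in the post (the wrapped capability line is re-joined into one string).
IMAPD_CONF = "sasl_mech_list: PLAIN\n"
CAPABILITY = (
    "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID "
    "NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT "
    "THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN AUTH=PLAIN AUTH=PLAIN AUTH=LOGIN AUTH=LOGIN "
    "AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=CRAM-MD5 "
    "AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED"
)

def configured_mechs(conf_text):
    """Return the set of mechanisms named by sasl_mech_list, or None if unset."""
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip().lower() == "sasl_mech_list":
            return {m.upper() for m in value.split()}
    return None

def advertised_mechs(capability_line):
    """Count every AUTH=<mech> token in an IMAP CAPABILITY response."""
    return Counter(t[5:].upper() for t in capability_line.split() if t.upper().startswith("AUTH="))

def audit(conf_text, capability_line):
    """Compare what the server advertises with what the config allows."""
    allowed = configured_mechs(conf_text)
    seen = advertised_mechs(capability_line)
    return {
        "allowed": sorted(allowed) if allowed is not None else None,
        "advertised": sorted(seen),
        "unexpected": sorted(m for m in seen if allowed is not None and m not in allowed),
        "missing": sorted(allowed - set(seen)) if allowed else [],
        "duplicates": {m: n for m, n in seen.items() if n > 1},
    }

if __name__ == "__main__":
    for field, value in audit(IMAPD_CONF, CAPABILITY).items():
        print(f"{field}: {value}")
```

Run it against the CAPABILITY line captured both before and after STARTTLS, since a server may advertise a different mechanism set on each side of the TLS handshake.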