SASL auth failing in 2 of 6 imtest cases. why?

OpenMacNews OpenMacNews at speakeasy.net
Fri Oct 7 18:04:48 EDT 2005 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

MORE info, by simple RANDOM CHANCE ...


in my original post, i'd ID'd two FAIL'd auth cases:

	(4) FAIL:    from EXTERNAL  box on EXTERNAL  intfc, as user1
	(6) FAIL:    from EXTERNAL  box on EXTERNAL  intfc, proxy as user2 w/ user1 AUTH creds

if, however, i CHANGE auth mech for each:

	---   -m plain    \
	+++   -m cram-md5 \

then, BOTH cases, (4) & (6) SUCCEED: for the auth user, my.admin

(4) login: pb1.testdomain.com [10.0.0.6] my.admin CRAM-MD5+TLS User logged in
(6) login: pb1.testdomain.com [10.0.0.6] my.admin CRAM-MD5+TLS User logged in

this seems rather ODD to me, as in imapd.conf, i've:

	sasl_mech_list:         PLAIN

so, WHY is imtest using/requiring CRAM-MD5? and only in these two cases?

i *DO* note that my server capability is ADVERTISING:

S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID
NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT
THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN AUTH=PLAIN AUTH=PLAIN AUTH=LOGIN AUTH=LOGIN
AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=CRAM-MD5
AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED

why i find:

"AUTH=PLAIN AUTH=PLAIN AUTH=PLAIN AUTH=LOGIN AUTH=LOGIN AUTH=LOGIN AUTH=DIGEST-MD5
AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=CRAM-MD5 AUTH=CRAM-MD5"

rather than JUST "AUTH=PLAIN" as the spec'd "sasl_mech_list: PLAIN", i dunno ...

but, perhaps relevant is that the above lists correlates to:

ls /usr/local/cyrus-sasl/lib/sasl2
	libcrammd5.2.0.22.so    libdigestmd5.so     libplain.la
	libcrammd5.2.so         liblogin.2.0.22.so  libplain.so
	libcrammd5.la           liblogin.2.so       libsasldb.2.0.22.so
	libcrammd5.so           liblogin.la         libsasldb.2.so
	libdigestmd5.2.0.22.so  liblogin.so         libsasldb.la
	libdigestmd5.2.so       libplain.2.0.22.so  libsasldb.so
	libdigestmd5.la         libplain.2.so

it's ACTING like sasl is IGNORING the mech_list spec'n, and selecting from available options in
lib/sasl2.

TESTING, by moving libcrammd5* out of the way ...

and trying again w/

   imtest -v \
   -t "    CERTS/mail.testdomain.com.CYRUSkey.rsa.pem" \
   -p imap \
   -m cram-md5 \
   -a my.admin at mail.testdomain.com \
   -u my.admin at mail.testdomain.com \
   -r mail.testdomain.com\
   mail.testdomain.com

it FAILS with:

badlogin: pb1.testdomain.com [10.0.0.6] CRAM-MD5 [SASL(-4): no mechanism available: Couldn't
find mech CRAM-MD5]

so, it IS 'these' MD5 plugin/libs that are being used.

questions are WHY, and only in two cases?

is this an SASL problem, or an IMAP (imapd, imtest) problem?

cheers,

richard
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (Darwin)

iEYEAREDAAYFAkNG8P8ACgkQGnqMy4gvZ6G0AACfeF38xoUWOPjmEx66J6JBKSny
C1cAn2qWSmEdi04QxQoI0pvi0+2Uv4eq
=w7Uf
-----END PGP SIGNATURE-----

More information about the Cyrus-sasl mailing list