SASL auth failing in 2 of 6 imtest cases. why?
Igor Brezac
igor at ipass.net
Fri Oct 7 23:50:44 EDT 2005
On Fri, 7 Oct 2005, OpenMacNews wrote:
> MORE info, by simple RANDOM CHANCE ...
>
>
> in my original post, i'd ID'd two FAIL'd auth cases:
>
> (4) FAIL: from EXTERNAL box on EXTERNAL intfc, as user1
> (6) FAIL: from EXTERNAL box on EXTERNAL intfc, proxy as user2 w/ user1 AUTH creds
>
> if, however, i CHANGE auth mech for each:
>
> --- -m plain \
> +++ -m cram-md5 \
>
> then, BOTH cases, (4) & (6) SUCCEED: for the auth user, my.admin
>
> (4) login: pb1.testdomain.com [10.0.0.6] my.admin CRAM-MD5+TLS User logged in
> (6) login: pb1.testdomain.com [10.0.0.6] my.admin CRAM-MD5+TLS User logged in
>
> this seems rather ODD to me, as in imapd.conf, i've:
>
> sasl_mech_list: PLAIN
>
> so, WHY is imtest using/requiring CRAM-MD5? and only in these two cases?
>
> i *DO* note that my server capability is ADVERTISING:
>
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID
> NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT
> THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN AUTH=PLAIN AUTH=PLAIN AUTH=LOGIN AUTH=LOGIN
> AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=CRAM-MD5
> AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED
>
> why i find:
>
> "AUTH=PLAIN AUTH=PLAIN AUTH=PLAIN AUTH=LOGIN AUTH=LOGIN AUTH=LOGIN AUTH=DIGEST-MD5
> AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=CRAM-MD5 AUTH=CRAM-MD5"
>
> rather than JUST "AUTH=PLAIN" as the spec'd "sasl_mech_list: PLAIN", i dunno ...
>
> but, perhaps relevant is that the above list correlates to:
>
> ls /usr/local/cyrus-sasl/lib/sasl2
> libcrammd5.2.0.22.so libdigestmd5.so libplain.la
> libcrammd5.2.so liblogin.2.0.22.so libplain.so
> libcrammd5.la liblogin.2.so libsasldb.2.0.22.so
> libcrammd5.so liblogin.la libsasldb.2.so
> libdigestmd5.2.0.22.so liblogin.so libsasldb.la
> libdigestmd5.2.so libplain.2.0.22.so libsasldb.so
> libdigestmd5.la libplain.2.so
>
The plugin parser is barfing on your library names. That is why you see
duplicate mechs advertised. See lib/dlopen.c. Things will probably work
if you rm *.2.so *.2.0.22.so (make sure liblogin.so is not a symlink).
-Igor
> it's ACTING like sasl is IGNORING the mech_list spec'n, and selecting from available options in
> lib/sasl2.
>
> TESTING, by moving libcrammd5* out of the way ...
>
> and trying again w/
>
> imtest -v \
> -t " CERTS/mail.testdomain.com.CYRUSkey.rsa.pem" \
> -p imap \
> -m cram-md5 \
> -a my.admin@mail.testdomain.com \
> -u my.admin@mail.testdomain.com \
> -r mail.testdomain.com \
> mail.testdomain.com
>
> it FAILS with:
>
> badlogin: pb1.testdomain.com [10.0.0.6] CRAM-MD5 [SASL(-4): no mechanism available: Couldn't
> find mech CRAM-MD5]
>
> so, it IS 'these' MD5 plugin/libs that are being used.
>
> questions are WHY, and only in two cases?
>
> is this an SASL problem, or an IMAP (imapd, imtest) problem?
>
> cheers,
>
> richard
--
Igor
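
An added example, not part of the original messages and not Cyrus SASL code: a small audit that flags mechanisms advertised more than once or outside the configured `sasl_mech_list`, and groups the plugin directory's shared objects by plugin name to show the versioned copies. The function names are hypothetical; the sample data is the capability line and `ls` output quoted above.

```python
import re
from collections import Counter, defaultdict

# Sample input: the CAPABILITY line and directory listing quoted in this thread.
CAPABILITY = (
    "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID "
    "NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT "
    "THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN AUTH=PLAIN AUTH=PLAIN AUTH=LOGIN AUTH=LOGIN "
    "AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=CRAM-MD5 "
    "AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED"
)
PLUGIN_FILES = """
libcrammd5.2.0.22.so libdigestmd5.so libplain.la
libcrammd5.2.so liblogin.2.0.22.so libplain.so
libcrammd5.la liblogin.2.so libsasldb.2.0.22.so
libcrammd5.so liblogin.la libsasldb.2.so
libdigestmd5.2.0.22.so liblogin.so libsasldb.la
libdigestmd5.2.so libplain.2.0.22.so libsasldb.so
libdigestmd5.la libplain.2.so
""".split()
ALLOWED = ["PLAIN"]  # from "sasl_mech_list: PLAIN" in the post


def audit_capability(line, allowed):
    """Return (mechs advertised more than once, mechs advertised but not allowed)."""
    mechs = [m.upper() for m in re.findall(r"\bAUTH=(\S+)", line)]
    counts = Counter(mechs)
    dups = {m: n for m, n in counts.items() if n > 1}
    unexpected = sorted(set(mechs) - {a.upper() for a in allowed})
    return dups, unexpected


def group_plugins(filenames):
    """Group .so files by plugin stem, e.g. libplain.so, libplain.2.so,
    libplain.2.0.22.so -> 'libplain'. Only stems with several copies are returned."""
    groups = defaultdict(list)
    for name in filenames:
        m = re.fullmatch(r"(lib[A-Za-z0-9_]+?)((?:\.\d+)*)\.so", name)
        if m:
            groups[m.group(1)].append(name)
    return {stem: sorted(names) for stem, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    dups, unexpected = audit_capability(CAPABILITY, ALLOWED)
    print("advertised more than once:", dups)
    print("advertised but not in sasl_mech_list:", unexpected)
    for stem, names in sorted(group_plugins(PLUGIN_FILES).items()):
        print(f"{stem}: {len(names)} shared objects -> {names}")
```

On the sample data each mechanism is advertised three times and each plugin has three `.so` files in the directory, which is the correlation the original post points out.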