Simplest way to get imap authentication with sasldb working?
Raimund Eimann
raimund at busy-byte.de
Mon Oct 19 16:51:22 EDT 2009
Hi Dan,
many thanks for your hints. I've found a tool called pluginviewer that
comes with the sasl package which creates this output:
# /usr/sbin/pluginviewer
Installed SASL (server side) mechanisms are:
GSSAPI PLAIN ANONYMOUS LOGIN CRAM-MD5 DIGEST-MD5 EXTERNAL
List of server plugins follows
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "plain" [loaded], API version: 4
SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "anonymous" [loaded], API version: 4
SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
security flags: NO_PLAINTEXT
features: WANT_CLIENT_FIRST
Plugin "login" [loaded], API version: 4
SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS
features:
Plugin "crammd5" [loaded], API version: 4
SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT
features: SERVER_FIRST
Plugin "digestmd5" [loaded], API version: 4
SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
features: PROXY_AUTHENTICATION
Installed auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" , API version: 4
supports store: yes
Installed SASL (client side) mechanisms are:
GSSAPI PLAIN ANONYMOUS LOGIN CRAM-MD5 DIGEST-MD5 EXTERNAL
List of client plugins follows
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|NEED_SERVER_FQDN
Plugin "plain" [loaded], API version: 4
SASL mechanism: PLAIN, best SSF: 0
security flags: NO_ANONYMOUS
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "anonymous" [loaded], API version: 4
SASL mechanism: ANONYMOUS, best SSF: 0
security flags: NO_PLAINTEXT
features: WANT_CLIENT_FIRST
Plugin "login" [loaded], API version: 4
SASL mechanism: LOGIN, best SSF: 0
security flags: NO_ANONYMOUS
features: SERVER_FIRST
Plugin "crammd5" [loaded], API version: 4
SASL mechanism: CRAM-MD5, best SSF: 0
security flags: NO_ANONYMOUS|NO_PLAINTEXT
features: SERVER_FIRST
Plugin "digestmd5" [loaded], API version: 4
SASL mechanism: DIGEST-MD5, best SSF: 128
security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN
Plugin "EXTERNAL" [loaded], API version: 4
SASL mechanism: EXTERNAL, best SSF: 0
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
This is what I have in my imapd.conf:
#sasl_pwcheck_method: saslauthd
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN LOGIN
As the first line is commented out, I guess all sasl_pwcheck_methods will
be used as you described in your e-mail.
> sasl_pwcheck_method only applies to the simple password based login
> methods:
>
> PLAIN
> LOGIN
> the Login command (rfc 3501, section 6.2.3)
>
> However, if you are using one of those methods to authenticate, be aware
> that cyrus imapd may not allow any login using the methods (without
> SSL/TLS or other encryption) if the 'allowplaintext' option (which is
> disabled by default) is not enabled.
Ok, that was missing in my imapd.conf. I've put it in now...
However, things still don't seem to work:
raimund@callisto # /etc/init.d/cyrus restart
Shutting down IMAP/POP3 service (cyrus-imapd) done
Starting IMAP/POP3 service (cyrus-imapd) done
^-Looks ok...
raimund@callisto # netstat -lntp |grep 143
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 13298/master
^-Also looks ok...
raimund@callisto # rm /etc/sasldb2
raimund@callisto # saslpasswd2 raimund
Password:
Again (for verification):
raimund@callisto # sasldblistusers2
raimund@callisto: userPassword
^-Looks ok... (?)
raimund@callisto # chown cyrus /etc/sasldb2
raimund@callisto # imtest -u raimund callisto
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN
AUTH=LOGIN SASL-IR] callisto Cyrus IMAP4 v2.3.11 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN
SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS
NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE
IDLE X-NETSCAPE URLAUTH
S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN cmFpbXVuZEBjYWxsaXN0bwByb290AGJi
S: A01 NO authentication failure
Authentication failed. generic failure
Security strength factor: 0
^CC: Q01 LOGOUT
Connection closed.
^- Fail...
Even with -m login it's not working:
# imtest -u raimund -m login callisto
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN
AUTH=LOGIN SASL-IR] callisto Cyrus IMAP4 v2.3.11 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN
SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS
NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE
IDLE X-NETSCAPE URLAUTH
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN root {2}
S: + go ahead
C: <omitted>
S: L01 NO Login failed: authentication failure
Authentication failed. generic failure
Security strength factor: 0
^CC: Q01 LOGOUT
Connection closed.
Can you give me another hint about what's going wrong here?
Cheers,
Raimund
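
Added example, not part of the original post: decoding the initial response on the "AUTHENTICATE PLAIN" line of the imtest transcript above shows which identity the server was asked to verify, and whether that identity matches the sasldblistusers2 entry. The default realm "callisto" and the helper names are assumptions made for this example.

```python
import base64

# Copied from the "C: A01 AUTHENTICATE PLAIN ..." line of the imtest transcript.
INITIAL_RESPONSE = "cmFpbXVuZEBjYWxsaXN0bwByb290AGJi"

# From the sasldblistusers2 output in the post.
SASLDB_USERS = {"raimund@callisto"}

# Assumption: the server's default realm is its hostname, "callisto".
DEFAULT_REALM = "callisto"


def parse_plain(b64_response):
    """Split a SASL PLAIN message (RFC 4616): authzid NUL authcid NUL passwd."""
    raw = base64.b64decode(b64_response, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL separators")
    authzid, authcid, passwd = parts
    if not authcid:
        raise ValueError("PLAIN message has an empty authentication identity")
    return {
        "authzid": authzid.decode("utf-8"),
        "authcid": authcid.decode("utf-8"),
        # Report only the length so the secret is not echoed into logs.
        "passwd_len": len(passwd),
    }


def lookup_key(authcid, default_realm=DEFAULT_REALM):
    """Assumption: a bare user name is looked up as name@<default realm>."""
    return authcid if "@" in authcid else f"{authcid}@{default_realm}"


def diagnose(b64_response, sasldb_users=SASLDB_USERS):
    fields = parse_plain(b64_response)
    key = lookup_key(fields["authcid"])
    fields["lookup_key"] = key
    fields["in_sasldb"] = key in sasldb_users
    return fields


if __name__ == "__main__":
    for name, value in diagnose(INITIAL_RESPONSE).items():
        print(f"{name}: {value}")
```

In imtest, -u sets the authorization name while -a sets the authentication name, which defaults to the invoking user. Because the PLAIN initial response is only base64-encoded, a transcript captured without TLS carries the password in recoverable form.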