IMAP authentication fail with user LDAP...

Dan White dwhite at olp.net
Tue Mar 22 09:47:29 EDT 2011


On 22/03/11 20:32 +0700, Nguyen, Quoc Khanh wrote:
> I can not authenticate with user LDAP. Here is the message:
>
> root at ubuntu:/usr/local/bin# ./imtest -a khanhnq -m login localhost
> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE LOGINDISABLED AUTH=DIGEST-MD5
> AUTH=CRAM-MD5 AUTH=NTLM SASL-IR] ubuntu Cyrus IMAP v2.4.6 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL
> RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME
> UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT
> SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE
> LIST-EXTENDED WITHIN QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY
> LOGINDISABLED AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR
> COMPRESS=DEFLATE IDLE
> S: C01 OK Completed
> Please enter your password:
> C: L01 LOGIN khanhnq {6}
> S: L01 NO Login only available under a layer
> Authentication failed. generic failure
> Security strength factor: 0
>
> My /etc/imapd.conf is:
> configdirectory: /var/imap
> partition-default: /var/spool/imap
> admins: cyrus
> sasl_pwcheck_method: saslauthd
>
> The sasl authenticated with user LDAP is OK.

In recent versions of imapd, cleartext-over-the-network authentication is
not allowed by default.

The 'LOGINDISABLED' capability means that the server will not allow
traditional (rfc3501 6.2.3.) imap logins, nor will it support SASL
PLAIN/LOGIN authentications, since they are not advertised.

You could authenticate using DIGEST-MD5 or CRAM-MD5, but those are not
compatible with saslauthd.

Assuming you understand the security consequences, the simplest fix is to
add this to your imapd.conf:

allowplaintext: yes
# Disallow shared secret mechanisms:
sasl_mech_list: plain login gssapi external

Alternatively, you could implement TLS instead of enabling allowplaintext.

-- 
Dan White
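
Added example, not part of the original thread and not Cyrus project code: a small Python check that reads an IMAP greeting or CAPABILITY line and reports whether password-based logins (the LOGIN command, or SASL PLAIN/LOGIN) are offered and whether using them would put the password on the wire without TLS. The function names and the second sample line are constructed for illustration; the first sample is the greeting from the imtest session quoted above.

```python
import re

# Mechanisms that hand the server the password itself, which is what
# saslauthd verifies. Per the reply above, DIGEST-MD5 and CRAM-MD5 are not
# compatible with saslauthd.
PASSWORD_MECHS = {"PLAIN", "LOGIN"}

def parse_capabilities(line):
    """Return (capability atoms, SASL mechanisms) from an IMAP greeting or
    an untagged CAPABILITY response."""
    m = re.search(r"CAPABILITY\s+([^\]\r\n]*)", line, re.IGNORECASE)
    if not m:
        raise ValueError("no CAPABILITY list in line")
    atoms = {a.upper() for a in m.group(1).split()}
    mechs = {a[len("AUTH="):] for a in atoms if a.startswith("AUTH=")}
    return atoms, mechs

def diagnose(line, tls_active=False):
    """Summarise which password-based logins the server offers and whether
    using them now would send the password in the clear."""
    atoms, mechs = parse_capabilities(line)
    login_command = "LOGINDISABLED" not in atoms
    password_mechs = sorted(mechs & PASSWORD_MECHS)
    password_auth_offered = login_command or bool(password_mechs)
    return {
        "login_command": login_command,
        "password_mechs": password_mechs,
        "password_auth_offered": password_auth_offered,
        "starttls_offered": "STARTTLS" in atoms,
        "cleartext_exposed": password_auth_offered and not tls_active,
    }

# Greeting copied from the imtest session quoted in this thread.
GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE LOGINDISABLED "
            "AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR] "
            "ubuntu Cyrus IMAP v2.4.6 server ready")
# Constructed sample (not from the thread): a capability line that
# advertises the plaintext mechanisms.
PLAINTEXT_ON = ("* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE "
                "AUTH=PLAIN AUTH=LOGIN SASL-IR")

if __name__ == "__main__":
    for label, line, tls in (("as posted", GREETING, False),
                             ("plaintext, no TLS", PLAINTEXT_ON, False),
                             ("plaintext, inside TLS", PLAINTEXT_ON, True)):
        print(label, diagnose(line, tls_active=tls))
```

For the posted greeting the result shows no password-based login on offer, which is why imtest's LOGIN attempt is refused; the constructed line shows the exposure flag that applies when plaintext mechanisms are advertised on a session without TLS.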

