Murder / LDAP / SASL Problem...
Jared Watkins
jwatkins at snowcrash.homeip.net
Wed Oct 30 13:22:51 EST 2002
I'm trying to set up a murder for testing... I have two physical
machines... one running a backend.. the other running the mupdate
master and as a frontend. I'm using SASL 2.1.9 and cyrus 2.1.9 on both
systems. My latest compile time options are as follows:

SASL
    --with-openssl=/usr/lib --with-saslauthd --enable-krb4=no --with-ldap
    --disable-anon --disable-cram --disable-digest --disable-otp
    --enable-plain --enable-login --disable-srp --with-opie=no --with-gssapi=no

IMAP
    --with-auth=unix --enable-fulldirhash --with-mboxlist-db=skiplist
    --with-dbdir=/usr/include/db3 --with-ucdsnmp --enable-murder
    --with-krb4=no --with-sasl=/usr/lib/sasl2

My backend system has the following in imapd.conf

    configdirectory: /var/imap
    partition-default: /var/spool/imap
    admins: cyrus
    sasl_pwcheck_method: saslauthd
    sasl_mech_list: plain
    allowplaintext: yes
    lmtp_allowplaintext: yes
    altnamespace: yes
    proxyservers: murder
    tls_cert_file: /var/imap/server.pem
    tls_key_file: /var/imap/server.pem
    mupdate_server: <my front end system ip>
    mupdate_password: murder
    mupdate_authname: mupdatebackend1

My front end system has the following imapd.conf

    configdirectory: /var/imap
    partition-default: /tmp
    admins: cyrus mupdatebackend1 slave1
    sasl_pwcheck_method: saslauthd
    sasl_mech_list: plain
    allowplaintext: yes
    mupdate_server: localhost
    mupdate_port: 2004
    mupdate_password: murder
    mupdate_authname: slave1
    backend1_password: murder
    backend1_mechs: plain
    proxy_authname: murder

I also have ldap entries for mupdatebackend1, slave1, murder, cyrus and
my test accounts.
What works: Before I started on murder.. I had a working mail system
with a postfix mta (also using ldap) and a standalone cyrus using ldap
to authenticate and accepting deliveries over lmtp from postfix. Now..
deliveries are still working to the backend system... mupdate is
working... I am able to use cyradm as the cyrus user to create and
delete mailboxes when connected to the backend system.... and using
telnet... I am able to authenticate as one of my test accounts to port
143 to the front end system.
What's not working: Although I'm able to authenticate with a test
account to the front end system... I am not able to select the inbox.
When I try to select the inbox there is a pause of around 5 seconds then
I see the following errors:

    IMAP: NO Server(s) unavailable to complete operation
    Frontend: login: localhost.localdomain[127.0.0.1] test1 plaintext
    Frontend: couldn't authenticate to backend server: authentication failure
    Backend: badlogin: [ip of frontend] PLAIN [SASL (-4): no mechanism
    available: security flags do not match required]

When this happens... I know from sniffing the network that neither front
nor back system is doing an ldap lookup to verify the proxy user's
password... so I assume that's why it is failing... it has nothing to
verify the proxy_authname against.
Any ideas on how to get this sorted out?
Thanks,
Jared
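
An added example, not part of the original post: a Python cross-check of the identities in the two imapd.conf files quoted above (the frontend's proxy_authname against the backend's proxyservers, each mupdate_authname against the mupdate master's admins, the proxy mechanism against the backend's sasl_mech_list). The rules are assumptions drawn from the Cyrus Murder setup conventions rather than from the post, the function names are hypothetical, and the embedded configs are reduced copies of the posted ones.

```python
# Added example: reduced copies of the posted configs; the rules are assumptions.
BACKEND = """\
admins: cyrus
sasl_mech_list: plain
allowplaintext: yes
proxyservers: murder
mupdate_authname: mupdatebackend1
"""
FRONTEND = """\
admins: cyrus mupdatebackend1 slave1
sasl_mech_list: plain
mupdate_authname: slave1
backend1_mechs: plain
proxy_authname: murder
"""

def parse(text):
    """Parse 'key: value' lines of an imapd.conf into a dict (comments skipped)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip().lower()] = value.strip()
    return conf

def words(conf, key):
    return conf.get(key, "").split()

def check(frontend, backend, backend_name="backend1"):
    """Return findings; the frontend is also the mupdate master, as in the post."""
    findings = []
    proxy = frontend.get("proxy_authname", "")
    if proxy not in words(backend, "proxyservers"):
        findings.append(f"proxy_authname '{proxy}' not in backend proxyservers")
    for side, conf in (("frontend", frontend), ("backend", backend)):
        name = conf.get("mupdate_authname", "")
        if name not in words(frontend, "admins"):
            findings.append(f"{side} mupdate_authname '{name}' not in master admins")
    offered = [m.lower() for m in words(backend, "sasl_mech_list")]
    for mech in words(frontend, f"{backend_name}_mechs"):
        if offered and mech.lower() not in offered:
            findings.append(f"mechanism '{mech}' not in backend sasl_mech_list")
    if "plain" in offered and backend.get("allowplaintext", "").lower() in ("yes", "1", "true", "on"):
        findings.append("note: backend allows cleartext PLAIN logins (allowplaintext)")
    return findings

if __name__ == "__main__":
    print("\n".join(check(parse(FRONTEND), parse(BACKEND))))
```

On the posted values the identity checks all pass and only the cleartext-PLAIN note is reported, so a mismatch between these names is not what this check would flag.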