how to proxy for a user [was Re: Geographically Redundant mail stores]

Igor Brezac igor at ipass.net
Wed Mar 19 10:08:38 EST 2003


On Wed, 19 Mar 2003, Luca Olivetti wrote:

> Ken Murchison wrote:
>
> > When you authenticate, you need to use a SASL mech which supports
> > proxying.  Look at doc/mechanisms.html in the SASL distro for a complete
> > list.  In your case, you should be able to use at least PLAIN (you can
> > use others if using OpenLDAP 2.2's auxprop plugin).  Here's how you'd
> > authenticate as 'cyrus' and login as 'test' using imtest and cyradm:
>
> I'm using saslauthd (readme.html says that PLAIN uses saslauthd),
> mechanisms.html says that PLAIN can proxy, I have in my imapd.conf
>
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN
>
>
> but
>
> >
> > imtest -a cyrus -u test -m plain localhost
>
> tells me that plain is not available:
>
> $ imtest -a cyrus -u luca -m plain localhost
> S: * OK saturn.wetron.local Cyrus IMAP4 v2.1.12-Mandrake-RPM-2.1.12-1mdk
> server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS LISTEXT
> LIST-SUBSCRIBED ANNOTATEMORE X-NETSCAPE
> S: C01 OK Completed
> C: A01 AUTHENTICATE PLAIN
> S: A01 NO no mechanism available
> Authentication failed. generic failure
> Security strength factor: 0
>
> While I see this message in the logs:
>
> PLAIN [SASL(-4): no mechanism available: security flags do not match
> required]
>

You need to set up SSL in order to see plaintext mechs advertised.

-Igor


> The plain plugin *is* installed (in fact I couldn't login to sieve
> without it):
>
> $ telnet localhost sieve
> Trying 127.0.0.1...
> Connected to localhost.localdomain (127.0.0.1).
> Escape character is '^]'.
> "IMPLEMENTATION" "Cyrus timsieved v2.1.12-Mandrake-RPM-2.1.12-1mdk"
> "SASL" "PLAIN"
> "SIEVE" "fileinto reject envelope vacation imapflags notify subaddress
> relational regex"
> "STARTTLS"
> OK
>
>
>
> Note that if I omit the "-m plain" it will log me in as user cyrus (so
> no proxy):
>
> $ imtest -a cyrus -u luca localhost
> S: * OK saturn.wetron.local Cyrus IMAP4 v2.1.12-Mandrake-RPM-2.1.12-1mdk
> server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS LISTEXT
> LIST-SUBSCRIBED ANNOTATEMORE X-NETSCAPE
> S: C01 OK Completed
> Please enter your password:
> C: L01 LOGIN cyrus {7}
> S: + go ahead
> C: <omitted>
> S: L01 OK User logged in
> Authenticated.
> Security strength factor: 0
>
> >
> > cyradm --user cyrus --authz test --auth plain localhost
>
> Will log me in as user cyrus (no proxy) (I gave the same password for
> user cyrus to both prompts):
>
> $ cyradm --user cyrus --authz luca --auth plain localhost
> Password:
> IMAP Password:
> localhost.localdomain> lm INBOX
> localhost.localdomain> lm user.luca
> user.luca (\HasChildren)
> localhost.localdomain>
>
>
>
> Bye
>

-- 
Igor
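
Added example, not part of the original message and not Cyrus code: a Python sketch that lists the SASL mechanisms a CAPABILITY response advertises and shows how a PLAIN message (RFC 4616) carries the authorization identity separately from the authenticating user, which is what makes proxying possible. The function names, the password and the post-TLS capability line are constructed for illustration.

```python
import base64

# Constructed sample: pre-TLS CAPABILITY response from the quoted session, unwrapped.
PRE_TLS = (
    "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS "
    "NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT "
    "THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS LISTEXT "
    "LIST-SUBSCRIBED ANNOTATEMORE X-NETSCAPE"
)
# Constructed sample (assumption): a response once TLS is active and PLAIN is offered.
POST_TLS = "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA AUTH=PLAIN"


def advertised_mechs(line):
    """Return the SASL mechanisms (AUTH=<mech> tokens) in a CAPABILITY response."""
    tokens = line.split()
    if tokens[:2] != ["*", "CAPABILITY"]:
        raise ValueError("not an untagged CAPABILITY response")
    return {t[5:].upper() for t in tokens[2:] if t.upper().startswith("AUTH=")}


def encode_plain(authzid, authcid, password):
    """Build the PLAIN message: [authzid] NUL authcid NUL passwd, base64-encoded."""
    if not authcid or any("\0" in f for f in (authzid, authcid, password)):
        raise ValueError("authcid is required and no field may contain NUL")
    return base64.b64encode("\0".join((authzid, authcid, password)).encode()).decode()


def decode_plain(b64):
    """Server-side view: return (effective authzid, authcid, password)."""
    parts = base64.b64decode(b64, validate=True).split(b"\0")
    if len(parts) != 3 or not parts[1]:
        raise ValueError("malformed PLAIN message")
    authzid, authcid, password = (p.decode() for p in parts)
    return authzid or authcid, authcid, password  # empty authzid: act as authcid


def is_proxy_request(b64):
    """True when the client asks to act as a user other than the one authenticating."""
    authzid, authcid, _ = decode_plain(b64)
    return authzid != authcid
```

With the pre-TLS response above, advertised_mechs() returns an empty set, which matches the "no mechanism available" reply; the LOGIN command the client fell back to takes only a user name and password, so it has no field for a separate authorization identity.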



