how to proxy for a user [was Re: Geographically Redundant mail stores]

Luca Olivetti luca at wetron.es
Wed Mar 19 03:10:48 EST 2003


Ken Murchison wrote:

> When you authenticate, you need to use a SASL mech which supports
> proxying.  Look at doc/mechanisms.html in the SASL distro for a complete
> list.  In your case, you should be able to use at least PLAIN (you can
> use others if using OpenLDAP 2.2's auxprop plugin).  Here's how you'd
> authenticate as 'cyrus' and login as 'test' using imtest and cyradm:

I'm using saslauthd (readme.html says that PLAIN uses saslauthd), 
mechanisms.html says that PLAIN can proxy, I have in my imapd.conf

sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN


but

> 
> imtest -a cyrus -u test -m plain localhost

tells me that plain is not available:

$ imtest -a cyrus -u luca -m plain localhost
S: * OK saturn.wetron.local Cyrus IMAP4 v2.1.12-Mandrake-RPM-2.1.12-1mdk 
server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT 
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS LISTEXT 
LIST-SUBSCRIBED ANNOTATEMORE X-NETSCAPE
S: C01 OK Completed
C: A01 AUTHENTICATE PLAIN
S: A01 NO no mechanism available
Authentication failed. generic failure
Security strength factor: 0

While I see this message in the logs:

PLAIN [SASL(-4): no mechanism available: security flags do not match 
required]


The plain plugin *is* installed (in fact I couldn't log in to sieve 
without it):

$ telnet localhost sieve
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
"IMPLEMENTATION" "Cyrus timsieved v2.1.12-Mandrake-RPM-2.1.12-1mdk"
"SASL" "PLAIN"
"SIEVE" "fileinto reject envelope vacation imapflags notify subaddress 
relational regex"
"STARTTLS"
OK



Note that if I omit the "-m plain" it will log me in as user cyrus (so 
no proxy):

$ imtest -a cyrus -u luca localhost
S: * OK saturn.wetron.local Cyrus IMAP4 v2.1.12-Mandrake-RPM-2.1.12-1mdk 
server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT 
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS LISTEXT 
LIST-SUBSCRIBED ANNOTATEMORE X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN cyrus {7}
S: + go ahead
C: <omitted>
S: L01 OK User logged in
Authenticated.
Security strength factor: 0

> 
> cyradm --user cyrus --authz test --auth plain localhost

Will log me in as user cyrus (no proxy) (I gave the same password for 
user cyrus to both prompts):

$ cyradm --user cyrus --authz luca --auth plain localhost
Password:
IMAP Password:
localhost.localdomain> lm INBOX
localhost.localdomain> lm user.luca
user.luca (\HasChildren)
localhost.localdomain>



Bye
-- 
Luca Olivetti
Wetron Automatización S.A. http://www.wetron.es/
Tel. +34 93 5883004      Fax +34 93 5883007
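
Added example, not part of the original post and not Cyrus or SASL project code: it lists the SASL mechanisms an IMAP CAPABILITY line advertises as AUTH=<mech> tokens (the line from the transcript above advertises none) and builds and decodes the SASL PLAIN message (RFC 4616: [authzid] NUL authcid NUL passwd), in which imtest's -a value is the authentication id and its -u value is the authorization id. The function names and the password are constructed for illustration.

```python
import base64

# CAPABILITY line copied from the imtest transcript in the post, rejoined onto one line.
CAPABILITY = ("* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS "
              "NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT "
              "THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS LISTEXT "
              "LIST-SUBSCRIBED ANNOTATEMORE X-NETSCAPE")


def advertised_mechs(capability_line):
    """Return the SASL mechanisms advertised as AUTH=<mech> capability tokens."""
    tokens = capability_line.split()
    return [t[5:].upper() for t in tokens if t.upper().startswith("AUTH=")]


def plain_response(authzid, authcid, password):
    """Build the base64 SASL PLAIN message: [authzid] NUL authcid NUL passwd."""
    if not authcid or not password:
        raise ValueError("authcid and password must be non-empty")
    for field in (authzid, authcid, password):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    raw = "\x00".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_plain(b64):
    """Decode a PLAIN message and report whether it asks for proxy authorization."""
    parts = base64.b64decode(b64, validate=True).decode("utf-8").split("\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN message must have exactly three NUL-separated fields")
    authzid, authcid, _password = parts
    # An empty authzid means "act as the authenticating user": no proxying.
    return {"authcid": authcid, "authzid": authzid,
            "effective": authzid or authcid,
            "proxy": bool(authzid) and authzid != authcid}


if __name__ == "__main__":
    print("mechanisms advertised:", advertised_mechs(CAPABILITY))
    # Constructed credentials: authenticate as 'cyrus', authorize as 'luca'.
    token = plain_response("luca", "cyrus", "constructed-password")
    print(parse_plain(token))
```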




