connecting to localhost or outside-IP makes difference with global admins ?

Igor Brezac igor at ipass.net
Sun Sep 14 11:50:00 EDT 2003


On Sun, 14 Sep 2003, Ken Murchison wrote:

>
>
> Christian Schulte wrote:
> > I have a question regarding cyrus 2.2 and virtual-domains turned on. It seems
> > that the behaviour of how global admins get authenticated changed somehow.
> >
> > Connecting with cyradm to localhost (cyradm localhost)
> > =>auxprop mysql will lookup the domain with the fqdn of the server

This works because 127.0.0.1 reverses to localhost.fqdn (I think RH does
this)

> > Connecting with cyradm to IP (cyradm real-outside-ip)
> > =>auxprop mysql will lookup the domain with the host-name stripped off of the
> > fqdn
> >
> > Why ?
> >

Use admin at fqdn and the host-name will not be stripped off.  In this case
'admin' will not be global unless you set defaultdomain to 'fqdn'.

> > I did not set defaultdomain in imapd.conf but even changing anything with it
> > does not change that behaviour. I am pretty sure this got changed a few
> > weeks ago because it worked before no matter to where cyradm connected.
>
> I haven't touched the virtdomain code in weeks/months.  My guess is that
> something in the SASL SQL plugin changed, or something in your DNS changed.
>

Well, global admin (in Christian's case 'admin') is fully qualified based
on reverse IP.  Unfortunately, this will have undesired results for some
people.

We tried to address this issue in late May (we were fixing duplicate calls
to canonify_userid()), but Rob opted not to go this route because it
needed an extra call to auth_newstate().

>
> >
> > How can I get the old behaviour back so that I do not have to maintain two
> > different rows in the usertable one with the fqdn and another with the
> > stripped-host-from-fqdn domain ?
> >
> >
> > --Christian
> >
> > imapd.conf:
> >
> > configdirectory: /var/imap
> > partition-default: /var/spool/imap
> > sievedir: /var/spool/sieve
> > servername: host.domain.tld
> > admins: admin
> >
> > #defaultdomain: host.domain.tld
> > (gets stripped to just domain.tld during authentication if connecting to the
> > outside IP but not if connecting to localhost with cyradm)
> > It's commented out for me. Is that correct ?
> >
> > sasl_pwcheck_method: auxprop
> > sasl_auxprop_plugin: mysql
> > sasl_allowanonymouslogin: no
> >
> > sasl_allowplaintext: yes
> > (Currently Outlook stops working for me if I set it to 'no'. Other clients I
> > tested supported DIGEST-MD5 and CRAM-MD5 correctly and so I think it's an
> > OE-issue...)
> >
> > sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
> > ---snip---
> > sasl_mysql_statement: select password from SASLUser where login='%u' and
> > domain='%r' and IMAP='YES'
> >
> > connecting to localhost the query will be like:
> > select password from SASLUser where login='admin' and domain='host.domain.tld'
> >
> > connecting to the outside IP (even from localhost) the query will be like:
> > select password from SASLUser where login='admin' and domain='domain.tld' and
> > IMAP='YES'
> > --snip
> >
> > idlesocket: /var/imap/socket/idle
> > unixhierarchysep: yes
> > virtdomains: yes
> > altnamespace: on
> > unix_group_enable: 0
> > imapidresponse: no
> > logtimestamps: 1
> > lmtp_over_quota_perm_failure: 1
> > autocreatequota: -1
> > timeout: 15
> > notifysocket: /var/imap/socket/notify
> >
> >
>
>

-- 
Igor
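
The realm derivation discussed in this thread, as an added example that is not part of the original messages and is not Cyrus or SASL code: it models how an unqualified admin login ends up with a different %r depending on which interface address the client connected to, and reports admins whose realm is not the same on every interface. The PTR table, the address 192.0.2.10 and the function names are assumptions made for illustration.

```python
# Illustrative model of the realm derivation described in this thread;
# it is not Cyrus or SASL source code.

# Constructed reverse-DNS table (interface address -> PTR name).
# 192.0.2.10 is a documentation address standing in for "real-outside-ip".
PTR = {
    "127.0.0.1": "localhost.host.domain.tld",
    "192.0.2.10": "host.domain.tld",
}

def derive_realm(userid, server_ip, ptr=PTR):
    """Return (login, realm) as they would fill %u and %r in the SQL statement."""
    if "@" in userid:
        # An explicit domain is used as given; nothing is stripped.
        login, realm = userid.rsplit("@", 1)
        return login, realm.lower()
    name = ptr.get(server_ip)
    if not name or "." not in name:
        # No usable PTR record: the realm cannot be derived in this model.
        return userid, None
    # Unqualified login: strip the host label from the reverse-resolved name.
    return userid, name.lower().split(".", 1)[1]

def audit_admins(admins, server_ips, ptr=PTR):
    """Map each admin to the set of realms it resolves to across all interfaces."""
    return {a: {derive_realm(a, ip, ptr)[1] for ip in server_ips} for a in admins}

def inconsistent(report):
    """Admins that would need more than one user-table row, or have no realm."""
    return sorted(a for a, realms in report.items()
                  if len(realms) > 1 or None in realms)

if __name__ == "__main__":
    report = audit_admins(["admin", "admin@host.domain.tld"], list(PTR))
    for admin, realms in report.items():
        print(admin, "->", sorted(map(str, realms)))
    print("needs attention:", inconsistent(report))
```
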
