cyradm auth failure
Simon Matter
simon.matter at ch.sauter-bc.com
Tue Feb 24 09:29:45 EST 2004
> Simon,
> Thanks for the reply. After further experimenting ...
>
> I changed admin user, cyrus, in my LDAP database to an entry exactly like
> the one which allows me to auth. Still failed as before.
> I tried the non-problematic (but not an admin in imapd.conf) user, shelley,
> using cyradm, and I could auth. This led me to believe that the username
> cyrus was a problem. The rpm creates user cyrus and group cyrus in the
> /etc/{passwd,group} files. I changed imapd.conf to have a different admin
> name and created an ldap entry and this worked.
>
> I am using sasl_pwcheck_method: saslauthd and saslauthd -ldap, so why
> does it matter that user cyrus is in the passwd file?
Sorry, I have no idea what's going on here.
>
> Also, I added method LOGIN because this was necessary for Outlook to
> do SMTP auth on my old server.
>
> My imapd.conf has the imap/sieve directory structure modified to look
> like that of my old server. I understood this to be necessary in order
> to painlessly migrate mailboxes. True?
You could also move the directories to the new locations. I have never
tested whether my scripts in the rpm work with other directories - seems
they do, right?
Simon
>
> thanks
> Shelley
>
>
> On Mon, 23 Feb 2004, Simon Matter wrote:
>
> Hi,
>
> Make this 'sasl_mech_list: PLAIN' in imapd.conf, it's what you want.
>
> Then, check your LDAP tree. You told us that you can authenticate as
> another user but not as cyrus, so I'm quite sure there is a significant
> difference between those users in your tree.
>
> And then, you said that you are using my cyrus-imapd rpms but your
> imapd.conf tells me that you don't? How come? Are you really sure which
> config you are running?
>
> Simon
>
> > more helpful information ...
> > I added allowplaintextlogins: 1 to imapd.conf ...
> >
> > [root at chipmunk etc]# cyradm --user cyrus --auth login localhost
> > IMAP Password:
> >
> > Login failed: authentication failure at
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm
> > line 118
> > cyradm: cannot authenticate to server with login as cyrus
> >
> > [root at chipmunk etc]# tail /var/log/maillog
> > Feb 23 13:51:52 chipmunk master[22140]: about to exec /usr/lib/cyrus-imapd/imapd
> > Feb 23 13:51:52 chipmunk master[22141]: about to exec /usr/lib/cyrus-imapd/pop3d
> > Feb 23 13:51:52 chipmunk imap[22140]: executed
> > Feb 23 13:51:52 chipmunk imap[22139]: executed
> > Feb 23 13:51:52 chipmunk pop3[22141]: executed
> > Feb 23 13:51:52 chipmunk imap[22138]: executed
> > Feb 23 13:51:57 chipmunk imap[22131]: accepted connection
> > Feb 23 13:51:57 chipmunk master[22143]: about to exec /usr/lib/cyrus-imapd/imapd
> > Feb 23 13:51:57 chipmunk imap[22143]: executed
> > Feb 23 13:52:04 chipmunk imap[22131]: badlogin: localhost.localdomain [127.0.0.1] plaintext cyrus SASL(-13): authentication failure: checkpass failed
> >
> >
> > [root at chipmunk etc]# cyradm --user cyrus --auth plain localhost
> > Password:
> > IMAP Password:
> >
> > Login failed: authentication failure at
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm
> > line 118
> > cyradm: cannot authenticate to server with plain as cyrus
> > [root at chipmunk etc]# tail /var/log/maillog
> > Feb 23 13:51:57 chipmunk imap[22131]: accepted connection
> > Feb 23 13:51:57 chipmunk master[22143]: about to exec /usr/lib/cyrus-imapd/imapd
> > Feb 23 13:51:57 chipmunk imap[22143]: executed
> > Feb 23 13:52:04 chipmunk imap[22131]: badlogin: localhost.localdomain [127.0.0.1] plaintext cyrus SASL(-13): authentication failure: checkpass failed
> > Feb 23 13:52:56 chipmunk imap[22136]: accepted connection
> > Feb 23 13:53:01 chipmunk imap[22136]: badlogin: localhost.localdomain [127.0.0.1] PLAIN [SASL(-4): no mechanism available: security flags do not match required]
> > Feb 23 13:53:07 chipmunk master[22121]: process 22131 exited, status 0
> > Feb 23 13:53:07 chipmunk master[22153]: about to exec /usr/lib/cyrus-imapd/imapd
> > Feb 23 13:53:07 chipmunk imap[22153]: executed
> > Feb 23 13:53:10 chipmunk imap[22136]: badlogin: localhost.localdomain [127.0.0.1] plaintext cyrus SASL(-13): authentication failure: checkpass failed
> >
> >
> > I have looked at similar threads regarding this issue on this list.
> > It bounces back and forth between config error and bug. The issue
> > has never been answered definitively - is this a config error or a bug?
> > If I need to go back to a different version please let me know which one.
> > If it is a config error ??? what ???
> >
> > thanks
> > Shelley Waltz
> >
> >
> > On Mon, 23 Feb 2004, Shelley Waltz wrote:
> >
> > I cannot get the cyrus user to authenticate using either
> > imtest or cyradm. I can authenticate all other normal
> > users using imtest.
> >
> > I am using Simon's rpms for sasl and imap on RHES3.
> > cyrus-sasl-2.1.17-2
> > cyrus-imapd-2.2.3-4
> > openldap-2.0.27-11
> >
> > I am using LDAP authentication using saslauthd -ldap.
> > The cyrus user is in the LDAP database as simpleSecurityObject
> > which has uid and userPassword attributes. The password
> > has been entered as clear, crypt and md5 and none work.
> >
> > Here are the outputs and config files ...
> >
> > user shelley ... an imap user works ...
> > [root at chipmunk text]# imtest -t "" -a shelley localhost
> > S: * OK chipmunk.cabm.rutgers.edu Cyrus IMAP4 v2.2.3-Invoca-RPM-2.2.3-4 server ready
> > C: C01 CAPABILITY
> > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS LISTEXT LIST-SUBSCRIBED X-NETSCAPE
> > S: C01 OK Completed
> > C: S01 STARTTLS
> > S: S01 OK Begin TLS negotiation now
> > verify error:num=18:self signed certificate
> > TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
> > C: C01 CAPABILITY
> > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN AUTH=LOGIN SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
> > S: C01 OK Completed
> > Please enter your password:
> > C: A01 AUTHENTICATE PLAIN c2hlbGxleQBzaGVsbGV5AGxvbi8vbGF0
> > S: A01 OK Success (tls protection)
> > Authenticated.
> > Security strength factor: 256
> > C: Q01 LOGOUT
> > Connection closed.
> >
> >
> > user cyrus does not ...
> >
> > [root at chipmunk text]# imtest -t "" -a cyrus localhost
> > S: * OK chipmunk.cabm.rutgers.edu Cyrus IMAP4 v2.2.3-Invoca-RPM-2.2.3-4 server ready
> > C: C01 CAPABILITY
> > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS LISTEXT LIST-SUBSCRIBED X-NETSCAPE
> > S: C01 OK Completed
> > C: S01 STARTTLS
> > S: S01 OK Begin TLS negotiation now
> > verify error:num=18:self signed certificate
> > TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
> > C: C01 CAPABILITY
> > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN AUTH=LOGIN SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
> > S: C01 OK Completed
> > Please enter your password:
> > C: A01 AUTHENTICATE PLAIN Y3lydXMAY3lydXMAbnV0c0BjYWJt
> > S: A01 NO authentication failure
> > Authentication failed. generic failure
> > Security strength factor: 256
> >
> > Feb 23 11:53:50 chipmunk saslauthd[21680]: do_auth : auth failure: [user=cyrus] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
> > Feb 23 11:53:50 chipmunk imap[21637]: Password verification failed
> >
> >
> > [root at chipmunk text]# cyradm -u cyrus -a plain localhost
> > Password:
> > IMAP Password:
> >
> > Login failed: authentication failure at
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm
> > line 118
> > cyradm: cannot authenticate to server with plain as cyrus
> >
> > Feb 23 11:54:48 chipmunk perl: No worthy mechs found
> > Feb 23 11:54:52 chipmunk saslauthd[21681]: do_auth : auth failure: [user=cyrus] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
> >
> > I am confused here - why does it ask twice for a password????????????
> >
> >
> > [root at chipmunk etc]# more saslauthd.conf
> > ldap_servers: ldap://localhost/
> > ldap_search_base: dc=cabm.rutgers,dc=edu
> > ldap_bind_dn: cn=chipmunk,dc=cabm.rutgers,dc=edu
> > ldap_bind_pw: xxxxx
> > ldap_version: 3
> > ldap_timeout: 5
> > ldap_timelimit: 5
> > ldap_restart: yes
> > ldap_scope: sub
> > ldap_search_base: dc=cabm.rutgers,dc=edu
> > ldap_auth_method: bind
> > #ldap_filter: (|(uid=%u)(mail=%u)(alias=%u))
> > ldap_filter: (uid=%u)
> > ldap_debug: 9
> > ldap_verbose: 1
> > ldap_ssl: no
> >
> >
> > [root at chipmunk etc]# more imapd.conf
> > configdirectory: /usr/cyrus/imap
> > partition-default: /usr/cyrus/spool/imap
> > admins: cyrus
> > sievedir: /usr/sieve
> > sendmail: /usr/sbin/sendmail
> > hashimapspool: true
> > sasl_pwcheck_method: saslauthd
> > sasl_mech_list: PLAIN LOGIN MD5
> > #tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
> > tls_cert_file: /usr/share/ssl/certs/server.pem
> > #tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
> > tls_key_file: /usr/share/ssl/certs/server.pem
> > #tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
> >
> >
> > A clue as to what I am doing wrong is appreciated. I have seen
> > similar threads, but no resolution.
> > Shelley Waltz
> >
> > ---
> > Home Page: http://asg.web.cmu.edu/cyrus
> > Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> > List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
More information about the Info-cyrus
mailing list
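
Added example (not part of the original thread, and not Cyrus project code): a small Python triage over maillog lines like those quoted above, separating imapd SASL(-13) and SASL(-4) failures from saslauthd backend failures so that a credential problem is not confused with a mechanism-negotiation problem. The sample lines are constructed from the excerpts in the thread with wrapped lines rejoined; the function name `triage` and the category labels are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the maillog excerpts quoted in the thread
# (wrapped lines rejoined); not a capture from a live system.
SAMPLE_LOG = """\
Feb 23 11:53:50 chipmunk saslauthd[21680]: do_auth : auth failure: [user=cyrus] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
Feb 23 13:52:04 chipmunk imap[22131]: badlogin: localhost.localdomain [127.0.0.1] plaintext cyrus SASL(-13): authentication failure: checkpass failed
Feb 23 13:53:01 chipmunk imap[22136]: badlogin: localhost.localdomain [127.0.0.1] PLAIN [SASL(-4): no mechanism available: security flags do not match required]
Feb 23 13:53:10 chipmunk imap[22136]: badlogin: localhost.localdomain [127.0.0.1] plaintext cyrus SASL(-13): authentication failure: checkpass failed
"""

# imapd "badlogin" lines: the user name is absent when negotiation fails early.
BADLOGIN = re.compile(
    r"imap\[\d+\]: badlogin: (?P<host>\S+) \[(?P<ip>[^\]]+)\] "
    r"(?P<mech>\S+) (?:(?P<user>\S+) )?\[?SASL\((?P<code>-?\d+)\)")
# saslauthd failures name the user and the backend (mech=ldap in the thread).
SASLAUTHD = re.compile(
    r"saslauthd\[\d+\]: do_auth\s*: auth failure: \[user=(?P<user>[^\]]*)\]"
    r".*\[mech=(?P<mech>[^\]]*)\]")

# -13 (SASL_BADAUTH): a password reached the verifier and was rejected.
# -4 (SASL_NOMECH): no mechanism was acceptable, so no password was checked.
LABELS = {-13: "credential-check", -4: "mech-negotiation"}

def triage(log_text):
    """Return {user or '-': {failure label: count}} for the given log text."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = BADLOGIN.search(line)
        if m:
            code = int(m["code"])
            summary[m["user"] or "-"][LABELS.get(code, f"sasl({code})")] += 1
            continue
        m = SASLAUTHD.search(line)
        if m:
            summary[m["user"]]["saslauthd:" + m["mech"]] += 1
    return {user: dict(counts) for user, counts in summary.items()}

if __name__ == "__main__":
    for user, counts in triage(SAMPLE_LOG).items():
        print(user, counts)
```
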