cyradm auth failure
Shelley Waltz
shwaltz at cabm.rutgers.edu
Tue Feb 24 08:47:18 EST 2004
Simon,
Thanks for the reply. After further experimenting ...
I changed admin user, cyrus, in my LDAP database to an entry exactly like
the one which allows me to auth. Still failed as before.
I tried the non-problematic(but not an admin in imapd.conf) user, shelley,
using cyradm, and I could auth. This led me to believe that the username
cyrus was a problem. The rpm creates user cyrus and group cyrus in the
/etc/{passwd,group} files. I changed imapd.conf to have a different admin
name and created an ldap entry and this worked.
I am using sasl_pwcheck_method: saslauthd and saslauthd -ldap, so why
does it matter that user cyrus is in the passwd file?
Also, I added method LOGIN because this was necessary for Outlook to
do SMTP auth on my old server.
My imapd.conf has the imap/sieve directory structure modified to look
like that of my old server. I understood this to be necessary in order
to painlessly migrate mailboxes. True?
thanks
Shelley
On Mon, 23 Feb 2004, Simon Matter wrote:
Hi,
Make this 'sasl_mech_list: PLAIN' in imapd.conf, it's what you want.
Then, check your LDAP tree. You told us that you can authenticate as
another user but not as cyrus, so I'm quite sure there is a significant
difference between those users in your tree.
And then, you said that you are using my cyrus-imapd rpms but your
imapd.conf tells me that you don't? How comes? Are you really sure which
config you are running?
Simon
> more helpful information ...
> I added allowplaintextlogins: 1 to impad.conf ...
>
> [root at chipmunk etc]# cyradm --user cyrus --auth login localhost
> IMAP Password:
>
> Login failed: authentication failure at
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm
> line 118
> cyradm: cannot authenticate to server with login as cyrus
>
> [root at chipmunk etc]# tail /var/log/maillog
> Feb 23 13:51:52 chipmunk master[22140]: about to exec
> /usr/lib/cyrus-imapd/imapd
> Feb 23 13:51:52 chipmunk master[22141]: about to exec
> /usr/lib/cyrus-imapd/pop3d
> Feb 23 13:51:52 chipmunk imap[22140]: executed
> Feb 23 13:51:52 chipmunk imap[22139]: executed
> Feb 23 13:51:52 chipmunk pop3[22141]: executed
> Feb 23 13:51:52 chipmunk imap[22138]: executed
> Feb 23 13:51:57 chipmunk imap[22131]: accepted connection
> Feb 23 13:51:57 chipmunk master[22143]: about to exec
> /usr/lib/cyrus-imapd/imapd
> Feb 23 13:51:57 chipmunk imap[22143]: executed
> Feb 23 13:52:04 chipmunk imap[22131]: badlogin: localhost.localdomain
> [127.0.0.1] plaintext cyrus SASL(-13): authentication failure: checkpass
> failed
>
>
> [root at chipmunk etc]# cyradm --user cyrus --auth plain localhost
> Password:
> IMAP Password:
>
> Login failed: authentication failure at
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm
> line 118
> cyradm: cannot authenticate to server with plain as cyrus
> [root at chipmunk etc]# tail /var/log/maillog
> Feb 23 13:51:57 chipmunk imap[22131]: accepted connection
> Feb 23 13:51:57 chipmunk master[22143]: about to exec
> /usr/lib/cyrus-imapd/imapd
> Feb 23 13:51:57 chipmunk imap[22143]: executed
> Feb 23 13:52:04 chipmunk imap[22131]: badlogin: localhost.localdomain
> [127.0.0.1] plaintext cyrus SASL(-13): authentication failure: checkpass
> failed
> Feb 23 13:52:56 chipmunk imap[22136]: accepted connection
> Feb 23 13:53:01 chipmunk imap[22136]: badlogin: localhost.localdomain
> [127.0.0.1] PLAIN [SASL(-4): no mechanism available: security flags do not
> match required]
> Feb 23 13:53:07 chipmunk master[22121]: process 22131 exited, status 0
> Feb 23 13:53:07 chipmunk master[22153]: about to exec
> /usr/lib/cyrus-imapd/imapd
> Feb 23 13:53:07 chipmunk imap[22153]: executed
> Feb 23 13:53:10 chipmunk imap[22136]: badlogin: localhost.localdomain
> [127.0.0.1] plaintext cyrus SASL(-13): authentication failure: checkpass
> failed
>
>
> I have looked at similiar threads regarding this issue on this list.
> It bounces back and forth bewtween config error and bug. The issue
> has never been answered definitively - is ths a config error or a bug?
> If I need to go back to a different version please let me know which one.
> If it is a config error ??? what ???
>
> thanks
> Shelley Waltz
>
>
> On Mon, 23 Feb 2004, Shelley Waltz wrote:
>
> I cannot get the cyrus user to authenticate using either
> imtest or cyradm. I can authenticate all other normal
> users using imtest.
>
> I am using Simon's rpms for sasl and imap on RHES3.
> cyrus-sasl-2.1.17-2
> cyrus-imapd-2.2.3-4
> openldap-2.0.27-11
>
> I am using LDAP authentication using saslauthd -ldap.
> The cyrus user in in the LDAP database as simpleSecurityObject
> which has uid and userPassword attributes. The password
> has been entered as clear,crypt and md5 and none work.
>
> Here are the outputs and config files ...
>
> user shelley ... an imap user works ...
> [root at chipmunk text]# imtest -t "" -a shelley localhost
> S: * OK chipmunk.cabm.rutgers.edu Cyrus IMAP4 v2.2.3-Invoca-RPM-2.2.3-4
> server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
> BINARY
> SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS
> LISTEXT LIST-SUBSCRIBED X-NETSCAPE
> S: C01 OK Completed
> C: S01 STARTTLS
> S: S01 OK Begin TLS negotiation now
> verify error:num=18:self signed certificate
> TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
> BINARY
> SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE
> AUTH=PLAIN
> AUTH=LOGIN SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
> S: C01 OK Completed
> Please enter your password:
> C: A01 AUTHENTICATE PLAIN c2hlbGxleQBzaGVsbGV5AGxvbi8vbGF0
> S: A01 OK Success (tls protection)
> Authenticated.
> Security strength factor: 256
> C: Q01 LOGOUT
> Connection closed.
>
>
> user cyrus does not ...
>
> [root at chipmunk text]# imtest -t "" -a cyrus localhost
> S: * OK chipmunk.cabm.rutgers.edu Cyrus IMAP4 v2.2.3-Invoca-RPM-2.2.3-4
> server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
> BINARY
> SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS
> LISTEXT LIST-SUBSCRIBED X-NETSCAPE
> S: C01 OK Completed
> C: S01 STARTTLS
> S: S01 OK Begin TLS negotiation now
> verify error:num=18:self signed certificate
> TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
> BINARY
> SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE
> AUTH=PLAIN
> AUTH=LOGIN SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
> S: C01 OK Completed
> Please enter your password:
> C: A01 AUTHENTICATE PLAIN Y3lydXMAY3lydXMAbnV0c0BjYWJt
> S: A01 NO authentication failure
> Authentication failed. generic failure
> Security strength factor: 256
>
> Feb 23 11:53:50 chipmunk saslauthd[21680]: do_auth : auth
> failure:
> [user=cyrus] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
> Feb 23 11:53:50 chipmunk imap[21637]: Password verification failed
>
>
> [root at chipmunk text]# cyradm -u cyrus -a plain localhost
> Password:
> IMAP Password:
>
> Login failed: authentication failure at
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm
> line 118
> cyradm: cannot authenticate to server with plain as cyrus
>
> Feb 23 11:54:48 chipmunk perl: No worthy mechs found
> Feb 23 11:54:52 chipmunk saslauthd[21681]: do_auth : auth
> failure:
> [user=cyrus] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
>
> I am confused here - why does it ask twice for a password????????????
>
>
> [root at chipmunk etc]# more saslauthd.conf
> ldap_servers: ldap://localhost/
> ldap_search_base: dc=cabm.rutgers,dc=edu
> ldap_bind_dn: cn=chipmunk,dc=cabm.rutgers,dc=edu
> ldap_bind_pw: xxxxx
> ldap_version: 3
> ldap_timeout: 5
> ldap_timelimit: 5
> ldap_restart: yes
> ldap_scope: sub
> ldap_search_base: dc=cabm.rutgers,dc=edu
> ldap_auth_method: bind
> #ldap_filter: (|(uid=%u)(mail=%u)(alias=%u))
> ldap_filter: (uid=%u)
> ldap_debug: 9
> ldap_verbose: 1
> ldap_ssl: no
>
>
> [root at chipmunk etc]# more imapd.conf
> configdirectory: /usr/cyrus/imap
> partition-default: /usr/cyrus/spool/imap
> admins: cyrus
> sievedir: /usr/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN LOGIN MD5
> #tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
> tls_cert_file: /usr/share/ssl/certs/server.pem
> #tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
> tls_key_file: /usr/share/ssl/certs/server.pem
> #tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
>
>
> A clue as to what I am doing wrong is appreciated. I have seen
> similar threads, but no resolution.
> Shelley Waltz
>
> ---
> Home Page: http://asg.web.cmu.edu/cyrus
> Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>
>
> ---
> Home Page: http://asg.web.cmu.edu/cyrus
> Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>
---
Home Page: http://asg.web.cmu.edu/cyrus
Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
More information about the Info-cyrus
mailing list