cyradm auth failure

Shelley Waltz shwaltz at cabm.rutgers.edu
Tue Feb 24 08:47:18 EST 2004


Simon,
Thanks for the reply.  After further experimenting ...

I changed admin user, cyrus, in my LDAP database to an entry exactly like
the one which allows me to auth.  Still failed as before.
I tried the non-problematic (but not an admin in imapd.conf) user, shelley, 
using cyradm, and I could auth.  This led me to believe that the username
cyrus was a problem.  The rpm creates user cyrus and group cyrus in the
/etc/{passwd,group} files.  I changed imapd.conf to have a different admin 
name and created an ldap entry and this worked.

I am using sasl_pwcheck_method: saslauthd and saslauthd -ldap, so why
does it matter that user cyrus is in the passwd file?

Also, I added method LOGIN because this was necessary for Outlook to
do SMTP auth on my old server.

My imapd.conf has the imap/sieve directory structure modified to look
like that of my old server.  I understood this to be necessary in order
to painlessly migrate mailboxes.  True?

thanks
Shelley


On Mon, 23 Feb 2004, Simon Matter wrote:

   Hi,
   
   Make this 'sasl_mech_list: PLAIN' in imapd.conf, it's what you want.
   
   Then, check your LDAP tree. You told us that you can authenticate as
   another user but not as cyrus, so I'm quite sure there is a significant
   difference between those users in your tree.
   
   And then, you said that you are using my cyrus-imapd rpms but your
   imapd.conf tells me that you don't? How come? Are you really sure which
   config you are running?
   
   Simon
   
   > more helpful information ...
   > I added allowplaintextlogins: 1 to imapd.conf ...
   >
   > [root@chipmunk etc]# cyradm --user cyrus --auth login localhost
   > IMAP Password:
   >
   > Login failed: authentication failure at
   > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm
   > line 118
   > cyradm: cannot authenticate to server with login as cyrus
   >
   > [root@chipmunk etc]# tail /var/log/maillog
   > Feb 23 13:51:52 chipmunk master[22140]: about to exec
   > /usr/lib/cyrus-imapd/imapd
   > Feb 23 13:51:52 chipmunk master[22141]: about to exec
   > /usr/lib/cyrus-imapd/pop3d
   > Feb 23 13:51:52 chipmunk imap[22140]: executed
   > Feb 23 13:51:52 chipmunk imap[22139]: executed
   > Feb 23 13:51:52 chipmunk pop3[22141]: executed
   > Feb 23 13:51:52 chipmunk imap[22138]: executed
   > Feb 23 13:51:57 chipmunk imap[22131]: accepted connection
   > Feb 23 13:51:57 chipmunk master[22143]: about to exec
   > /usr/lib/cyrus-imapd/imapd
   > Feb 23 13:51:57 chipmunk imap[22143]: executed
   > Feb 23 13:52:04 chipmunk imap[22131]: badlogin: localhost.localdomain
   > [127.0.0.1] plaintext cyrus SASL(-13): authentication failure: checkpass
   > failed
   >
   >
   > [root@chipmunk etc]# cyradm --user cyrus --auth plain localhost
   > Password:
   > IMAP Password:
   >
   > Login failed: authentication failure at
   > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm
   > line 118
   > cyradm: cannot authenticate to server with plain as cyrus
   > [root@chipmunk etc]# tail /var/log/maillog
   > Feb 23 13:51:57 chipmunk imap[22131]: accepted connection
   > Feb 23 13:51:57 chipmunk master[22143]: about to exec
   > /usr/lib/cyrus-imapd/imapd
   > Feb 23 13:51:57 chipmunk imap[22143]: executed
   > Feb 23 13:52:04 chipmunk imap[22131]: badlogin: localhost.localdomain
   > [127.0.0.1] plaintext cyrus SASL(-13): authentication failure: checkpass
   > failed
   > Feb 23 13:52:56 chipmunk imap[22136]: accepted connection
   > Feb 23 13:53:01 chipmunk imap[22136]: badlogin: localhost.localdomain
   > [127.0.0.1] PLAIN [SASL(-4): no mechanism available: security flags do not
   > match required]
   > Feb 23 13:53:07 chipmunk master[22121]: process 22131 exited, status 0
   > Feb 23 13:53:07 chipmunk master[22153]: about to exec
   > /usr/lib/cyrus-imapd/imapd
   > Feb 23 13:53:07 chipmunk imap[22153]: executed
   > Feb 23 13:53:10 chipmunk imap[22136]: badlogin: localhost.localdomain
   > [127.0.0.1] plaintext cyrus SASL(-13): authentication failure: checkpass
   > failed
   >
   >
   > I have looked at similar threads regarding this issue on this list.
   > It bounces back and forth between config error and bug.  The issue
   > has never been answered definitively - is this a config error or a bug?
   > If I need to go back to a different version please let me know which one.
   > If it is a config error ??? what ???
   >
   > thanks
   > Shelley Waltz
   >
   >
   > On Mon, 23 Feb 2004, Shelley Waltz wrote:
   >
   >    I cannot get the cyrus user to authenticate using either
   >    imtest or cyradm.  I can authenticate all other normal
   >    users using imtest.
   >
   >    I am using Simon's rpms for sasl and imap on RHES3.
   >    cyrus-sasl-2.1.17-2
   >    cyrus-imapd-2.2.3-4
   >    openldap-2.0.27-11
   >
   >    I am using LDAP authentication using saslauthd -ldap.
   >    The cyrus user is in the LDAP database as simpleSecurityObject
   >    which has uid and userPassword attributes.  The password
   >    has been entered as clear, crypt and md5 and none work.
   >
   >    Here are the outputs and config files ...
   >
   >    user shelley ... an imap user works ...
   >    [root@chipmunk text]# imtest -t "" -a shelley  localhost
   >    S: * OK chipmunk.cabm.rutgers.edu Cyrus IMAP4 v2.2.3-Invoca-RPM-2.2.3-4 server ready
   >    C: C01 CAPABILITY
   >    S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS LISTEXT LIST-SUBSCRIBED X-NETSCAPE
   >    S: C01 OK Completed
   >    C: S01 STARTTLS
   >    S: S01 OK Begin TLS negotiation now
   >    verify error:num=18:self signed certificate
   >    TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
   >    C: C01 CAPABILITY
   >    S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN AUTH=LOGIN SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
   >    S: C01 OK Completed
   >    Please enter your password:
   >    C: A01 AUTHENTICATE PLAIN c2hlbGxleQBzaGVsbGV5AGxvbi8vbGF0
   >    S: A01 OK Success (tls protection)
   >    Authenticated.
   >    Security strength factor: 256
   >    C: Q01 LOGOUT
   >    Connection closed.
   >
   >
   >    user cyrus does not ...
   >
   >    [root@chipmunk text]# imtest -t "" -a cyrus  localhost
   >    S: * OK chipmunk.cabm.rutgers.edu Cyrus IMAP4 v2.2.3-Invoca-RPM-2.2.3-4 server ready
   >    C: C01 CAPABILITY
   >    S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS LISTEXT LIST-SUBSCRIBED X-NETSCAPE
   >    S: C01 OK Completed
   >    C: S01 STARTTLS
   >    S: S01 OK Begin TLS negotiation now
   >    verify error:num=18:self signed certificate
   >    TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
   >    C: C01 CAPABILITY
   >    S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN AUTH=LOGIN SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
   >    S: C01 OK Completed
   >    Please enter your password:
   >    C: A01 AUTHENTICATE PLAIN Y3lydXMAY3lydXMAbnV0c0BjYWJt
   >    S: A01 NO authentication failure
   >    Authentication failed. generic failure
   >    Security strength factor: 256
   >
   >    Feb 23 11:53:50 chipmunk saslauthd[21680]: do_auth         : auth failure: [user=cyrus] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
   >    Feb 23 11:53:50 chipmunk imap[21637]: Password verification failed
   >
   >
   >    [root@chipmunk text]# cyradm -u cyrus -a plain localhost
   >    Password:
   >    IMAP Password:
   >
   >    Login failed: authentication failure at
   >    /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm
   >    line 118
   >    cyradm: cannot authenticate to server with plain as cyrus
   >
   >    Feb 23 11:54:48 chipmunk perl: No worthy mechs found
   >    Feb 23 11:54:52 chipmunk saslauthd[21681]: do_auth         : auth failure: [user=cyrus] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
   >
   >    I am confused here - why does it ask twice for a password????????????
   >
   >
   >    [root@chipmunk etc]# more saslauthd.conf
   >    ldap_servers: ldap://localhost/
   >    ldap_search_base: dc=cabm.rutgers,dc=edu
   >    ldap_bind_dn: cn=chipmunk,dc=cabm.rutgers,dc=edu
   >    ldap_bind_pw: xxxxx
   >    ldap_version: 3
   >    ldap_timeout: 5
   >    ldap_timelimit: 5
   >    ldap_restart: yes
   >    ldap_scope: sub
   >    ldap_search_base: dc=cabm.rutgers,dc=edu
   >    ldap_auth_method: bind
   >    #ldap_filter: (|(uid=%u)(mail=%u)(alias=%u))
   >    ldap_filter: (uid=%u)
   >    ldap_debug: 9
   >    ldap_verbose: 1
   >    ldap_ssl: no
   >
   >
   >    [root@chipmunk etc]# more imapd.conf
   >    configdirectory: /usr/cyrus/imap
   >    partition-default: /usr/cyrus/spool/imap
   >    admins: cyrus
   >    sievedir: /usr/sieve
   >    sendmail: /usr/sbin/sendmail
   >    hashimapspool: true
   >    sasl_pwcheck_method: saslauthd
   >    sasl_mech_list: PLAIN LOGIN MD5
   >    #tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
   >    tls_cert_file: /usr/share/ssl/certs/server.pem
   >    #tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
   >    tls_key_file: /usr/share/ssl/certs/server.pem
   >    #tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
   >
   >
   >    A clue as to what I am doing wrong is appreciated. I have seen
   >    similar threads, but no resolution.
   >    Shelley Waltz
   >
   >    ---
   >    Home Page: http://asg.web.cmu.edu/cyrus
   >    Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
   >    List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
   >
   >
   >
   
   





More information about the Info-cyrus mailing list
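
An added example, not part of the original thread or of Cyrus itself: the maillog excerpts quoted above mix two different failures, SASL(-4) (no usable mechanism, so no password was ever checked) and SASL(-13) (the password verifier rejected the login), alongside saslauthd's own backend failures. This Python sketch separates them per user; the function names and the stage labels are assumptions chosen for illustration, and the sample lines are modelled on the excerpts in the thread.

```python
import re
from collections import Counter

# Result codes as defined in Cyrus SASL's sasl.h.
STAGE_BY_CODE = {
    -4: "negotiation",   # SASL_NOMECH: no usable mechanism, no password checked
    -13: "credentials",  # SASL_BADAUTH: the password verifier rejected the login
}

BADLOGIN = re.compile(
    r"imap\[\d+\]: badlogin: \S+ \[(?P<ip>[^\]]+)\] (?P<mech>\S+) (?P<rest>.+)$")
SASL_CODE = re.compile(r"SASL\((-?\d+)\)")
SASLAUTHD = re.compile(
    r"saslauthd\[\d+\]: do_auth\s*: auth failure: \[user=(?P<user>[^\]]*)\] "
    r"\[service=(?P<service>[^\]]*)\] \[realm=[^\]]*\] \[mech=(?P<mech>[^\]]*)\]")

def classify(line):
    """Return a dict describing one auth-failure line, or None if unrelated."""
    m = SASLAUTHD.search(line)
    if m:
        # saslauthd logs this after asking its backend (mech=ldap in the thread).
        return {"source": "saslauthd", "user": m["user"],
                "mech": m["mech"], "code": None, "stage": "backend"}
    m = BADLOGIN.search(line)
    if not m:
        return None
    code_m = SASL_CODE.search(m["rest"])
    code = int(code_m.group(1)) if code_m else None
    first = m["rest"].split()[0]
    # imapd logs the user name only when the exchange got far enough to know it.
    user = None if first.startswith(("[", "SASL(")) else first
    return {"source": "imapd", "user": user, "mech": m["mech"], "code": code,
            "stage": STAGE_BY_CODE.get(code, "unknown")}

def summarize(lines):
    """Count failures per (user, stage), skipping lines that are not failures."""
    recs = filter(None, map(classify, lines))
    return Counter((r["user"], r["stage"]) for r in recs)

# Sample lines modelled on the excerpts in the thread, one log entry per line.
SAMPLE = [
    "Feb 23 13:51:57 chipmunk imap[22131]: accepted connection",
    "Feb 23 13:52:04 chipmunk imap[22131]: badlogin: localhost.localdomain [127.0.0.1] plaintext cyrus SASL(-13): authentication failure: checkpass failed",
    "Feb 23 13:53:01 chipmunk imap[22136]: badlogin: localhost.localdomain [127.0.0.1] PLAIN [SASL(-4): no mechanism available: security flags do not match required]",
    "Feb 23 11:53:50 chipmunk saslauthd[21680]: do_auth         : auth failure: [user=cyrus] [service=imap] [realm=] [mech=ldap] [reason=Unknown]",
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
```

A "negotiation" entry points at mechanism and plaintext policy in imapd.conf, while "credentials" and "backend" entries point at saslauthd and the directory lookup behind it.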