cyradm auth failure
Shelley Waltz
shwaltz at cabm.rutgers.edu
Mon Feb 23 11:57:07 EST 2004
I cannot get the cyrus user to authenticate using either
imtest or cyradm. I can authenticate all other normal
users using imtest.
I am using Simon's rpms for sasl and imap on RHES3.
cyrus-sasl-2.1.17-2
cyrus-imapd-2.2.3-4
openldap-2.0.27-11
I am using LDAP authentication using saslauthd -ldap.
The cyrus user is in the LDAP database as simpleSecurityObject
which has uid and userPassword attributes. The password
has been entered as clear, crypt and md5 and none work.
Here are the outputs and config files ...
user shelley ... an imap user works ...
[root at chipmunk text]# imtest -t "" -a shelley localhost
S: * OK chipmunk.cabm.rutgers.edu Cyrus IMAP4 v2.2.3-Invoca-RPM-2.2.3-4
server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY
SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS
LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY
SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN
AUTH=LOGIN SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN c2hlbGxleQBzaGVsbGV5AGxvbi8vbGF0
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256
C: Q01 LOGOUT
Connection closed.
user cyrus does not ...
[root at chipmunk text]# imtest -t "" -a cyrus localhost
S: * OK chipmunk.cabm.rutgers.edu Cyrus IMAP4 v2.2.3-Invoca-RPM-2.2.3-4
server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY
SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS
LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY
SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN
AUTH=LOGIN SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN Y3lydXMAY3lydXMAbnV0c0BjYWJt
S: A01 NO authentication failure
Authentication failed. generic failure
Security strength factor: 256
Feb 23 11:53:50 chipmunk saslauthd[21680]: do_auth : auth failure:
[user=cyrus] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
Feb 23 11:53:50 chipmunk imap[21637]: Password verification failed
[root at chipmunk text]# cyradm -u cyrus -a plain localhost
Password:
IMAP Password:
Login failed: authentication failure at
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm
line 118
cyradm: cannot authenticate to server with plain as cyrus
Feb 23 11:54:48 chipmunk perl: No worthy mechs found
Feb 23 11:54:52 chipmunk saslauthd[21681]: do_auth : auth failure:
[user=cyrus] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
I am confused here - why does it ask twice for a password????????????
[root at chipmunk etc]# more saslauthd.conf
ldap_servers: ldap://localhost/
ldap_search_base: dc=cabm.rutgers,dc=edu
ldap_bind_dn: cn=chipmunk,dc=cabm.rutgers,dc=edu
ldap_bind_pw: xxxxx
ldap_version: 3
ldap_timeout: 5
ldap_timelimit: 5
ldap_restart: yes
ldap_scope: sub
ldap_search_base: dc=cabm.rutgers,dc=edu
ldap_auth_method: bind
#ldap_filter: (|(uid=%u)(mail=%u)(alias=%u))
ldap_filter: (uid=%u)
ldap_debug: 9
ldap_verbose: 1
ldap_ssl: no
[root at chipmunk etc]# more imapd.conf
configdirectory: /usr/cyrus/imap
partition-default: /usr/cyrus/spool/imap
admins: cyrus
sievedir: /usr/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN MD5
#tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
tls_cert_file: /usr/share/ssl/certs/server.pem
#tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
tls_key_file: /usr/share/ssl/certs/server.pem
#tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
A clue as to what I am doing wrong is appreciated. I have seen
similar threads, but no resolution.
Shelley Waltz
---
Home Page: http://asg.web.cmu.edu/cyrus
Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html