mupdate auth configuration

[Jim Levie]

On Tue, 2004-02-17 at 15:59, Prentice Bisbal wrote:
> Im setting up Cyrus on a SAN where /var/spool/imap is shared via the 
> san. I'm using the unified-imap branch as suggested by Ken Murchison. 
> Everything seems to be working except mupdate. When I try to create a 
> mailbox, I get the following error
> 
> localhost.localdomain> cm user.prentice
> createmailbox: no authentication to server
> 
> I suspect it may be a SASL issue. I've tried the mupdate login names 
> with and without the domain/realm appended to the username.
> 
If it is the same problem I just found, then it is a SASL problem.

> Feb 17 16:53:29 pdb-mail-1 imap[13192]: authentication to remote mupdate 
> server failed:  "undefined error!"^M

I don't know which version of Cyrus you are running, but that error is
remarkably similar to what mupdate-client.c procduces on 2.2.3. I see
that you are using sasldb2, which makes me think it may be the same
problem I had.

What I found was that SASL is being too helpful in trying to use the
strongest authentication method possible. If SASL was build with
Kerberos support and you aren't using Kerberos that is the only method
mupdate will try, which of course will fail. You can tell if this is the
case by executing:

mupdatetest -p 3905 -u mupdater 128.6.239.23

and checking the "* AUTH" line for GSSAPI.

I don't see a way of limiting the mupdate server's allowable auth mechs
in the imapd.conf, but I found that renaming the
/usr/lib/sasl2/libgssapiv2* plugins and restarting Cyrus on the mupdate
server is a workable solution.
-- 
Jim Levie <jim at entrophy-free.net>

---
Home Page: http://asg.web.cmu.edu/cyrus
Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html