Migrate passwords from shadow to mysql
Ken Murchison
ken at oceana.com
Fri Jan 23 10:03:56 EST 2004
Shelley Waltz wrote:
> One other question ...
>
> RH ES supplies cyrus-sasl-2.1.15-3 as an rpm in bin or src.
> I found a cyrus-imapd-2.1.16-6.src.rpm, but could not locate
> a bin or src rpm for cyrus-sasl-2.1.17.
> I prefer to be able to upgrade by rpm rather than tar.gz -
> does anyone know if sasl is available in rpm?
http://www.invoca.ch/pub/packages/cyrus-sasl/
>
> On Fri, 23 Jan 2004, Ken Murchison wrote:
>
> Shelley Waltz wrote:
> > Ken,
> > Thanks for the very clear instructions on how this works. One thing
> > which does not make sense is the removal of the mech_list option
> > subsequent to all users in the shadow file having auth'd once. ???
>
> Because once the users are transitioned to the sql database, then you
> can use *any* of the available SASL mechs.
>
> > Also, why are the transitioned passwords stored in plaintext in the mysql
> > database?
>
> The auxprop plugins are designed to *retrieve* the password rather than
> just *verify* the password. The plaintext password is needed to support
> SASL mechs like CRAM-MD5, DIGEST-MD5, NTLM.
>
>
> > On Thu, 22 Jan 2004, Ken Murchison wrote:
> >
> > Shelley Waltz wrote:
> > > Ken, Thanks for the reply.
> > >
> > > Yes, my new server is RH ES3 with all the most recent versions of
> > > Cyrus imap/sasl/postfix/mysql ...
> >
> > Which version of SASL? You definitely want 2.1.17.
> >
> > > Where do I read about autotransition into the SQL auxprop plugin?
> > > Does this mean that after I transition my existing users, I still
> > > need to create /etc/shadow entries in order to establish new accounts
> > > in the mysql database. I planned to use webcyradm to manage accounts.
> >
> > Just read the docs on how to configure the SQL auxprop plugin. Then in
> > your imapd.conf file, you'll have options like the following:
> >
> > sasl_mech_list: PLAIN LOGIN
> > sasl_auto_transition: yes
> > sasl_pwcheck_method: auxprop saslauthd
> > sasl_auxprop_plugin: sql
> > sasl_sql_engine: mysql
> > sasl_sql_select: ...
> > sasl_sql_insert: ...
> > sasl_sql_update: ...
> >
> >
> > And you'll need to run:
> >
> > saslauthd -a shadow
> >
> >
> > This config will limit the server to plaintext authentication which will
> > happen against /etc/shadow and then the password will be inserted into
> > mysql. The next time the user authenticates, the password will be
> > pulled from mysql (given the order of pwcheck_method).
> >
> > Once all of your users have authenticated at least once, you can remove
> > the mech_list option or add other mechs to the list.
> >
> > > On Thu, 22 Jan 2004, Ken Murchison wrote:
> > >
> > > Shelley Waltz wrote:
> > >
> > > > I am installing a new postfix-cyrus mail server.
> > > > I currently have cyrus-imap 1.6.24 authing PLAIN
> > > > from /etc/shadow.
> > > >
> > > > I wish to migrate the passwords (md5) from the shadow file to
> > > > a mysql database and use this to auth PLAIN using TLS.
> > > > Is there a script available to do so - to migrate the users
> > > > from the shadow file and create the records for mysql authentication?
> > > >
> > > > I did search, but found nothing.
> > >
> > > First, I'd strongly suggest that you upgrade to a recent version of
> > > Cyrus, either 2.1.16 or 2.2.3. To do this, you'll need a recent version
> > > of SASL (I'd suggest 2.1.17). Then, you just configure Cyrus/SASL to
> > > authenticate plaintext from /etc/shadow and have it autotransition
> > > passwords into the SQL auxprop plugin.
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
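
An added example, not part of the original message: one way to check the "once all of your users have authenticated at least once" condition before removing the mech_list option, by listing shadow accounts with a usable password hash that are not yet in the SQL table. The sample shadow lines, the list of SQL usernames, and the function names are constructed for illustration; exporting the usernames from your own table depends on your schema.

```python
# Constructed sample data; not taken from the original thread.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$0123456789abcdefghijkl:12400:0:99999:7:::
daemon:*:12400:0:99999:7:::
alice:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:12405:0:99999:7:::
bob:$1$saltsalt$BBBBBBBBBBBBBBBBBBBBBB:12405:0:99999:7:::
carol:!!:12405:0:99999:7:::
dave:!$1$saltsalt$CCCCCCCCCCCCCCCCCCCCCC:12405:0:99999:7:::
"""
# Assumption: usernames already present in the SQL auxprop table,
# exported separately from whatever table your sasl_sql_select reads.
SAMPLE_SQL_USERS = ["alice"]


def shadow_login_users(shadow_text, skip=("root",)):
    """Return the shadow accounts that have a usable password hash."""
    users = set()
    for line in shadow_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line, ignore
        name, pw = fields[0], fields[1]
        # Skip fields with no usable hash: empty, "*", or "!"-prefixed (locked).
        if not pw or pw.startswith(("!", "*")):
            continue
        if name in skip:
            continue  # accounts that are not mail users
        users.add(name)
    return users


def pending_transition(shadow_text, sql_users, skip=("root",)):
    """Sorted list of shadow users not yet auto-transitioned into SQL."""
    migrated = set(sql_users)
    return sorted(shadow_login_users(shadow_text, skip) - migrated)


if __name__ == "__main__":
    left = pending_transition(SAMPLE_SHADOW, SAMPLE_SQL_USERS)
    print("not yet transitioned:", ", ".join(left) if left else "none")
```

An empty result means every password-capable shadow account already has a row in SQL, which is the point at which the thread says the mech_list restriction can be lifted.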