Migrate passwords from shadow to mysql
shwaltz at cabm.rutgers.edu
Fri Jan 23 08:59:14 EST 2004
One other question ...
RH ES supplies cyrus-sasl-2.1.15-3 as an rpm in bin or src.
I found a cyrus-imapd-2.1.16-6.src.rpm, but could not locate
a bin or src rpm for cyrus-sasl-2.1.17.
I prefer to be able to upgrade by rpm rather than tar.gz -
does anyone know if sasl is available in rpm?
On Fri, 23 Jan 2004, Ken Murchison wrote:
Shelley Waltz wrote:
> Thanks for the very clear instructions on how this works. One thing
> which does not make sense is the removal of the mech_list option
> subsequent to all users in the shadow file having auth'd once. ???
Because once the users are transitioned to the sql database, then you
can use *any* of the available SASL mechs.
> Also, why are the transitioned passwords stored in plaintext in the mysql
The auxprop plugins are designed to *retrieve* the password rather than
just *verify* the password. The plaintext password is needed to support
SASL mechs like CRAM-MD5, DIGEST-MD5, NTLM.
> On Thu, 22 Jan 2004, Ken Murchison wrote:
> Shelley Waltz wrote:
> > Ken, Thanks for the reply.
> > Yes, my new server is RH ES3 with all the most recent versions of
> > Cyrus imap/sasl/postfix/mysql ...
> Which version of SASL? You definitely want 2.1.17.
> > Where do I read about autotransition into the SQL auxprop plugin?
> > Does this mean that after I transition my existing users, I still
> > need to create /etc/shadow entries in order to esatblish new accounts
> > in thge mysql database. I planned to use webcyradm to manage accounts.
> Just read the docs on how to configure the SQL auxprop plugin. Then in
> your imapd.conf file, you'll have options like the following:
> sasl_mech_list: PLAIN LOGIN
> sasl_auto_transition: yes
> sasl_pwcheck_method: auxprop saslauthd
> sasl_auxprop_plugin: sql
> sasl_sql_engine: mysql
> sasl_sql_select: ...
> sasl_sql_insert: ...
> sasl_sql_update: ...
> And you'll need to run:
> saslauthd -a shadow
> This config will limit the server to plaintext authentication which will
> happen against /etc/shadow and then the password will be inserted into
> mysql. The next time the user authenticates, the password will be
> pulled from mysql (given the order of pwcheck_method).
> Once all of your users have authenticated at least once, you can remove
> the mech_list option or add other mechs to the list.
> > On Thu, 22 Jan 2004, Ken Murchison wrote:
> > Shelley Waltz wrote:
> > > I am installing a new postfix-cyrus mail server.
> > > I currently have cyrus-imap 1.6.24 authing PLAIN
> > > from /etc/shadow.
> > >
> > > I wish to migrate the passwords(md5) from the shadow file to
> > > a mysql database and use this to auth PLAIN using TLS.
> > > Is there a script available to do so - to migrate the users
> > > from the shadow file and create the records for mysql authentication?
> > >
> > > I did search, but found nothing.
> > First, I'd strongly suggest that you upgrade to a recent version of
> > Cyrus, either 2.1.16 or 2.2.3. To do this, you'll need a recent version
> > of SASL (I'd suggest 2.1.17). Then, you just configure Cyrus/SASL to
> > authentication plaintext from /etc/shadow and have it autotransition
> > passwords into the SQL auxprop plugin.
More information about the Info-cyrus