Migrate passwords from shadow to mysql

Ken Murchison ken at oceana.com
Fri Jan 23 08:31:49 EST 2004 

Shelley Waltz wrote:
> Ken,
> Thanks for the very clear instructions on how this works.   One thing 
> which does not make sense is the removal of the mech_list option 
> subsequent to all users in the shadow file having auth'd once. ???

Because once the users are transitioned to the sql database, then you 
can use *any* of the available SASL mechs.

> Also, why are the transitioned passwords stored in plaintext in the mysql
> database?

The auxprop plugins are designed to *retrieve* the password rather than 
just *verify* the password.  The plaintext password is needed to support 
SASL mechs like CRAM-MD5, DIGEST-MD5, NTLM.


> On Thu, 22 Jan 2004, Ken Murchison wrote:
> 
>    Shelley Waltz wrote:
>    > Ken, Thanks for the reply.
>    > 
>    > Yes, my new server is RH ES3 with all the most recent versions of
>    > Cyrus imap/sasl/postfix/mysql ...
>    
>    Which version of SASL?  You definitely want 2.1.17.
>    
>    > Where do I read about autotransition into the SQL auxprop plugin?
>    > Does this mean that after I transition my existing users, I still
>    > need to create /etc/shadow entries in order to esatblish new accounts
>    > in thge mysql database.  I planned to use webcyradm to manage accounts.
>    
>    Just read the docs on how to configure the SQL auxprop plugin.  Then in 
>    your imapd.conf file, you'll have options like the following:
>    
>    sasl_mech_list: PLAIN LOGIN
>    sasl_auto_transition: yes
>    sasl_pwcheck_method: auxprop saslauthd
>    sasl_auxprop_plugin: sql
>    sasl_sql_engine: mysql
>    sasl_sql_select: ...
>    sasl_sql_insert: ...
>    sasl_sql_update: ...
>    
>    
>    And you'll need to run:
>    
>    saslauthd -a shadow
>    
>    
>    This config will limit the server to plaintext authentication which will 
>    happen against /etc/shadow and then the password will be inserted into 
>    mysql.  The next time the user authenticates, the password will be 
>    pulled from mysql (given the order of pwcheck_method).
>    
>    Once all of your users have authenticated at least once, you can remove 
>    the mech_list option or add other mechs to the list.
>    
>    > On Thu, 22 Jan 2004, Ken Murchison wrote:
>    > 
>    >    Shelley Waltz wrote:
>    >    
>    >    > I am installing a new postfix-cyrus mail server.
>    >    > I currently have cyrus-imap 1.6.24 authing PLAIN
>    >    > from /etc/shadow.
>    >    > 
>    >    > I wish to migrate the passwords(md5) from the shadow file to
>    >    > a mysql database and use this to auth PLAIN using TLS.
>    >    > Is there a script available to do so - to migrate the users
>    >    > from the shadow file and create the records for mysql authentication?
>    >    > 
>    >    > I did search, but found nothing.
>    >    
>    >    First, I'd strongly suggest that you upgrade to a recent version of 
>    >    Cyrus, either 2.1.16 or 2.2.3.  To do this, you'll need a recent version 
>    >    of SASL (I'd suggest 2.1.17).  Then, you just configure Cyrus/SASL to 
>    >    authentication plaintext from /etc/shadow and have it autotransition 
>    >    passwords into the SQL auxprop plugin.
>    >    
>    >    
>    > 
>    > 
>    
>    
>    
> 
> 


-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp

More information about the Info-cyrus mailing list