Migrate passwords from shadow to mysql

Ken Murchison ken at oceana.com
Thu Jan 22 14:35:58 EST 2004

Shelley Waltz wrote:
> Ken, Thanks for the reply.
> Yes, my new server is RH ES3 with all the most recent versions of
> Cyrus imap/sasl/postfix/mysql ...

Which version of SASL?  You definitely want 2.1.17.

> Where do I read about autotransition into the SQL auxprop plugin?
> Does this mean that after I transition my existing users, I still
> need to create /etc/shadow entries in order to establish new accounts
> in the mysql database?  I planned to use webcyradm to manage accounts.

Just read the docs on how to configure the SQL auxprop plugin.  Then in 
your imapd.conf file, you'll have options like the following:

sasl_mech_list: PLAIN LOGIN
sasl_auto_transition: yes
sasl_pwcheck_method: auxprop saslauthd
sasl_auxprop_plugin: sql
sasl_sql_engine: mysql
sasl_sql_select: ...
sasl_sql_insert: ...
sasl_sql_update: ...

And you'll need to run:

saslauthd -a shadow

This config will limit the server to plaintext authentication which will 
happen against /etc/shadow and then the password will be inserted into 
mysql.  The next time the user authenticates, the password will be 
pulled from mysql (given the order of pwcheck_method).

Once all of your users have authenticated at least once, you can remove 
the mech_list option or add other mechs to the list.

> On Thu, 22 Jan 2004, Ken Murchison wrote:
>    Shelley Waltz wrote:
>    > I am installing a new postfix-cyrus mail server.
>    > I currently have cyrus-imap 1.6.24 authing PLAIN
>    > from /etc/shadow.
>    > 
>    > I wish to migrate the passwords(md5) from the shadow file to
>    > a mysql database and use this to auth PLAIN using TLS.
>    > Is there a script available to do so - to migrate the users
>    > from the shadow file and create the records for mysql authentication?
>    > 
>    > I did search, but found nothing.
>    First, I'd strongly suggest that you upgrade to a recent version of 
>    Cyrus, either 2.1.16 or 2.2.3.  To do this, you'll need a recent version 
>    of SASL (I'd suggest 2.1.17).  Then, you just configure Cyrus/SASL to 
>    authenticate plaintext from /etc/shadow and have it autotransition 
>    passwords into the SQL auxprop plugin.

Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
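
An added example, not part of the original message and not code from Cyrus SASL: one way to check the "once all of your users have authenticated at least once" condition before removing the mech_list option. The sasl_users table and its columns are hypothetical (the sasl_sql_* statements are elided in the message), skipping root is an assumption, and an in-memory SQLite database stands in for MySQL so the check runs offline.

```python
import sqlite3

# Constructed sample /etc/shadow content (not from the original message).
SAMPLE_SHADOW = """\
root:$1$aaaaaaaa$0000000000000000000000:12400:0:99999:7:::
daemon:*:12400:0:99999:7:::
alice:$1$bbbbbbbb$1111111111111111111111:12430:0:99999:7:::
bob:$1$cccccccc$2222222222222222222222:12431:0:99999:7:::
carol:!$1$dddddddd$3333333333333333333333:12432:0:99999:7:::
dave:!!:12433:0:99999:7:::
"""

def shadow_password_users(shadow_text, skip=("root",)):
    """Accounts that can still authenticate with a password via shadow."""
    users = set()
    for line in shadow_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or not fields[0] or fields[0].startswith("#"):
            continue
        name, pw = fields[0], fields[1]
        # Empty, "*" or a leading "!" means no usable password (locked/system).
        if name in skip or not pw or pw[0] in "*!":
            continue
        users.add(name)
    return users

def transitioned_users(conn):
    """Users that already have a non-empty password row in the SQL store."""
    # Hypothetical schema: table sasl_users(username, password).
    cur = conn.cursor()
    cur.execute("SELECT username FROM sasl_users "
                "WHERE password IS NOT NULL AND password <> ''")
    return {row[0] for row in cur.fetchall()}

def pending_users(shadow_text, conn):
    """Shadow accounts that have not authenticated since auto-transition began."""
    return sorted(shadow_password_users(shadow_text) - transitioned_users(conn))

def sample_db(rows):
    """In-memory SQLite stand-in for the MySQL database, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sasl_users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO sasl_users VALUES (?, ?)", rows)
    return conn

if __name__ == "__main__":
    db = sample_db([("alice", "constructed-value"), ("bob", None)])
    print("still to authenticate:", pending_users(SAMPLE_SHADOW, db))
```

An empty result from pending_users means every password-capable shadow account has a row in the SQL store; locked accounts (carol, dave) and system accounts (daemon) are excluded because they can never complete a PLAIN login.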
