resolving SASL vs. crypt'd pwds in MySQL, auxprop vs pam_mysql, & support for secret-based auth mechs [x-posted]

OpenMacNews cyrus-info.20.openmacnews at spamgourmet.com
Tue Nov 9 15:53:36 EST 2004


hi all,

yes, i know .... 'ugh'.

i've spent seemingly countless hours googling around in circles -- well actually, in dozens of disjointed threads -- and getting oft conflicting answers/instructions from contributing authors.  thanks for all the comments/help, tho! (you know who you are ...)

it was suggested that i repost the Q to the lists ... so, to limit the bouncing around again, please bear with me on cross-posting this to:

       Cyrus SASL List <cyrus-sasl at lists.andrew.cmu.edu>
       Cyrus INFO List <info-cyrus at lists.andrew.cmu.edu>
       Web-Cyradm List <web-cyradm at web-cyradm.org>

this *should* (i hope) reopen a stagnant thread or two ...

to the details:

my target (on OSX 10.3.6) is:

       postfix (2.1.15)
       cyrus-imap (2.2.8)
       cyrus-sasl (2.1.20)
       mysql (4.1.7)
       web-cyradm as a front-end

setup for virtual domains/accounts only.

an included goal is to enable support of all auth mechs (plain, login, gssapi, ntlm, cram-md5, digest-md5) for client connections, both with, & without, SSL/TLS encryption.

i've built all the pieces successfully, and am currently awash in trying to solve numerous authentication issues ...

to that end, here are my QUESTION(s):

(a) web-cyradm's HOWTO instructs that pam_mysql be used with SASL2 for authentication.

    however, i've found

    <http://groups.google.com/groups?hl=en&lr=&threadm=bvvqjf%2425rh%241%40FreeBSD.csie.NCTU.edu.tw&rnum=2&prev=/groups%3Fq%3Dpam_mysql%253A%2520MySQL%2520err%2520Access%2520denied%2520for%2520user%26hl%3Den%26lr%3D%26sa%3DN%26tab%3Dwg>

	   " >or if the problem is in sasl2, pam_mysql.so or mysql itself.

		SASL - pam_mysql
		SASL2 - auxprop_mysql
		choose either one, but do not mix them."

    but, i can find no further reference/documentation on the issue.

    #############
    ## QUESTION
        does, IN FACT, the use of SASL2 preclude the use of pam_mysql?

(b) as i'm migrating TO a cyrus IMAP/SASL based system from commercial-ware,
    i'm 'used to' seeing full support for all of the multiple auth mechs

    i've learned that there's an 'issue' (problem?) of Cyrus' "lack of native support
    for encrypted pwds in MySQL" which prevents one from using the secret-based
    auth mechs via saslauthd ...

    there are patches around (all of? some of?) this problem:

       cref: <http://brunny.com/content/view/12/0/>

    and 'authdaemond' from courier-imap seems to be an alternative:

       cref: <http://groups.google.com/groups?hl=en&lr=&threadm=c3ucsu%24a12%241%40FreeBSD.csie.NCTU.edu.tw&rnum=21&prev=/groups%3Fq%3Dsasl%2Bcyrus%2Bcrypt%2Bmysql%26hl%3Den%26lr%3D%26start%3D20%26sa%3DN>

    but, of course, the goal is to get THIS system working, rather than 'abandoning ship'.

    to THAT end, for the moment, i've settled on (still working on it ... ):
    (1) patch to web-cyradm: <http://www.shaolinux.org/web-cyradm-0.5.4.new.diff>
         cref discussion thread @:
            http://www.web-cyradm.org/pipermail/web-cyradm/2004-April/017305.html
cd /var/DarkMatter/WebTools
    (2) patch to cyrus-sasl: <http://frost.ath.cx/software/cyrus-sasl-patches/>
    (3) modify web-cyradm install's imapd.conf & smtpd.conf to use sasl auxprop's
        sql/mysql plugin, rather than pam_mysql

    #############
    ## QUESTION(s)
       (i) is this, IN FACT, a 'problem'/missing functionality in Cyrus?
       (ii) is it planned to be addressed/fixed anytime soon?
            (it's been implied that it requires a 'major rewrite' ...)?
       (iii) what specifically would need to be fixed/changed in SASL?

       NOTE: i've heard from the maintainers that this is 'not on the top
             of their priority list' ... but that a discussion here might instigate
             a patch ...

i appreciate any/all insights, direction and look forward to the discussion -- and 'closure'!

cheers,

richard

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
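
Added example, not part of the original post and not code from Cyrus SASL, web-cyradm or any patch linked above: a sketch of why a one-way hashed password column can serve PLAIN/LOGIN but not a shared-secret mechanism such as CRAM-MD5 (RFC 2195). The user name, password, salt and challenge are constructed sample values, and PBKDF2 is used here only as a stand-in for a crypt()'d column.

```python
import base64
import hashlib
import hmac


def one_way_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in (assumption) for the crypt()'d value stored in the SQL table."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000).hex().encode()


def verify_plain(stored_hash: bytes, salt: bytes, password: bytes) -> bool:
    """PLAIN/LOGIN: the client sends the password, so the server can re-hash it."""
    return hmac.compare_digest(one_way_hash(password, salt), stored_hash)


def cram_md5_response(user: str, secret: bytes, challenge: bytes) -> bytes:
    """Client side: base64("user " + hex(HMAC-MD5(secret, challenge)))."""
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(user.encode() + b" " + digest.encode())


def verify_cram_md5(stored_value: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the HMAC keyed with whatever the store holds."""
    _user, _, digest = base64.b64decode(response).rpartition(b" ")
    expected = hmac.new(stored_value, challenge, hashlib.md5).hexdigest().encode()
    return hmac.compare_digest(expected, digest)


def demo() -> dict:
    password = b"constructed-sample-password"    # constructed sample value
    salt = b"constructed-salt"                   # constructed sample value
    challenge = b"<1896.697170952@mail.example.org>"  # constructed challenge
    hashed = one_way_hash(password, salt)
    response = cram_md5_response("sample-user", password, challenge)
    return {
        # Password arrives in the clear: a hashed column is enough.
        "plain_against_hash": verify_plain(hashed, salt, password),
        # Challenge-response with the plaintext secret in the store: works.
        "cram_against_plaintext": verify_cram_md5(password, challenge, response),
        # Same response checked against the hashed column: the server has no
        # way to derive the HMAC key from the hash, so verification fails.
        "cram_against_hash": verify_cram_md5(hashed, challenge, response),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```
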



