is this a 'realm' or query issue? imtest PLAIN auth works, but LOGIN auth fails

OpenMacNews cyrus-info.20.openmacnews at spamgourmet.com
Wed Nov 3 20:50:46 EST 2004


hi all,

i've setup Exim(4.43), Cyrus-IMAP(2.1.19) & Cyrus-SASL(2.2.8) for use with VExim -- i.e. MySQL(4.1.7) usage/mgmt of virtual domains. replies from the folks on the vexim list suggest that i might be better off with this issue here ...

after setup, with saslauthd's "-r" option set (saslauthd -r -a pam) so as to correctly handle users with "@" signs, i can validate PLAIN auth:

        % imtest -p imap -m PLAIN -t "" -a siteadmin@testserver.internal.testserver.com tiedgar
                > Authenticated.

where syslog shows:

        saslauthd[2391]: SELECT crypt FROM users WHERE username='siteadmin'

so far, so good.  but, LOGIN auth fails with:

        % imtest -p imap -m LOGIN -t "" -a siteadmin@testserver.internal.testserver.com tiedgar
                > S: L01 NO Login failed: authentication failure
                > Authentication failed. generic failure

where snips from syslog.log show:

        saslauthd[2232]: pam_mysql: where clause =
        saslauthd[2232]: SELECT crypt FROM users WHERE username='siteadmin@internal.testserver.com'
        saslauthd[2232]: pam_mysql: select returned more than one result
        saslauthd[2232]: returning 7 after db_checkpasswd.
        saslauthd[2232]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
        saslauthd[2232]: do_auth         : auth failure: [user=siteadmin@internal.testserver.com] [service=imap] [realm=internal.testserver.com] [mech=pam] [reason=PAM auth error]
        imap[2294]: badlogin: testserver.internal.testserver.com [10.0.0.6] plaintext siteadmin SASL(-13): authentication failure: checkpass failed

now, after a little digging, i've learned that:

"When there is no record match in mysql table, pam-mysql returned error "select returned more than one result" a misleading message."
	cref: <http://groups.google.com/groups?hl=en&lr=&threadm=ckt0af%24273h%241%40news.hgc.com.hk&rnum=1&prev=/groups%3Fq%3Dpam_mysql:%2Bselect%2Breturned%2Bmore%2Bthan%2Bone%2Bresult%26hl%3Den%26lr%3D%26sa%3DN%26scoring%3Dd>

which makes sense, since the query on 'siteadmin@internal.testserver.com' WILL return an empty result as there's no such user ... rather the user is 'siteadmin@testserver.internal.testserver.com'.

clearly, there's an issue w/ the SELECT statement's username ... but i dunno where it's constructed/pulled-from.  in the first case (PLAIN auth) there's only a localpart, in the 2nd case (LOGIN auth) there's a localpart + fqdn, but the WRONG fqdn.

is the answer in the Exim authenticators?  from my exim.conf:

        plain_login:
          driver = plaintext
          public_name = PLAIN
          server_condition =  ${lookup mysql{SELECT '1' FROM users WHERE \
                              username = '${quote_mysql:$2}' AND \
                              clear = '${quote_mysql:$3}'} {yes}{no}}
          server_set_id = $2

        fixed_login:
          driver = plaintext
          public_name = LOGIN
          server_prompts = "Username:: : Password::"
          server_condition =  ${lookup mysql{SELECT '1' FROM users WHERE \
                              username = '${quote_mysql:$1}' AND \
                              clear = '${quote_mysql:$2}'} {yes}{no}}
          server_set_id = $1


fyi, both auth mechs (PLAIN & LOGIN) ARE set in imapd.conf, and the relevant libs DO exist in the sasl2 plug-in lib.

ideas/suggestions?

thanks,

richard
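
Added example (not part of the original post, and not code from Cyrus, saslauthd or pam_mysql): a small Python log correlator that pairs each saslauthd SELECT with any do_auth failure from the same PID and labels how the queried username differs from the login that was typed. The sample lines are constructed from the log excerpts in the post with the archive's " at " written as "@"; `classify` and `analyze` are hypothetical helper names, and joining on PID is a heuristic.

```python
import re

# Constructed sample: the saslauthd/pam_mysql syslog lines quoted in the post,
# with the list archive's " at " written back as "@".
SAMPLE_LOG = """\
saslauthd[2391]: SELECT crypt FROM users WHERE username='siteadmin'
saslauthd[2232]: SELECT crypt FROM users WHERE username='siteadmin@internal.testserver.com'
saslauthd[2232]: pam_mysql: select returned more than one result
saslauthd[2232]: do_auth         : auth failure: [user=siteadmin@internal.testserver.com] [service=imap] [realm=internal.testserver.com] [mech=pam] [reason=PAM auth error]
"""

SELECT_RE = re.compile(r"saslauthd\[(\d+)\]: SELECT \w+ FROM \w+ WHERE username='([^']*)'")
FAIL_RE = re.compile(r"saslauthd\[(\d+)\]: do_auth\s*: auth failure: (.*)")
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")

def classify(queried, login):
    """Describe how the username in the SQL lookup differs from the login typed."""
    local, _, domain = login.partition("@")
    q_local, _, q_domain = queried.partition("@")
    if queried == login:
        return "exact"
    if q_local == local and not q_domain:
        return "localpart-only"       # realm dropped before the lookup
    if q_local == local and domain.endswith("." + q_domain):
        return "domain-truncated"     # leading host label(s) missing from the realm
    return "different"

def analyze(log_text, login):
    """Return one record per saslauthd SELECT, joined to a failure by PID."""
    # Heuristic: a saslauthd worker logs its query and its verdict under one PID.
    failures = {m.group(1): dict(FIELD_RE.findall(m.group(2)))
                for m in FAIL_RE.finditer(log_text)}
    records = []
    for m in SELECT_RE.finditer(log_text):
        pid, queried = m.groups()
        fail = failures.get(pid)
        records.append({
            "pid": pid,
            "queried": queried,
            "mismatch": classify(queried, login),
            "failed": fail is not None,
            "realm": fail.get("realm") if fail else None,
        })
    return records

if __name__ == "__main__":
    for rec in analyze(SAMPLE_LOG, "siteadmin@testserver.internal.testserver.com"):
        print(rec)
```

Run against a real syslog excerpt, the `mismatch` column shows at a glance whether the realm was dropped or shortened before pam_mysql built its WHERE clause.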



