is this a 'realm' or query issue? imtest PLAIN auth works, but LOGIN auth fails
OpenMacNews
cyrus-info.20.openmacnews at spamgourmet.com
Wed Nov 3 20:50:46 EST 2004
hi all,
i've set up Exim(4.43), Cyrus-IMAP(2.1.19) & Cyrus-SASL(2.2.8) for use with VExim -- i.e. MySQL(4.1.7) usage/mgmt of virtual domains. replies from the folks on the vexim list suggest that i might be better off with this issue here ...
after setup, with saslauthd's "-r" option set (saslauthd -r -a pam) so as to correctly handle users with "@" signs, i can validate PLAIN auth:
% imtest -p imap -m PLAIN -t "" -a siteadmin@testserver.internal.testserver.com tiedgar
> Authenticated.
where syslog shows:
saslauthd[2391]: SELECT crypt FROM users WHERE username='siteadmin'
so far, so good. but, LOGIN auth fails with:
% imtest -p imap -m LOGIN -t "" -a siteadmin@testserver.internal.testserver.com tiedgar
> S: L01 NO Login failed: authentication failure
> Authentication failed. generic failure
where snips from syslog.log show:
saslauthd[2232]: pam_mysql: where clause =
saslauthd[2232]: SELECT crypt FROM users WHERE username='siteadmin@internal.testserver.com'
saslauthd[2232]: pam_mysql: select returned more than one result
saslauthd[2232]: returning 7 after db_checkpasswd.
saslauthd[2232]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
saslauthd[2232]: do_auth : auth failure: [user=siteadmin@internal.testserver.com] [service=imap] [realm=internal.testserver.com] [mech=pam] [reason=PAM auth error]
imap[2294]: badlogin: testserver.internal.testserver.com [10.0.0.6] plaintext siteadmin SASL(-13): authentication failure: checkpass failed
now, after a little digging, i've learned that:
"When there is no record match in mysql table, pam-mysql returned error "select returned more than one result" a miss-leading message."
cref: <http://groups.google.com/groups?hl=en&lr=&threadm=ckt0af%24273h%241%40news.hgc.com.hk&rnum=1&prev=/groups%3Fq%3Dpam_mysql:%2Bselect%2Breturned%2Bmore%2Bthan%2Bone%2Bresult%26hl%3Den%26lr%3D%26sa%3DN%26scoring%3Dd>
which makes sense, since the query on 'siteadmin@internal.testserver.com' WILL return an empty result as there's no such user ... rather the user is 'siteadmin@testserver.internal.testserver.com'.
clearly, there's an issue w/ the SELECT statement's username ... but i dunno where it's constructed/pulled-from. in the first case (PLAIN auth) there's only a localpart, in the 2nd case (LOGIN auth) there's a localpart + fqdn, but the WRONG fqdn.
is the answer in the Exim authenticators? from my exim.conf:
plain_login:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${lookup mysql{SELECT '1' FROM users WHERE \
      username = '${quote_mysql:$2}' AND \
      clear = '${quote_mysql:$3}'} {yes}{no}}
  server_set_id = $2

fixed_login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = ${lookup mysql{SELECT '1' FROM users WHERE \
      username = '${quote_mysql:$1}' AND \
      clear = '${quote_mysql:$2}'} {yes}{no}}
  server_set_id = $1
fyi, both auth mechs (PLAIN & LOGIN) ARE set in imapd.conf, and the relevant libs DO exist in the sasl2 plug-in lib.
ideas/suggestions?
thanks,
richard
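
An added example, not part of the original post: a small Python triage script that groups saslauthd syslog lines by PID and classifies how the username pam_mysql looked up differs from the login the client sent. The sample log is constructed from the excerpts above (addresses written with "@"), and the names triage, compare, SAMPLE_LOG and LOGIN are hypothetical.

```python
import re

# Constructed sample, modelled on the syslog excerpts in the post (addresses written with '@').
SAMPLE_LOG = """\
saslauthd[2391]: SELECT crypt FROM users WHERE username='siteadmin'
saslauthd[2232]: pam_mysql: where clause =
saslauthd[2232]: SELECT crypt FROM users WHERE username='siteadmin@internal.testserver.com'
saslauthd[2232]: pam_mysql: select returned more than one result
saslauthd[2232]: do_auth : auth failure: [user=siteadmin@internal.testserver.com] [service=imap] [realm=internal.testserver.com] [mech=pam] [reason=PAM auth error]
"""
LOGIN = "siteadmin@testserver.internal.testserver.com"  # login passed to imtest in the post

LINE = re.compile(r"saslauthd\[(?P<pid>\d+)\]:\s*(?P<msg>.*)")
QUERY = re.compile(r"SELECT .* WHERE username='(?P<user>[^']*)'")
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")
AMBIGUOUS = "select returned more than one result"

def triage(log_text):
    """Group saslauthd lines by PID and record what was actually looked up."""
    by_pid = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        rec = by_pid.setdefault(m["pid"], {"pid": int(m["pid"]), "queried": None,
                                            "ambiguous_error": False, "failure": None})
        q = QUERY.search(m["msg"])
        if q:
            rec["queried"] = q["user"]
        elif AMBIGUOUS in m["msg"]:
            rec["ambiguous_error"] = True  # per the quote in the post, also seen when no row matches
        elif "auth failure" in m["msg"]:
            rec["failure"] = dict(FIELD.findall(m["msg"]))  # user/service/realm/mech/reason
    return list(by_pid.values())

def compare(login, queried):
    """Classify how the looked-up name differs from the login the client sent."""
    if queried == login:
        return "same"
    l_local, _, _ = login.partition("@")
    q_local, q_sep, _ = queried.partition("@")
    if q_local != l_local:
        return "different-user"
    return "realm-stripped" if not q_sep else "realm-changed"

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec["pid"], rec["queried"], compare(LOGIN, rec["queried"]), rec["failure"])
```
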