Trouble with cyrus-imap + saslauthd + pam_mysql

Jim Bartus jbartus at advance.net
Tue Jul 26 20:03:16 EDT 2005


I'm trying to implement a virtual-domain/virtual-user setup where 
'john@foo.org' and 'john@bar.org' are separate users/accounts/mailboxes.

I'm using RHEL4 and all its official RPMs except for pam_mysql, which 
comes from a third party that rebuilds FC3 RPMs to work in RHEL4.  Here 
are the relevant packages:
cyrus-imapd-2.2.12-3.RHEL4.1
cyrus-imapd-utils-2.2.12-3.RHEL4.1
cyrus-sasl-md5-2.1.19-5.EL4
cyrus-sasl-devel-2.1.19-5.EL4
cyrus-sasl-2.1.19-5.EL4
cyrus-sasl-plain-2.1.19-5.EL4
pam_mysql-0.50-6

In /etc/imapd.conf I changed
-------------------------------------
unixhierarchysep: yes
-------------------------------------


In /usr/lib/sasl2/smtpd.conf I have
-------------------------------------
pwcheck_method: saslauthd
-------------------------------------


In /etc/sysconfig/saslauthd I set
-------------------------------------
MECH=pam
-------------------------------------


My /etc/pam.d/imap looks like this
-------------------------------------
auth required pam_mysql.so user=mail passwd=***** host=localhost db=mail table=accounts usercolumn=user passwdcolumn=pass crypt=1

account required pam_mysql.so user=mail passwd=***** host=localhost db=mail table=accounts usercolumn=user passwdcolumn=pass crypt=1
-------------------------------------

My mysql table is brutally simple:

mysql> select * from accounts;
+-----------------------+---------------+
| user                  | pass          |
+-----------------------+---------------+
| john@foo.org          | jTx9WNkRMWLZE |
| cyrus                 | 6.loOz32/WGiA |
| john@bar.org          | zTFsFui6YVuKI |
+-----------------------+---------------+


The above is all "working" in that the following commands work, 
indicating the two are working as separate users and it can tell when 
you get the password right.
-------------------------------------
[root@donnie ~]# testsaslauthd -u john@foo.org -p foo
0: OK "Success."
[root@donnie ~]# testsaslauthd -u john@bar.org -p foo
0: NO "authentication failed"
[root@donnie ~]# testsaslauthd -u john@bar.org -p bar
0: OK "Success."
[root@donnie ~]# testsaslauthd -u john@foo.org -p bar
0: NO "authentication failed"
-------------------------------------

After running those four commands, the following expected errors show up 
in /var/log/messages
-------------------------------------
saslauthd[13079]: do_auth : auth failure: [user=john@bar.org] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
saslauthd[13080]: do_auth : auth failure: [user=john@foo.org] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
-------------------------------------

That's all well and good.  Now comes the part I can't figure out... when 
I try to run cyradm as the users it fails:
-------------------------------------
[root@donnie ~]# cyradm --user john@foo.org localhost
IMAP Password: <<I type in "foo" here>>
               Login failed: authentication failure at /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm line 118
cyradm: cannot authenticate to server with  as john@foo.org
-------------------------------------

And I get this in /var/log/messages
-------------------------------------
saslauthd[13080]: do_auth : auth failure: [user=john] [service=imap] [realm=foo.org] [mech=pam] [reason=PAM auth error]
-------------------------------------


For some reason testsaslauthd keeps "john@foo.org" as the username, but 
cyradm breaks it up into user=john realm=foo.org, which then fails to 
authenticate.  Similarly if I try to connect with an IMAP client 
(thunderbird) I get the same error as above where it breaks the username 
up into separate user and realm parts.

What am I doing wrong here?  Should I have a different table structure 
in mysql?  Is there some config change I need to make to get it to *not* 
break up the username?  Why does testsaslauthd work and nothing else?

Thank you to anyone who even read this far :)

-jim

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
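
Added example (not part of the original post, and not Cyrus project code): a small Python triage script for the saslauthd "auth failure" lines quoted above. It separates failures where the logged login exists in the accounts table (wrong password) from failures where the login was split into user and realm so that only the local part was looked up. The function names are hypothetical, the sample log is constructed from the lines in the post, and it assumes the logged user field is the string handed to PAM.

```python
import re

# Matches the bracketed key=value fields of a saslauthd do_auth line.
# "saslauthd[13079]" is skipped because it contains no "=".
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")

# Constructed sample: the two kinds of failure line shown in the post.
SAMPLE_LOG = """\
saslauthd[13079]: do_auth : auth failure: [user=john@bar.org] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
saslauthd[13080]: do_auth : auth failure: [user=john] [service=imap] [realm=foo.org] [mech=pam] [reason=PAM auth error]
"""

# Values of the "user" column from the accounts table in the post.
ACCOUNTS = {"john@foo.org", "cyrus", "john@bar.org"}


def parse_failure(line):
    """Return the fields of one auth-failure line as a dict, or None."""
    if "do_auth" not in line or "auth failure" not in line:
        return None
    return dict(FIELD.findall(line))


def classify(fields, accounts):
    """Return (login seen by PAM, verdict) for one parsed failure."""
    user = fields.get("user", "")
    realm = fields.get("realm", "")
    full = f"{user}@{realm}" if realm else user
    if user in accounts:
        return user, "key-exists"    # row was found, so the password was wrong
    if realm and full in accounts:
        return user, "realm-split"   # only the local part was looked up
    return user, "unknown-user"      # no row under either spelling


def diagnose(log, accounts):
    """Classify every auth-failure line in a block of syslog text."""
    parsed = (parse_failure(line) for line in log.splitlines())
    return [classify(f, accounts) for f in parsed if f]


if __name__ == "__main__":
    for login, verdict in diagnose(SAMPLE_LOG, ACCOUNTS):
        print(f"{login:15} {verdict}")
```

A "realm-split" verdict means the row exists only under the full user@domain key. The saslauthd man page documents a -r flag that combines the realm with the login before the mechanism sees it.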