problem ntlm won't work with mysql

Ken Murchison ken at oceana.com
Mon Jul 11 16:55:17 EDT 2005


Thomas Börnert wrote:

> Yes, DIGEST-MD5 doesn't work either :-(.
> 
> Why is it working with sasldb2 (auxprop) ?

The mechanisms need the plaintext password (or plaintext equivalent) 
stored in the auxprop backend.  The SQL auxprop that ships with SASL 
will work correctly unless you've patched it to store encrypted 
passwords, in which case the SQL auxprop will only work for plaintext 
SASL mechanisms and plaintext authentication protocol commands.

> 
> There exists a patch for cyrus with auxprop/mysql.
> 
> Has anyone tested it?
> 
> Thanks.
> 
> -Thomas
> 
> On Mon, 2005-07-11 at 08:19 -0400, Ken Murchison wrote:
> 
>>Thomas Börnert wrote:
>>
>>
>>>hi list,
>>>
>>>ntlm with evolution or outlook isn't working:
>>>
>>>imap[17765]: badlogin: localhost.localdomain [127.0.0.1] NTLM [SASL (-13): authentication failure: incorrect NTLM response]
>>>
>>>I've found: if I use sasldb2 then it works.
>>>
>>>If I use the mysql setup below then it won't work :-(.
>>
>>Do CRAM-MD5 or DIGEST-MD5 work with mysql?
>>
>>
>>
>>>Does anyone have an idea?
>>
>>My guess is that you are encrypting the passwords in your mysql 
>>database, which will cause non-plaintext mechanisms like NTLM and 
>>DIGEST-MD5 to fail.
>>
>>
>>
>>>my imapd.conf
>>><---------------------- snip ----------------------->
>>>configdirectory: /var/lib/imap
>>>#duplicatesuppression: 0
>>>partition-default: /var/spool/imap
>>>admins: cyrus
>>>allowanonymouslogin: no
>>>autocreatequota: 1000000
>>>quotawarn: 90
>>>timeout: 30
>>>poptimeout: 10
>>>#popminpoll: 1
>>>servername: pop.domain.net
>>>sievedir: /var/lib/imap/sieve
>>>sieve_maxscriptsize: 32
>>>sieve_maxscripts: 5
>>>sendmail: /usr/sbin/sendmail
>>>hashimapspool: true
>>>allowplaintext: yes
>>>sasl_pwcheck_method: saslauthd
>>>sasl_mech_list: LOGIN PLAIN NTLM DIGEST-MD5 CRAM-MD5
>>>tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
>>>tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
>>>tls_ca_file: /usr/share/ssl/certs/cyrus-imapd.pem
>>>sasl_sql_engine: mysql
>>>sasl_sql_hostnames: localhost
>>>sasl_sql_user: mail
>>>sasl_sql_passwd: secret
>>>sasl_sql_database: mail
>>>sasl_sql_select: select password from accountuser where username = '%u'
>>><---------------------- snip ----------------------->
>>>
>>>my cyrus.conf
>>><---------------------- snip ----------------------->
>>># standard standalone server implementation
>>>
>>>START {
>>>  # do not delete this entry!
>>>  recover       cmd="ctl_cyrusdb -r"
>>>
>>>  # this is only necessary if using idled for IMAP IDLE
>>>  idled         cmd="idled"
>>>}
>>>
>>># UNIX sockets start with a slash and are put into /var/lib/imap/sockets
>>>SERVICES {
>>>  # add or remove based on preferences
>>>  imap         cmd="imapd" listen="[localhost]:imap" prefork=5
>>>  imaps         cmd="imapd -s" listen="[localhost]:imaps" prefork=1
>>>  pop3          cmd="pop3d" listen="[pop]:pop3" prefork=3
>>>  pop3s         cmd="pop3d -s" listen="[pop]:pop3s" prefork=1
>>>  sieve         cmd="timsieved" listen="[localhost]:sieve" prefork=0
>>>
>>>  # at least one LMTP is required for delivery
>>>#  lmtp         cmd="lmtpd" listen="[localhost]:lmtp" prefork=0
>>>  lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1
>>>
>>>  # this is only necessary if using notifications
>>>#  notify       cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
>>>}
>>>
>>>EVENTS {
>>>  # this is required
>>>  checkpoint    cmd="ctl_cyrusdb -c" period=30
>>>
>>>  # this is only necessary if using duplicate delivery suppression
>>>  delprune      cmd="ctl_deliver -E 3" at=0400
>>>
>>>  # this is only necessary if caching TLS sessions
>>>  tlsprune      cmd="tls_prune" at=0400
>>>
>>>  # create SQUAT indexes for all mailboxes
>>>  squatter     cmd="/usr/lib/cyrus-imapd/squatter -r user.%" at=401
>>> 
>>>}
>>><---------------------- snip ----------------------->
>>>
>>>---
>>>Cyrus Home Page: http://asg.web.cmu.edu/cyrus
>>>Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
>>>List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>>>
>>
> 
> 
> 


-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
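
The point made in the reply above, shown with CRAM-MD5 as an added example (not part of the original message and not Cyrus SASL code): the server has to recompute the client's HMAC from the secret the backend returns, so a hashed password column breaks it, while PLAIN still works if the backend compares hashes. The user name, password, challenge and the unsalted-MD5 column format are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample data: one user, the same password stored two ways.
PASSWORD = "s3cret-example"
PLAINTEXT_STORE = {"thomas": PASSWORD}  # what a shared-secret mechanism needs
# Assumed "encrypted" column: unsalted MD5 hex, standing in for any one-way hash.
HASHED_STORE = {"thomas": hashlib.md5(PASSWORD.encode()).hexdigest()}

CHALLENGE = b"<1896.697170952@pop.domain.net>"  # constructed server challenge


def client_response(user, password, challenge):
    """CRAM-MD5 client reply: user + hex(HMAC-MD5(key=password, msg=challenge))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"


def server_verify_cram_md5(store, response, challenge):
    """Recompute the HMAC with whatever the backend returned as the secret."""
    user, _, digest = response.partition(" ")
    secret = store.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def server_verify_plain(store, user, password, hashed):
    """PLAIN/LOGIN: the server sees the password, so it can hash before comparing."""
    stored = store.get(user)
    if stored is None:
        return False
    candidate = hashlib.md5(password.encode()).hexdigest() if hashed else password
    return hmac.compare_digest(candidate, stored)


def demo():
    resp = client_response("thomas", PASSWORD, CHALLENGE)
    return {
        "cram_plaintext_store": server_verify_cram_md5(PLAINTEXT_STORE, resp, CHALLENGE),
        "cram_hashed_store": server_verify_cram_md5(HASHED_STORE, resp, CHALLENGE),
        "plain_hashed_store": server_verify_plain(HASHED_STORE, "thomas", PASSWORD, True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'authentication failure'}")
```
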




More information about the Info-cyrus mailing list