cyradm auth mechanism

Igor Brezac igor at ipass.net
Mon Jul 4 23:53:34 EDT 2005


On Mon, 4 Jul 2005, Thomas Vogt wrote:

> Hi everyone
>
> I've a problem with my new, clean cyrus installation. I can't log in with my 
> cyradm admin account. The account information is stored in my ldap database. 
> The sasldb2 is empty. I don't use it. Can you give me some advice?
>
> For cyradm I use this command:
> cyradm --user nmeth2vdiysttboz --server localhost --auth plain
> Password:
> IMAP Password: <i use the ldap password here>
>
> Error message:
> Invalid user at /usr/local/lib/perl5/site_perl/5.8.7/mach/Cyrus/IMAP/Admin.pm 
> line 118
> cyradm: cannot authenticate to server with plain as nmeth2vdiysttboz
>
> Logfile:
> Jul  4 21:00:36 mail03 imap[58290]: badlogin: localhost [127.0.0.1] PLAIN 
> [SASL(-16): encryption needed to use mechanism: security flags do not match
               ^^^^^^^^^^

This error is self-explanatory.

> Jul  4 21:00:39 mail03 perl: No worthy mechs found
> Jul  4 21:00:40 mail03 imap[58290]: ptload(): bad response from ptloader 
> server: identifier not found

pts/ldap configuration problem.  Double check ldap_* params in 
imapd.conf.

Is there a reason you are using pts authorization module?

> Jul  4 21:00:40 mail03 imap[58290]: bad userid authenticated
> Jul  4 21:00:40 mail03 imap[58290]: badlogin: localhost [127.0.0.1] plaintext 
> nmeth2vdiysttboz invalid user

>
> testsaslauthd -u nmeth2vdiysttboz -p 1234
> 0: OK "Success."
>
>
> imtest -m LOGIN -a nmeth2vdiysttboz localhost
> S: * OK mail03.test.ch Cyrus IMAP4 v2.2.12 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY 
> SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE LISTEXT 
> LIST-SUBSCRIBED X-NETSCAPE
> S: C01 OK Completed
> Please enter your password: <type in here>
> C: L01 LOGIN nmeth2vdiysttboz {16}
> S: L01 NO Invalid user
> Authentication failed. generic failure
> Security strength factor: 0
>
>
>
> ldap entry for admin:
>
> # nmeth2vdiysttboz, people, test, test.ch
> dn: uid=nmeth2vdiysttboz,ou=people,ou=test,dc=test,dc=ch
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> uid: nmeth2vdiysttboz
> cn: Cyrus Admin
> userPassword:: 1234
>
>
> saslauthd.conf
> ldap_servers: ldap://127.0.0.1/
> ldap_search_base: ou=people,ou=test,dc=test,dc=ch
>
>
> imapd.conf:
> configdirectory: /m/imap
> partition-default: /m/spool/imap
> allowplaintext: yes
> admins: nmeth2vdiysttboz
> quotawarn: 90
> timeout: 30
> imapidlepoll: 60
> poptimeout: 10
> logtimestamps: yes
> singleinstancestore: yes
> sieveusehomedir: false
> sievedir: /m/imap/sieve
> hashimapspool: true
>
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: plain login
>
> ptloader_sock: /var/imap/socket/ptsock
> lmtpsocket: /var/imap/socket/lmtp
> idlesocket: /var/imap/socket/idle
> notifysocket: /var/imap/socket/notify
>
> ldap_base: dc=test,dc=ch
> ldap_deref: search
> ldap_sasl: 0
> ldap_group_scope: sub
> ldap_bind_dn: dc=test,dc=ch
> ldap_restart: 1
> ldap_scope: sub
> ldap_start_tls: 0
> ldap_time_limit: 10
> ldap_timeout: 15
> ptscache_timeout: 1
> ldap_tls_check_peer: no
> ldap_tls_ciphers: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
> ldap_uri: ldap://127.0.0.1/

Do you need ldap_password here?  Can you debug slapd?

> Saslauth runs with -a ldap
> slapd runs with -h "ldapi:///var/run/openldap/ldapi/ ldap://127.0.0.1 "
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This will not work, although saslauthd is working fine with your current 
configuration.  (Use ldapi://%2fvar%2frun%2fopenldap%2fldapi/)

-- 
Igor
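
The ldapi listener point above, as an added example that is not part of the original message: it splits each URL from the quoted slapd -h argument and shows that the unencoded form leaves the host field empty, while the percent-encoded form carries the socket path there. The function names are hypothetical, and the check assumes the socket path is read from the URL's host field, which is what the encoded form in the reply implies.

```python
from urllib.parse import quote, unquote, urlsplit

# The slapd -h argument quoted in the message above.
PAGE_H_ARG = "ldapi:///var/run/openldap/ldapi/ ldap://127.0.0.1 "


def check_listener(url):
    """Return (ok, socket_path, suggestion) for one listener URL.

    Assumption: for ldapi:// the socket path is taken from the host field,
    so every "/" in that path has to be percent-encoded as %2F.
    """
    parts = urlsplit(url)
    if parts.scheme != "ldapi":
        return (True, None, None)  # only ldapi:// carries a socket path
    if parts.netloc:
        # Encoded form: the host field decodes to the socket path.
        return (True, unquote(parts.netloc), None)
    stray = parts.path.strip("/")
    if not stray:
        # Bare ldapi:/// names no path at all (default socket).
        return (True, None, None)
    # Raw slashes end the host field early: the host is empty and the
    # intended socket path has landed in the path part of the URL instead.
    fixed = "ldapi://" + quote("/" + stray, safe="") + "/"
    return (False, None, fixed)


def audit_listeners(h_arg):
    """Check every whitespace-separated URL in a slapd -h argument."""
    return {url: check_listener(url) for url in h_arg.split()}


if __name__ == "__main__":
    for url, (ok, sock, fix) in audit_listeners(PAGE_H_ARG).items():
        if ok:
            print("ok      ", url, "socket=" + sock if sock else "")
        else:
            print("rewrite ", url, "->", fix)
```

The suggested rewrite uses uppercase %2F where the reply uses %2f; percent-encoding is case-insensitive, so both name the same socket.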