cyrus sasl realm problem

brad brad at bradandkim.net
Mon Oct 3 09:06:02 EDT 2005


On Sat, 2005-10-01 at 13:25 +0200, Georg Gell wrote:
> Hello,
> 
> I have an old server with about 50 mail users, which uses cyrus imapd
> with sasl and pam_mysql. The server settings are:
> unixhierarchysep: no
> virtdomains: no
> 
> On the new server, I want users to be able to log in with their email
> addresses as username, but I want to let the old users use their old
> username/password combinations. So I set
> unixhierarchysep: yes
> virtdomains: yes
> defaultdomain: servername.domainname.com
> sasl_pwcheck_method: auxprop
> sasl_sql_engine: mysql
> sasl_sql_select: SELECT password FROM accountuser WHERE username = '%u@%r'
> ...
> 
> This works well. But I want to migrate the old account to the new
> machine. As I understand the docs, this should work, because username
> without realm are used with defaultdomain as result. But this doesn't
> happen for sasl authentication.
> 
> Let's say I have user georg with password georgpass on the old server. I
> thought on the new server, I would leave the mailbox on cyrus like
> user/georg, and for auth in the mysql database I would just add to each
> username the @servername.domainname.com, so that if the default domain
> is added to the username we should be able to log in.
> 
> But something else happens (trying to use the pop server):
> If I log in from a remote computer, reading the debug log, I see that
> the user is being tested with domainname.com as realm (username:
> georg at domainname.com).
> But if I log in from localhost, no realm is added(username: georg).
> 
> What I don't understand after spending much time reading the docs is this:
> Who adds the realm, imapd or sasl? And why are they different depending
> on the location from where I try to log in? And whatever adds the realm,
> how is it decided what to use? And finally, how can I change it?
> 
> Thanks in advance!
> 
> Best regards
> 
> Georg

With virtdomains turned on then cyrus will use the domain sent with the
username if the user logs in fully qualified.  Otherwise cyrus does a
reverse lookup on the IP that the user logged in on uses the domain from
that lookup as the user's domain.  The lookup can be either from DNS or
hosts file or any other means.

Hope that helps,

-- 
Brad Crotchett, RHCE
brad at bradandkim.net




More information about the Info-cyrus mailing list