cyrus sasl realm problem

Georg Gell georg_1 at have2.com
Mon Oct 3 09:57:38 EDT 2005


brad wrote:
> On Sat, 2005-10-01 at 13:25 +0200, Georg Gell wrote:
> 
>>Hello,
>>
>>I have an old server with about 50 mail users, which uses cyrus imapd
>>with sasl and pam_mysql. The server settings are:
>>unixhierarchysep: no
>>virtdomains: no
>>
>>On the new server, I want users to be able to log in with their email
>>addresses as username, but I want to let the old users use their old
>>username/password combinations. So I set
>>unixhierarchysep: yes
>>virtdomains: yes
>>defaultdomain: servername.domainname.com
>>sasl_pwcheck_method: auxprop
>>sasl_sql_engine: mysql
>>sasl_sql_select: SELECT password FROM accountuser WHERE username = '%u@%r'
>>...
>>
>>This works well. But I want to migrate the old account to the new
>>machine. As I understand the docs, this should work, because usernames
>>without realm are used with defaultdomain as result. But this doesn't
>>happen for sasl authentication.
>>
>>Let's say I have user georg with password georgpass on the old server. I
>>thought on the new server, I would leave the mailbox on cyrus like
>>user/georg, and for auth in the mysql database I would just add to each
>>username the @servername.domainname.com, so that if the default domain
>>is added to the username we should be able to log in.
>>
>>But something else happens (trying to use the pop server):
>>If I log in from a remote computer, reading the debug log, I see that
>>the user is being tested with domainname.com as realm (username:
>>georg@domainname.com).
>>But if I log in from localhost, no realm is added (username: georg).
>>
>>What I don't understand after spending much time reading the docs is this:
>>Who adds the realm, imapd or sasl? And why are they different depending
>>on the location from where I try to log in? And whatever adds the realm,
>>how is it decided what to use? And finally, how can I change it?
>>
>>Thanks in advance!
>>
>>Best regards
>>
>>Georg
> 
> 
> With virtdomains turned on then cyrus will use the domain sent with the
> username if the user logs in fully qualified.  Otherwise cyrus does a
> reverse lookup on the IP that the user logged in on and uses the domain
> from that lookup as the user's domain.  The lookup can be either from DNS
> or hosts file or any other means.
> 
> Hope that helps,
> 
Thanks for the quick reply. Sadly this is not true on my system.
Trying imtest:
moritz> imtest -a georg localhost (on moritz.have2.com)
debug.log:
Oct  3 15:46:21 [imap] sql plugin doing query SELECT password FROM
accountuser WHERE username = 'georg@moritz.have2.com';_
moritz.have2.com is the fqdn of my server.

moritz> imtest -a georg moritz.have2.com (on moritz.have2.com)
Oct  3 15:49:23 [imap] sql plugin doing query SELECT password FROM
accountuser WHERE username = 'georg@have2.com';_

notebook> imtest -a georg moritz.have2.com (from home dial up)
Oct  3 15:49:23 [imap] sql plugin doing query SELECT password FROM
accountuser WHERE username = 'georg@have2.com';_

Where does the realm part come from? If I connect to localhost, it uses
the server's fqdn (which is also the defaultdomain in my imapd.conf),
that's what I'd expect. If I connect from the same machine to the
external IP, I have have2.com as realm. Why? And even worse from my
dial-up ip (reverse lookup looks like dial-up-XXX.highway.telekom.at), I
have also have2.com as realm. So the realm cannot be related to the ip
of the logged in user, or am I missing something?

Regards

Georg



More information about the Info-cyrus mailing list