cyrus and ldap changing passwords?

Adam Tauno Williams adam at
Wed Dec 13 10:59:50 EST 2006

On Wed, 2006-12-13 at 15:17 +0000, Mike wrote:
> I'm close to moving LDAP to production and am running a 
> few checks. The one this morning is changing my password,
> seeing that password updated in ldap, and logging in to
> linux with the old password (fails) and the new password
> (passes). Then I tried to copy an email message from my
> workstation's outlook express from a local folder to the
> imap (cyrus) server on linux. The copy failed (good). I
> changed the password to the new password and the copy
> failed (bad).
> The message in /var/log/maillog is:
> Dec 13 09:06:55 $HOST imap[19577]: badlogin: [] \
>   plaintext mikee SASL(-13): authentication failure: checkpass failed
> I changed back to the original password and the copy in
> outlook express succeeded. Actually, the program is plain
> outlook, not outlook express.

So you are using what SASL mech?

> The workstation is xp with all the current patches. The
> server is red hat fedora core 5 with patches older than
> one week. The cyrus server is working, there is just a
> problem with ldap and changing passwords.

Did you change the password through an ldap modify operation or the
change password extended operation?  Is the password hash type in LDAP
the same as prior to the change or did the password change switch hash

> Where do I look or any ideas on what to change? This box
> is beginning to be used by others, so there is a limit
> to what I can do during the day.

This really seems more likely to be an LDAP related issue than a Cyrus

Are you authenticating via straight SASL or via saslauthd?  If saslauthd,
have you tested with testsaslauthd?

> Oh, with the new password I was able to login using 
> 'telnet localhost 143', '1 login $USER $PASS', '2 list "" ""',
> '3 logout'.

That probably hits PAM unless you are using Kerberos, are you
authenticating to Cyrus using saslauthd & PAM or some other method?
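
Added example, not part of the original message: one way to check the hash-type question raised above is to dump the user's entry as LDIF before and after the password change and compare the storage scheme of userPassword. The function names, DN suffix, passwords and salt below are assumptions constructed for the illustration.

```python
import base64
import hashlib
import hmac
import re

# Schemes stored as base64(digest + optional salt). Others ({CRYPT}, cleartext) are only named.
DIGESTS = {"SSHA": ("sha1", 20), "SHA": ("sha1", 20), "SMD5": ("md5", 16), "MD5": ("md5", 16)}

def user_password_from_ldif(ldif):
    """Return userPassword from one LDIF entry; 'userPassword::' marks a base64 value."""
    m = re.search(r"^userPassword(::?)[ \t]*(\S+)[ \t]*$", ldif, re.M | re.I)
    if m is None:
        raise ValueError("no userPassword returned; check the ACL for the bind DN")
    return base64.b64decode(m.group(2)).decode() if m.group(1) == "::" else m.group(2)

def scheme_of(value):
    """Name the storage scheme from the {PREFIX}; no prefix means cleartext."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}", value)
    return m.group(1).upper() if m else "CLEARTEXT"

def verify(value, password):
    """Check a candidate password against a {SSHA}/{SHA}/{SMD5}/{MD5} value."""
    scheme = scheme_of(value)
    if scheme not in DIGESTS:
        raise ValueError("scheme %s is not verified by this example" % scheme)
    algo, size = DIGESTS[scheme]
    raw = base64.b64decode(value[len(scheme) + 2:])
    digest, salt = raw[:size], raw[size:]
    return hmac.compare_digest(hashlib.new(algo, password.encode() + salt).digest(), digest)

def scheme_change(ldif_before, ldif_after):
    """Return (old_scheme, new_scheme, changed) for two dumps of the same entry."""
    old, new = (scheme_of(user_password_from_ldif(x)) for x in (ldif_before, ldif_after))
    return old, new, old != new

def constructed_value(scheme, password, salt=b""):
    """Build a sample value for the demo; real values come from the directory."""
    blob = hashlib.new(DIGESTS[scheme][0], password.encode() + salt).digest() + salt
    return "{%s}%s" % (scheme, base64.b64encode(blob).decode())

# Constructed sample entries (DN suffix, passwords and salt are made up).
OLD_VALUE = constructed_value("SSHA", "old-secret", b"\x01\x02\x03\x04")
LDIF_BEFORE = ("dn: uid=mikee,ou=people,dc=example,dc=com\n"
               "userPassword:: %s\n" % base64.b64encode(OLD_VALUE.encode()).decode())
LDIF_AFTER = ("dn: uid=mikee,ou=people,dc=example,dc=com\n"
              "userPassword: {CRYPT}$1$constructed$placeholder\n")

if __name__ == "__main__":
    print(scheme_change(LDIF_BEFORE, LDIF_AFTER))
    print(verify(user_password_from_ldif(LDIF_BEFORE), "old-secret"))
```

Long userPassword lines in real LDIF output are folded onto continuation lines and must be unfolded before being passed to `user_password_from_ldif`.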

More information about the Info-cyrus mailing list