Murder without Kerberos?

Andrew Findlay andrew.findlay at skills-1st.co.uk
Fri Jul 7 11:53:59 EDT 2006


On Thu, Jul 06, 2006 at 04:38:24PM -0400, Patrick Radtke wrote:

> I haven't tried it with 2.3.6, but PLAIN should work.

The result seems to be the same as with MD5: ordinary user connections
work fine, but admin stuff that goes through to the backends fails.
PLAIN would not work at all until I enabled TLS.

> I would suggest starting with
> sasl_mech_list: PLAIN
> 
> in all your imapd.conf files (make sure it says only PLAIN).
> 
> and make sure there are no
>  force_sasl_client_mech
> lines anywhere.
> 
> Then make sure you can use imtest (with -m PLAIN and -t ""  (for  
> tls)) to connect to backends, and then see if the backends will  
> communicate correctly.

Similar results: here, frontend is the proxy authentication ID and
fred@fred.com is an ordinary user. ms1.srv.tile is a backend store:

imtest -t '' -m plain -u fred@fred.com -a frontend ms1.srv.tile

	Gave the password for 'frontend'.

	Connects OK, the backend logs that fred@fred.com has logged
	in, and an IMAP LIST command shows fred's mailboxes.

imtest -t '' -m plain -u admin -a frontend ms1.srv.tile

	Gave the password for 'frontend'.

	Connects and logs in OK. Backend logs that admin has logged in,
	but IMAP LIST does not show anything.

imtest -t '' -m plain -u admin -a admin ms1.srv.tile

	Gave the password for 'admin'.

	Connects OK, backend logs that admin has logged in, and
	IMAP LIST shows all mailboxes on the server.

So it looks as if the backend will not accept proxied admin accounts.

I am still stuck!

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
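
The three imtest runs above differ only in the authorization ID (-u) and the authentication ID (-a). As an added example (not part of the original post and not Cyrus code), this sketch builds and decodes the SASL PLAIN response defined in RFC 4616 for those three pairs, with constructed passwords, and shows that the password is only base64-encoded on the wire, which is why PLAIN belongs inside TLS.

```python
import base64

def build_plain(authzid, authcid, password):
    """Return the base64 SASL PLAIN response: authzid NUL authcid NUL passwd."""
    for field in (authzid, authcid, password):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    raw = "\x00".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def parse_plain(b64_response):
    """Decode a PLAIN response and report who authenticates and who is acted as."""
    raw = base64.b64decode(b64_response, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("expected exactly three NUL-separated fields")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    if not authcid or not password:
        raise ValueError("authcid and passwd must be non-empty")
    effective = authzid or authcid  # empty authzid: act as the authcid
    return {"authcid": authcid, "authzid": effective,
            "proxy": effective != authcid, "password": password}

# (authzid for -u, authcid for -a, constructed password) for the three runs
CASES = [
    ("fred@fred.com", "frontend", "frontend-secret"),
    ("admin", "frontend", "frontend-secret"),
    ("admin", "admin", "admin-secret"),
]

def describe_cases():
    """Round-trip each case through the wire encoding."""
    return [parse_plain(build_plain(*case)) for case in CASES]

if __name__ == "__main__":
    for info in describe_cases():
        kind = "proxy authorization" if info["proxy"] else "direct login"
        print(f"-u {info['authzid']} -a {info['authcid']}: {kind}; "
              f"password recoverable from the wire form: {info['password']!r}")
```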

