Cyrus+SASL+PAM+pam_mysql Migration problem

Phil Pennock info-cyrus-spodhuis at spodhuis.org
Wed Jun 28 15:22:12 EDT 2006


On 2006-06-27 at 19:25 +0300, Alexandru E. Ungur wrote:
> I'm having a bit of a hard time doing a migration of cyrus from this:

> anyway, on the old server it is a cyrus+saslauthd+pam+pam_mysql+mysql 
> On the new server I got saslauthd working pretty much ok (I think).

Using PAM, you lose those authentication mechanisms which require a
cleartext password (DIGEST-MD5, etc).  Looking on the pam-mysql website,
I see that they cover this and document how to get Cyrus-SASL to work
with MySQL and bypass the PAM layer; their method includes support for
domains.

  <URL:http://pam-mysql.sourceforge.net/Documentation/FAQ.php?seemore=y>

"
Q. I set up saslauthd (of Cyrus-SASL) to use PAM-MySQL for
   authentication and noticed some authentication mechanisms such as
   CRAM-MD5 don't work. Why?

A. CRAM-MD5 and DIGEST-MD5 are Challenge-Response authentication
   mechanisms (indeed CRAM is short for Challenge-Response
   Authentication Mechanism), plain-text passwords have to be supplied
   to the instance that handles authentication communication with the
   user (that is, the SASL client library), rather than the
   authenticator (the server). Therefore, it is not possible to use PAM
   with these mechanisms and then you need to configure Cyrus-SASL to
   have "SQL" auxprop plugin with MySQL support and specify "auxprop"
   for the preferred password checking method.

   For instance, if you want to use it in conjunction with Postfix, the
   SASL configuration file "smtpd.conf", which is put in the
   Cyrus-SASL's plugin directory (or the location included in the
   SASL_PATH environment variable), would look like the following:

   pwcheck_method: auxprop
   mech_list: plain login cram-md5 digest-md5
   sql_engine: mysql
   sql_database: sys
   sql_user: someuser
   sql_passwd: fubar
   sql_select: SELECT password FROM users WHERE name='%u' and domain='%r';

   Note that passwords should be stored in plain-text in this case. 
"

To get the domain stuff working with pam_mysql, I suspect that you need
to be looking at the 'where' option, putting the appropriate SQL in
there; the 'where' option is mentioned at:
  <URL:http://pam-mysql.sourceforge.net/Documentation/package-readme.php?seemore=y>
although no escapes are mentioned and OTTOMH I don't recall what can be
done in imapd.conf for this.  Sorry.
-- 
"Everything has three factors: politics, money, and the right way to do it.
 In that order."  -- Gary Donahue
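To illustrate why the FAQ quoted above says the SQL store must hold clear-text passwords, here is an added Python example (not part of the post or of Cyrus-SASL/pam-mysql): a minimal RFC 2195 CRAM-MD5 exchange. The server-side check keys an HMAC-MD5 with the password itself, so a store that holds only a hash (the crypt-style data a PAM module can compare against) can verify PLAIN but can never recompute a CRAM-MD5 digest. The store contents, host name and salted-SHA-256 hash are constructed stand-ins.

```python
import hashlib
import hmac
import os

# Constructed sample stores (not from the post). The first is what the
# sql auxprop plugin needs; the second is all a hash-comparing PAM
# module would ever see (salted SHA-256 stands in for crypt()).
CLEARTEXT_STORE = {"alice@example.org": "s3cret"}
SALT = b"constructed-salt"
HASHED_STORE = {
    "alice@example.org": hashlib.sha256(SALT + b"s3cret").hexdigest()
}


def make_challenge(host="mail.example.org"):
    """Server-generated challenge in the RFC 2195 '<id.timestamp@host>' shape."""
    return f"<{os.urandom(8).hex()}.1@{host}>".encode()


def cram_md5_response(username, password, challenge):
    """Client side: HMAC-MD5 of the challenge, keyed by the clear-text password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_cram_md5(store, challenge, response):
    """Server side: recompute the keyed digest from the STORED password.

    This only works when `store` maps users to clear-text passwords; a hash
    is not the HMAC key, so nothing can be recomputed from HASHED_STORE.
    """
    username, _, digest = response.partition(" ")
    password = store.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def verify_plain(hashed_store, username, password):
    """PLAIN/LOGIN: the client sends the password itself, so a hash-only
    store (what PAM checks against) is sufficient."""
    stored = hashed_store.get(username)
    if stored is None:
        return False
    candidate = hashlib.sha256(SALT + password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)
```

Running the two verifiers against the two stores shows the trade-off the FAQ describes: enabling cram-md5/digest-md5 in mech_list forces the clear-text column, while a PAM-backed saslauthd can only ever serve PLAIN and LOGIN.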
