sasldb: userPassword vs. cmusaslsecret*

Marco Colombo cyrus-list at
Tue Apr 17 05:36:41 EDT 2007


We're long-time users of cyrus-imapd. Due to various migrations, our
SASL2 password database currently contains two kinds of entries:

# sasldblistusers2 -f sasldb2 | cut -f2 -d" " | sort | uniq -c
    102 cmusaslsecretCRAM-MD5
    102 cmusaslsecretDIGEST-MD5
    102 cmusaslsecretPLAIN
     88 userPassword

As you can see, we've got 102 users with the old, scrambled, password
entries and 88 with the new userPassword cleartext passwords.

As I understand it, the old kind of cmusaslsecret* entries are
superseded by the new one. Now saslpasswd2 creates only userPassword by
default, that's how we got those 88 entries in our database - anytime a
password is changed via saslpasswd2 the old entries are deleted and a
new userPassword is created, plus of course new users that now are
created with a single userPassword entry from the start.

Well, we would like to migrate those 102 users to the new userPassword
format. Last time I checked, the autotransition option creates
cmusaslsecret* entries if cmusaslsecretPLAIN is present, at the time the
password is checked (that is, when the cleartext sent by the remote user
is available).

So, here's the question: is there a way to effect that migration?

I think cleartext passwords can't be restored from cmusaslsecret*
entries, but if the user authenticates via PLAIN (or LOGIN in
cyrus-imapd, which is the most used here) the password could be saved
as userPassword entry just like an autotransition.

We currently run cyrus-imapd 2.3.1 from Fedora Core Extra 5.
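
Added example, not part of the original post: a shell filter that takes the same sasldblistusers2 listing and names the accounts that still have only cmusaslsecret* entries, i.e. the ones a migration would have to cover. It assumes one "user@realm: property" line per entry, the layout the cut pipeline in the post relies on; the function names and the sample accounts are constructed.

```shell
#!/bin/sh
# Added example: list accounts that have legacy cmusaslsecret* entries
# but no userPassword entry.
# Assumption: input is one "user@realm: property" line per entry.

legacy_only_users() {
    awk '
        {
            user = $1
            sub(/:$/, "", user)    # strip the trailing colon after user@realm
            if ($2 == "userPassword")
                has_new[user] = 1
            else if ($2 ~ /^cmusaslsecret/)
                has_old[user] = 1
        }
        END {
            # Report only users with old entries and no userPassword.
            for (u in has_old)
                if (!(u in has_new)) print u
        }
    ' | sort
}

# Constructed sample input (not taken from a real database).
sample_listing() {
    cat <<'EOF'
alice@mail.example: cmusaslsecretCRAM-MD5
alice@mail.example: cmusaslsecretDIGEST-MD5
alice@mail.example: cmusaslsecretPLAIN
bob@mail.example: userPassword
carol@mail.example: cmusaslsecretPLAIN
carol@mail.example: userPassword
dave@mail.example: cmusaslsecretCRAM-MD5
dave@mail.example: cmusaslsecretDIGEST-MD5
dave@mail.example: cmusaslsecretPLAIN
EOF
}

# Against a real database: sasldblistusers2 -f sasldb2 | legacy_only_users
sample_listing | legacy_only_users
```

An account that carries both kinds of entry (carol in the sample) is not reported, since it already has a userPassword entry.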

