digest-md5 password store
dwhite at olp.net
Wed Dec 5 10:26:58 EST 2007
Guillermo Gómez wrote:
> Ive been looking on how to work cyrus imap with mysql and found two options:
> cyrus pam with pam_mysql
> cyrus sasl sql plugin
> In the first one it look like the store can have the password encrypted MD5
> The second one needs the passwords in the clear in the db
> customer says they have a mysql db with md5 passwords in it.
> Im still confused on how this should work, can anyone please give me
> some insights on this regard
pam_mysql would correlate to saslauthd, and the cyrus sasl plugin
would correlate to auxprop.
See documentation on the SASL pwcheck_method setting
(sasl_pwcheck_method in /etc/imapd.conf).
When set to saslauthd, the pwcheck_method will allow the use of
the PLAIN and LOGIN mechanisms, and will pass the username and
password from the client on to PAM. PAM can internally hash the
password and compare it against an already md5/crypted password.
When set to auxprop, SASL will retrieve the cleartext password
and use it to compare (in the case of PLAIN and LOGIN), or to use
in multi-step negotiation of other mechanisms, such as DIGEST-MD5.
The auxprop plugin gives you the ability to authenticate using
the PLAIN, LOGIN, DIGEST-MD5, CRAM-MD5, NTLM and OTP mechs (and
saslauthd only gives you the ability to authenticate using PLAIN
and LOGIN (I believe), which may or may not be sufficient for you.
More information about the Info-cyrus