digest-md5 password store
Dan White
dwhite at olp.net
Wed Dec 5 10:26:58 EST 2007
Guillermo Gómez wrote:
> I've been looking on how to work cyrus imap with mysql and found two options:
>
> cyrus pam with pam_mysql
> cyrus sasl sql plugin
>
> In the first one it looks like the store can have the password encrypted MD5
> The second one needs the passwords in the clear in the db
>
> customer says they have a mysql db with md5 passwords in it.
>
> I'm still confused on how this should work, can anyone please give me
> some insights on this regard
pam_mysql would correlate to saslauthd, and the cyrus sasl plugin
would correlate to auxprop.
See documentation on the SASL pwcheck_method setting
(sasl_pwcheck_method in /etc/imapd.conf).
When set to saslauthd, the pwcheck_method will allow the use of
the PLAIN and LOGIN mechanisms, and will pass the username and
password from the client on to PAM. PAM can internally hash the
password and compare it against an already md5/crypted password.
When set to auxprop, SASL will retrieve the cleartext password
and use it to compare (in the case of PLAIN and LOGIN), or to use
in multi-step negotiation of other mechanisms, such as DIGEST-MD5.
The auxprop plugin gives you the ability to authenticate using
the PLAIN, LOGIN, DIGEST-MD5, CRAM-MD5, NTLM and OTP mechs (and
probably more).
saslauthd only gives you the ability to authenticate using PLAIN
and LOGIN (I believe), which may or may not be sufficient for you.
- Dan
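
Added example (not part of the original message and not Cyrus SASL code): a Python sketch of why a database column of MD5 hashes is enough for PLAIN/LOGIN but not for DIGEST-MD5, using the RFC 2831 response calculation for qop=auth with no authzid. The user, realm, nonces, digest-uri and password are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def digest_md5_response(user, realm, secret, nonce, cnonce, nc, digest_uri):
    """RFC 2831 response-value (qop=auth, no authzid).
    `secret` is whatever the computing side holds as the password."""
    a1 = md5(f"{user}:{realm}:{secret}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd_input = f"{md5(a1).hex()}:{nonce}:{nc}:{cnonce}:auth:{md5(a2).hex()}"
    return md5(kd_input.encode()).hex()

def verify_plain_against_md5(stored_md5_hex, password):
    """saslauthd/PAM style: the client sends the password itself,
    so the server can hash it and compare with the stored hash."""
    candidate = hashlib.md5(password.encode()).hexdigest()
    return hmac.compare_digest(stored_md5_hex, candidate)

def verify_digest_md5(stored_secret, client_response, params):
    """auxprop style: the server recomputes the response from its stored
    secret. This only matches if the stored secret is the cleartext."""
    expected = digest_md5_response(secret=stored_secret, **params)
    return hmac.compare_digest(expected, client_response)

# Constructed sample values for the demonstration.
PASSWORD = "s3cret"
MD5_ROW = hashlib.md5(PASSWORD.encode()).hexdigest()  # what the customer's db holds
PARAMS = dict(user="alice", realm="example.org", nonce="OA6MG9tEQGm2hh",
              cnonce="OA6MHXh6VqTrRk", nc="00000001",
              digest_uri="imap/mail.example.org")

def demo():
    # The client always computes its response from the real password.
    client_response = digest_md5_response(secret=PASSWORD, **PARAMS)
    return {
        "PLAIN vs md5 column": verify_plain_against_md5(MD5_ROW, PASSWORD),
        "DIGEST-MD5 vs cleartext": verify_digest_md5(PASSWORD, client_response, PARAMS),
        "DIGEST-MD5 vs md5 column": verify_digest_md5(MD5_ROW, client_response, PARAMS),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

With DIGEST-MD5 the password never crosses the wire, so the server has nothing to hash and compare; it must derive the same response from its own copy of the secret.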