remote cyradm questions
dwhite at olp.net
Thu Mar 3 13:32:23 EST 2011
On 02/03/11 14:18 -0800, Gary Smith wrote:
>We have been using saslauth against pam_mysql for some time now with no
>problems. To use it though we need to use the -r option for sasl, which
>adds the realm to the username. I've been re-working some of my management
>scripts so I can have a central server that issues the commands to the
>remote cyrus servers. The problem is the cyrus administration accounts
>can't seem to connect from remote hosts as the -r option for sasl adds the
>hostname and using user@ connects but doesn't yield admin level privileges
>even if added to the imapd.conf file.
I don't think either the PLAIN or LOGIN mechanisms support passing a SASL
realm value. Neither RFC 4616 nor draft-murchison-sasl-login-xx.txt mentions
the word 'realm'. So the '-r' option for saslauthd probably doesn't have
any effect for remote cyradm/imap connections, that I can see.
>cyradm --user cyrus remotehost <-- yields invalid password
>cyradm --user cyrus@ remotehost <-- can login but no access, even if both cyrus and cyrus@ are in the imapd.conf file
What username do you see authenticated in syslog? I think that's the
username you'll need to key off of for what goes into imapd.conf.
>I also tried by adding a new user garycyrusadmin
>cyradm --user garycyrusadmin remotehost <-- yields invalid password
>cyradm --user garycyrusadmin @ remotehost <-- can login but no admin access, even if both cyrus and cyrus@ are in the imapd.conf file
>I also tested with one of my hosted email accounts
>cyradm --user gary at domain.com remotehost <-- can login but no admin access, even if gary at domain.com is in imapd.conf file
It's simpler to pass a domain name in the username field like that
rather than trying to pass a sasl realm, which isn't consistently handled
across the various sasl mechanisms.
>Any advice on how to connect to the remote cyrus host with an admin
>account? All of the scripts connect via imaps as well, which shouldn't
>matter in this case.
See the 'Administration' section of:
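
Added example, not part of the original message or of Cyrus code: the RFC 4616 PLAIN message has only three fields (authzid, authcid, passwd), so a domain can travel only inside the login name, and the resulting identity is what an `admins:` entry has to match. The helper names, the sample `imapd.conf` text and the exact-string comparison are assumptions made for illustration; Cyrus applies its own canonicalization before comparing.

```python
import base64

# Constructed sample configuration text (not taken from the thread).
SAMPLE_CONF = "configdirectory: /var/imap\nadmins: cyrus gary@example.com\n"

def encode_plain(authcid, passwd, authzid=""):
    """Build the RFC 4616 message: [authzid] NUL authcid NUL passwd."""
    return "\0".join((authzid, authcid, passwd)).encode("utf-8")

def parse_plain(message):
    """Split a PLAIN message into (authzid, authcid, passwd)."""
    parts = message.split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN needs exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    return authzid, authcid, passwd

def from_wire(b64_response):
    """Decode the base64 response sent after IMAP AUTHENTICATE PLAIN."""
    return parse_plain(base64.b64decode(b64_response, validate=True))

def split_domain(authcid):
    """Return (local, domain); domain is None when no '@' is present."""
    local, sep, domain = authcid.rpartition("@")
    return (local, domain) if sep else (authcid, None)

def is_listed_admin(userid, conf_text):
    """Exact-string check against the 'admins:' line (a simplification)."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "admins":
            return userid in value.split()
    return False

if __name__ == "__main__":
    for name in ("cyrus", "cyrus@", "gary@example.com"):
        wire = base64.b64encode(encode_plain(name, "secret"))
        _, authcid, _ = from_wire(wire)
        print(authcid, split_domain(authcid),
              is_listed_admin(authcid, SAMPLE_CONF))
```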