Allow PLAIN login cyrus 2.2.12

Dan White dwhite at olp.net
Mon Feb 13 15:32:21 EST 2012


On 02/13/12 17:22 +0100, Manel Gimeno Zaragozá wrote:
>
>Hello,
>
>I've executed testsaslauthd as cyrus user and it's OK
>
>[root log]# su - cyrus
>[cyrus1 ~]$ /usr/sbin/testsaslauthd -u test-adm -p password
>0: OK "Success."
>
>On the other hand, I've done some tests and I've executed imtest, getting the following:
>
># imtest -m plain 192.168.65.130 -a cyrus
>S: * OK Datadec-Online Cyrus IMAP4 v2.2.12-Invoca-RPM-2.2.12-19 server ready
>C: C01 CAPABILITY
>S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
>NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
>BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE
>LISTEXT LIST-SUBSCRIBED X-NETSCAPE
>S: C01 OK Completed
>C: A01 AUTHENTICATE PLAIN
>S: A01 NO encryption needed to use mechanism
>Authentication failed. generic failure
>Security strength factor: 0
>. login test-adm password
>. OK User logged in
>C: Q01 LOGOUT
>Connection closed.
>
>
>=========log==============
>
>Feb 13 17:16:02 srv-vln-pre1 imap1[29801]: telling master 2
>
>Feb 13 17:16:02 srv-vln-pre1 imap1[29801]: accepted connection
>
>Feb 13 17:16:02 srv-vln-pre1 imap1[29801]: telling master 3
>
>Feb 13 17:16:02 srv-vln-pre1 master[24579]: service imap1 pid 29801 in READY state: now unavailable and in BUSY state
>
>Feb 13 17:16:02 srv-vln-pre1 master[24579]: service imap1 now has 1 ready workers
>
>Feb 13 17:16:02 srv-vln-pre1 master[24579]: service imap1 pid 29801 in BUSY state: now serving connection
>
>Feb 13 17:16:02 srv-vln-pre1 master[24579]: service imap1 now has 1 ready workers
>
>*Feb 13 17:16:02 srv-vln-pre1 imap1[29801]: badlogin:
>xmlfrwk.pre.datadec-online.com [192.168.65.130] PLAIN [SASL(-16):
>encryption needed to use mechanism: security flags do not match
>required]
>
>*Feb 13 17:16:11 srv-vln-pre1 imap1[29801]: login:
>xmlfrwk.pre.datadec-online.com [192.168.65.130] test-adm plaintext User
>logged in
>
>==========================
>
>
>
>As you can see on the first try I get "badlogin" but when I try ". login
>test-adm password" I'm able to log in.

In the first case you are authenticating using SASL PLAIN, with user
'cyrus', and in the second case you are authenticating using the
login/pass with user 'test-adm', which is an apples to oranges
comparison.

It would be better to use 'imtest -m login -a cyrus <ip>' (which should perform
login/pass authentication) and compare that to 'imtest -m login -a
test-adm <ip>', and then compare the two with '-m plain'.

'encryption needed to use mechanism: security flags do not match required'
seems to indicate that you need to specify:

sasl_minimum_layer: 0

but you said you already tried that. A hack to get this to work would be to
tell imapd that it's operating under an external security layer. In
/etc/cyrus.conf, you could modify your imapd line(s) to include '-p 256',
e.g.:

imap            cmd="imapd -p 256" listen="imap"

See the manpage for imapd(8).

-- 
Dan White
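
Added example, not part of the original message or of Cyrus itself: a small Python audit of the log entries quoted in the thread, reporting SASL(-16) refusals and logins that completed without TLS, which is worth checking after changing sasl_minimum_layer or adding '-p 256'. The third sample line (its host and address) is constructed, and treating a "+TLS" suffix on the mechanism field as the marker of a TLS session is an assumption about the server's log format.

```python
import re

# Sample syslog lines. The first two are the entries quoted in the thread with
# their wrapped lines rejoined; the third is constructed for contrast.
SAMPLE_LOG = """\
Feb 13 17:16:02 srv-vln-pre1 imap1[29801]: badlogin: xmlfrwk.pre.datadec-online.com [192.168.65.130] PLAIN [SASL(-16): encryption needed to use mechanism: security flags do not match required]
Feb 13 17:16:11 srv-vln-pre1 imap1[29801]: login: xmlfrwk.pre.datadec-online.com [192.168.65.130] test-adm plaintext User logged in
Feb 13 17:20:40 srv-vln-pre1 imap1[29950]: login: client.example.net [192.0.2.10] test-adm PLAIN+TLS User logged in
"""

# Shared prefix: timestamp, host, service[pid], event kind, client host and IP.
PREFIX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ \w+\[\d+\]: (?P<kind>badlogin|login): "
    r"(?P<host>\S+) \[(?P<ip>[^\]]+)\] (?P<rest>.*)$")
# Tail of a badlogin entry: mechanism, SASL error code, reason text.
BAD = re.compile(r"^(?P<mech>\S+) \[SASL\((?P<code>-?\d+)\): (?P<reason>.*)\]$")
# Tail of a login entry: user, then mechanism (or "plaintext" for LOGIN).
OK = re.compile(r"^(?P<user>\S+) (?P<mech>\S+) ")


def parse(line):
    """Return a dict describing one login/badlogin entry, or None."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    tail = (BAD if ev["kind"] == "badlogin" else OK).match(ev.pop("rest"))
    if not tail:
        return None
    ev.update(tail.groupdict())
    # Assumption: the server appends "+TLS" to the mechanism on TLS sessions.
    ev["tls"] = ev["mech"].endswith("+TLS")
    return ev


def audit(log_text):
    """List (timestamp, client IP, finding) for entries worth a second look."""
    findings = []
    for ev in filter(None, map(parse, log_text.splitlines())):
        if ev["kind"] == "badlogin" and ev["code"] == "-16":
            findings.append((ev["ts"], ev["ip"], f"{ev['mech']} refused: encryption required"))
        elif ev["kind"] == "login" and not ev["tls"]:
            findings.append((ev["ts"], ev["ip"], f"cleartext login by {ev['user']}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```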

