cyradm cannot connect to cyrus imap server

Dan White dwhite at olp.net
Fri Feb 21 09:50:41 EST 2014


On 02/21/14 10:50 +0100, Willy Offermans wrote:
>Indeed, I needed to specify an authentication mechanism and then I could
>use the command line interface of cyradm:
>
>cyradm --user username --auth PLAIN localhost
>
>If we are at this point anyway, I was wondering what I need to do to use
>another authentication mechanism. Is this possible? And what do I need to
>consider?
>
>The IMAP server responds with the following authentication mechanisms:
>
>AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN
>
>If I log in with SCRAM-SHA-1:
>
>MyName at MyComputer:~$ cyradm --user username --auth SCRAM-SHA-1 localhost
>Password:
>verify error:num=19:self signed certificate in certificate chain
>cyradm: cannot authenticate to server with SCRAM-SHA-1 as username
>
>In the logs:
>
>Feb 21 09:48:36 MyComputer imap[17576]: badlogin: localhost [127.0.0.1] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
>
>I'm pretty sure that the user is registered in the ldap database.

DIGEST-MD5, CRAM-MD5, and SCRAM-SHA-1 all require Cyrus SASL to have access
to the shared secret (clear text password) to complete authentication. If
you're using LDAP to store your user credentials, you'll need to use the
ldapdb auxprop plugin and store users' clear text passwords in userPassword.
Presumably you're using 'sasl_pwcheck_method: saslauthd' currently, which
is sufficient for PLAIN and LOGIN authentication.

If you choose not to go the ldapdb route, I recommend specifying a
sasl_mech_list to limit your mechanisms to PLAIN and LOGIN (and EXTERNAL if
you intend to do starttls client authentication). If you don't do that, in
your current setup, most clients will attempt to first authenticate using a
shared secret mechanism (including cyradm in your initial attempt), which
will always fail on that attempt.

-- 
Dan White
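
The two imapd.conf arrangements described in the reply above, written out as an added example (this fragment is not from the thread or from the Cyrus documentation). Option A keeps saslauthd and simply stops advertising the shared-secret mechanisms; option B switches to the ldapdb auxprop plugin so SCRAM-SHA-1, DIGEST-MD5 and CRAM-MD5 can work. The LDAP URI, the proxy bind identity and its password are placeholders, and option B assumes the directory grants that identity proxy authorization and stores userPassword in clear text, as the reply says it must.

```conf
# /etc/imapd.conf (added example, not from the original message)

# Option A: keep saslauthd and advertise only what it can verify.
# Without sasl_mech_list the server still offers SCRAM-SHA-1, DIGEST-MD5
# and CRAM-MD5, and clients (cyradm included) try one of those first and
# fail with "user not found: unable to canonify user and get auxprops".
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
# Add EXTERNAL only if TLS client-certificate authentication is configured:
# sasl_mech_list: PLAIN LOGIN EXTERNAL

# Option B: let Cyrus SASL fetch the clear-text userPassword from LDAP via
# the ldapdb auxprop plugin so shared-secret mechanisms can be completed.
# ldapdb binds to the directory as a proxy identity (placeholder values
# below) and relies on LDAP proxy authorization to read the user's entry.
# Uncomment these and remove the saslauthd lines above to use it.
# sasl_pwcheck_method: auxprop
# sasl_auxprop_plugin: ldapdb
# sasl_ldapdb_uri: ldap://ldap.example.org
# sasl_ldapdb_id: cyrus-proxy
# sasl_ldapdb_pw: replace-me
# sasl_ldapdb_mech: DIGEST-MD5
# sasl_mech_list: SCRAM-SHA-1 DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
```

After restarting the Cyrus master with option A, `cyradm --user username --auth PLAIN localhost` is the only mechanism family the server offers, so cyradm no longer makes a doomed first attempt; with option B the original `--auth SCRAM-SHA-1` invocation from the quoted message should succeed once the plugin can read the password from the directory.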

