cyradm cannot connect to cyrus imap server

Willy Offermans Willy at Offermans.Rompen.nl
Fri Feb 21 10:11:41 EST 2014


Hello Dan,

On Fri, Feb 21, 2014 at 08:50:41AM -0600, Dan White wrote:
> On 02/21/14 10:50 +0100, Willy Offermans wrote:
> >Indeed, I needed to specify an authentication mechanism and then I could
> >use the command line interface of cyradm:
> >
> >cyradm --user username --auth PLAIN localhost
> >
> >If we are at this point anyway, I was wondering what I need to do to use
> >another authentication mechanism. Is this possible? And what do I need to
> >consider?
> >
> >The IMAP server responds with the following authentication mechanisms:
> >
> >AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN
> >
> >If I log in with SCRAM-SHA-1:
> >
> >MyName at MyComputer:~$ cyradm --user username --auth SCRAM-SHA-1 localhost
> >Password:
> >verify error:num=19:self signed certificate in certificate chain
> >cyradm: cannot authenticate to server with SCRAM-SHA-1 as username
> >
> >In the logs:
> >
> >Feb 21 09:48:36 MyComputer imap[17576]: badlogin: localhost [127.0.0.1] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
> >
> >I'm pretty sure that the user is registered in the ldap database.
> 
> DIGEST-MD5, CRAM-MD5, and SCRAM-SHA-1 all require cyrus sasl to have access
> to the shared secret (clear text password) to complete authentication. If
> you're using LDAP to store your user credentials, you'll need to use the
> ldapdb auxprop plugin and store users' clear text passwords in userPassword.
> Presumably you're using 'sasl_pwcheck_method: saslauthd' currently, which
> is sufficient for PLAIN and LOGIN authentication.
> 
> If you choose not to go the ldapdb route, I recommend specifying a
> sasl_mech_list to limit your mechanisms to PLAIN and LOGIN (and EXTERNAL if
> you intend to do starttls client authentication). If you don't do that, in
> your current setup, most clients will attempt to first authenticate using a
> shared secret mechanism (including cyradm in your initial attempt), which
> will always fail on that attempt.
> 
> -- 
> Dan White

Thank you a lot for the clarification. I did some searching on the internet
myself and got some increased understanding. I changed the
imapd.conf on the imap server and added:

sasl_mech_list: PLAIN LOGIN

to the settings.

This solved several issues. So I can already confirm your suggestion for
solution. But many thanks anyway.

You are pointing to EXTERNAL, next to PLAIN and LOGIN. I do not understand
this mechanism yet. At the moment I believe I have PLAIN password wrapped
into TLS. So I already do starttls client authentication. What will EXTERNAL
do?

-- 
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Wiel

*************************************
 W.K. Offermans
Home:   +31 45 544 49 44
Mobile: +31 681 15 87 68
e-mail: Willy at Offermans.Rompen.nl
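As an added example (not code from this thread or from the Cyrus project): a small Python audit that parses the AUTH= mechanisms out of an IMAP CAPABILITY line and compares them with the intended sasl_mech_list, flagging the situation Dan describes (shared-secret mechanisms such as SCRAM-SHA-1, DIGEST-MD5 and CRAM-MD5 advertised while libsasl has no clear-text secret store, so clients that try them first fail) and plaintext mechanisms offered before TLS is established. The capability lines, the grouping of mechanisms into classes, and the function names are constructed for this example; the AUTH= list in the first sample is the one quoted above.

```python
"""Audit the SASL mechanisms a Cyrus IMAP server advertises (constructed example)."""
import imaplib
import re
import ssl

# Hypothetical grouping of mechanisms by what the server needs to complete them.
SHARED_SECRET = {"SCRAM-SHA-1", "SCRAM-SHA-256", "DIGEST-MD5", "CRAM-MD5", "NTLM"}
PLAINTEXT = {"PLAIN", "LOGIN"}
EXTERNAL = {"EXTERNAL"}

# Constructed sample CAPABILITY lines. CAP_BEFORE carries the AUTH= list quoted in
# the thread (as seen after STARTTLS); CAP_AFTER is what a server restricted with
# "sasl_mech_list: PLAIN LOGIN" would show after STARTTLS; CAP_PRE_TLS is the
# pre-STARTTLS view of a server that hides plaintext mechanisms until TLS is up.
CAP_BEFORE = ("* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE SASL-IR "
              "AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM "
              "AUTH=PLAIN AUTH=LOGIN")
CAP_AFTER = "* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE SASL-IR AUTH=PLAIN AUTH=LOGIN"
CAP_PRE_TLS = "* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED"


def parse_auth_mechs(capability_line):
    """Return the set of SASL mechanisms advertised as AUTH=<mech>."""
    return {m.upper() for m in re.findall(r"\bAUTH=([A-Za-z0-9_-]+)", capability_line)}


def classify(mechs):
    """Group mechanisms by the server-side requirement each class has."""
    return {
        "shared_secret": sorted(mechs & SHARED_SECRET),  # needs clear-text secret (e.g. ldapdb auxprop)
        "plaintext": sorted(mechs & PLAINTEXT),          # works with saslauthd; must be inside TLS
        "external": sorted(mechs & EXTERNAL),            # TLS client certificate
        "other": sorted(mechs - SHARED_SECRET - PLAINTEXT - EXTERNAL),
    }


def audit(capability_line, sasl_mech_list, secrets_available=False, tls_active=False):
    """Compare the advertised mechanisms with the intended imapd.conf settings.

    sasl_mech_list:    mechanisms the admin intends to allow (value of sasl_mech_list).
    secrets_available: True only if an auxprop plugin (e.g. ldapdb) can give libsasl
                       the clear-text password needed by shared-secret mechanisms.
    tls_active:        whether the capability line was read after STARTTLS.
    Returns a list of findings; an empty list means the server matches the intent.
    """
    mechs = parse_auth_mechs(capability_line)
    classes = classify(mechs)
    findings = []
    extra = sorted(mechs - {m.upper() for m in sasl_mech_list})
    if extra:
        findings.append("advertised but not in sasl_mech_list: " + " ".join(extra))
    if classes["shared_secret"] and not secrets_available:
        findings.append("shared-secret mechanisms offered without a clear-text secret "
                        "store; clients trying them first will fail: "
                        + " ".join(classes["shared_secret"]))
    if classes["plaintext"] and not tls_active:
        findings.append("plaintext mechanisms offered before TLS is established")
    return findings


def fetch_capabilities(host, port=143, cafile=None):
    """Live check (not exercised here): connect, STARTTLS, return the post-TLS
    capability string. Passing the CA that issued the server certificate avoids
    the 'self signed certificate in certificate chain' verify error."""
    ctx = ssl.create_default_context(cafile=cafile)
    conn = imaplib.IMAP4(host, port)
    try:
        conn.starttls(ctx)
        return " ".join(conn.capabilities)
    finally:
        conn.logout()


if __name__ == "__main__":
    for label, cap, tls in (("before", CAP_BEFORE, True), ("after", CAP_AFTER, True),
                            ("pre-tls", CAP_PRE_TLS, False)):
        print(label, audit(cap, {"PLAIN", "LOGIN"}, tls_active=tls) or "consistent")
```

Run against a real server, `audit(fetch_capabilities("imap.example.test", cafile="ca.pem"), {"PLAIN", "LOGIN"}, tls_active=True)` should come back empty once sasl_mech_list is in place; adding "EXTERNAL" to the intended list only makes sense together with TLS client-certificate verification on the server.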
