Folks,

I've installed 2.0.7 using RedHat's PowerTools source RPM, built locally with a
few trivial mods, outlined in a previous post to this list:

    Message-id: <[EMAIL PROTECTED]>

Overall, I'm very impressed. Nice work! I even managed to get LDAP
authentication to work by adding the following to /etc/imapd.conf:

    sasl_pwcheck_method: pam

/etc/pam.d/imap reads as:

    #%PAM-1.0
    auth sufficient /lib/security/pam_ldap.so
    auth required /lib/security/pam_unix_auth.so try_first_pass
    account sufficient /lib/security/pam_ldap.so
    account required /lib/security/pam_unix_acct.so

My problem is that although I can get plaintext logins from Eudora to work just
fine:

    * OK mail2.iworkwell.com Cyrus IMAP4 v2.0.7 server ready
    00000 CAPABILITY
    * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS
    NO_ATOMIC_RENAME UNSELECT MULTIAPPEND ID SORT THREAD=ORDEREDSUBJECT
    AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 X-NETSCAPE
    00000 OK Completed
    00001 LOGIN dnickerson xxxxxxxxx
    00001 OK User logged in

I do not have the same luck when using CRAM-MD5, which I MUST use. I'm not sure
what sequence each of these events happens in, since sniffit does not give me
any timestamps. The client (Eudora) says:

    00000 CAPABILITY
    00001 AUTHENTICATE CRAM-MD5
    ZG5pY2tlcnNvbiBkZmYyZjUyOTZkNmQxN2I5NmNlZWFhYjFiYTZlMjNkZQ==
    00002 AUTHENTICATE GSSAPI

And the server says:

    * OK mail2.iworkwell.com Cyrus IMAP4 v2.0.7 server ready
    00000 CAPABILITY
    * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS NO_ATOMIC_RENAME
    UNSELECT MULTIAPPEND ID SORT THREAD=ORDEREDSUBJECT AUTH=GSSAPI AUTH=DIGEST-MD5
    AUTH=CRAM-MD5 X-NETSCAPE
    00000 OK Completed
    + PDU3OTk1NzYwMC4yMjcyNTAwQG1haWwyLml3b3Jrd2VsbC5jb20+
    00001 NO authentication failure
    +
    00002 BAD Invalid base64 string

Maybe I'm missing a fundamental point here - I notice that on my old server,
where CRAM-MD5 is working just fine, I'm still using sasldb, and it has two
entries, as well as realms:

    user: testuser realm: mail.iworkwell.com mech: PLAIN
    user: testuser realm: mail.iworkwell.com mech: CRAM-MD5

for each user. Do I need anything special in the LDAP schemas to support
cram-md5 authentication? Can anyone tell me how to fix CRAM-MD5?

Thanks in advance for any hints.
-Darren
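
The CRAM-MD5 exchange captured in the message above, decoded and checked the way a server has to check it; this is an added example, not part of the original post and not Cyrus code. The server recomputes HMAC-MD5 over its own challenge using the user's shared secret, so it needs a store that returns that secret (as sasldb does), whereas a backend that can only test a plaintext password it is handed, such as PAM, has nothing to compare against. The password `example-secret` and all function names are assumptions made up for the illustration.

```python
import base64
import hashlib
import hmac

# Copied from the capture in the post above.
SERVER_CHALLENGE_B64 = "PDU3OTk1NzYwMC4yMjcyNTAwQG1haWwyLml3b3Jrd2VsbC5jb20+"
CLIENT_RESPONSE_B64 = "ZG5pY2tlcnNvbiBkZmYyZjUyOTZkNmQxN2I5NmNlZWFhYjFiYTZlMjNkZQ=="


def decode_challenge(b64):
    """Server's '+ ...' continuation line -> the challenge string it issued."""
    return base64.b64decode(b64, validate=True).decode("ascii")


def parse_response(b64):
    """Client's reply -> (username, 32-digit lowercase hex HMAC-MD5)."""
    text = base64.b64decode(b64, validate=True).decode("utf-8")
    user, _, digest = text.rpartition(" ")
    if not user or len(digest) != 32 or set(digest) - set("0123456789abcdef"):
        raise ValueError("malformed CRAM-MD5 response")
    return user, digest


def client_response(user, secret, challenge):
    """What a client sends: base64("user " + hex(HMAC-MD5(secret, challenge)))."""
    mac = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {mac}".encode()).decode("ascii")


def server_verify(response_b64, challenge, lookup_secret):
    """Recompute the HMAC with the stored secret; no secret means no match."""
    user, digest = parse_response(response_b64)
    secret = lookup_secret(user)  # must return the shared secret itself
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    challenge = decode_challenge(SERVER_CHALLENGE_B64)
    print("challenge:", challenge)
    print("response :", parse_response(CLIENT_RESPONSE_B64))
    secrets = {"dnickerson": "example-secret"}  # constructed, not the real password
    reply = client_response("dnickerson", "example-secret", challenge)
    print("secret store  :", server_verify(reply, challenge, secrets.get))
    print("no secret held:", server_verify(reply, challenge, lambda user: None))
```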