On Wed, 19 Mar 2003, Luca Olivetti wrote:

> Ken Murchison wrote:
>
> > When you authenticate, you need to use a SASL mech which supports
> > proxying. Look at doc/mechanisms.html in the SASL distro for a complete
> > list. In your case, you should be able to use at least PLAIN (you can
> > use others if using OpenLDAP 2.2's auxprop plugin). Here's how you'd
> > authenticate as 'cyrus' and login as 'test' using imtest and cyradm:
>
> I'm using saslauthd (readme.html says that PLAIN uses saslauthd),
> mechanisms.html says that PLAIN can proxy, I have in my imapd.conf
>
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN
>
> but
>
> > imtest -a cyrus -u test -m plain localhost
>
> tells me that plain is not available:
>
> $ imtest -a cyrus -u luca -m plain localhost
> S: * OK saturn.wetron.local Cyrus IMAP4 v2.1.12-Mandrake-RPM-2.1.12-1mdk server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS LISTEXT LIST-SUBSCRIBED ANNOTATEMORE X-NETSCAPE
> S: C01 OK Completed
> C: A01 AUTHENTICATE PLAIN
> S: A01 NO no mechanism available
> Authentication failed. generic failure
> Security strength factor: 0
There's no AUTH=xxx entry, so there are *no* available mechs at this point.
AFAIK, unsafe mechs (the ones that send passwords in cleartext over the net)
are disabled by default. They're enabled if the client requests a TLS
connection via STARTTLS.

Here's the output of similar commands here (this is a test installation so
don't be surprised by the number of available mechs B-)):

$ imtest -m plain -a cyrus -u marco devel
S: * OK devel.ESI Cyrus IMAP4 v2.1.12 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=SRP AUTH=OTP AUTH=NTLM AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=GSSAPI X-NETSCAPE
S: C01 OK Completed
C: A01 AUTHENTICATE PLAIN
S: A01 NO no mechanism available
Authentication failed. generic failure
Security strength factor: 0
C: Q01 LOGOUT
Connection closed.

But, with SSL/TLS:

$ imtest -s -m plain -a cyrus -u marco devel
verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
S: * OK devel.ESI Cyrus IMAP4 v2.1.12 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=SRP AUTH=PLAIN AUTH=LOGIN AUTH=OTP AUTH=NTLM AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=GSSAPI X-NETSCAPE
S: C01 OK Completed
C: A01 AUTHENTICATE PLAIN
S: + Please enter your password:
C: bWFyY28AY3lydXMAY3lydXM=
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 168
. logout
* BYE LOGOUT received
. OK Completed
Connection closed.
The password I typed was the one of 'cyrus' (which is listed in admins: in
this test installation), but the user who logged in was 'marco':

Mar 19 10:27:05 devel imapd[31837]: starttls: TLSv1 with cipher DES-CBC3-SHA (168/168 bits new) no authentication
Mar 19 10:27:08 devel imapd[31837]: login: devel.ESI[127.0.0.1] marco PLAIN+TLS User logged in

> Note that if I omit the "-m plain" it will log me in as user cyrus (so
> no proxy):
>
> $ imtest -a cyrus -u luca localhost
> S: * OK saturn.wetron.local Cyrus IMAP4 v2.1.12-Mandrake-RPM-2.1.12-1mdk server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS LISTEXT LIST-SUBSCRIBED ANNOTATEMORE X-NETSCAPE
> S: C01 OK Completed
> Please enter your password:
> C: L01 LOGIN cyrus {7}
> S: + go ahead
> C: <omitted>
> S: L01 OK User logged in
> Authenticated.
> Security strength factor: 0

That was the LOGIN command, not AUTHENTICATE. I think it bypasses SASL
checks in some ways.

> > cyradm --user cyrus --authz test --auth plain localhost
>
> Will log me in as user cyrus (no proxy) (I gave the same password for
> user cyrus to both prompts):
>
> $ cyradm --user cyrus --authz luca --auth plain localhost
> Password:
> IMAP Password:
> localhost.localdomain> lm INBOX
> localhost.localdomain> lm user.luca
> user.luca (\HasChildren)
> localhost.localdomain>

$ cyradm --authz marco --user cyrus localhost
Password:
devel.ESI> lm
INBOX (\HasChildren)
INBOX.test2 (\HasNoChildren)
INBOX.test (\HasNoChildren)
devel.ESI> quit

Again, the password I typed was the one of 'cyrus', yet:

Mar 19 10:36:07 devel imapd[31845]: login: devel.ESI[127.0.0.1] marco SRP User logged in

I wasn't able to test PLAIN, because I don't know how to tell cyradm to use
TLS.

.TM.
-- 
      ____/  ____/   /
     /      /       /                   Marco Colombo
    ___/  ___  /   /                  Technical Manager
   /          /   /                     ESI s.r.l.
 _____/ _____/  _/                    [EMAIL PROTECTED]
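An added example, not code from the thread or from Cyrus: it decodes a SASL PLAIN response into its authzid/authcid/password fields (the format of the `C: bWFy...` line in the TLS session above) and applies the two rules the exchange demonstrates, that an authcid listed in admins: may log in as a different authzid, and that PLAIN is refused before TLS is up. The admins set, the TLS flag and the constructed sample message are assumptions.

```python
import base64

# Model of the proxy-authorization behaviour seen in the thread; the admins
# set, the tls flag and the sample message are constructed, not Cyrus code.

def parse_sasl_plain(b64_message: str) -> tuple[str, str, str]:
    """Split a base64 SASL PLAIN message into (authzid, authcid, password).

    Wire format (RFC 2595): [authzid] NUL authcid NUL passwd.
    An empty authzid means "authorize as the authenticating user".
    """
    raw = base64.b64decode(b64_message, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN message needs exactly two NUL separators")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    if not authcid or not password:
        raise ValueError("authcid and password must be non-empty")
    return authzid, authcid, password


def resolve_login(authzid: str, authcid: str, admins: set[str]) -> str:
    """Return the user the session ends up logged in as.

    A user may always authorize as itself; only an authcid listed in
    admins: (imapd.conf) may proxy to another authzid, as 'cyrus' -> 'marco'
    does in the log lines above.
    """
    if authzid in ("", authcid):
        return authcid
    if authcid in admins:
        return authzid
    raise PermissionError(f"{authcid!r} may not log in as {authzid!r}")


def plain_login(b64_message: str, tls_established: bool, admins: set[str]) -> str:
    """Refuse PLAIN on an unprotected connection, otherwise resolve the login."""
    if not tls_established:
        # Mirrors the "NO no mechanism available" seen before STARTTLS.
        raise PermissionError("no mechanism available")
    authzid, authcid, _password = parse_sasl_plain(b64_message)
    # A real server would now verify _password via saslauthd; omitted here.
    return resolve_login(authzid, authcid, admins)


# Constructed sample: authzid 'test', authcid 'cyrus', placeholder password.
SAMPLE = base64.b64encode(b"test\x00cyrus\x00example-pass").decode()

if __name__ == "__main__":
    print(plain_login(SAMPLE, tls_established=True, admins={"cyrus"}))
```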