On Thu, 27 May 2004, Simon Josefsson wrote:
Hello. Is it possible to get client authenticated STARTTLS working with Cyrus IMAPD, without a password login?
I'm assuming EXTERNAL would be used for this, so here is what I put in imapd.conf:
sasl_mech_list: PLAIN CRAM-MD5 DIGEST-MD5 EXTERNAL
Yes, it can, provided you authenticate with a proper trusted client cert (and that there is an authzid that is usable in the certificate).
However, even after successful client auth STARTTLS, the EXTERNAL mechanism is not available. Any ideas?
To be honest, this hasn't gotten much testing because it isn't really used by anyone (due to the need to have some way to convert client certs CNs to IMAP IDs reliably). I'd look for a problem in either cmd_starttls in imapd.c (to not set the SASL_AUTH_EXTERNAL value properly) or possibly in the code in server.c:mech_permitted in SASL. I do know that there was a bug in the handling of external that was fixed in 2.1.18, btw (revision 1.136 of server.c)...
-Rob
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456 Research Systems Programmer * /usr/contributed Gatekeeper
--- Cyrus Home Page: http://asg.web.cmu.edu/cyrus Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
