On 29-Oct-04, at 11:44 AM, Ken Murchison wrote:
I'm not sure I get what you mean by selecting the same column twice -- unless I'm mistaken, the query selects the PASSWORD column just once.
From the log that you posted, it looks like it's selecting PASSWORD twice for user 'patrick'. Am I incorrect?
Ah yes, I see what you mean -- this is what I meant by a redundant query. The same query is run twice in a row.
As for not being able to get rid of the second query -- is this a SASL bug?
Depends on your point of view. I'd say no, but others might disagree.
> I can't understand why on earth it would be doing this.
SASLv1 used to save a separate secret for each SASL mechanism, e.g. cmusaslsecretDIGEST-MD5, cmusaslsecretPLAIN.
SASLv2 now saves only the userPassword secret which is shared amongst the mechanisms (except for special cases like OTP).
When each SASL mechanism goes to fetch the secret from the auxprop plugin, it doesn't know if the old secret has been upgraded to the new secret (which only happens with a plaintext login), so it asks for both, and will use whatever it receives.
*beam of light shining on problem* Okay, that's starting to make sense now.
I've disabled plaintext passwords (allowplaintext: no), and now if I configure my email client to connect using POP3, password authentication, it only does one look-up for the password; however, IMAP logins (using password or MD5 challenge/response) still result in two queries being performed.
I'm pretty new to SASL, so this business of old and new secrets is a bit foreign to me. Given that this is a fresh setup, is there a way for me to force the server to assume that all old secrets have been upgraded to the new? Is this what the "sasl_auto_transition" option is for?
Thanks,
Patrick
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html