I found this post very helpful while troubleshooting. Using RHEL 4 RPMs for install of Cyrus IMAP 2.2.12 with murder. I am able to see that proxy user (proxyservers:) is able to auth properly (to backend) while using TLS with "imtest". After configuring "frontend" and "backend" for murder config, proxy is not authing from frontend to backend properly - I now assume that this is because proxy user is trying PLAIN without a TLS connection.
How do I fix this?

A) use MD5 or something else rather than PLAIN (I have read this is not possible unless using auxprop sasldb???). I am using saslauthd MECH=pam (for all of our LDAP users).

B) force "proxy" to be performed over TLS. Am I correct to assume that this would need to apply to imap and lmtp??

Are any of the above assumptions even valid????? What is "best practice" here?

Thanks,
Jake

List:       info-cyrus
Subject:    Re: Does Proxy User Work?
From:       phr2101 () columbia ! edu
Date:       2005-06-02 2:45:49
Message-ID: <1117680349.429e72dd53745 () cubmail ! cc ! columbia ! edu>

Glad I could help.

The -t "" option will cause imtest to do starttls. Once the connection is secure the server will allow the PLAIN mech to be used.

-Patrick

Quoting "John C. Amodeo" <[EMAIL PROTECTED]>:

> Patrick,
>
> That worked. Before, I was never using the -t "" option, so I assume we
> are forcing the use of the PLAIN mech and that makes all the difference
> in the world?
>
> Thank you so much for your input.
>
> -John
>
> Patrick Radtke wrote:
>
> > You can proxy as another user automatically with the cyrus user
> >
> > imtest -t "" -a cyrus -u tc2154 host.
> >
> > You give the cyrus password for authentication and then are authorized
> > as tc2154.
> >
> > If you want to use an account besides cyrus for authentication set
> > these in imapd.conf
> >
> > proxy_authname: proxyname
> > proxy_password: password
> >
> > Now you could do
> >
> > imtest -t "" -a proxyname -u tc2154 host.
> > and give the proxyname's password
> >
> > -Patrick
> >
> >
> > On Jun 1, 2005, at 4:18 PM, Tim Pushor wrote:
> >
> >> How about backing up the ldap directory, resetting the passwords to a
> >> known (to you) password, do the transition, and restore the
> >> directory?
> >>
> >> If that's not possible, how about setting up a new temporary directory
> >> with your user accounts and the known password, temporarily point
> >> cyrus to it until after the transition, then point it back?
> >>
> >> Thanks,
> >> Tim
> >>
> >> John C. Amodeo wrote:
> >>
> >>> I've been researching a way to proxy as another user for 2 days
> >>> without luck. It seems that Cyrus/SASL has the ability to take a
> >>> proxy command, but I cannot find any feasible application of it. I
> >>> need help.
> >>>
> >>> Here's the situation:
> >>>
> >>> I need to migrate 4 legacy Cyrus 2.0.17 servers to a new Cyrus
> >>> 2.1.15 server. For multiple reasons, I would rather perform the
> >>> migration via imap using a sync utility like imapsync (or the
> >>> equivalent) rather than trying to merge the 4 servers through a
> >>> manual upgrade / reconstruct.
> >>>
> >>> I need to be able to "login" as a normal user, say Bob Smith, as the
> >>> Cyrus superuser using Cyrus's credentials. If not, it will be a
> >>> nightmare (and a bad practice) to collect my users' IDs and
> >>> passwords to run the conversion... I would love to work in batch
> >>> mode where I would only need to supply userid (of the user) and then
> >>> the cyrus super account credentials (or equivalent...)
> >>>
> >>> I'm reading all over the place about the difference between authcid
> >>> and authzid, proxyservers: cyrus, etc. etc. but can't find any true
> >>> application for how this might work in real life. I've tried every
> >>> manageable combination of command line arguments with imtest to no
> >>> avail...
> >>>
> >>> Both my 2.0.16 boxes and my 2.1.15 box authenticate against a
> >>> central LDAP directory using sasl_mech_list: PLAIN.
> >>>
> >>> Does anyone have any ideas or suggestions? I really want to avoid
> >>> hacking the SASL code to take a "master" password for any user.
> >>>
> >>> Thanks in advance.
> >>>
> >>> -John
> >>>
> >> ---
> >> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
> >> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> >> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
> >
> >
>
> --
> ______________________________________________________________
> John C. Amodeo :: Associate Director of Information Technology
> Faculty of Arts and Sciences
> Rutgers, The State University of New Jersey
> Voice: 732.932.9455 Fax: 732.932.0013

____________________________________
Jake Holmquist
Associate Director Computer Services
Network Administrator
Manhattan College
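
Added example, not part of the original thread or of Cyrus itself: how `imtest -a cyrus -u tc2154` maps onto the SASL PLAIN fields of RFC 4616 (authcid = `-a`, authzid = `-u`), and why a server only advertises PLAIN once STARTTLS has completed. The password and the two CAPABILITY lines are constructed sample values, and the function names are hypothetical.

```python
import base64

def plain_initial_response(authcid, password, authzid=""):
    """Build the RFC 4616 PLAIN message: authzid NUL authcid NUL passwd."""
    for field in (authzid, authcid, password):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    raw = "\x00".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")  # IMAP sends it base64-encoded

def decode_plain(b64):
    """What any observer of a cleartext session recovers: base64 is not encryption."""
    authzid, authcid, password = base64.b64decode(b64).decode("utf-8").split("\x00")
    return {"authzid": authzid, "authcid": authcid, "password": password}

def offered_mechs(capability_line):
    """Extract the AUTH= mechanisms from an IMAP CAPABILITY response."""
    tokens = capability_line.split()
    return [t[5:].upper() for t in tokens if t.upper().startswith("AUTH=")]

def plain_offered(capability_line):
    return "PLAIN" in offered_mechs(capability_line)

# Constructed sample responses for a server restricted to sasl_mech_list: PLAIN.
BEFORE_STARTTLS = "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA STARTTLS LOGINDISABLED"
AFTER_STARTTLS = "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA AUTH=PLAIN"

def demo():
    # Equivalent of: imtest -t "" -a cyrus -u tc2154 host
    token = plain_initial_response(authcid="cyrus", password="example-pw",
                                   authzid="tc2154")
    return {
        "recovered": decode_plain(token),               # proxy password in the clear
        "plain_before_tls": plain_offered(BEFORE_STARTTLS),
        "plain_after_tls": plain_offered(AFTER_STARTTLS),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The same check applies to any connection that carries the proxy credentials: if the capability list seen before STARTTLS has no `AUTH=PLAIN`, a client that skips TLS has no mechanism left to authenticate with.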