I'm trying to implement a virtual-domain/virtual-user setup where '[EMAIL PROTECTED]' and '[EMAIL PROTECTED]' are separate users/accounts/mailboxes.

I'm using RHEL4 and all its official RPMs except for pam_mysql, which comes from a third party that rebuilds FC3 RPMs to work in RHEL4. Here are the relevant packages:
cyrus-imapd-2.2.12-3.RHEL4.1
cyrus-imapd-utils-2.2.12-3.RHEL4.1
cyrus-sasl-md5-2.1.19-5.EL4
cyrus-sasl-devel-2.1.19-5.EL4
cyrus-sasl-2.1.19-5.EL4
cyrus-sasl-plain-2.1.19-5.EL4
pam_mysql-0.50-6

In /etc/imapd.conf I changed
-------------------------------------
unixhierarchysep: yes
-------------------------------------


In /usr/lib/sasl2/smtpd.conf I have
-------------------------------------
pwcheck_method: saslauthd
-------------------------------------


In /etc/sysconfig/saslauthd I set
-------------------------------------
MECH=pam
-------------------------------------


My /etc/pam.d/imap looks like this
-------------------------------------
auth required pam_mysql.so user=mail passwd=***** host=localhost db=mail table=accounts usercolumn=user passwdcolumn=pass crypt=1

account required pam_mysql.so user=mail passwd=***** host=localhost db=mail table=accounts usercolumn=user passwdcolumn=pass crypt=1
-------------------------------------

My mysql table is brutally simple:

mysql> select * from accounts;
+-----------------------+---------------+
| user                  | pass          |
+-----------------------+---------------+
| [EMAIL PROTECTED]          | jTx9WNkRMWLZE |
| cyrus                 | 6.loOz32/WGiA |
| [EMAIL PROTECTED]          | zTFsFui6YVuKI |
+-----------------------+---------------+


The above is all "working" in that the following commands work, indicating the two are working as separate users and it can tell when you get the password right.
-------------------------------------
[EMAIL PROTECTED] ~]# testsaslauthd -u [EMAIL PROTECTED] -p foo
0: OK "Success."
[EMAIL PROTECTED] ~]# testsaslauthd -u [EMAIL PROTECTED] -p foo
0: NO "authentication failed"
[EMAIL PROTECTED] ~]# testsaslauthd -u [EMAIL PROTECTED] -p bar
0: OK "Success."
[EMAIL PROTECTED] ~]# testsaslauthd -u [EMAIL PROTECTED] -p bar
0: NO "authentication failed"
-------------------------------------

After running those four commands, the following expected errors show up in /var/log/messages
-------------------------------------
saslauthd[13079]: do_auth : auth failure: [EMAIL PROTECTED] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
saslauthd[13080]: do_auth : auth failure: [EMAIL PROTECTED] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
-------------------------------------

That's all well and good. Now comes the part I can't figure out... when I try to run cyradm as the users, it fails:
-------------------------------------
[EMAIL PROTECTED] ~]# cyradm --user [EMAIL PROTECTED] localhost
IMAP Password: <<I type in "foo" here>>
Login failed: authentication failure at /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm line 118
cyradm: cannot authenticate to server with  as [EMAIL PROTECTED]
-------------------------------------

And I get this in /var/log/messages
-------------------------------------
saslauthd[13080]: do_auth : auth failure: [user=john] [service=imap] [realm=foo.org] [mech=pam] [reason=PAM auth error]
-------------------------------------


For some reason testsaslauthd keeps "[EMAIL PROTECTED]" as the username, but cyradm breaks it up into user=john realm=foo.org, which then fails to authenticate. Similarly, if I try to connect with an IMAP client (Thunderbird) I get the same error as above, where it breaks the username up into separate user and realm parts.

What am I doing wrong here? Should I have a different table structure in mysql? Is there some config change I need to make to get it to *not* break up the username? Why does testsaslauthd work and nothing else?

Thank you to anyone who even read this far :)

-jim

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html