2010/7/2 Dan White <dwh...@olp.net>

> On 02/07/10 14:43 -0300, D G Teed wrote:
>
>> 2010/7/2 D G Teed <donald.t...@gmail.com>
>>
>>> Subject: Authentication problems since Redhat 5.5 updates
>>>
>>>>
>>>> We had a nice trouble free cyrus running until it was updated with
>>>> updates from Redhat today.
>>>>
>>>> I've tested with testsaslauthd (no service name given) and it works OK,
>>>> so I'd think things are fine on the pam, AD and ldap end.
>>>>
>>>> In the cyrus server's maillog I'm seeing messages like this from
>>>> attempts to connect from the remote webmail:
>>>>
>>>> Jul 2 13:54:22 navi imap[4073]: badlogin:
>>>> webmail.example.com[XXX.YYY.ZZZ.111] CRAM-MD5 [SASL(-13): user not
>>>> found: no secret in database]
>>>>
>>>>
>> I have things working again. I had disabled Unix authentication in pam
>> temporarily to try troubleshooting with my account. That had the side
>> effect of disabling the cyrus user from authentication. So that explains
>> the scripts using IMAP::Admin breaking.
>>
>> I also removed the package cyrus-sasl-md5 and I believe this has an impact
>> on the issue I was facing with "CRAM-MD5".
>>
>> Any tips on how to co-exist with that package are welcomed.
>>
>
> Cyrus imap will offer all available and initializable SASL authentication
> plugins it can find (see pluginviewer for that list). In the case where you
> have a plugin installed that you don't wish to offer, you can restrict the
> list of mechanisms with the sasl_mech_list option.
>
> If you're depending on saslauthd for authentication, you shouldn't be
> offering anything other than plain and login:
>
> sasl_mech_list: PLAIN LOGIN
>

Right, I had more in my list. And since I didn't have the cyrus-sasl-md5 package before, the mentioning of MD5 mech types in the sasl_mech_list didn't matter.

I have read some comments that suggest the MD5 mech options only work with sasl_pwcheck_method of auxprop, and won't work with pam via saslauthd. Is that true? That seems to be what you are saying as well. If not the case, I don't understand what would have been needed to enable the MD5 types of auth mechanism. Any pointers to where the MD5 types of mech are documented for configuration?

For some reason, IMAP connections using TLS were not impacted by the change. I'm not sure of all of the ways it was broken because I wanted to get the service back up ASAP, but I do know Horde webmail was unable to connect using IMAP and notls.

--Donald
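
As an added illustration (not code from this thread or from the Cyrus project), the Python below checks an imapd.conf for the situation discussed above: shared-secret mechanisms from cyrus-sasl-md5 being offered while passwords are verified only through saslauthd. The function names, the sample configuration and the plugin lists are constructed for the example; the plugin list stands in for what pluginviewer reports.

```python
# Added example; audit_imapd_conf and the sample data are hypothetical.

# Mechanisms shipped in cyrus-sasl-md5. Both are challenge-response and need
# the server to hold the user's secret (auxprop), which saslauthd cannot supply.
SHARED_SECRET_MECHS = {"CRAM-MD5", "DIGEST-MD5"}


def parse_conf(text):
    """Parse 'key: value' lines of an imapd.conf, skipping comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().lower()] = value.strip()
    return opts


def audit_imapd_conf(text, installed_plugins):
    """Return offered mechanisms that a saslauthd-only setup cannot verify.

    installed_plugins: mechanism names, as pluginviewer would list them.
    """
    opts = parse_conf(text)
    methods = opts.get("sasl_pwcheck_method", "").lower().split()
    # Only a saslauthd setup without an auxprop secret store is flagged.
    if "saslauthd" not in methods or "auxprop" in methods:
        return []
    installed = {m.upper() for m in installed_plugins}
    mech_list = opts.get("sasl_mech_list")
    if mech_list is None:
        offered = installed  # no restriction: every installed plugin is offered
    else:
        # A listed mechanism is only offered if its plugin is installed.
        offered = installed & {m.upper() for m in mech_list.split()}
    return sorted(offered & SHARED_SECRET_MECHS)


# Constructed sample: a mech list that names MD5 mechanisms, and the fix.
CONF_BROAD = "sasl_pwcheck_method: saslauthd\nsasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5\n"
CONF_FIXED = "sasl_pwcheck_method: saslauthd\nsasl_mech_list: PLAIN LOGIN\n"
WITH_MD5 = ["PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5"]

if __name__ == "__main__":
    print(audit_imapd_conf(CONF_BROAD, ["PLAIN", "LOGIN"]))  # plugin absent
    print(audit_imapd_conf(CONF_BROAD, WITH_MD5))            # after the update
    print(audit_imapd_conf(CONF_FIXED, WITH_MD5))            # restricted list
```
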