#170509 - 14/07/2003 13:03
Anyone running Cyrus IMAPd?
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
I'm trying to upgrade my Cyrus for a couple of reasons and I can't get the SASL2 authentication to work. Anyone using it and authenticating via /etc/sasldb?
_________________________
Bitt Faulk
#170510 - 14/07/2003 15:01
Re: Anyone running Cyrus IMAPd?
[Re: wfaulk]
carpal tunnel
Registered: 24/01/2002
Posts: 3937
Loc: Providence, RI
I'm using it, and the relevant people are all people I work with, but I've never used sasldb. If you have a targeted question I can walk down the hall or zephyr a question to the right person. (Technically half the right people left to work for Google and their empty office is next to mine.)
#170511 - 14/07/2003 15:37
Re: Anyone running Cyrus IMAPd?
[Re: Daria]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Ummm. Yeah. It don't work.
First, you might tell them that including some sort of test utility in the SASL distribution would be a good idea.
Second, the problem I'm having is that it seems to put the username and password in the sasldb, but nothing seems to be able to authenticate against that. One of the problems is that I'm not sure if it's a problem with sasl itself, or if it's a problem with other programs accessing it, or if it's a problem with some configuration, or what. (I recognize that Cyrus is supposed to be intended for internal CMU use and the fact that they release it publicly is a nicety, but the documentation still sucks.)
The thing is that I've been using SASL1 for ages without problem, but I need to upgrade and it requires SASL2 which simply doesn't seem to work at all. I've been poking around at it so much that I don't even know what questions to ask.
Okay.
- Is the proper imapd.conf option to get it to use sasldb ``sasl_pwcheck_method: sasldb'' or ``sasl_pwcheck_method: auxprop'' or something else?
- If it's ``auxprop'', why does it keep saying it can't find auxprop? There's no apparent way to build libauxprop.a to put into the plugins directory.
- Is there a test SASL program so that I can attempt to authenticate simply just to test to see if the sasldb is working properly at all? Running ``sasldblistusers2'' shows me the users, but I've no idea if the passwords are right.
That's all I can really think of right now. I posted a message to the SASL and Cyrus mailing lists. Maybe you could just prod them to answer me there.
_________________________
Bitt Faulk
#170512 - 14/07/2003 15:47
Re: Anyone running Cyrus IMAPd?
[Re: wfaulk]
veteran
Registered: 19/06/2000
Posts: 1495
Loc: US: CA
> Is the proper imapd.conf option to get it to use sasldb ``sasl_pwcheck_method: sasldb'' or ``sasl_pwcheck_method: auxprop'' or something else?
sasl_pwcheck_method: saslauthd
You might want to check out http://forums.gentoo.org and search for "cyrus imap sasl." It might give you some insight.
_________________________
Donato MkII/080000565 MkIIa/010101253 ricin.us
#170513 - 14/07/2003 15:55
Re: Anyone running Cyrus IMAPd?
[Re: ricin]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
saslauthd tells it to use a daemon that runs that allows authentication against /etc/passwd. This is distinctly not what I want to do.
Correct me if I'm wrong.
_________________________
Bitt Faulk
#170514 - 14/07/2003 15:59
Re: Anyone running Cyrus IMAPd?
[Re: wfaulk]
carpal tunnel
Registered: 24/01/2002
Posts: 3937
Loc: Providence, RI
> First, you might tell them that including some sort of test utility in the SASL distribution would be a good idea.
There's a "testsuite.c" in utils/ which appears to try the sasldb. That's probably not the best answer, since you'd have to whack out the gssapi support to use it. It does look like it includes a complete test of sasldb.
> (I recognize that Cyrus is supposed to be intended for internal CMU use and the fact that they release it publicly is a nicety, but the documentation still sucks.)
We have no tech writers. I suspect the results are public, so I can tell you that recently in a process we did to try to figure out what problems we had, internally, no documentation was high on that list. It sucks when you bring in new people, or when someone other than the system author needs to work on the system.
> Is the proper imapd.conf option to get it to use sasldb ``sasl_pwcheck_method: sasldb'' or ``sasl_pwcheck_method: auxprop'' or something else?
You want auxprop.
> If it's ``auxprop'', why does it keep saying it can't find auxprop? There's no apparent way to build libauxprop.a to put into the plugins directory.
auxprop is built into libsasl2. At least, it is in the version I'm looking at.
> Is there a test SASL program so that I can attempt to authenticate simply just to test to see if the sasldb is working properly at all? Running ``sasldblistusers2'' shows me the users, but I've no idea if the passwords are right.
Probably the best idea is "run saslauthd and run testsaslauthd against it". In fact, if you're running pwcheck for real, and not saslauthd, I recommend you switch. It should honor the pwcheck method.
#170515 - 14/07/2003 16:00
Re: Anyone running Cyrus IMAPd?
[Re: wfaulk]
carpal tunnel
Registered: 24/01/2002
Posts: 3937
Loc: Providence, RI
> Correct me if I'm wrong.
See my second reply. Basically, saslauthd will do what you want.
Realize we use GSSAPI and not local passwords or sasldb here, so if it didn't support pluggable backends, we'd be sad.
#170516 - 14/07/2003 16:08
Re: Anyone running Cyrus IMAPd?
[Re: Daria]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Eh? I don't follow.
I want an auth database totally separate from /etc/passwd and I'm not running any Kerberos/GSSAPI stuff. I don't think I want to do pwcheck (as that was the old pluggable mechanism, right?).
I use SASL pretty much solely for mail. IMAP right now, and I'm trying to get Postfix to use it, but I'm kinda behind on both installations. I have mail users that have no Unix accounts and vice versa.
So will saslauthd still do what I want?
_________________________
Bitt Faulk
#170517 - 14/07/2003 16:18
Re: Anyone running Cyrus IMAPd?
[Re: wfaulk]
carpal tunnel
Registered: 24/01/2002
Posts: 3937
Loc: Providence, RI
> want an auth database totally separate from /etc/passwd and I'm not running any Kerberos/GSSAPI stuff. I don't think I want to do pwcheck (as that was the old pluggable mechanism, right?).
No, you don't want pwcheck.
saslauthd will do what you want, and there's no "still" because you haven't ruled out anything relevant: it still supports pluggable backends for passwords. sasldb is just a backend.
#170518 - 14/07/2003 16:46
Re: Anyone running Cyrus IMAPd?
[Re: wfaulk]
carpal tunnel
Registered: 24/01/2002
Posts: 3937
Loc: Providence, RI
> (I recognize that Cyrus is supposed to be intended for internal CMU use and the fact that they release it publicly is a nicety, but the documentation still sucks.)
Amusingly there's a piece of email printed and hanging on Larry's door (never mind that Larry left) complaining about someone's configuration problems. Paraphrasing since I don't remember exactly, it ends:
"I hate u. i wish u just die."
#170519 - 14/07/2003 17:44
Re: Anyone running Cyrus IMAPd?
[Re: Daria]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
> saslauthd will do what you want ... it still supports pluggable backends for passwords. sasldb is just a backend.
Okay. But isn't ``auxprop'' supposed to do that without having a separate daemon running (which I'd prefer to avoid as it's on an already overloaded Pentium 166)? And if so, why isn't it working?
I understand that the daemon probably deals with concurrent access better, but this is just for home use, and another daemon means more wasted memory and process time; there's very little concurrent access to the mail system.
_________________________
Bitt Faulk
#170521 - 15/07/2003 06:39
Re: Anyone running Cyrus IMAPd?
[Re: Daria]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
I got a response from the mailing list. It may be that the config script didn't find my BerkeleyDB library, built it using dbm or something, but then didn't change the internal name of the dbfile properly (sasldb2 to sasldb2.db). I'm recompiling now.
_________________________
Bitt Faulk
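A check for the mismatch described in the last post (library built against one database backend, file on disk under another name or format), as an added example that is not from the thread or from the Cyrus project. It lists which of `sasldb2`, `sasldb2.db`, `sasldb2.dir` and `sasldb2.pag` exist, identifies the format from the header magic, and flags files accessible to "other" users, since sasldb holds password secrets. The function names, the suffix list and the demo file are assumptions made for illustration.

```python
import os
import stat
import struct
import tempfile

# Berkeley DB keeps its magic at byte offset 12 of the metadata page
# (old 1.85 hash files at offset 0); GDBM keeps it at offset 0.
BDB_MAGICS = {0x00061561: "Berkeley DB (hash)", 0x00053162: "Berkeley DB (btree)"}
GDBM_MAGICS = {0x13579ACE: "GDBM", 0x13579ACD: "GDBM", 0x13579ACF: "GDBM"}

def db_format(path):
    """Identify the on-disk database format from the file header."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for offset, table in ((12, BDB_MAGICS), (0, GDBM_MAGICS), (0, BDB_MAGICS)):
        if len(head) >= offset + 4:
            for order in ("<I", ">I"):  # either byte order may appear
                (magic,) = struct.unpack_from(order, head, offset)
                if magic in table:
                    return table[magic]
    return "unknown"

def audit_sasldb(base):
    """Report every file a SASL build might use for `base` (e.g. /etc/sasldb2)."""
    findings = []
    for suffix in ("", ".db", ".dir", ".pag"):
        path = base + suffix
        if not os.path.isfile(path):
            continue
        # ndbm splits the database into .dir/.pag files that carry no magic.
        kind = "ndbm component" if suffix in (".dir", ".pag") else db_format(path)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        findings.append({"path": path, "format": kind,
                         "world_accessible": bool(mode & 0o007)})
    return findings

def demo():
    """Constructed sample: a fake Berkeley DB header written to <tmp>/sasldb2.db."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "sasldb2.db")
    with open(path, "wb") as fh:
        fh.write(b"\x00" * 12 + struct.pack("<I", 0x00061561) + b"\x00" * 496)
    os.chmod(path, 0o644)  # deliberately too permissive for the demo
    return audit_sasldb(os.path.join(tmp, "sasldb2"))

if __name__ == "__main__":
    for item in demo():
        print(item)
```

If the only file found carries a suffix or format that differs from what the SASL library was configured for, the library opens a different (empty or missing) database even though the users were written successfully.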