hi all,

i've set up Exim(4.43), Cyrus-IMAP(2.1.19) & Cyrus-SASL(2.2.8) for use with VExim --
i.e. MySQL(4.1.7) usage/mgmt of virtual domains. replies from the folks on the vexim list
suggest that i might be better off with this issue here ...

after setup, with saslauthd's "-r" option set (saslauthd -r -a pam) so as to correctly handle
users with "@" signs, i can validate PLAIN auth:

       % imtest -p imap -m PLAIN -t "" -a [EMAIL PROTECTED] tiedgar
               > Authenticated.

where syslog shows:

       saslauthd[2391]: SELECT crypt FROM users WHERE username='siteadmin'

so far, so good.  but, LOGIN auth fails with:

       % imtest -p imap -m LOGIN -t "" -a [EMAIL PROTECTED] tiedgar
        > S: L01 NO Login failed: authentication failure
        > Authentication failed. generic failure

where snips from syslog.log show:

       saslauthd[2232]: pam_mysql: where clause =
       saslauthd[2232]: SELECT crypt FROM users WHERE username='[EMAIL PROTECTED]'
       saslauthd[2232]: pam_mysql: select returned more than one result
       saslauthd[2232]: returning 7 after db_checkpasswd.
       saslauthd[2232]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
       saslauthd[2232]: do_auth         : auth failure: [EMAIL PROTECTED] [service=imap] [realm=internal.testserver.com] [mech=pam] [reason=PAM auth error]
       imap[2294]: badlogin: testserver.internal.testserver.com [10.0.0.6] plaintext siteadmin SASL(-13): authentication failure: checkpass failed

now, after a little digging, i've learned that:

"When there is no record match in mysql table, pam-mysql returned error "select returned more
than one result" a misleading message."
        cref: 
<http://groups.google.com/groups?hl=en&lr=&threadm=ckt0af%24273h%241%40news.hgc.com.hk&rnum=1&prev=/groups%3Fq%3Dpam_mysql:%2Bselect%2Breturned%2Bmore%2Bthan%2Bone%2Bresult%26hl%3Den%26lr%3D%26sa%3DN%26scoring%3Dd>

which makes sense, since the query on '[EMAIL PROTECTED]' WILL return an empty result 
as there's no such user ... rather the user is '[EMAIL PROTECTED]'.

clearly, there's an issue w/ the SELECT statement's username ... but i dunno where
it's constructed/pulled-from.  in the first case (PLAIN auth) there's only a localpart,
in the 2nd case (LOGIN auth) there's a localpart + fqdn, but the WRONG fqdn.

is the answer in the Exim authenticators?  from my exim.conf:

       plain_login:
         driver = plaintext
         public_name = PLAIN
         server_condition =  ${lookup mysql{SELECT '1' FROM users WHERE \
                             username = '${quote_mysql:$2}' AND \
                             clear = '${quote_mysql:$3}'} {yes}{no}}
         server_set_id = $2

       fixed_login:
         driver = plaintext
         public_name = LOGIN
         server_prompts = "Username:: : Password::"
         server_condition =  ${lookup mysql{SELECT '1' FROM users WHERE \
                             username = '${quote_mysql:$1}' AND \
                             clear = '${quote_mysql:$2}'} {yes}{no}}
         server_set_id = $1


fyi, both auth mechs (PLAIN & LOGIN) ARE set in imapd.conf, and the relevant libs DO exist in the sasl2 plug-in lib.

ideas/suggestions?

thanks,

richard




--- Cyrus Home Page: http://asg.web.cmu.edu/cyrus Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
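
An added example, not part of the original message or of any project it mentions: a small Python triage script that groups saslauthd syslog lines by PID, extracts the username pam_mysql actually queried, and flags attempts where the queried domain equals the realm saslauthd reported. The log lines are constructed on the model of the excerpts above, with placeholder addresses and an assumed `[user=...]` field; `triage` and its result keys are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the syslog excerpts in the post.
# Addresses and the [user=...] field are placeholders, not original values.
SAMPLE_LOG = """\
saslauthd[2391]: SELECT crypt FROM users WHERE username='siteadmin'
saslauthd[2232]: pam_mysql: where clause =
saslauthd[2232]: SELECT crypt FROM users WHERE username='siteadmin@internal.example.test'
saslauthd[2232]: pam_mysql: select returned more than one result
saslauthd[2232]: returning 7 after db_checkpasswd.
saslauthd[2232]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
saslauthd[2232]: do_auth         : auth failure: [user=siteadmin] [service=imap] [realm=internal.example.test] [mech=pam] [reason=PAM auth error]
"""

LINE = re.compile(r"saslauthd\[(\d+)\]: (.*)")
QUERY = re.compile(r"WHERE username='([^']*)'")
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")


def triage(log_text):
    """Return {pid: summary} describing each saslauthd auth attempt."""
    attempts = defaultdict(lambda: {"queried": None, "pam_error": None, "fields": {}})
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a saslauthd line
        pid, msg = int(m.group(1)), m.group(2)
        entry = attempts[pid]
        if (q := QUERY.search(msg)):
            entry["queried"] = q.group(1)            # name sent to MySQL
        elif msg.startswith("pam_mysql: select returned"):
            entry["pam_error"] = msg                 # row-count complaint
        elif "auth failure" in msg:
            entry["fields"] = dict(FIELD.findall(msg))
    report = {}
    for pid, entry in attempts.items():
        _, _, domain = (entry["queried"] or "").partition("@")
        realm = entry["fields"].get("realm")
        report[pid] = {
            "queried": entry["queried"],
            "failed": bool(entry["fields"]),
            # True when the domain in the query is just the server's realm
            "realm_appended": bool(domain) and domain == realm,
            "pam_error": entry["pam_error"],
        }
    return report


if __name__ == "__main__":
    for pid, summary in triage(SAMPLE_LOG).items():
        print(pid, summary)
```
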
