Sorry Carsten,
I have been using uw-imap for more than a year... And I never found your package in
the package search form fink.sourceforge.net nor in the packages list
(stable or unstable). I looked for imap... Without success. This is the
reason why I never used your work.
As uw-imap was compiling out of the box for any version before 10.2 server,
I actually never bothered making a .info (I feel guilty now).
The problem that appeared with 10.2 server (and not 10.2 "client") is that
Apple introduced a new way to manage passwords. You now have the ability to
specify that a user should use password server instead of basic
authentication mechanism.
First question is: what is this password server useful for?
Answer is: there is a lot of ways used by programs to check passwords: unix
uses crypt, SMB uses MD5 (among others but I am not sure of this one), other
programs use Kerberos... And the big problem is that these ways of checking
passwords often rely on a unidirectional hash (which means that once you have
hashed a password, there is no way to come back to the original password in
order to generate another hash for another system). In other words, all
these hashes must be computed at the same time: when the user types his
password (in workgroup manager).
In OS X server 10.1, there was an obscure proprietary piece of code called
tim which was keeping unix and windows password synchronised. In OSX server
there is Password Server... Password server relies on SASL protocol to
provide a client/server way to check that a certain user with a certain
password has access to the server... In short, you give password server a
user name, a password and an authentication mechanism and password server
tells you if you are authorised. Password server is a good thing because it
is much less obscure than tim and is expandable.
Now, what happens if you do nidump passwd / and password server has been
activated:

    aduchate:********:100:20::0:0:Antoine Duchateau:...
    bbollind:stFAKEy0ycCRYPT01:109:20::0:0:Bernard Bollinder:...

Answer: you get ********* (password server is on for aduchate, off for
bbollind)
And that's also what you get with this code snippet for a user with password
server on:

    #include <pwd.h>
    #include <stdio.h>
    struct passwd *pw = getpwnam("aduchate");
    if (pw != NULL) fprintf(stdout, "%s\n", pw->pw_passwd);  /* getpwnam returns NULL for an unknown user */

result: *********

getpwnam is unfortunately often used to check a unix password... If you have
defined that a user must use password server, authentication is broken.
Next question is: is there an easy standard way to check passwords in OSX
10.2 SERVER which will work when password server is enabled and disabled?
Answer is YES. By chance, Apple has implemented PAM support inside MacOS
server 10.2. When you use PAM for authentication instead of getpwnam,
authentication works whatever the authentication mechanism chosen for a
specific user.
For uw imap, you have to use this make command:

    make osx PASSWDTYPE=pam

in order to enable PAM support (you also have to make sure that
security/pam.h is replaced by pam/pam.h because this is the place where
Apple put the pam.h inside /usr/include). Alas when you do this, though the
PAM part of the authentication works (as long as you create a pop/imap file
inside /etc/pam.d), later on, you get rejected because for some reason, in
the process of PAM authentication, the passwd structure gets altered: your
user name and uid are replaced by root/0. As you pointed out, the root
restriction causes uw-imap to kick you out though YOU WERE LOGGING IN AS A
NORMAL USER. This is why I needed to change the source code. My question is
now: IS THERE A WAY TO BUILD A /etc/pam.d/imap FILE SO THAT THIS PROBLEM
DOES NOT SHOW UP ?
For this question, I have got no answer (yet).
Cheers,
Antoine
> Hi Antoine,
>
> Are you trying to build my uw-imapd package?
>
> The uw-imapd works for me in 10.2 without any code modification. It
> should recognize usernames from the system automatically (indeed there
> is nothing to configure in uw-imapd). By design uw-imapd also does not
> allow root to login for security reasons (your root must use a .forward
> file) but this doesn't sound like the problem you are having.
>
> Which version of Mac OS X are you using?
>
> You might want to contact UW about modifying their code, maybe they
> have a mailing list to help with that.
>
> Carsten
>
> On Monday, October 14, 2002, at 03:40 am, Antoine Duchâteau wrote:
--------------------------------
Antoine Duchateau
Abaque sprl
Av. Louis Dehoux, 25
1160 Brussels - Belgium
email: [EMAIL PROTECTED]
phone: +32 2 675 33 33
--------------------------------
_______________________________________________
Fink-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/fink-devel
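
Added example, not part of the original message or of uw-imap: a small C audit over `nidump passwd /` output that flags accounts whose password field holds no local hash, which are the accounts a getpwnam()-plus-crypt() check will reject and that need PAM. The function names are hypothetical, and treating an all-asterisk field as the password-server marker is an assumption drawn from the output quoted in the message.

```c
#include <stdio.h>
#include <string.h>

enum pw_kind { PW_MALFORMED = -1, PW_LOCAL_HASH, PW_DELEGATED, PW_EMPTY };

/* Constructed sample input: the two lines quoted in the message (tails
 * elided there as "...") plus one deliberately malformed line. */
static const char *const SAMPLE[] = {
    "aduchate:********:100:20::0:0:Antoine Duchateau:...",
    "bbollind:stFAKEy0ycCRYPT01:109:20::0:0:Bernard Bollinder:...",
    "not-a-passwd-line",
};

/* Classify field 2 of one line and copy field 1 (login name) into name.
 * Fields are located with strchr(), not strtok(): strtok() skips empty
 * fields, so an empty password field would make the uid look like it. */
enum pw_kind classify_line(const char *line, char *name, size_t namesz)
{
    const char *c1 = strchr(line, ':');
    const char *c2 = c1 ? strchr(c1 + 1, ':') : NULL;
    if (!c1 || !c2 || c1 == line || (size_t)(c1 - line) >= namesz)
        return PW_MALFORMED;
    memcpy(name, line, (size_t)(c1 - line));
    name[c1 - line] = '\0';

    size_t len = (size_t)(c2 - c1 - 1);
    if (len == 0)
        return PW_EMPTY;
    /* Assumption: a field made only of '*' is the password-server marker. */
    return strspn(c1 + 1, "*") == len ? PW_DELEGATED : PW_LOCAL_HASH;
}

/* Count accounts with no local hash; report each one to out if non-NULL. */
size_t count_delegated(const char *const lines[], size_t n, FILE *out)
{
    size_t hits = 0;
    char name[64];
    for (size_t i = 0; i < n; i++) {
        if (classify_line(lines[i], name, sizeof name) != PW_DELEGATED)
            continue;
        hits++;
        if (out)
            fprintf(out, "%s: no local hash, getpwnam()+crypt() will fail; use PAM\n", name);
    }
    return hits;
}

int main(void)
{
    return count_delegated(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0], stdout) ? 0 : 1;
}
```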