Cyrus IMAP with pam_mysql?

2003-08-26 Thread Johan Paul
Hi,

Has anyone managed to get the Cyrus imapd to authenticate with pam_mysql
-authentication?

In /usr/local/etc/imapd.conf I have:
allowanonymouslogin: no
allowplaintext: yes
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN

...among other things.

I am running saslauthd with pam authentication:
silakka# ps xa |grep saslauthd
  258  ??  Is 0:00.01 /usr/local/sbin/saslauthd1 -a pam


This is what I have in my /etc/pam.conf:

# Mail services
imap auth sufficient pam_mysql.so user=mail passwd=uBerSecRETPASS host=localhost db=mail table=accountuser usercolumn=username passwdcolumn=password crypt=1

imap account required pam_mysql.so user=mail passwd=uBerSecRETPASS host=localhost db=mail table=accountuser usercolumn=username passwdcolumn=password crypt=1

The problem, I think, is the service column. The authentication is done
via PAM since when I change the password for my shell account the mail
password is changed too. But saslauthd uses some other service to
authenticate, not imap and thus not pam_mysql. Why doesn't it recognize the
above lines for Cyrus?

I am running FreeBSD 4.8R

This is giving me serious headache :) Thanks in advance for any clues!!


Regards,

Johan Paul

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Cyrus IMAP with pam_mysql?

2003-08-26 Thread Jon Mercer
Welcome to nightmaresville. I struggled with this for yonks, and found 
that there were some other files that needed to be setup, e.g.:

ajax# cd /usr/local/lib/sasl2
ajax# cat Cyrus.conf
pwcheck_method: saslauthd
ajax#
There is at least one other one, and I'm trying to find it!

Are you getting any trace out that you can post? I'd agree with you that 
it doesn't seem to be contacting the database. If you have a log against 
mysql, you could check this from the database end.

In my view, the docs for Cyrus fall a long way short of what is really 
needed!

Cheers,

Jon Mercer



Re: Cyrus IMAP with pam_mysql?

2003-08-26 Thread Johan Paul
Hi and thanks for your reply!

> Welcome to nightmaresville. I struggled with this for yonks, and found
> that there were some other files that needed to be setup, e.g.:

F**k! I mean why does it have to be so difficult? In RedHat Linux I got
the same configuration up without any problems...

> ajax# cd /usr/local/lib/sasl2
> ajax# cat Cyrus.conf
> pwcheck_method: saslauthd
> ajax#

Ok, well added that there also. And then I read somewhere that the
pwcheck_method line should be in imapd.conf too.

> There is at least one other one, and I'm trying to find it!
>
> Are you getting any trace out that you can post? I'd agree with you that
> it doesn't seem to be contacting the database. If you have a log against
> mysql, you could check this from the database end.

This was actually the other thing I was wondering about; a) where is
my.cnf in FreeBSD to config MySQL for and b) where does MySQL log the
queries? I would love to look into what pam really tries to do with
mysql - or doesn't.

The only thing I can trace back to is the line I get into /var/log/messages:

Aug 26 17:28:27 silakka imapd[3167]: login: my.machine[127.0.0.1] kypeli plaintext

Yes, it works, but it works even though it shouldn't, since I removed the
line from the database with my username. In fact I read these postings with
this username that shouldn't work :)

> In my view, the docs for Cyrus fall a long way short of what is really
> needed!

Yep! And this isn't the first time I struggle with Cyrus and notice that
the docs are out of date and mailing lists/newsgroups are the only way
to get help. Thank god for them :)

But the weirdest thing is that I think it in fact does use pam to auth
but it uses the wrong service (one that authenticates from
/etc/passwd). Can anyone verify if this is possible? What is the correct
service line for pam.conf?

> Cheers,
>
> Jon Mercer

Thanks,

Johan Paul


Re: Cyrus IMAP with pam_mysql?

2003-08-26 Thread Mike Maltese
> This was actually the other thing I was wondering about; a) where is
> my.cnf in FreeBSD to config MySQL for and b) where does MySQL log the
> queries? I would love to look into what pam really tries to do with
> mysql - or doesn't.

cp /usr/local/mysql/my-medium.cnf /etc/my.cnf


Re: Cyrus IMAP with pam_mysql?

2003-08-26 Thread Johan Paul
> Are you getting any trace out that you can post? I'd agree with you that
> it doesn't seem to be contacting the database. If you have a log against
> mysql, you could check this from the database end.

Started mysqld with logging enabled as debug. And now I can verify that
pam doesn't touch MySQL for authentication :-( Damn.

Regards,

Johan Paul



Re: Cyrus IMAP with pam_mysql?

2003-08-26 Thread Jon Mercer
OK, first off, my.cnf doesn't get created in the ports install on
FreeBSD, but if you check the startup script, all the parameters are
passed to the mysqld process at that time. If you have a play with the
mysql stuff you can modify that script so that it does read it. In fact
that is necessary if you want to run with InnoDB tables anyway (you
probably don't for pam_mysql). This is what you can modify the script to
look like, where it also sets the log directories:

#!/bin/sh

DB_DIR=/data01/mysql40
PIDFILE=${DB_DIR}/`/bin/hostname -s`.pid

case $1 in
start)
    if [ -x /usr/local/bin/mysqld_safe ]; then
        # Read options from my.cnf and write the logs under ${DB_DIR}/logs
        /usr/bin/limits -U mysql \
        /usr/local/bin/mysqld_safe \
            --defaults-file=/usr/local/etc/my.cnf --user=mysql \
            --log-bin-index=${DB_DIR}/logs/ajax-logidx.log \
            --log-error=${DB_DIR}/logs/errlog.log --skip-bdb \
            --pid-file=${PIDFILE} --datadir=${DB_DIR} > /dev/null &
        echo -n ' mysqld'
    fi
    ;;
stop)
    if [ -f ${PIDFILE} ]; then
        /bin/kill `cat ${PIDFILE}` > /dev/null 2>&1 && echo -n ' mysqld'
    else
        echo "mysql-server isn't running"
    fi
    ;;
*)
    echo ""
    echo "Usage: `basename $0` { start | stop }"
    echo ""
    exit 64
    ;;
esac

Default log directories are in the default data directory, which is
something like /var/db/mysql or somesuch (the location is in the
Makefile for mysql). They are changed in the above script prior to
starting the db server for the first time.

Incidentally, here is my version of the relevant section of pam.conf.

# Mail services
imap    auth    sufficient  pam_unix.so try_first_pass
imap    auth    optional    pam_mysql.so user=mail passwd=*** db=mail host=ajax table=mail_users usercolumn=user_col passwdcolumn=pw_col crypt=2
imap    account required    pam_mysql.so user=mail passwd=*** db=mail host=ajax table=mail_users usercolumn=user_col passwdcolumn=pw_col crypt=2
imaps   auth    sufficient  pam_unix.so try_first_pass
imaps   auth    optional    pam_mysql.so user=mail passwd=*** db=mail host=ajax table=mail_users usercolumn=user_col passwdcolumn=pw_col crypt=2
imaps   account required    pam_mysql.so user=mail passwd=*** db=mail host=ajax table=mail_users usercolumn=user_col passwdcolumn=pw_col crypt=2
pop3    auth    required    pam_unix.so try_first_pass
sieve   auth    sufficient  pam_unix.so try_first_pass
sieve   auth    optional    pam_mysql.so user=mail passwd=*** db=mail host=ajax table=mail_users usercolumn=user_col passwdcolumn=pw_col crypt=2
sieve   account required    pam_mysql.so user=mail passwd=*** db=mail host=ajax table=mail_users usercolumn=user_col passwdcolumn=pw_col crypt=2

It occurs to me that if you haven't enabled the imap port in
/etc/services, that could cause this kind of problem - but seems an
unlikely scenario.

Lastly _MAY BE IMPORTANT__

From the imapd.conf I have, I can't see the 'sasl_mech_list: PLAIN' 
line, so this may be affecting it!

FWIW, I still get shed loads of errors in the logfiles at auth time - 
never managed to sort that - and now can't be bothered!

Hope some of this helps! :-)

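Added example (not part of any message in this thread): a small resolver for the pam.conf layout posted above that reports which auth rules a given service name ends up with and why pam_mysql.so might never be consulted. It assumes the usual PAM behaviour that a service with no rules of its own falls back to the `other` entries and that a successful `sufficient` module ends the stack; the sample config, its placeholder password and the `audit` helper are constructed for illustration.

```python
# Constructed pam.conf sample in the thread's layout; password is a placeholder.
SAMPLE_PAM_CONF = """\
# Mail services
imap   auth     sufficient  pam_unix.so   try_first_pass
imap   auth     optional    pam_mysql.so  user=mail passwd=PLACEHOLDER \\
                                          db=mail table=mail_users
imap   account  required    pam_mysql.so  user=mail passwd=PLACEHOLDER db=mail
other  auth     required    pam_unix.so   try_first_pass
other  account  required    pam_unix.so
"""

def parse_pam_conf(text):
    """Parse 'service type control module [args]' lines into tuples."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank, comment-only or malformed line
        service, mtype, control = (f.lower() for f in fields[:3])
        module = fields[3].rsplit("/", 1)[-1]  # accept full module paths
        rules.append((service, mtype, control, module, fields[4:]))
    return rules

def stack_for(rules, service, mtype="auth"):
    """Return (service_used, rules); fall back to 'other' when none match."""
    own = [r for r in rules if r[0] == service.lower() and r[1] == mtype]
    if own:
        return service.lower(), own
    return "other", [r for r in rules if r[0] == "other" and r[1] == mtype]

def audit(rules, service, module="pam_mysql.so"):
    """List reasons `module` may never be consulted when `service` logs in."""
    used, stack = stack_for(rules, service)
    findings = []
    if used != service.lower():
        findings.append(f"no auth rules for '{service}'; PAM uses '{used}'")
    names = [r[3] for r in stack]
    if module not in names:
        findings.append(f"{module} is not in the '{used}' auth stack")
        return findings
    for r in stack[:names.index(module)]:
        if r[2] == "sufficient":
            findings.append(f"{r[3]} is 'sufficient' before {module}: "
                            "a valid system password ends the stack there")
    return findings

if __name__ == "__main__":
    for svc in ("imap", "smtp"):
        print(svc, "->", audit(parse_pam_conf(SAMPLE_PAM_CONF), svc))
```

Pointing it at the real /etc/pam.conf and the service name the daemon actually passes to PAM shows whether the database module is reachable at all before turning on MySQL query logging.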