Bug 11573

Summary: Authentication Fails when logging into cyrus-imapd
Product: [Retired] Red Hat Powertools
Reporter: Oliver Jones <oliver>
Component: cyrus-sasl
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED RAWHIDE
Severity: high
Priority: medium
Version: 6.1
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2000-05-29 21:53:18 UTC

Description Oliver Jones 2000-05-22 10:43:39 UTC
Why no cyrus-imapd component to powertools-6.2???  The rpm's are there!!

On RedHat Linux 6.1.

After a download/compile/install of:

cyrus-imapd-1.6.19-2.src.rpm
cyrus-sasl-1.5.11-2.src.rpm

I can't login to the imapd server.

From my understanding PAM is the default auth method.  And even with
"sasl_pwcheck_method: PAM" added to the /etc/imapd.conf I still can't
login.

This is what "imtest -m login -p imap localhost" produces:

S: * OK binary.deeper.co.nz Cyrus IMAP4 v1.6.19 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS
X-NON-HIERARCHICAL-RENAME NO_ATOMIC_RENAME AUTH=PLAIN AUTH=DIGEST-MD5
UNSELECT
S: C01 OK Completed
Password:
+ go ahead
<<pause for 3 seconds or so>>
L01 NO Login failed. Error=-13
Authenticated.
Security strength factor: 0

All in all very strange.

Comment 1 Nalin Dahyabhai 2000-05-22 16:24:59 UTC
This is an unfortunate interaction of PAM and the Cyrus SASL library.  The
pam_unix and pam_pwdb modules use setuid-root helpers to check passwords, but
due to security concerns, a program executing as any user other than root can
only authenticate for the user it is running as (in this case, "cyrus", the
user the imap server is executing as).

Changing this behavior in PAM would weaken the security of the pam_unix and
pam_pwdb modules, so I'm reluctant to make such a change.  It may very well
work properly using pam_radius, pam_krb5, or pam_userdb.

Comment 2 Oliver Jones 2000-05-23 02:55:59 UTC
Well this leads me in the right direction I guess.  I'm intending on playing
with pam_ldap.  Would this be a suitable variant to try?  It doesn't rely on
setuid programs, does it?

Comment 3 Nalin Dahyabhai 2000-05-29 21:53:59 UTC
No, not that I'm aware of.  Please follow up if this does in fact work for you.

Comment 4 Nalin Dahyabhai 2000-08-04 06:48:20 UTC
With more experience using it, I can now verify that pam_ldap should work in
this situation.  Closing this bug report.

Comment 5 Oliver Jones 2001-05-01 00:13:54 UTC
Indeed it does.  I've been using pam_ldap with cyrus for some time now. 
Performance is much much much better than wu-imapd.  I personally believe RedHat
should package cyrus with RedHat Linux rather than wu-imapd.  I notice that the
imap daemon has changed in the latest (7.x) releases but I do not have
experience with it.  

The benefits cyrus provides include superior performance, more security with
TLS/SSL support, non-shell-login mail accounts, LDAP integration, integrated
email filtering with SIEVE and more.
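
The check below is an added example, not part of the original bug report and not code from PAM or Cyrus. It parses a PAM service file and reports the auth modules that Comment 1 names as relying on setuid-root helpers when the daemon runs as a non-root user, and shows that the pam_ldap stack from Comments 4 and 5 passes. The stack contents, the uid 76 and the function names are constructed for illustration.

```python
import re

# Modules Comment 1 names as checking passwords through setuid-root helpers.
HELPER_MODULES = {"pam_unix", "pam_pwdb"}

# Constructed sample service files (not taken from the report).
PWDB_STACK = """#%PAM-1.0
auth     required  /lib/security/pam_pwdb.so shadow nullok
account  required  /lib/security/pam_pwdb.so
"""
LDAP_STACK = """#%PAM-1.0
auth     required  /lib/security/pam_ldap.so
account  required  /lib/security/pam_ldap.so
"""

def parse_pam_service(text):
    """Yield (type, control, module, args) from /etc/pam.d/<service> syntax."""
    text = re.sub(r"\\\n", " ", text)  # backslash-newline continues a rule
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            yield m.group(1).lstrip("-"), m.group(2), m.group(3), m.group(4).split()

def module_name(path):
    """Reduce '/lib/security/pam_pwdb.so' or 'pam_pwdb.so' to 'pam_pwdb'."""
    return re.sub(r"\.so$", "", path.rsplit("/", 1)[-1])

def helper_dependent_auth(text, daemon_uid):
    """Return auth modules that cannot verify other users' passwords
    when the calling daemon is not root (the failure in this report)."""
    if daemon_uid == 0:
        return []  # the restriction only applies to non-root callers
    return [module_name(mod)
            for typ, _control, mod, _args in parse_pam_service(text)
            if typ == "auth" and module_name(mod) in HELPER_MODULES]

if __name__ == "__main__":
    CYRUS_UID = 76  # constructed uid for the "cyrus" user
    for label, stack in (("pam_pwdb stack", PWDB_STACK), ("pam_ldap stack", LDAP_STACK)):
        flagged = helper_dependent_auth(stack, CYRUS_UID)
        print(label, "->", flagged or "no helper-dependent auth modules")
```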