Bug 11573 - Authentication Fails when logging into cyrus-imapd
Status: CLOSED RAWHIDE
Product: Red Hat Powertools
Classification: Retired
Component: cyrus-sasl
Version: 6.1
Hardware: i386 Linux
Priority: medium, Severity: high
Assigned To: Nalin Dahyabhai
Reported: 2000-05-22 06:43 EDT by Oliver Jones
Modified: 2008-05-01 11:37 EDT
Doc Type: Bug Fix
Last Closed: 2000-05-29 17:53:18 EDT
Description Oliver Jones 2000-05-22 06:43:39 EDT
Why no cyrus-imapd component to powertools-6.2???  The rpm's are there!!

On RedHat Linux 6.1.

After a download/compile/install of:

cyrus-imapd-1.6.19-2.src.rpm
cyrus-sasl-1.5.11-2.src.rpm

I can't log in to the imapd server.

From my understanding PAM is the default auth method.  And even with
"sasl_pwcheck_method: PAM" added to the /etc/imapd.conf I still can't
log in.

This is what "imtest -m login -p imap localhost" produces:

S: * OK binary.deeper.co.nz Cyrus IMAP4 v1.6.19 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS
X-NON-HIERARCHICAL-RENAME NO_ATOMIC_RENAME AUTH=PLAIN AUTH=DIGEST-MD5
UNSELECT
S: C01 OK Completed
Password:
+ go ahead
<<pause for 3 seconds or so>>
L01 NO Login failed. Error=-13
Authenticated.
Security strength factor: 0

All in all very strange.
Comment 1 Nalin Dahyabhai 2000-05-22 12:24:59 EDT
This is an unfortunate interaction of PAM and the Cyrus SASL library.  The
pam_unix and pam_pwdb modules use setuid-root helpers to check passwords, but
due to security concerns, a program executing as any user other than root can
only authenticate for the user it is running as (in this case, "cyrus", the
user the imap server is executing as).

Changing this behavior in PAM would weaken the security of the pam_unix and
pam_pwdb modules, so I'm reluctant to make such a change.  It may very well
work properly using pam_radius, pam_krb5, or pam_userdb.
Comment 2 Oliver Jones 2000-05-22 22:55:59 EDT
Well, this leads me in the right direction I guess.  I'm intending on playing
with pam_ldap.  Would this be a suitable variant to try?  It doesn't rely on
setuid programs, does it?
Comment 3 Nalin Dahyabhai 2000-05-29 17:53:59 EDT
No, not that I'm aware of.  Please follow up if this does in fact work for you.
Comment 4 Nalin Dahyabhai 2000-08-04 02:48:20 EDT
With more experience using it, I can now verify that pam_ldap should work in
this situation.  Closing this bug report.
Comment 5 Oliver Jones 2001-04-30 20:13:54 EDT
Indeed it does.  I've been using pam_ldap with cyrus for some time now. 
Performance is much much much better than wu-imapd.  I personally believe RedHat
should package cyrus with RedHat Linux rather than wu-imapd.  I notice that the
imap daemon has changed in the latest (7.x) releases but I do not have
experience with it.  

The benefits cyrus provides include superior performance, more security with
TLS/SSL support, non shell login mail accounts, ldap integration, integrated
email filtering with SIEVE and more.
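
The rule described in Comment 1, written out as a small configuration check. This is an added example, not part of the bug thread and not code from Cyrus or PAM; the sample imapd.conf and PAM service text, the module paths and the login name "oliver" are constructed, and treating the user name "root" as uid 0 is an assumption.

```python
import re

# Modules that Comment 1 says verify passwords through a setuid-root helper.
HELPER_MODULES = {"pam_unix", "pam_pwdb"}

def pwcheck_method(imapd_conf):
    """Return the sasl_pwcheck_method value from imapd.conf text, or None."""
    for line in imapd_conf.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip() == "sasl_pwcheck_method":
            return value.strip()
    return None

def auth_modules(pam_service):
    """Return the module names on the 'auth' lines of a PAM service file."""
    names = []
    for line in pam_service.splitlines():
        line = line.split("#", 1)[0]                   # drop comments
        line = re.sub(r"\[[^\]]*\]", "CONTROL", line)  # bracketed control field
        fields = line.split()
        if len(fields) >= 3 and fields[0].lstrip("-") == "auth":
            module = fields[2].rsplit("/", 1)[-1]
            names.append(module[:-3] if module.endswith(".so") else module)
    return names

def refusing_modules(imapd_conf, pam_service, daemon_user, login_user):
    """List auth modules that will refuse to check login_user's password.

    Rule from Comment 1: a helper-based module called by a non-root process
    only authenticates the user that process is running as.
    """
    if (pwcheck_method(imapd_conf) or "").upper() != "PAM":
        return []
    if daemon_user in ("root", login_user):  # assumption: "root" means uid 0
        return []
    return [m for m in auth_modules(pam_service) if m in HELPER_MODULES]

# Constructed sample inputs (not taken from the reporter's system).
IMAPD_CONF = "configdirectory: /var/imap\nsasl_pwcheck_method: PAM\n"
PAM_PWDB = ("auth     required  /lib/security/pam_pwdb.so shadow nullok\n"
            "account  required  /lib/security/pam_pwdb.so\n")
PAM_LDAP = ("auth     required  /lib/security/pam_ldap.so\n"
            "account  required  /lib/security/pam_ldap.so\n")

if __name__ == "__main__":
    for label, stack in (("pam_pwdb", PAM_PWDB), ("pam_ldap", PAM_LDAP)):
        hits = refusing_modules(IMAPD_CONF, stack, "cyrus", "oliver")
        print(label, "->", hits or "no helper-based auth module")
```

The check only flags helper-based modules on `auth` lines; it does not evaluate PAM control flags, so a stack that mixes module types still needs reading by hand.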
