saslauth problem / imap login does not work *fixed?*

Bernhard Reiter bernhard at intevation.de
Thu Mar 17 17:51:46 CET 2005


Hi Michael,

first: your question to kolab-user is completely fine.
Kolab-devel is for people that are interested 
to help us with technical details.

The problem for authentication to imap
seems to be that the information for the users
in the ldap and the maildomain do not properly match.

You can check this by comparing /kolab/etc/imap/imap.conf
loginrealms with /kolab/sbin/slapcat | grep postfix-mydomain.
This should match.

Next, the user's maildomain should also match this.
I think that the reason that there are not many people hitting
this problem is that once you have this right, the stuff works nicely.
Our issue660 is about adding a check when adding users.

Note that if you want to debug imap, here is a raw howto.
http://kolab.org/cgi-bin/viewcvs-kolab.cgi/doc/raw-howtos/speaking-imap-for-debugging.txt
Using tls or ssl is not necessary to test imap or use kolab,
but it protects you against unwanted listeners.

Bernhard

On Tuesday 15 March 2005 00:28, Michael Schmitt wrote:
> Maybe final conclusion ;) a friend of mine helped me to debug the actual
> problem. It is more or less unrelated to things that were suggested.
> Here it is:
>
> On monday, 14.03.2005, 23:35 +0100 Maurice Massar (from the university
> of Karlsruhe/Germany) wrote:
>
> hi,
>
> I've seen "saslauthd: Domain/Realm not available" errors in the log too,
> but I've been able to successfully authenticate and still get these.
>
> First, I tried to login without SSL/TLS, and this failed with the real
> error message being in /kolab/var/imapd/log/misc.log:
>
> # /kolab/bin/imtest localhost -a test -w 1234 -v -m plain
>
> <notice> imap[25826]: badlogin: kolab [127.0.0.1] PLAIN [SASL(-16):
> encryption needed to use mechanism: security flagsdo not match required]
>
> Ok, let's use ssl:
> /kolab/bin/imtest localhost -a test -w 1234 -v -m plain  -t ""
>
> and it still fails:
> <notice> imap[25835]: cross-realm login test at kolab.tcw.local denied
> <notice> imap[25835]: badlogin: kolab [127.0.0.1] PLAIN [SASL(-13):
> authentication failure: cross-realm login test at kolab.tcw.local denied]
>
> I noticed that /kolab/etc/imapd/imapd.conf only includes
> loginrealms:            tcw.local
>
> so I changed my test command again:
> /kolab/bin/imtest localhost -a test@tcw.local -w 1234 -v -m plain  -t ""
>
> S: A01 OK Success (tls protection)
>
> and it works (:
>
>
> conclusion:
> 1) use SSL/TLS
> 2) login with user@domain instead of just user
>
> cu
> maurice
>
> Some additional notes:
>
> In conclusion 2) of Maurice, "user" refers to the actual uid of that
> user. If there is no separate uid and the uid is just the primary
> email address... that could lead to some really weird stuff. I did not
> test that issue completely though. But I am really amazed that so few
> people seem to stumble across that.
> It may be a good idea to note that somewhere in the docs or (what I
> would prefer) fix the real problem behind that issue. There is already a
> bugreport concerning this at
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=298902
> This bug is not only debian-related, as it seems it is in the upstream
> release too. Maybe it is just a wishlist report, but in combination with
> Kolab it can be really nasty ;) There is also a diff concerning this. It
> was reported that this is already fixed in the new cyrus22 release
> though.
> What is (may be) left... saslauthd: Domain/Realm not available... as it
> seems it does not cause any problems here, but a "fix" would be great
> nevertheless.
>
> regards
> Michael
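
The consistency check Bernhard describes (loginrealms against postfix-mydomain, then each user's mail domain), written out as a script. This is an added example, not part of the original thread or of Kolab; the `mail:` attribute, the function names and the sample file contents are constructed assumptions, and on a real server the LDIF would be `/kolab/sbin/slapcat` output saved to a file.

```shell
#!/bin/sh
# Added example: compare Cyrus loginrealms with the LDAP mail domain.

# Print each realm on the "loginrealms:" line of an imapd.conf, one per line.
loginrealms() {
    sed -n 's/^loginrealms:[[:space:]]*//p' "$1" | tr -s '[:blank:]' '\n' | sed '/^$/d'
}

# Print the postfix-mydomain value found in slapcat LDIF output.
ldap_maildomain() {
    sed -n 's/^postfix-mydomain:[[:space:]]*//p' "$1"
}

# Succeed only if the LDAP mail domain is one of the login realms.
realms_match() {   # args: imapd.conf, LDIF file
    dom=$(ldap_maildomain "$2")
    [ -n "$dom" ] && loginrealms "$1" | grep -qxiF "$dom"
}

# Print every mail address whose domain part is not a login realm.
users_outside_realms() {   # args: imapd.conf, LDIF file
    realms=$(loginrealms "$1")
    sed -n 's/^mail:[[:space:]]*//p' "$2" | while read -r addr; do
        printf '%s\n' "$realms" | grep -qxiF "${addr##*@}" || printf '%s\n' "$addr"
    done
}

# Constructed sample input; the second user has a domain outside loginrealms.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/imapd.conf" <<'EOF'
loginrealms:            tcw.local
EOF
cat > "$SAMPLES/slapcat.ldif" <<'EOF'
dn: k=kolab,dc=tcw,dc=local
postfix-mydomain: tcw.local

dn: cn=test,dc=tcw,dc=local
mail: test@tcw.local

dn: cn=other,dc=tcw,dc=local
mail: other@kolab.tcw.local
EOF

if realms_match "$SAMPLES/imapd.conf" "$SAMPLES/slapcat.ldif"; then
    echo "loginrealms contains postfix-mydomain"
else
    echo "MISMATCH between loginrealms and postfix-mydomain"
fi
users_outside_realms "$SAMPLES/imapd.conf" "$SAMPLES/slapcat.ldif" | sed 's/^/outside loginrealms: /'
```

Base64-encoded LDIF values (`mail:: ...`) are not decoded by this sketch.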