RE: SASL 2.1.17 with auxprop to Myqsl

From: Simon Matter (simon dot matter at ch dot sauter-bc dot com)
Date: Fri Mar 12 2004 - 01:29:33 EST

    > We're running all of this on RH 7.3. We may be switching to BSD once

    OT: RedHat has already dropped 'support' for RedHat 7.3. You may look at
    the Fedora Legacy Project for updates.


    > Redhat drops its support at the end of the year... depends on what that
    > entails in its entirety since we don't really use Redhat's support
    > anyways.
    > But it kind of makes me wary since you can't get it working at all. It
    > would really hurt my head to know that we have to switch from RH to BSD and
    > everything we've migrated and done is now useless - that would be hard to
    > explain to our customers... hmmm...
    > I played around with the realm function and it always uses domain1.
    > For instance, when it queries the database, even if we're going for
    > janedoe at domain2 - it says:
    > Select password from users where username='janedoe at domain1 dot com'
    > The %p always returns the auth mech we're using - so the actual
    > query logs report:
    > "select password from users where username='janedoe' and
    > password='saslauthPLAIN'"
    > We could add more realms but then I run into the problem of
    > importing domains where the users are used to using just their username to
    > authenticate (we will be hosting the mail for other domains with thousands
    > of users, so it needs to be a seamless migration; just change an mx record
    > and cross your fingers).
    > Do you have an idea I haven't thought of yet? I suppose I could do a
    > Mysql "like"... but then it would still take the first entry and not the
    > second (or third, or fourth, et cetera).
    > - Demian
    > -----Original Message-----
    > From: Remko Lodder [mailto:remko at elvandar dot org]
    > Sent: Thursday, March 11, 2004 2:38 PM
    > To: dwt; cyrus-sasl at lists dot andrew dot cmu dot edu
    > Subject: RE: SASL 2.1.17 with auxprop to Myqsl
    > Select username from users where password='%p' and username='%u';
    > try using '%u@%r' at the username section
    > => user at realm, so that
    > Note that I am interested in what platform you run it on, on OpenBSD I
    > don't get it working at all :-)
    > Cheers
    > --
    > Kind regards,
    > Remko Lodder
    > Dutch community for helping newcomers on the
    > hackerscene
    > -----Original Message-----
    > From: owner-cyrus-sasl at lists dot andrew dot cmu dot edu
    > [mailto:owner-cyrus-sasl at lists dot andrew dot cmu dot edu] On behalf of dwt
    > Sent: Thursday, March 11, 2004 20:09
    > To: cyrus-sasl at lists dot andrew dot cmu dot edu
    > Subject: SASL 2.1.17 with auxprop to Myqsl
    > Hi,
    > I spent quite a bit of time digging through the archives.. 3 hours
    > to be exact. I saw a couple similar requests, yet didn't see one of them
    > get answered. I'm hoping this one has better luck.
    > Smtpd.conf:
    > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    > pwcheck_method: auxprop
    > auxprop_plugin: sql
    > sql_engine: mysql
    > mech_list: plain login
    > sql_user: removed
    > sql_passwd: removed
    > sql_hostnames: localhost
    > sql_database: postfix
    > sql_statement: select Password from users where username='%u';
    > sql_verbose: true
    > ---------------------------------
    > This setup works fine with one domain. Not a single glitch ever.
    > Regardless of how frustrating SASL may be to configure and compile, I have
    > to give it a gold star on reliability. But now I've run into a problem. I'm
    > building a massive server to support multiple domains: Courier IMAP,
    > Postfix, and Mysql as an authentication module on all ends with Cyrus SASL
    > for the outbound authentication. All users for all domains are stored in
    > our one database table, "users".
    > So in this instance we have janedoe at domain1 dot com with password
    > pickles and janedoe at domain2 dot com with password plums. The problem we've
    > found is, when SASL hits up the database to authenticate the user, it finds
    > the first entry and then stops. So when janedoe at domain2 dot com tries to
    > send mail, with her password plums, SASL looks through the database for
    > janedoe and sees the password as pickles and thus rejects the authentication
    > attempt.
    > The solution is to make a statement that looks for the password and
    > the username and then compares the two with the authentication attempt
    > such as:
    > Select username from users where password='%p' and username='%u';
    > I know %p doesn't give me what I want... but I was hoping there was
    > some way I could make it what I want since according to some documentation
    > I read, %p can "technically be anything".
    > Any ideas or suggestions... or if you know exactly how to correct this
    > problem... would be greatly appreciated.
    > Thank you,
    > - Demian
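Since the thread turns on how the sql auxprop plugin resolves %u and %r, here is an added Python model (not code from the list, from Cyrus SASL or from the plugin) of the fetch-then-compare flow it describes: the thread's two janedoe rows are constructed sample data stored as user@domain, and domain1.com is assumed to be the server's default realm. In the real plugin %p is the name of the property being fetched, not the password the client offered, which is why the stored secret must be fetched and compared server-side rather than matched in the query.

```python
import hmac
import sqlite3

# Constructed sample rows modelled on the thread: the same login name exists in
# two hosted domains with different passwords. Usernames are stored fully
# qualified so that the '%u@%r' form of sql_statement can match them.
SAMPLE_USERS = [
    ("janedoe@domain1.com", "pickles"),
    ("janedoe@domain2.com", "plums"),
]
DEFAULT_REALM = "domain1.com"  # assumed: what is substituted for %r when the client sends no realm

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def split_authid(authid, default_realm=DEFAULT_REALM):
    """Split what the client sent into the (%u, %r) pair the plugin substitutes.
    A bare login name gets the server's default realm, which is the behaviour
    reported in the thread ('it always uses domain1')."""
    user, sep, realm = authid.partition("@")
    return user, (realm if sep else default_realm)

def fetch_secret(conn, user, realm):
    """Model of sql_statement "select password from users where username='%u@%r'".
    The real plugin substitutes text into the statement; here the same key is
    passed as a bound parameter. An ambiguous result is refused instead of
    taking the first row, so one account can never be satisfied by another
    account's password."""
    rows = conn.execute(
        "SELECT password FROM users WHERE username = ?", (f"{user}@{realm}",)
    ).fetchall()
    if len(rows) != 1:
        return None
    return rows[0][0]

def verify_plain(conn, authid, offered_password):
    """auxprop flow for PLAIN/LOGIN: fetch the stored secret, then compare it
    server-side. The client's password never enters the query."""
    user, realm = split_authid(authid)
    secret = fetch_secret(conn, user, realm)
    if secret is None:
        return False
    return hmac.compare_digest(secret.encode(), offered_password.encode())

if __name__ == "__main__":
    db = make_db()
    print(verify_plain(db, "janedoe@domain2.com", "plums"))  # True
    print(verify_plain(db, "janedoe", "plums"))              # False: default realm is domain1
```

The second call reproduces the failure in the thread: a domain2 user who logs in with a bare name is looked up under the default realm and is rejected even with the correct password.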
