Gentoo Forums
cyrus-sasl >=2.1.17 Breaks pam_mysql
mach.82
Tux's lil' helper
Joined: 30 Oct 2003
Posts: 75
Location: 43°N/79°W

Posted: Wed Oct 06, 2004 7:23 pm    Post subject: cyrus-sasl >=2.1.17 Breaks pam_mysql

I have the following error in /var/log/auth.log after following the Virtual Mailhosting System with Postfix Guide:
Quote:
... saslpasswd2: sql_select option missing
... saslpasswd2: auxpropfunc error no mechanism available
... saslpasswd2: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql

After emerging cyrus-sasl again using the following command:
Code:
USE="-ldap -mysql" emerge cyrus-sasl

The emerge command displayed the following warnings:
Quote:
* Starting with version 2.1.17 of cyrus-sasl, the cyrus-sasl team has switched
* to an authentication style that BREAKS pam_mysql.
*
* If you are using pam_mysql, it is recommended you convert to cyrus-sasl's
* auxprop sql authentication support using smtpd.conf.
*
* If you do not wish to change your configuration, you may put "pam-mysql"
* in your USE flags to revert to the old (deprecated) authentication behavior.

I am using:
    dev-libs/cyrus-sasl-2.1.18-r2,
    mail-mta/postfix-2.1.3, and
    dev-db/mysql-4.0.20-r1

I had to make the following changes to avoid the error in /var/log/auth.log as described above:
Code:
USE="mysql" emerge cyrus-sasl

Running etcat -u cyrus-sasl produces the following output after the emerge:
Quote:
[ Colour Code : set unset ]
[ Legend : (U) Col 1 - Current USE flags ]
[ : (I) Col 2 - Installed With USE flags ]

U I [ Found these USE variables in : dev-libs/cyrus-sasl-2.1.18-r2 ]
- - gdbm : Adds support for sys-libs/gdbm (GNU database libraries)
+ + ldap : Adds LDAP support (Lightweight Directory Access Protocol)
+ + mysql : Adds mySQL support
+ + postgres : Adds support for the postgresql database
+ + kerberos : Adds kerberos support
- - static : !!do not set this during bootstrap!! Causes things to be statically linked instead of dynamically
+ + ssl : Adds support for Secure Socket Layer connections
+ + java : Adds support for Java
+ + pam : unknown
- - pam-mysql : Switch to deprecated pam_mysql authentication method
- - debug : Tells configure and the makefiles to build for debugging. Effects vary across packages, but generally it will at least add -g to CFLAGS. Remember to set FEATURES=nostrip too

If you are following the Virtual Mailhosting System with Postfix Guide, you must now re-edit /etc/sasl2/smtpd.conf as follows:
Quote:
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: plain login

sql_engine: mysql
sql_hostnames: localhost
sql_user: mailsql
sql_passwd: <mailsql_password>
sql_database: mailsql
sql_select: select clear from users where email = '%u@%r'

#pwcheck_method: saslauthd
#mech_list: LOGIN PLAIN
    Note: Comment out the two red lines and change <mailsql_password> to your password.

We must now issue the following command and reload saslauthd:
Code:
 # /etc/init.d/saslauthd restart

You can now send a message to postfix and in /var/log/auth.log, it will now show:
Quote:
... saslauthd[6077]: server_exit : master exited: 6077
... saslauthd[25972]: detach_tty : master pid is: 25972
... saslauthd[25972]: ipc_init : listening on socket: /var/lib/sasl2/mux
... postfix/smtpd[25986]: sql auxprop plugin using mysql engine

Hope this helps!!
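
The check below is an added example, not part of the original post and not code from Gentoo or the Cyrus SASL project: it lints an smtpd.conf like the one above for the condition behind the "sql_select option missing" error, a leftover <mailsql_password> placeholder, and a world-readable file that holds sql_passwd. The function names `sasl_opt` and `lint_smtpd_conf`, the wording of the findings, and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: lint a Cyrus SASL smtpd.conf for the
# auxprop/sql setup. Function names and the sample file are constructed.

# Print the value of the first uncommented "key: value" line for key $2 in file $1.
sasl_opt() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                    # commented-out options do not count
        {
            i = index($0, ":"); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Print one finding per line; exit status is 0 only when nothing was found.
lint_smtpd_conf() {
    conf=$1
    {
        case " $(sasl_opt "$conf" pwcheck_method) " in
            *" auxprop "*) ;;
            *) echo "pwcheck_method does not include auxprop" ;;
        esac
        if [ "$(sasl_opt "$conf" auxprop_plugin)" = sql ] &&
           [ -z "$(sasl_opt "$conf" sql_select)" ]; then
            echo "sql_select option missing"   # the auth.log error from the post
        fi
        pw=$(sasl_opt "$conf" sql_passwd)
        case "$pw" in
            "<"*">") echo "sql_passwd is still the guide's placeholder" ;;
        esac
        if [ -n "$pw" ] && [ -n "$(find "$conf" -prune -perm -004)" ]; then
            echo "file stores sql_passwd but is world-readable"
        fi
    } | awk '{ print } END { exit (NR > 0) }'
}

# Constructed sample: sql plugin selected, sql_select left commented out.
sample=$(mktemp)
printf '%s\n' 'pwcheck_method: auxprop' 'auxprop_plugin: sql' \
    'sql_passwd: <mailsql_password>' '#sql_select: select clear from users' >"$sample"
chmod 644 "$sample"
lint_smtpd_conf "$sample" || echo "smtpd.conf needs attention"
rm -f "$sample"
```

Point `lint_smtpd_conf` at /etc/sasl2/smtpd.conf on a real system; the smtpd process must still be able to read the file, so restrict access through group ownership rather than removing read permission altogether.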
mki
n00b
Joined: 18 Mar 2004
Posts: 2

Posted: Mon Oct 11, 2004 12:09 pm    Post subject:

This only works if you are using standard plaintext passwords or old-style DES crypt within your SQL tables. Unfortunately the portage tree hasn't incorporated the appropriate patches so that cyrus-sasl can correctly deal with MD5 and Blowfish style crypts where the salts are of the $1$...$ format. Kind of disappointing; perhaps a bug report ought to be filed.

Anyways. To get your standard md5 crypted passwords to work with postfix, you have to read and get the appropriate patches from:

http://frost.ath.cx/software/cyrus-sasl-patches/

You could temporarily get postfix/smtpd to shut up by adding the saslauthd entry to the pwcheck_method: list like so:

pwcheck_method: saslauthd auxprop

This will cause some additionally annoying messages in auth.log, such as the verbose connect/disconnect/user auth messages, which by the way can't be turned off unless you patch cyrus-sasl with the above patch.
pjp
Administrator
Joined: 16 Apr 2002
Posts: 20588

Posted: Tue Oct 12, 2004 4:38 am    Post subject:

Moved from Other Things Gentoo.
_________________
Quis separabit? Quo animo?