Also note that sasl will look for the plugins in /usr/lib/sasl even if
you install to /usr/local/lib
I had plugins from the RedHat cyrus-sasl RPM in /usr/lib/sasl so I
renamed /usr/lib/sasl to /usr/lib/sasl.OLD and made a link from
/usr/local/lib/sasl to /usr/lib/sasl to only use the plugins I wanted.
Marco Colombo wrote:
>On Mon, 20 Aug 2001, Amos Gouaux wrote:
>
>>>>>>>On Sun, 19 Aug 2001 21:51:33 -0700,
>>>>>>>David Wright <[EMAIL PROTECTED]> (dw) writes:
>>>>>>>
>>dw> Cyrus-imapd (1.6.24) insists on advertising AUTH=CRAM-MD5, even
>>dw> though this is a lie. This is (I think) one of the (many bad)
>>dw> side-effects of SASL -- because of SASL cyrus advertises this AUTH,
>>dw> but in fact my sasldb is utterly empty (all authentication is via
>>dw> PAM) and so any client that takes cyrus up on the offer gets told
>>dw> the user doesn't exist.
>>
>>dw> So... how can I get cyrus to stop advertising AUTH=CRAM-MD5?
>>
>>Configure cyrus-sasl accordingly. Use the various --disable-*
>>options to configure. See --help for details.
>>
>>
>
>You don't need to recompile, just remove the crammd5 mech pluging
>from the pluging directory (/usr/lib/sasl on my system). I had the
>same problem with GSSAPI (Pine starts complaining for the lack of kerberos
>setup on the client - then it falls back to CRAM-MD5, but if CRAM-MD5
>fails, it doesn't try PLAIN).
>
>I think the client should try different mechs if the preferred one fails,
>since a certain mech can be unavailable to some users, but the users can
>be authenticated by means of a different mech. It is true that some
>clients (or some servers, like sendmail) can be configured to require
>secure authentication, and thus they refuse to fallback to PLAIN. If
>this is your case, the only way to enable PLAIN is to have the client
>use setup a SSL/TLS connection before authentication. Sendmail offers
>PLAIN only *after* a successful STARTTLS.
>
>.TM.
>
