The more I have thought about it, I do not wish to have my users' passwords in plaintext anywhere. I have about 250 users with already encrypted md5 passwords in the shadow file. Is there a utility to migrate this information to the MySQL mail database?

This will allow me to manage the user accounts with web-cyradm and also use the MySQL squirrelmail plugin so users can easily change their passwords. I am trying to get a simple secure solution to upgrading from Cyrus Imap 1.6.24 to 2.2. Is there a way to migrate md5 shadow passwords to MySQL and use them with sasl/pam? I plan to use auth PLAIN/LOGIN and TLS.

thanks
Shelley Waltz

On Fri, 23 Jan 2004, Ken Murchison wrote:

Shelley Waltz wrote:
> Ken,
> Thanks for the very clear instructions on how this works. One thing
> which does not make sense is the removal of the mech_list option
> subsequent to all users in the shadow file having auth'd once. ???

Because once the users are transitioned to the sql database, then you
can use *any* of the available SASL mechs.

> Also, why are the transitioned passwords stored in plaintext in the mysql
> database?

The auxprop plugins are designed to *retrieve* the password rather than
just *verify* the password. The plaintext password is needed to support
SASL mechs like CRAM-MD5, DIGEST-MD5, NTLM.

> On Thu, 22 Jan 2004, Ken Murchison wrote:
>
> Shelley Waltz wrote:
> > Ken, Thanks for the reply.
> >
> > Yes, my new server is RH ES3 with all the most recent versions of
> > Cyrus imap/sasl/postfix/mysql ...
>
> Which version of SASL? You definitely want 2.1.17.
>
> > Where do I read about autotransition into the SQL auxprop plugin?
> > Does this mean that after I transition my existing users, I still
> > need to create /etc/shadow entries in order to establish new accounts
> > in the mysql database. I planned to use webcyradm to manage accounts.
>
> Just read the docs on how to configure the SQL auxprop plugin. Then in
> your imapd.conf file, you'll have options like the following:
>
> sasl_mech_list: PLAIN LOGIN
> sasl_auto_transition: yes
> sasl_pwcheck_method: auxprop saslauthd
> sasl_auxprop_plugin: sql
> sasl_sql_engine: mysql
> sasl_sql_select: ...
> sasl_sql_insert: ...
> sasl_sql_update: ...
>
> And you'll need to run:
>
> saslauthd -a shadow
>
> This config will limit the server to plaintext authentication which will
> happen against /etc/shadow and then the password will be inserted into
> mysql. The next time the user authenticates, the password will be
> pulled from mysql (given the order of pwcheck_method).
>
> Once all of your users have authenticated at least once, you can remove
> the mech_list option or add other mechs to the list.
>
> > On Thu, 22 Jan 2004, Ken Murchison wrote:
> >
> > Shelley Waltz wrote:
> > > I am installing a new postfix-cyrus mail server.
> > > I currently have cyrus-imap 1.6.24 authing PLAIN
> > > from /etc/shadow.
> > >
> > > I wish to migrate the passwords (md5) from the shadow file to
> > > a mysql database and use this to auth PLAIN using TLS.
> > > Is there a script available to do so - to migrate the users
> > > from the shadow file and create the records for mysql authentication?
> > >
> > > I did search, but found nothing.
> >
> > First, I'd strongly suggest that you upgrade to a recent version of
> > Cyrus, either 2.1.16 or 2.2.3. To do this, you'll need a recent version
> > of SASL (I'd suggest 2.1.17). Then, you just configure Cyrus/SASL to
> > authenticate plaintext from /etc/shadow and have it autotransition
> > passwords into the SQL auxprop plugin.
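The two points Ken makes in this thread, that an auxprop store must *retrieve* the password rather than merely *verify* it, and that auto-transition copies a plaintext password into that store the first time a user authenticates against /etc/shadow, can be shown in a few lines. The following is an added illustration written for this page; it is not Cyrus or Cyrus SASL code and does not touch a real shadow file or MySQL table. The hash store stands in for /etc/shadow using a toy salted SHA-256 scheme (an assumption; the real file holds md5crypt `$1$` hashes), the retrieve store is a plain dictionary standing in for the SQL auxprop table, and the CRAM-MD5 digest is the HMAC-MD5 of the challenge as specified in RFC 2195. All usernames and passwords in it are constructed.

```python
"""Verify-only store (shadow) vs. retrieve store (SQL auxprop), and why
CRAM-MD5 needs the latter.  Added example; not Cyrus/SASL code."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# --- Store 1: verify-only, standing in for /etc/shadow -----------------------
# Assumption: a toy salted SHA-256 entry "$toy$<salt-hex>$<digest-hex>" is used
# here instead of the md5crypt ($1$) format so the example runs on stdlib only.
def shadow_entry(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(8)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"$toy${salt.hex()}${digest}"

def shadow_verify(entry: str, password: str) -> bool:
    """One-way check: the stored value lets us *verify* but never *retrieve*."""
    _, scheme, salt_hex, digest = entry.split("$")
    if scheme != "toy":
        raise ValueError("unsupported hash scheme")
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.sha256(salt + password.encode()).hexdigest()
    return hmac.compare_digest(candidate.encode(), digest.encode())

# --- Store 2: retrieve store, standing in for the SQL auxprop table ----------
# Constructed in-memory table: user -> plaintext password.
sql_store: Dict[str, str] = {}

# --- CRAM-MD5 (RFC 2195): HMAC-MD5 over the server challenge -----------------
def cram_md5_digest(password: str, challenge: bytes) -> str:
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()

def cram_md5_server_verify(user: str, challenge: bytes, response: str) -> bool:
    """The server must recompute the HMAC with the shared secret, so it can
    only succeed when the plaintext password can be retrieved from a store."""
    secret = sql_store.get(user)
    if secret is None:
        return False            # a shadow hash could not answer this
    expected = cram_md5_digest(secret, challenge)
    return hmac.compare_digest(expected.encode(), response.encode())

# --- Auto-transition: PLAIN against shadow, then insert into the SQL store ---
def plain_login_with_auto_transition(shadow: Dict[str, str],
                                     user: str, password: str) -> str:
    """Mirrors pwcheck_method 'auxprop saslauthd' with sasl_auto_transition.
    Returns the store that answered ('sql' or 'shadow'); raises on failure."""
    if user in sql_store:                                   # auxprop first
        if hmac.compare_digest(sql_store[user].encode(), password.encode()):
            return "sql"
        raise PermissionError("bad password (sql)")
    if user in shadow and shadow_verify(shadow[user], password):  # saslauthd
        sql_store[user] = password                          # auto_transition
        return "shadow"
    raise PermissionError("bad password (shadow)")

if __name__ == "__main__":
    shadow = {"tim": shadow_entry("tanstaaftanstaaf", salt=b"saltsalt")}
    chal = b"<1896.697170952@postoffice.reston.mci.net>"
    resp = cram_md5_digest("tanstaaftanstaaf", chal)
    print("CRAM-MD5 before transition:", cram_md5_server_verify("tim", chal, resp))
    print("PLAIN answered by:", plain_login_with_auto_transition(shadow, "tim", "tanstaaftanstaaf"))
    print("PLAIN answered by:", plain_login_with_auto_transition(shadow, "tim", "tanstaaftanstaaf"))
    print("CRAM-MD5 after transition:", cram_md5_server_verify("tim", chal, resp))
```

The first PLAIN login is answered by the shadow store and copies the password into the SQL store; the second is answered by the SQL store, and only from that point can a challenge-response mech like CRAM-MD5 succeed. The flip side is the concern raised at the top of the thread: with PLAIN/LOGIN over TLS only, the verify-only path (saslauthd against shadow) is sufficient and nothing in the SQL table needs to be recoverable.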