I remember why I got out of being a sysadmin, it’s a lot like being a plumber.
Some software – Dovecot for example – is a joy to use, because it’s well documented, and just works, even when you want it to do slightly strange things. Other software, in this case Cyrus saslauthd, is so follicle destroyingly bad, that it needs to be taken out the back and drowned. Twice.
Having procured a shiny new Android phone and talked Vodafone into supplying me with lots of traffic, I set about setting it up to talk my email and Jabber server, and blog, and all that goodness, and everything is shiny.
Later, it occurred to me, that if my phone is stolen, and the thief is clever enough to extract my password, he has ssh and sudo access to my server. The odds of this happening are exceedingly low, but the results of this happening are catastrophically high. Compounding this is that everything on this server hangs off the Kerberos database for authentication, which means that my users don’t have different passwords for different services, but presents problems once users start saving these passwords on to their phones.
But, I had a great idea. Run up local SQL database that has a list of alternate hashes that only work for email, chat, blogs and other non-shell activity. Awesome. I built the database schema and connected dovecot to in the space of a lunch hour., and all was happy. Tonight, I attempted to connect up other systems. After spending an hour and half battling the mysterious server_set_id in exim, I tried to make the saslauthd connect to the database.
After much cursing, I have discovered that the saslauthd SQL plugin requires that the password is stored in plain text, because the SELECT string isn’t capable of substituting the password into the query string. It also doesn’t handle more that a single row response, which means the entire exercise is looking somewhat futile, because my blogging software (wordpress) and chat software (Openfire) and various other bits and pieces all go through the LDAP server which can only do plain text authentication to Kerberos via saslauthd. It is possible to get exim to use the dovecot sasl server, but this architecturally seems like the wrong way of doing things.
And this is why I hated being a sysadmin, so much software out there is just rubbish.
Update: I set exim to use Dovecots SASL daemon. Works great.