Problem with Cyrus IMAP, saslauthd, virtdomains, and defaultdomain
darkness-keyword-cyrus.74b062 at caliginous.net
Tue Oct 12 19:10:52 EDT 2004
I'm having problems getting Cyrus IMAP to authenticate users within the
domain specified by defaultdomain when using "virtdomains: userid".
Background: For authentication, I'm going from saslauthd to PAM to
pam_pgsql, which is a PAM module to authenticate against tables in the
PostgreSQL RDBMS. pam_pgsql is looking at a table of user names in the
format "user at fqdn". I'm running saslauthd with -r so the realm gets
appended to the user name, and thus PAM should see "user at fqdn" for the
With "virtdomains: userid" and "defaultdomain: foo.com", if I try to login
as "user at bar.com" to the IMAP server saslauthd sends "user at bar.com" to
PAM. This behavior is what I expect and want. However, if I try to login
as "user at foo.com" (i.e., a user within defaultdomain) the IMAP server
strips off "@foo.com" and then sends just "user" as the user name to
saslauthd with no realm, causing PAM to only get "user" instead of
"user at foo.com", and thus the lookup fails. This stripping of the
defaultdomain is my problem. I believe I've tracked this down to Cyrus
IMAP's imap/global.c:canonify_userid function.
What's the correct way to get the IMAP server to always send
"user at foo.com" to SASL regardless of the defaultdomain setting? I could
remove the defaultdomain setting, but from reading docs and mailing lists,
I gather that would break global admin functionality. Additionally I may
have some misconfigured clients that are using their unqualified user name
to log in, so keeping defaultdomain would be nice, though not strictly
necessary. Alternatively, I could remove the section in canonify_userid
that removes the domain from the end of the user name if it matches
defaultdomain, but I'm worried that, too, might break global admins.
If SASL is going to treat "user at fqdn" as a user="user" and realm="fqdn",
perhaps the IMAP server shouldn't discard the "@fqdn" part of the user
name? I think Cyrus (or at least the saslauthd pwcheck method) is calling
sasl_checkpass which doesn't have a realm parameter. Maybe Cyrus should
append "@defaultdomain" to the user name before passing it to saslauthd?
Should saslauthd have a default realm setting? If not globally within
saslauthd, then for PAM at least? Given PAM's lack of a concept of
"realms" this doesn't seem like the right thing to do. I could hack up
pam_pgsql to include a "default domain" kind of setting and then have it
append that to the user name if it doesn't contain '@', but that seems ugly.
I believe I cannot use auxprop because I have encrypted passwords that I'm
authenticating against -- unless I patch auxprop with the "encrypted
password" patches, which sounds generally frowned upon. Even then, though,
would I just code an SQL statement that tries to "SELECT ... WHERE
(username = '%u@%r') OR (username = '%u at mydefaultdomain.com')"? This
still seems ugly.
Any and all comments, help, advice, etc. appreciated. I'm fine hacking on
the code, I'm just unfamiliar with the APIs and code bases involved, and
so I'm not sure what is the right (or least wrong) way to do what I want.
I've been reading archives for a day or two and can't find anyone who
seems to have this problem.
I'm running Linux, Fedora Core 2, cyrus-imapd 2.2.8 RPMs from
http://www.invoca.ch/pub/packages/cyrus-imapd/, cyrus-sasl 2.1.19 from
Fedora development, pam_pgsql 0.5.2. saslauthd gets run like "saslauthd
-m /var/run/saslauthd -a pam -r -c". My imapd.conf file contains:
tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
tls_key_file: /usr/share/ssl/certs/ca-bundle.crt
virtdomains: userid
I'll be glad to share any other configuration information.
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
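The chain the post describes (imapd canonicalisation, then saslauthd -r, then a PAM lookup keyed on fully qualified names) can be modelled in a few lines to make the failure visible. The following is an added example and is not code from the post, from Cyrus IMAP or from Cyrus SASL; `canonify_userid`, `saslauthd_with_realm`, `pam_pgsql_lookup` and `authenticate` are simplified models built only from the behaviour the post describes, and the user table is constructed sample data. The `qualify_default` switch models the workaround the post floats (re-appending `@defaultdomain` before the name reaches saslauthd) so the two paths can be compared side by side.

```python
# Added example: a simplified model of the identity-handling chain described
# in the post. None of this is Cyrus or SASL source; the function bodies are
# assumptions drawn from the post's description of the observed behaviour.

DEFAULT_DOMAIN = "foo.com"   # imapd.conf defaultdomain, as in the post

# Constructed sample of the pam_pgsql user table: fully qualified names only.
USER_TABLE = {"user@foo.com", "user@bar.com"}


def canonify_userid(userid: str, default_domain: str = DEFAULT_DOMAIN) -> str:
    """Model of the behaviour the post attributes to imap/global.c's
    canonify_userid under 'virtdomains: userid': a trailing @defaultdomain
    is stripped, any other domain is kept."""
    user, sep, domain = userid.partition("@")
    if sep and domain.lower() == default_domain.lower():
        return user
    return userid


def saslauthd_with_realm(userid: str) -> str:
    """Model of saslauthd -r: the name is split into user and realm at '@',
    and with -r the realm is re-appended before PAM sees it. With no realm
    there is nothing to append, so PAM gets the bare user name."""
    user, sep, realm = userid.partition("@")
    return f"{user}@{realm}" if sep else user


def pam_pgsql_lookup(pam_user: str) -> bool:
    """Model of pam_pgsql matching the PAM user against the 'user@fqdn' table."""
    return pam_user in USER_TABLE


def authenticate(login: str, qualify_default: bool = False) -> dict:
    """Run one login through the modelled chain and report what each layer saw.

    qualify_default=True models the workaround of appending @defaultdomain to
    an unqualified canonical name before handing it to saslauthd (hypothetical,
    not a Cyrus option).
    """
    canonical = canonify_userid(login)
    to_sasl = canonical
    if qualify_default and "@" not in canonical:
        to_sasl = f"{canonical}@{DEFAULT_DOMAIN}"
    pam_user = saslauthd_with_realm(to_sasl)
    return {
        "login": login,
        "canonical": canonical,
        "pam_user": pam_user,
        "found": pam_pgsql_lookup(pam_user),
    }


if __name__ == "__main__":
    for login, qualify in [("user@bar.com", False), ("user@foo.com", False),
                           ("user@foo.com", True), ("user", True)]:
        print(authenticate(login, qualify_default=qualify))
```

Running it shows the asymmetry the post reports: `user@bar.com` reaches PAM intact and is found, while `user@foo.com` is reduced to `user` before saslauthd, so `-r` has no realm to re-append and the lookup fails. With `qualify_default` on, both the qualified and the unqualified default-domain logins reach PAM as `user@foo.com`. The security-relevant point is that every layer between the client and the credential store must agree on the canonical identity; a normalisation step that silently changes the name at one layer can turn into either a denial of service (as here) or, with a more permissive backend match, an unintended identity collision.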