ondrej at sury.org
Tue Aug 23 05:43:24 EDT 2005
On Tue, 2005-08-23 at 14:31 +0530, Gobbledegeek wrote:
> OK I got it working with sasl_pwcheck-method = auxprop in /etc/imapd.conf.
> But why isn't there a simple statement advising this in the loads of
> documentation? So much time wasted for want of a simple communiqué.
> [...useless rant...]
> f!@#$% programmers!
f!@#$% users who cannot read documentation? Even if somebody recommends
them to read it?
from doc/sysadmin.html (from cyrus-sasl distribution tarball):
The principal concern for system administrators is how the
authentication identifier and password are verified. The Cyrus SASL
library is flexible in this regard:
checks passwords against the userPassword attribute supplied by
an auxiliary property plugin. For example, SASL ships with a
sasldb auxiliary property plugin, that can be used to
authenticate against the passwords stored in /etc/sasldb2. Since
other mechanisms also use this database for passwords, using
this method will allow SASL to provide a uniform password
database to a large number of mechanisms.
contacts the saslauthd daemon to check passwords using a
variety of mechanisms. More information about the various
invocations of saslauthd can be found in saslauthd(8).
Generally you want something like saslauthd -a pam. If plaintext
authentications seem to be taking some time under load,
increasing the value of the -n parameter can help.
Saslauthd keeps its named socket in "/var/state/saslauthd" by
default. This can be overridden by specifying an alternate value
to --with-saslauthd=/foo/bar at compile time, or by passing the
-m parameter to saslauthd (along with setting the saslauthd_path
SASL option). Whatever directory this is, it must exist in order
for saslauthd to function.
Once you configure (and start) saslauthd, there is a
testsaslauthd program that can be built with make testsaslauthd
in the saslauthd subdirectory of the source. This can be used to
check that the saslauthd daemon is installed and running
properly. An invocation like testsaslauthd -u rjs3 -p 1234 with
appropriate values for the username and password should do the
If you are using the PAM method to verify passwords with
saslauthd, keep in mind that your PAM configuration will need to
be configured for each service name that is using saslauthd for
authentication. Common service names are "imap", "sieve", and
contacts Courier-IMAP's authdaemond daemon to check passwords.
This daemon is similar in functionality to saslauthd, and is
shipped separately with the Courier mail server.
Note: this feature is not compiled in the library by default,
and it's provided for sites with custom/special requirements only
(because the internal authentication protocol is not documented
anywhere so it could change at any time). We have tested against
the authdaemond included with Courier-IMAP 2.2.1.
To enable authdaemond support, pass --with-authdaemon to the
configuration script, set pwcheck_method to ``authdaemond'' and
point authdaemon_path to authdaemond's unix socket. Optionally,
you can specify --with-authdaemond=PATH to the configure script
so that authdaemond_path points to a default, static, location.
checks passwords with the use of a separate, helper daemon. This
feature is for backwards-compatibility only. New installations
should use saslauthd.
Ondrej Sury <ondrej at sury.org>
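
The choice quoted above between auxprop and saslauthd, and the requirement that the saslauthd socket directory exist, can be checked against an imapd.conf with a short script. This is an added example, not part of the original message or of the Cyrus distribution. The function names are hypothetical, and it assumes that sasl_saslauthd_path names the socket itself (a file called mux inside the saslauthd directory) and that auxprop is backed by the sasldb plugin.

```shell
#!/bin/sh
# Added example (not from the Cyrus distribution): report which password
# verification method an imapd.conf selects and check its basic prerequisite.

# get_opt FILE KEY: print the value of the last uncommented "KEY: value" line.
get_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# check_pwcheck CONF [SASLDB]: 0 = prerequisite present, 1 = missing,
# 2 = sasl_pwcheck_method not set. SASLDB defaults to /etc/sasldb2 and only
# matters when auxprop is backed by the sasldb plugin (assumption).
check_pwcheck() {
    conf=$1
    sasldb=${2:-/etc/sasldb2}
    method=$(get_opt "$conf" sasl_pwcheck_method)
    case "$method" in
        auxprop)
            [ -r "$sasldb" ] || { echo "auxprop: $sasldb missing or unreadable"; return 1; }
            echo "auxprop: $sasldb present" ;;
        saslauthd)
            # Assumption: sasl_saslauthd_path names the socket itself (.../mux).
            sock=$(get_opt "$conf" sasl_saslauthd_path)
            sock=${sock:-/var/state/saslauthd/mux}
            dir=$(dirname "$sock")
            [ -d "$dir" ] || { echo "saslauthd: directory $dir does not exist"; return 1; }
            echo "saslauthd: directory $dir exists" ;;
        "")
            echo "unset: no sasl_pwcheck_method in $conf"; return 2 ;;
        *)
            echo "other: $method (not checked by this script)" ;;
    esac
}

# Constructed sample configuration, written to a temporary directory.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'sasl_pwcheck_method: saslauthd' \
        "sasl_saslauthd_path: $tmp/run/mux" > "$tmp/imapd.conf"
    check_pwcheck "$tmp/imapd.conf"     # reports the missing directory
    mkdir "$tmp/run"
    check_pwcheck "$tmp/imapd.conf"     # passes once the directory exists
    rm -rf "$tmp"
}
demo || true
```

Run it as the account the IMAP server uses, since the readability test on the sasldb file reflects the permissions of whoever runs the script.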