dwhite at olp.net
Wed Dec 31 10:23:32 EST 2008
Jason Voorhees wrote:
> Hi there:
> I'm planning to use Cyrus IMAP and OpenLDAP to authenticate users.
> Long time ago I used to configure Cyrus IMAP + Cyrus SASL using
> saslauthd with pam module. It was something simple.
> Then I used to configure Cyrus IMAP + Cyrus SASL using saslauthd with
> ldap module and /etc/saslauthd.conf without problems. That's fine.
> Now I would like to use Cyrus IMAP with OpenLDAP too, but I found that
> there are at least 2 ways:
> 1. Use Cyrus SASL with auxprop to authenticate users through LDAP using
> auxprop_plugin: ldapdb, sasl_ldap_servers among other sasl_* directives.
> 2. The other way is to use ldap_* directives like ldap_uri, ldap_filter
> among others. But I believe that I would need to use 'pts' module in
> auth_mech directive, right?
> The question is: What are pts, unix, krb and krb5 modules used for?
> What's the difference between them? Should I use pts module to make
> Cyrus talk directly to OpenLDAP...? Or should I use Cyrus SASL with
> auxprop plugin to make the authentication to OpenLDAP?
> Is there a place where I can get some clear information about these
> items? Man pages are not too clear :S
> Thanks people :)
Available documentation that I'm aware of includes:
/doc/options.html (within the cyrus-sasl source) which documents how to
configure the ldapdb auxprop plugin
/saslauthd/LDAP_SASLAUTHD (within the cyrus-sasl source) which discusses
how to configure the ldap saslauthd backend
/doc/overview.html (within the cyrus-imap source), in the 'Kerberos vs.
Unix Authorization' section, which discusses authorization.
As I understand it, the ldapdb auxprop plugin is entirely within the
realm of cyrus sasl (authentication), and the auth_mech directive in
imapd.conf is cyrus imapd specific, and only handles authorization.
The auth_mech options (pts, unix, krb and krb5) direct how cyrus imapd
authorizes users to access mailboxes/resources *after* they have been
authenticated. The kerberos options direct imapd to perform some
canonicalization of the authenticating user before opening their mailbox
- so if a user connects as jsmith at EXAMPLE.COM, the kerberos options
could canonicalize that to 'jsmith', so that the server can open the
'jsmith' mailbox instead of searching for a 'jsmith at EXAMPLE.COM' mailbox.
The unix and pts options should only come into play if you have
specified a 'group:staff' style ACL for your mailboxes. It tells the
imapd server how to resolve group membership to grant access to the
mailbox. The 'unix' option will perform a unix getgrent call, or
something like that, to determine if a user belongs to a group - using
nss for instance, which in turn can use the nss-ldap or nss-mysql
modules to lookup groups. However, that's pretty slow in my experience
and you'd need to make sure you're properly optimizing your LDAP database.
The pts route can be used to reference an LDAP server directly to
resolve group membership within an LDAP database.
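As an added example, not part of the original thread or of the Cyrus project's own documentation, here is how the two layers described in the reply above could sit side by side in imapd.conf: cyrus-sasl's ldapdb auxprop plugin handling authentication (the sasl_* lines), and Cyrus imapd's pts module with its ldap backend handling group authorization for 'group:' ACLs (the auth_mech, pts_* and ldap_* lines). The host ldap.example.com, the base DN dc=example,dc=com, the 'cyrus' service account and its password, the user 'jsmith' and the 'staff' group are all assumptions made for the example.

```conf
# imapd.conf (example, not from the original message)

# ---- Authentication: cyrus-sasl, ldapdb auxprop plugin ----
# imapd lets libsasl verify the password; libsasl fetches it through
# the ldapdb plugin. ldapdb binds to slapd as sasl_ldapdb_id with the
# given SASL mechanism and reads the *user's* userPassword by proxy
# authorization, so slapd must map and permit that identity
# (authz-regexp / authzTo in slapd.conf). Because auxprop compares
# against the stored value, userPassword must be readable in cleartext;
# if it is hashed, use saslauthd with its ldap backend (a bind) instead.
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://ldap.example.com        # assumed host
sasl_ldapdb_id: cyrus                           # assumed SASL identity
sasl_ldapdb_pw: secret                          # assumed password
sasl_ldapdb_mech: DIGEST-MD5
sasl_mech_list: PLAIN LOGIN

# ---- Authorization: imapd pts module, ldap backend ----
# Only consulted when an ACL names a group, e.g. 'group:staff'.
# ptloader must also be enabled in cyrus.conf:
#   ptloader  cmd="ptloader"
auth_mech: pts
pts_module: ldap
ldap_uri: ldap://ldap.example.com               # assumed host
ldap_bind_dn: cn=cyrus,dc=example,dc=com        # assumed service DN
ldap_password: secret                           # assumed password
ldap_base: dc=example,dc=com                    # assumed base DN
ldap_scope: sub
# How a login name maps to the user's entry (%u = authenticated user).
ldap_filter: (uid=%u)
ldap_user_attribute: uid
# How group names in ACLs map to group entries.
ldap_group_base: ou=groups,dc=example,dc=com
ldap_group_filter: (cn=%u)
ldap_group_scope: one
# Membership is resolved by searching for groups whose 'member'
# attribute holds the user's DN (%D); the group's name is taken from
# ldap_member_attribute.
ldap_member_method: filter
ldap_member_base: ou=groups,dc=example,dc=com
ldap_member_filter: (member=%D)
ldap_member_attribute: cn

# Then, in cyradm, grant the assumed 'staff' group read access:
#   setaclmailbox user.jsmith group:staff lrs
```

With this split, a bad password is rejected by libsasl before imapd ever looks at auth_mech, and a correct password for a user who is not in 'staff' still results in a successful login but no access to mailboxes whose only grant is 'group:staff'. A quick way to check the pts side without touching the mail client is to run the same filters with ldapsearch as the bind DN above: if '(member=<user DN>)' under ou=groups returns the expected group entries, ptloader will see the same result.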