saslauthd cache / cyrus-imap and several passwords per login

Patrick Lamaiziere patfbsd at davenulle.org
Sat Jan 5 09:19:26 EST 2013


Hello,

We use cyrus-imapd on CentOS 6 at work and I've got the following issue
on authentication:

Users can log in via a mailer (imap/pop) or use a webmail (horde). The
webmail uses an SSO-CAS and horde uses a CAS token to log in to
cyrus-imap. As the CAS tokens are one-time tokens they must be
cached by saslauthd.

For this we use PAM with saslauthd and 3 PAM modules. pam_cas checks if
the password is a valid CAS token, then we try ldap and then a local
account.

cyrus-imap -> saslauthd (cache) -> PAM (pam_cas, pam_ldap, pam_unix)

That works fine.

The problem is: when a user uses the webmail and also uses a mailer
(using imap), saslauthd will remove the CAS token previously cached when
the mailer connects. So the webmail is disconnected.

There is a patch to allow saslauthd to cache several passwords for one
login but I would like to avoid this.

As far as I can see, the cache depends on the service used (i.e. if I
connect via pop, the imap password is not cleared from the
saslauthd cache).

So I'm asking if there is a way to introduce another "service" on
cyrus-imap that will be used by the webmail (on another port than 143).
I mean a service in the saslauthd / PAM way (the parameter '-s' in
testsaslauthd: imap, pop, sieve).

I don't know where to start. Is there a way to achieve this?
Thanks, best regards.
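
The behaviour described in the message above, as an added example that is not part of the original post and is not saslauthd code: a simplified model of a credential cache holding one secret per (login, service) in front of a backend where a CAS token validates only once. The class names, the user, the token and password values, and the service name `imap-webmail` are constructed for illustration.

```python
import hashlib

class OneTimeBackend:
    """Stands in for the PAM stack: a CAS token validates once, the LDAP password always."""
    def __init__(self, ldap_passwords):
        self.ldap = dict(ldap_passwords)
        self.tokens = set()

    def issue_token(self, user, token):
        self.tokens.add((user, token))

    def check(self, user, secret):
        if (user, secret) in self.tokens:       # pam_cas step: token is consumed on use
            self.tokens.discard((user, secret))
            return True
        return self.ldap.get(user) == secret    # pam_ldap step

class CredCache:
    """Assumed model: one cached secret per (login, service) key."""
    def __init__(self, backend):
        self.backend = backend
        self.slots = {}

    def auth(self, user, service, secret):
        digest = hashlib.sha256(secret.encode()).hexdigest()
        key = (user, service)
        if self.slots.get(key) == digest:
            return True                         # cache hit, backend not consulted
        if self.backend.check(user, secret):
            self.slots[key] = digest            # replaces any secret cached earlier
            return True
        return False

def scenario(webmail_service):
    """Return the auth results for webmail login, webmail reconnect,
    mail client login, then a second webmail reconnect."""
    backend = OneTimeBackend({"alice": "ldap-password"})       # constructed account
    backend.issue_token("alice", "ST-constructed-token")       # constructed CAS token
    cache = CredCache(backend)
    return [
        cache.auth("alice", webmail_service, "ST-constructed-token"),
        cache.auth("alice", webmail_service, "ST-constructed-token"),
        cache.auth("alice", "imap", "ldap-password"),
        cache.auth("alice", webmail_service, "ST-constructed-token"),
    ]

if __name__ == "__main__":
    print("webmail shares 'imap':  ", scenario("imap"))
    print("webmail on own service: ", scenario("imap-webmail"))
```

When the webmail shares the `imap` key, the mail client's password replaces the cached token and the last webmail reconnect fails because the backend has already consumed the token; with a separate service key both entries coexist.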

