cyrus auth paths?
M.Kondrin
mkondrin at hppi.troitsk.ru
Wed Nov 23 05:42:34 EST 2005
Bill Kearney wrote:
>So, let me get this straight, using current versions of postfix, cyrus and
>sasl2 it's possible to authenticate in several different ways:
>
>postfix - 1) via sql directly in main.cf
>postfix - 2) via saslauthd
> a) using sql configured in /usr/lib/sasl2/smtpd.conf
> or
> b) using pam configured in /etc/pam.d/smtp (using
>pam_mysql)
> where smtpd.conf says to use pam.
>
>cyrus - 3) via sql directly in imapd.conf
> - 4) via saslauthd
> a) using sql configured in /usr/lib/sasl2/imapd.conf
> or
> b) using pam configured in /etc/pam.d/imap (using
>pam_mysql)
> where imapd.conf says to use pam.
>
>Does this about summarize the routes possible to basically accomplish the
>"same thing"?
>
>If so, what are the configuration syntaxes appropriate for each?
>
>In 2a & 2b, postfix tells saslauthd what to use via the
>'smtpd_sasl_application_name' variable. In 2a it would expect there to be
>SQL config directives in the smtpd.conf file. 2b would fall through to pam
>which would use smtp based on the port being looked up from /etc/services.
>Correct?
>
>How would cyrus-imap do the same thing in 4a & 4b? By setting
>'imap_sasl_application_name' , 'imapd_sasl_application_name' or something
>else? How does cyrus inform saslauthd a la postfix? Can it? How would
>saslauthd 'know' where to go looking for the config info needed? In 4b it's
>clear, it simply falls through to pam which handles it based on the port
>lookup from /etc/services.
>
>Again, sorry if this seems tedious to some of the more learned members of
>the lists. But I think if these are better documented to match up with the
>current versions of the various pieces involved it'll go a long way toward
>shaking off the notions about cyrus and sasl being complicated.
>
>-Bill Kearney
>
>
Hello!
You have left out the sasldb mechanism, which can be used by both postfix and
cyrus-imapd.
I am not an sasl programmer and my opinion is just my opinion and not
the ultimate answer. IMHO it looks like you think about sasl as a separate
service, but this is not the case. It is just a library which is called
by sasl-enabled applications, so the sasl code is executed in the
context of the application which has called the library. The application
may choose to configure sasl by itself (in this case it uses options
specified in the application's config file) or may choose to leave this
task to the library (in this case the sasl library will look
through the config file in the sasl2 directory - sasl knows the name of the
application and hence knows the name of the config file to seek). Depending
on the config-file options, the sasl library can either connect to the saslauthd
daemon, do a select from databases (mysql or sasldb) or use the pam/kerberos
infrastructure.
M.Kondrin
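As an added illustration of the per-application config files described in the reply (this is not from the original post, and the table, column and path names are assumptions): the library opens <application>.conf in its config directory, so the same handful of keys select each of the routes in the question. The directory is fixed when libsasl2 is built (/usr/lib/sasl2 or /etc/sasl2 depending on the distribution). Postfix reads smtpd.conf from that directory; Cyrus imapd instead takes the same keys from /etc/imapd.conf with a sasl_ prefix.

```ini
# ---- /usr/lib/sasl2/smtpd.conf : route 2 (Postfix -> libsasl2 -> saslauthd)
# Offer only what the backend can verify. saslauthd is a yes/no oracle over a
# Unix socket, so only the plaintext mechanisms work with it; the password
# crosses the wire in the clear, so require TLS first
# (Postfix: smtpd_tls_auth_only = yes).
mech_list: PLAIN LOGIN
pwcheck_method: saslauthd

# What saslauthd checks against is chosen when the daemon starts, not here:
#   saslauthd -a pam      -> /etc/pam.d/<service>, where <service> is the name
#                            the application hands to libsasl2 ("smtp" for
#                            Postfix smtpd, "imap" for Cyrus imapd)
#   saslauthd -a sasldb   -> /etc/sasldb2
#   saslauthd -a rimap -O host -> proxies the login to another IMAP server

# ---- /usr/lib/sasl2/smtpd.conf : route 1/3 done inside the library (no daemon)
# The auxprop plugin fetches the stored secret itself, so the shared-secret
# mechanisms (CRAM-MD5, DIGEST-MD5) can be offered as well.
# Caveat: the plugin hands the stored secret to the mechanism, so the
# "password" column holds the cleartext password; protect the table and
# this file (it carries sql_passwd) accordingly, e.g. root:postfix mode 0640.
#mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
#pwcheck_method: auxprop
#auxprop_plugin: sql
#sql_engine: mysql
#sql_hostnames: localhost
#sql_database: mail          ; assumed database name
#sql_user: sasl_ro           ; assumed read-only account
#sql_passwd: change-me
# %u = user part, %r = realm (domain) part of the login name
#sql_select: SELECT password FROM accounts WHERE username = '%u' AND domain = '%r'

# ---- sasldb route (the one the reply adds), also library-internal:
#pwcheck_method: auxprop
#auxprop_plugin: sasldb
#sasldb_path: /etc/sasldb2
# populate with:  saslpasswd2 -c -u example.org alice
# list with:      sasldblistusers2

# ---- /etc/imapd.conf : route 4 for Cyrus imapd (same keys, sasl_ prefix)
# Cyrus configures the library itself from its own config file, so there is
# no imapd_sasl_application_name knob; prefix the key you would have put in
# imapd.conf under the sasl2 directory with "sasl_".
#sasl_pwcheck_method: saslauthd
#sasl_mech_list: PLAIN LOGIN
# or the library-internal SQL lookup:
#sasl_pwcheck_method: auxprop
#sasl_auxprop_plugin: sql
#sasl_sql_engine: mysql
#sasl_sql_hostnames: localhost
#sasl_sql_database: mail
#sasl_sql_user: sasl_ro
#sasl_sql_passwd: change-me
#sasl_sql_select: SELECT password FROM accounts WHERE username = '%u' AND domain = '%r'
# refuse PLAIN/LOGIN unless a TLS layer is already in place:
#allowplaintext: no
```

Quick check of which route is actually in use: `testsaslauthd -u alice -p secret -s smtp` exercises only the daemon half of route 2, while a `sql_verbose: yes` line makes the auxprop plugin log the substituted query so a wrong `%u`/`%r` split shows up immediately.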