cyrus auth paths?

M.Kondrin mkondrin at hppi.troitsk.ru
Wed Nov 23 05:42:34 EST 2005


Bill Kearney wrote:

>So, let me get this straight, using current versions of postfix, cyrus and
>sasl2 it's possible to authenticate in several different ways:
>
>postfix - 1) via sql directly in main.cf
>postfix - 2) via saslauthd
>                    a) using sql configured in /usr/lib/sasl2/smtpd.conf
>                        or
>                    b) using pam configured in /etc/pam.d/smtp (using pam_mysql)
>                            where smtpd.conf says to use pam.
>
>cyrus  - 3) via sql directly in imapd.conf
>           - 4) via saslauthd
>                    a) using sql configured in /usr/lib/sasl2/imapd.conf
>                        or
>                    b) using pam configured in /etc/pam.d/imap (using pam_mysql)
>                            where imapd.conf says to use pam.
>
>Does this about summarize the routes possible to basically accomplish the
>"same thing"?
>
>If so, what are the configuration syntaxes appropriate for each?
>
>In 2a & 2b, postfix tells saslauthd what to use via the
>'smtpd_sasl_application_name' variable.  In 2a it would expect there to be
>SQL config directives in the smtpd.conf file.  2b would fall through to pam
>which would use smtp based on the port being looked up from /etc/services.
>Correct?
>
>How would cyrus-imap do the same thing in 4a & 4b?  By setting
>'imap_sasl_application_name' , 'imapd_sasl_application_name' or something
>else?  How does cyrus inform saslauthd a la postfix?  Can it?   How would
>saslauthd 'know' where to go looking for the config info needed?  In 4b it's
>clear, it simply falls through to pam which handles it based on the port
>lookup from /etc/services.
>
>Again, sorry if this seems tedious to some of the more learned members of
>the lists.  But I think if these are better documented to match up with the
>current versions of the various pieces involved it'll go a long way toward
>shaking off the notions about cyrus and sasl being complicated.
>
>-Bill Kearney
>  
>
Hello!
You have left out the sasldb mechanism, which can be used by postfix and
cyrus-imapd.
I am not a SASL programmer, and my opinion is just my opinion and not
the ultimate answer. IMHO it looks like you think of sasl as a separate
service, but this is not the case. It is just a library which is called
by sasl-enabled applications, so the sasl code is executed in the
context of the application which has called the library. The application
may choose to configure sasl by itself (in this case it uses options
specified in the application's config file) or may choose to leave this
task to the library (in this case the sasl library will look
through the config file in the sasl2 directory - sasl knows the name of
the application and hence knows the name of the config file to seek).
Depending on the config-file options, the sasl library can either connect
to the saslauthd daemon, do selects from databases (mysql or sasldb), or
use the pam/kerberos infrastructure.

M.Kondrin
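
Added example, not part of the original message: a small Python model of the lookup described in the reply above, useful for auditing which verification path a given config selects. The option names (`pwcheck_method`, `auxprop_plugin`, `mech_list`, `sql_*`, and the `sasl_` prefix used in imapd.conf) are Cyrus SASL / Cyrus imapd options; the helper names and sample configs are constructed for illustration.

```python
# Added example: helper names and sample configs below are constructed.

def parse_options(text, prefix=""):
    """Parse 'key: value' lines, keeping keys that start with prefix."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        key = key.strip()
        if key.startswith(prefix):
            opts[key[len(prefix):]] = value.strip()
    return opts

def resolve_options(app_name, app_config, sasl_dir):
    """Return (source, options): the app's own sasl_* options, else <app>.conf."""
    if app_config is not None:
        opts = parse_options(app_config, prefix="sasl_")
        if opts:
            return "application config", opts
    name = app_name + ".conf"  # the library derives the file name from the app name
    return name, parse_options(sasl_dir.get(name, ""))

def auth_path(opts):
    """Classify the password verification path the options select."""
    methods = opts.get("pwcheck_method", "auxprop").split()  # library default
    if "saslauthd" in methods:
        return "saslauthd"  # backend (pam, kerberos, ...) is chosen by the daemon
    plugin = opts.get("auxprop_plugin", "any installed auxprop plugin")
    return "auxprop:" + plugin  # e.g. sql or sasldb, queried inside the application

# Constructed sample inputs
IMAPD_CONF = """\
configdirectory: /var/lib/imap
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
"""
SASL_DIR = {"smtpd.conf": """\
pwcheck_method: auxprop
auxprop_plugin: sql
sql_engine: mysql
sql_select: SELECT password FROM users WHERE username = '%u'
"""}

if __name__ == "__main__":
    for app, conf in (("imapd", IMAPD_CONF), ("smtpd", None)):
        source, opts = resolve_options(app, conf, SASL_DIR)
        print(app, "<-", source, "->", auth_path(opts))
```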

