Definition of the PAM config file used by saslauthd per service
Andreas Winkelmann
ml at awinkelmann.de
Thu Nov 13 14:50:43 EST 2008
On Wednesday 12 November 2008 18:28:32, Dan White wrote:
> Veit Wahlich wrote:
> > I authenticate a Cyrus imapd through saslauthd's PAM authmech.
> > Now I'd like to define a secondary imap service in cyrus.conf not
> > accessing /etc/pam.d/imap but another PAM config file such
> > as /etc/pam.d/imap-external.
> > The goal is to have two imapds running (bound to different IPs or TCP
> > ports) with different PAM auth service configs for internal and external
> > access.
> >
> > Is there a configuration option in imapd.conf or so to control which PAM
> > file is being accessed by saslauthd for a service?
>
> Veit,
>
> This was just discussed on the cyrus-imapd list:
>
> http://www.mail-archive.com/info-cyrus@lists.andrew.cmu.edu/msg36412.html
>
> To summarize, you could add a secondary entry in to /etc/cyrus.conf, e.g.:
>
> imap2 cmd="imapd -U 30 -D" listen="127.0.0.7:imap"
>
> In /etc/imapd.conf, you could add:
>
> # First imap instance
> imap_sasl_pwcheck_method: saslauthd
>
> # Second imap instance
> imap2_sasl_pwcheck_method: saslauthd
> imap2_sasl_saslauthd_path: /path/to/second/saslauthd/mux
>
> and then run two instances of saslauthd, the second using a separate
> socket.
Unfortunately this will not help the OP. Yes, this would use separate
saslauthd services for the two imap daemons, but unfortunately the service name
which is used to connect to saslauthd is hardcoded in each daemon. For imapd
this is "imap", and this service name is relevant for the pam.d file.
Yes, this stuff is really complicated.
The OP has to patch Cyrus IMAPd and use another imapd binary for that.
The relevant source code part is:
./imap/imapd.conf:
...
/*
 * run for each accepted connection
 */
#ifdef ID_SAVE_CMDLINE
int service_main(int argc, char **argv, char **envp __attribute__((unused)))
#else
int service_main(int argc __attribute__((unused)),
                 char **argv __attribute__((unused)),
                 char **envp __attribute__((unused)))
#endif
{
    ...
    /* create the SASL connection */
    if (sasl_server_new("imap", config_servername,
                        NULL, NULL, NULL, NULL, 0,
                        &imapd_saslconn) != SASL_OK) {
        fatal("SASL failed initializing: sasl_server_new()", EC_TEMPFAIL);
    }
    ...
The first argument to sasl_server_new() determines the pam.d configuration
file.
> I am not positive that 'imap2' would be passed as the service name to
> saslauthd however.
--
Andreas
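As an added illustration of the point made above (not code from this thread or from Cyrus), the following shows the saslauthd mux request format, as spoken by testsaslauthd, next to a constructed lookup of which /etc/pam.d file the PAM mechanism would consult for the service field. The /etc/pam.d listing is constructed, and the fallback to the "other" file is an assumption about a stock Linux-PAM layout.

```python
import struct

FIELDS = ("user", "password", "service", "realm")

def encode_request(user, password, service, realm=""):
    """Serialize one saslauthd mux request: each field as a 16-bit
    big-endian length followed by its bytes, in the order user,
    password, service, realm (the format testsaslauthd speaks)."""
    out = b""
    for value in (user, password, service, realm):
        data = value.encode()
        out += struct.pack("!H", len(data)) + data
    return out

def decode_request(buf):
    """Parse a request back into a dict; 'service' is the string the
    daemon passed as the first argument of sasl_server_new()."""
    fields, pos = [], 0
    for _ in FIELDS:
        (n,) = struct.unpack_from("!H", buf, pos)
        pos += 2
        fields.append(buf[pos:pos + n].decode())
        pos += n
    return dict(zip(FIELDS, fields))

def pam_config_for(service, pam_d_listing):
    """PAM file the saslauthd PAM mechanism would open: /etc/pam.d/<service>
    if present, else the 'other' fallback (assumed Linux-PAM behaviour).
    pam_d_listing is a constructed set standing in for the directory."""
    name = service if service in pam_d_listing else "other"
    return "/etc/pam.d/" + name

def decode_reply(buf):
    """saslauthd answers with a 16-bit length and 'OK ...' or 'NO ...'."""
    (n,) = struct.unpack_from("!H", buf, 0)
    msg = buf[2:2 + n].decode()
    return msg.startswith("OK"), msg

def resolve(request_bytes, pam_d_listing):
    """PAM file a saslauthd instance would consult for this request,
    regardless of which mux socket it listens on."""
    return pam_config_for(decode_request(request_bytes)["service"], pam_d_listing)

if __name__ == "__main__":
    listing = {"imap", "imap-external", "other"}   # constructed /etc/pam.d
    # both unpatched imapd instances send "imap"; a differently named
    # cyrus.conf entry such as imap2 does not change that field
    for svc in ("imap", "imap-external", "imap2"):
        req = encode_request("alice", "secret", svc, "example.org")
        print(svc, "->", resolve(req, listing))
```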