Definition of the PAM config file used by saslauthd per service

Andreas Winkelmann ml at awinkelmann.de
Thu Nov 13 15:54:23 EST 2008


On Thursday 13 November 2008 21:21:56, Dan White wrote:

> Andreas Winkelmann wrote:
> > On Wednesday 12 November 2008 18:28:32, Dan White wrote:
> >> Veit Wahlich wrote:
> >>> I authenticate a Cyrus imapd through saslauthd's PAM authmech.
> >>> Now I'd like to define a secondary imap service in cyrus.conf not
> >>> accessing /etc/pam.d/imap but another PAM config file such
> >>> as /etc/pam.d/imap-external.
> >>> The goal is to have two imapds running (bound to different IPs or TCP
> >>> ports) with different PAM auth service configs for internal and
> >>> external access.
> >>>
> >>> Is there a configuration option in imapd.conf or so to control which
> >>> PAM file is being accessed by saslauthd for a service?
> >>
> >> Veit,
> >>
> >> This was just discussed on the cyrus-imapd list:
> >>
> >> http://www.mail-archive.com/info-cyrus@lists.andrew.cmu.edu/msg36412.html
> >
> > Unfortunately this will not help the OP. Yes, this would use separate
> > saslauthd-Services for the two imap-Daemons, but unfortunately the
> > Servicename which is used to connect to saslauthd is hardcoded in each
> > Daemon. For imapd this is "imap". And this Servicename is interesting for
> > the pam.d/file.
>
> Thanks for the correction. I suppose a workaround might be to run one of
> the saslauthd's in a chrooted environment, with a separate set of pam
> libraries and configs.

Yes, that would be possible. Of course this depends on the pam-Config. If the
OP wants to use pam to connect to other Daemons (mysql, ldap, kerberos) this
may require changes to these Daemons as well.

--
Andreas

