Writing custom authentication plugins for Cyrus SASL

Daniel Corbe daniel.junkmail at gmail.com
Fri Oct 10 17:47:51 EDT 2008


I want to be able to provide the absolute path to the user's INBOX.
I should probably share a little background information about this project.

I've got a unified messaging system (voicemail) which stores files in a
Maildir-like structure.  It lends itself pretty easily to using an IMAP
server to fetch messages.  Our UM client has IMAP built into it and in fact
this is how it is working today with the vendor's system which we are trying
to replace.

Quite simply, there's a plain text username and password stored in the
database.  I've already got a very simple C program written which is linked
to libmysqlclient which connects to the database and fetches the username
and password as would be presented to it if the IMAP client had sent
something along the lines of:

a01 LOGIN 1234567890 at um01.telcentris.net <password>

I know very little about Cyrus IMAP or Cyrus SASL; however, the current
vendor's system uses both to do this very function.

So, if I understand the plugprog documentation correctly, I could either

A) Write an auxprop plugin to simply provide SASL with the information I
have fetched and allow it to do the authentication bits

or

B) Write a server plugin to handle both.

-Daniel

On Fri, Oct 10, 2008 at 2:14 PM, Dan White <dwhite at olp.net> wrote:

> Daniel,
>
> You have several options. I assume you've looked into the SQL auxprop
> plugin and determined that it is not sufficient for your needs.
>
> You can write a custom auxprop plugin to retrieve your authentication
> information from. You cannot (by design) have your auxprop plugin perform
> the actual authentication itself, but you can store usernames and passwords
> (in the clear). Auxprop plugins function like a database store.
>
> You can write a custom saslauthd backend to perform the authentication.
> Saslauthd gets passed the username and password and essentially returns a
> yes or no to the server application. Stored passwords don't need to be in
> the clear and can be hashed, as long as your backend has enough knowledge to
> verify the submitted password against it. Using this approach limits the
> number of authentication mechanisms that your IMAP server can offer to
> clients. You won't be able to offer more complex mechanisms, such as
> DIGEST-MD5, that require a known shared secret.
>
> The SQL auxprop plugin might be a good plugin to base yours on.
>
> What information are you wanting to provide the IMAP server with regards to
> its location? The name of the mailbox?
>
> - Dan
>
>
> Daniel Corbe wrote:
>
>> Can you quickly give me a hint of where I need to start?
>>
>> I simply want to be given a username and password, that I can do a
>> database query and acknowledge whether it is correct or not and then provide
>> some basic information to the IMAP server to tell it where the user's INBOX
>> is located, etc.
>>
>> Would I need to write a sasl server plugin or an auxprop plugin for this?
>>
>> -Daniel
>>
>> On Tue, Sep 30, 2008 at 1:28 PM, Dan White <dwhite at olp.net> wrote:
>>
>>    Daniel Corbe wrote:
>>
>>>    Hi,
>>>
>>>    I was wondering if anyone could point me in a general direction
>>>    of writing a custom authentication plugin for SASL so I can get
>>>    Cyrus IMAP working off of my custom database.
>>>
>>>    Thanks.
>>>
>>>    -Daniel
>>>
>>>
>>    There is a short SASL Plugin Programmer's Guide, located in
>>    /doc/plugprog.html within the source.
>>
>>    - Dan
>>
>>
>>
>
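
The trade-off Dan White describes, as an added Python example (not part of the thread and not Cyrus SASL code): a saslauthd-style backend can answer yes/no against a salted hash, while computing a DIGEST-MD5 response (RFC 2831) needs the password itself. Function names are hypothetical, PBKDF2 stands in for whatever hash the backend uses, and the sample values are those of the RFC 2831 example exchange.

```python
import hashlib
import hmac
import os

def store_hashed(password, salt=None, rounds=100_000):
    """What a saslauthd-style backend may keep: a salted one-way hash."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def verify_plain(submitted, salt, stored, rounds=100_000):
    """Yes/no answer for a password sent in the clear (LOGIN / PLAIN)."""
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, rounds)
    return hmac.compare_digest(candidate, stored)

def digest_md5_response(user, realm, password, nonce, cnonce, nc, digest_uri):
    """RFC 2831 response-value for qop=auth with no authzid.

    The first step hashes user:realm:password, so the server must hold the
    password itself (as an auxprop store does); a salted hash cannot be used.
    """
    secret = hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()
    ha1 = hashlib.md5(secret + f":{nonce}:{cnonce}".encode()).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode()).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}"
    return hashlib.md5(kd.encode()).hexdigest()

def server_accepts_digest(stored_cleartext, client_response, **challenge):
    """Server-side check; returns None when no cleartext is available."""
    if stored_cleartext is None:
        return None  # hash-only store: DIGEST-MD5 cannot be offered
    expected = digest_md5_response(password=stored_cleartext, **challenge)
    return hmac.compare_digest(expected, client_response)

# Sample values from the RFC 2831 example exchange, not from this thread.
CHALLENGE = dict(user="chris", realm="elwood.innosoft.com",
                 nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk",
                 nc="00000001", digest_uri="imap/elwood.innosoft.com")

if __name__ == "__main__":
    salt, stored = store_hashed("secret")
    print("PLAIN vs hash store:", verify_plain("secret", salt, stored))
    resp = digest_md5_response(password="secret", **CHALLENGE)
    print("DIGEST-MD5, cleartext store:", server_accepts_digest("secret", resp, **CHALLENGE))
    print("DIGEST-MD5, hash-only store:", server_accepts_digest(None, resp, **CHALLENGE))
```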