case sensitive authentication
Dan White
dwhite at olp.net
Wed Feb 4 09:36:30 EST 2009
Stepan Kadlec wrote:
> greetings,
> I have seen some similar questions on the net but without any satisfying solution.
>
> whenever cyrus passes the credentials to sasl, it is in lowercase (no matter what this options are set to: lmtp_downcase_rcpt, username_tolower, normalizeuid). the huge problem appears in case of using virtual domains and kerberos authentication - the domain part of the email address is used as kerberos realm, which is strictly case sensitive (usually uppercase). since sasl always receives the realm lowercased, the authentication never passes.
>
> e.g.:
> username (email): test at domain.tld
> krb principal: test at DOMAIN.TLD
>
> imaptest:~ # imtest -a test at DOMAIN.TLD -m login -p imap localhost -v
>
> saslauthd[19448] :do_auth : auth failure: [user=test] [service=imap] [realm=domain.tld] [mech=kerberos5] [reason=saslauthd internal error]
>
>
> how can this be solved?
>
> btw. there is imho one more problem and it is how the realm is concluded (as the email domain part). some more generic option of mapping email to realms would be nice. is it possible?
>
> thanks for any clue, steve.
>
>
Stepan,
There is a Cyrus IMAP specific solution for this using the
/etc/krb.equiv file. See the 'Kerberos vs. Unix Authorization' section
within the /doc/overview.html file. However, the documentation would
suggest that that would require you to use direct kerberos
authentication, rather than indirect saslauthd/kerberos authentication.
You could also use a sasl canonicalization plugin to accomplish this
(via ldapdb), but that would require an LDAP server. See the
/doc/options.html file within the SASL CVS tree.
More information about the Cyrus-sasl
mailing list