saslauthd and multiple mechs
Mike Culbertson
mculbert at gemstone.com
Thu Jun 17 21:13:16 EDT 2010
John,
Very much appreciated but I think we're doing OK using PAM for now.
What we did was just point saslauthd at pam, and have PAM perform auth
against several backend systems. All of the auth in our case is coming
through slapd, so the PAM service requested by saslauthd is always
'ldap'. This allowed us to configure PAM for saslauthd without
otherwise messing with the rest of our PAM config. Our /etc/pam.d/ldap
looks like this:
<snip>
# Note that we only set up 'auth' here, no password/session/etc.
# This tries KRB5 first, using the system-wide settings
auth sufficient pam_krb5.so ignore_root
# Next we try KRB5 again, but with a non-default realm because some of
# our users are not in OTHERREALM.COM
auth sufficient pam_krb5.so ignore_root use_first_pass realm=OTHERREALM.COM
# lastly, try pam_ldap
auth sufficient pam_ldap.so use_first_pass
</snip>
I'd still prefer to have saslauthd handle this, but thankfully with the
flexibility of pam_krb5 and pam_ldap, we're able to use PAM for
slapd+saslauthd without interfering with anything else in the system,
and it's actually working great so far. saslauthd+PAM may end up being
an advantage for us rather than a workaround.
- Mike
On 06/17/2010 04:46 PM, John Newbigin wrote:
> To the best of my knowledge it is not supported. I wrote some patches
> against cyrus-sasl-2.1.19 earlier in the year which I am using to allow
> 2 mechs. The patches are a bit messy because I did not want to change
> too much core stuff.
>
> It would not be too difficult to make the support a lot better.
>
> My command line looks like this:
> /usr/sbin/saslauthd -m /var/run/saslauthd -O /etc/saslauthd.conf -a ldap
> -V -O /etc/saslauthd-httpform.conf -a httpform
>
> The return value of the second mech is not currently used but that is
> easy to change. I use the httpform as a way of synchronising passwords
> to other systems. For a generic solution some syntax regarding what to
> do on success or failure would need to be developed.
>
> My patches also allow per realm configuration for the ldap mech and
> fix some bugs in the httpform mech.
>
> If you want the patches, let me know.
>
> John.
>
>
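An added sanity check, not from either poster, for a PAM service file like Mike's /etc/pam.d/ldap above: it parses each auth rule and flags the kind of line-wrap damage the mail shows (a comment continuation without its '#', or a bare 'realm=...' fragment that PAM would try to parse as a rule), and any module after the first that lacks use_first_pass and so would ask the conversation function for the password again instead of reusing it. The sample stack is a constructed copy of the posted one, and the check assumes plain keyword control flags rather than the bracketed [...] form.

```shell
#!/bin/sh
# Constructed copy of the posted /etc/pam.d/ldap stack, with the wrapped
# lines from the mail rejoined (not read from a real system file).
make_sample_stack() {
  cat > "$1" <<'EOF'
# Note that we only set up 'auth' here, no password/session/etc.
auth sufficient pam_krb5.so ignore_root
auth sufficient pam_krb5.so ignore_root use_first_pass realm=OTHERREALM.COM
auth sufficient pam_ldap.so use_first_pass
EOF
}

# check_pam_stack FILE: exit 0 when every non-comment line is a well-formed
# "auth <control> <module> [args]" rule and every module after the first
# carries use_first_pass; otherwise print each problem and exit 1.
# Assumption: keyword control flags only (sufficient/required/...), no [..].
check_pam_stack() {
  awk '
    /^[ \t]*(#|$)/ { next }                 # comments and blank lines
    NF < 3 || $1 != "auth" {                # e.g. a wrapped "realm=..." line
      printf "bad rule at line %d: %s\n", NR, $0; bad = 1; next }
    $2 != "sufficient" && $2 != "required" &&
    $2 != "requisite"  && $2 != "optional" {
      printf "unknown control flag at line %d: %s\n", NR, $2; bad = 1; next }
    { n++ }                                 # count well-formed auth rules
    n > 1 && $0 !~ /use_first_pass/ {       # later module would prompt again
      printf "module %s at line %d lacks use_first_pass\n", $3, NR; bad = 1 }
    END { exit bad }
  ' "$1"
}

# Usage: make_sample_stack /tmp/ldap.pam && check_pam_stack /tmp/ldap.pam
```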