saslauthd and multiple mechs

Mike Culbertson mculbert at gemstone.com
Thu Jun 17 21:13:16 EDT 2010


John,

Very much appreciated but I think we're doing OK using PAM for now.  
What we did was just point saslauthd at pam, and have PAM perform auth  
against several backend systems.  All of the auth in our case is coming 
through slapd, so the PAM service requested by saslauthd is always 
'ldap'.  This allowed us to configure PAM for saslauthd without 
otherwise messing with the rest of our PAM config.  Our /etc/pam.d/ldap 
looks like this:

<snip>
# Note that we only set up 'auth' here, no password/session/etc.

# This tries KRB5 first, using the system-wide settings
auth    sufficient      pam_krb5.so ignore_root
# Next we try KRB5 again, but with a non-default realm because some of our users are not in OTHERREALM.COM
auth    sufficient      pam_krb5.so ignore_root use_first_pass realm=OTHERREALM.COM
# lastly, try pam_ldap
auth    sufficient      pam_ldap.so use_first_pass
</snip>

I'd still prefer to have saslauthd handle this, but thankfully with the 
flexibility of pam_krb5 and pam_ldap, we're able to use PAM for 
slapd+saslauthd without interfering with anything else in the system, 
and it's actually working great so far. saslauthd+PAM may end up being 
an advantage for us rather than a workaround.

- Mike

On 06/17/2010 04:46 PM, John Newbigin wrote:
> To the best of my knowledge it is not supported.  I wrote some patches
> against cyrus-sasl-2.1.19 earlier in the year which I am using to allow
> 2 mechs. The patches are a bit messy because I did not want to change
> too much core stuff.
>
> It would not be too difficult to make the support a lot better.
>
> My command line looks like this:
> /usr/sbin/saslauthd -m /var/run/saslauthd -O /etc/saslauthd.conf -a ldap
> -V -O /etc/saslauthd-httpform.conf -a httpform
>
> The return value of the second mech is not currently used but that is
> easy to change. I use the httpform as a way of synchronising passwords
> to other systems. For a generic solution some syntax regarding what to
> do on success or failure would need to be developed.
>
> My patches also allow per realm configuration for the ldap mech and
> fixes some bugs in the httpform mech.
>
> If you want the patches, let me know.
>
> John.
>
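The /etc/pam.d/ldap stack from Mike's message, walked the way Linux-PAM's 'sufficient' control walks it. This is an added simulation, not code from the post or from PAM: it parses the three auth lines and shows that use_first_pass means a single password prompt is reused by all three backends, that pam_krb5's ignore_root skips root, and that the stack fails closed when no backend accepts the password. The backend accounts and the DEFAULT.REALM name are constructed stand-ins.

```python
# Added simulation of how Linux-PAM walks the 'auth' stack from /etc/pam.d/ldap.
# Not real PAM: backends are dicts, 'DEFAULT.REALM' stands in for the krb5 default realm.
PAM_LDAP_AUTH = """
# This tries KRB5 first, using the system-wide settings
auth    sufficient      pam_krb5.so ignore_root
auth    sufficient      pam_krb5.so ignore_root use_first_pass realm=OTHERREALM.COM
auth    sufficient      pam_ldap.so use_first_pass
"""
# Constructed backends: realm -> {user: password} for the KDCs, user -> password for LDAP.
KRB5 = {"DEFAULT.REALM": {"alice": "pw-a"}, "OTHERREALM.COM": {"bob": "pw-b"}}
LDAP = {"carol": "pw-c"}

def parse_pam_auth(text):
    """Return [(module, {option: value})] per 'auth' line; '#' comments and blanks are skipped."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, control, module, *args = line.split()
        if kind != "auth" or control != "sufficient":
            raise ValueError("only 'auth sufficient' lines are modelled: " + raw)
        opts = {k: (v or True) for k, _, v in (a.partition("=") for a in args)}
        stack.append((module, opts))
    return stack

def run_module(module, opts, user, password):
    """Return 'success', 'auth_err', or 'ignore' (pam_krb5's ignore_root result for root)."""
    if module == "pam_krb5.so":
        if "ignore_root" in opts and user == "root":
            return "ignore"
        realm = opts.get("realm", "DEFAULT.REALM")
        return "success" if KRB5[realm].get(user) == password else "auth_err"
    if module == "pam_ldap.so":
        return "success" if LDAP.get(user) == password else "auth_err"
    raise ValueError("unknown module " + module)

def authenticate(stack, user, password):
    """'sufficient': a success ends the stack at once; failure or 'ignore' is dropped and the walk
    goes on. If nothing succeeds Linux-PAM returns PAM_PERM_DENIED, so the stack fails closed.
    Also counts password prompts: only a module without use_first_pass asks the user."""
    prompts = 0
    for module, opts in stack:
        if "use_first_pass" not in opts:
            prompts += 1
        if run_module(module, opts, user, password) == "success":
            return "success", module, prompts
    return "perm_denied", None, prompts

STACK = parse_pam_auth(PAM_LDAP_AUTH)
```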

More information about the Cyrus-sasl mailing list