SASL Docs

David H. Lynch Jr. dhlii at 1dla.com
Thu Nov 7 04:59:30 EST 2002


Ron, thank you.

	I am still trying to "grok" the authentication/authorization process for Cyrus IMAP.

	It does not help that virtually all the HOWTOs that are on the net, as well as the book, are all pretty much obsolete, and this particular issue is the one they are most out of date about.

	I am not trying to be negative. I greatly appreciate the enormous amount of effort that has been put into Cyrus IMAP, and appreciate the fact that CMU, and Ken and the rest of you, have made it available to the rest of us.

	But I am also very frustrated.

	Most aspects of setting Cyrus IMAP up are not particularly difficult. But authorization/authentication is excruciatingly complex.

	I looked through doc/sysadmin.html. It does answer a few of my questions, but not most of them. I also looked through doc/options.html, but it still does not give me a clue how the NTLM method knows what domain or server to query.

	Let me see if I understand correctly:
		No method except sasldb actually depends on sasldb.
		However, some methods require some form of local user database, and sasldb can be used to supply that database for those methods.
		The methods that do NOT require a local user database are: LOGIN, PLAIN, GSSAPI, Kerberos_V4, and ANONYMOUS.

		(Local above means specific to SASL, since LDAP or MySQL could be remote.)
		I am assuming LDAP for SASL purposes is only a place to store user information, NOT an authentication method?

		NTLM requires backend support?
		I am presuming that means that it must have some form of SASL database with users in it?

	As best as I can tell, the distinction between auxprop methods and saslauthd methods is that an auxprop method could involve exchanging authentication information between the client and SASL in a secure form, and that with saslauthd the exchange between the client and SASL/imap is plain text. The exchange between saslauthd and whatever authenticates the user could still be secure.

	Is this basically correct?
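As an added illustration of the auxprop/saslauthd distinction the question raises (this is example code, not from the post or from Cyrus SASL): CRAM-MD5, a shared-secret mechanism served from an auxprop-style store, sends only an HMAC over a server challenge, so the server must hold the plaintext secret; PLAIN, the kind of mechanism handed off to saslauthd, sends the password itself, so a verifier keeping only a one-way hash is enough. The store layouts, the sample credentials and the challenge format are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample credentials for the demonstration (not real accounts).
USER = "alice"
SECRET = "correct horse battery staple"

# Assumed server-side stores (not Cyrus's on-disk formats).
# auxprop-style: plaintext secret kept, because challenge/response must recompute digests.
AUXPROP_STORE = {USER: SECRET}
# saslauthd-style verifier: only a one-way hash is kept; it can check a
# password handed over in the clear but cannot answer a CRAM-MD5 challenge.
VERIFIER_STORE = {USER: hashlib.sha256(SECRET.encode()).hexdigest()}

def cram_md5_challenge() -> bytes:
    """Server side of CRAM-MD5 (RFC 2195): a fresh, unpredictable challenge."""
    return f"<{secrets.token_hex(8)}@example.invalid>".encode()

def cram_md5_response(user: str, secret: str, challenge: bytes) -> str:
    """Client side: only HMAC-MD5(secret, challenge) crosses the wire, never the secret."""
    digest = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"

def cram_md5_verify(response: str, challenge: bytes) -> bool:
    """Server side: needs the plaintext secret from the auxprop store to recompute the digest."""
    user, _, digest = response.partition(" ")
    secret = AUXPROP_STORE.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def plain_message(user: str, secret: str) -> bytes:
    """Client side of PLAIN (RFC 4616): authzid NUL authcid NUL passwd, base64 on the wire."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + secret.encode())

def plain_decode(message: bytes) -> tuple[str, str]:
    """What the server (and anyone reading an unencrypted session) sees: user and password."""
    _, user, secret = base64.b64decode(message).split(b"\0", 2)
    return user.decode(), secret.decode()

def plain_verify(message: bytes) -> bool:
    """saslauthd-style check: the password arrives in the clear, so a one-way hash suffices."""
    user, secret = plain_decode(message)
    stored = VERIFIER_STORE.get(user)
    expected = hashlib.sha256(secret.encode()).hexdigest()
    return stored is not None and hmac.compare_digest(stored, expected)
```

Note that a CRAM-MD5 response is bound to its challenge, so replaying it against a new challenge fails, while a PLAIN message is only as protected as the transport carrying it.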
