cyrus imap without sasl
David Wright
ichbin at shadlen.org
Thu Sep 19 05:29:24 EDT 2002
> Because we think that there is no need to use SASL library in the
> middle of the way to authenticate via PAM+mysql. Isn't it a better
> performance issue? Or are we completely wrong?
It's true, there isn't a need, meaning Cyrus could have been designed to
use PAM directly as a security layer and not used SASL.

On the other hand, there is a need, because Cyrus wasn't designed that
way. Cyrus-IMAP has no idea how to authenticate via PAM. It only knows
how to use SASL. (Fortunately, saslauthd knows how to use PAM.)

PAM and SASL are not anywhere near API-compatible, which means you can't
just "drop in" libpam as a replacement for libsasl.

Personally, I think SASL is a pain in the ass. But its problems are not
performance-related. In fact, since saslauthd acts as a connection pool
to your authentication datastore, you can probably authenticate more
imapd sessions per second via saslauthd -a pam than you could if PAM
were linked directly into imapd.
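
The chain described in the message above (imapd, then SASL, then saslauthd, then PAM, then MySQL), sketched as configuration. This is an added example, not part of the original post; the file paths are the conventional ones, and the database name, table, columns and credentials are placeholders assumed for illustration.

```conf
# --- /etc/imapd.conf (Cyrus IMAP) ---
# imapd only speaks SASL; tell libsasl to hand password checks to saslauthd.
sasl_pwcheck_method: saslauthd
# saslauthd can only verify a plaintext password, so offer PLAIN only
# and protect the session with TLS; shared-secret mechanisms cannot work here.
sasl_mech_list: PLAIN

# --- saslauthd, started with the PAM backend as in the post ---
#   saslauthd -a pam

# --- /etc/pam.d/imap ---
# saslauthd passes the SASL service name ("imap") to PAM as the PAM service.
# This file holds a database password: keep it readable by root only.
# All values below are placeholders (constructed for this example).
auth    required pam_mysql.so user=MAILDB_USER passwd=MAILDB_PASSWORD host=localhost db=MAILDB table=accounts usercolumn=username passwdcolumn=password crypt=1
account required pam_mysql.so user=MAILDB_USER passwd=MAILDB_PASSWORD host=localhost db=MAILDB table=accounts usercolumn=username passwdcolumn=password crypt=1

# --- check the saslauthd -> PAM -> MySQL leg without involving imapd ---
#   testsaslauthd -u SOMEUSER -p SOMEPASSWORD -s imap
```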