Murder installation: authentication hints.

Rob Siemborski rjs3 at andrew.cmu.edu
Mon Jun 9 09:16:07 EDT 2003


On Mon, 9 Jun 2003, Dmitry Novosjolov wrote:

> As I understand the murder concept: imapproxyd at frontends proxies
> connections to the backends, and it authenticates incoming connections (for
> example, person1) at frontend, and then authenticates itself at the backend
> server as some other user (for example, proxy1) (which is allowed to proxy)
> and acts on behalf of the user (person1).
> Right?

Almost.  For referrals-supporting clients (cyradm, pine), the frontends
will occasionally refer a request to the backend.

> timsieved works in other way: it supports referrals and so it authenticates at
> the backend directly (person1), so the password for the user (person1) should
> be the same on a frontend and on backend servers.
> Correct?

They need to be the same.

> In general every frontend authenticates incoming IMAP connections locally, so
> if I want to have *exactly* the same frontends I should take care of syncing
> passwords between my frontends and if I use sieve I also should sync user
> passwords on backends and frontends as well.

You should have the same password store for your users on all the
systems.  The frontends, however, only need to be able to authenticate to
the backends (not to each other).

> So the question is how I can achieve that ?
> Maybe I should use some other way of performing authentication which uses a
> centralized password storage?
> Please point me in the right direction.

Yes, this is definitely preferred.  Kerberos authentication is ideal for
this sort of thing.  Otherwise you probably want a MySQL password store.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
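
The two backend login paths discussed in this thread, modelled as an added example (not code from Cyrus or from either poster): a frontend logging in as proxy1 on behalf of person1, and a referred sieve client logging in directly as person1. It assumes SASL PLAIN (RFC 4616) purely for illustration and a plaintext in-memory password store; `PROXY_USERS`, `backend_login`, the store names and the sample credentials are hypothetical.

```python
import hmac

PROXY_USERS = {"proxy1"}  # hypothetical: identities the backend allows to proxy

def plain_message(authzid, authcid, password):
    """SASL PLAIN initial response (RFC 4616): authzid NUL authcid NUL passwd."""
    return b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))

def backend_login(message, password_store):
    """Return the user the session will act as, or None if the login is refused."""
    parts = message.split(b"\0")
    if len(parts) != 3:
        return None
    try:
        authzid, authcid, password = (p.decode("utf-8") for p in parts)
    except UnicodeDecodeError:
        return None
    expected = password_store.get(authcid)
    # Authentication: the password must match the *authenticating* identity.
    if expected is None or not hmac.compare_digest(
            expected.encode("utf-8"), password.encode("utf-8")):
        return None
    # No separate authorization identity requested: act as yourself.
    if authzid in ("", authcid):
        return authcid
    # Authorization: only a designated proxy user may act as someone else.
    return authzid if authcid in PROXY_USERS else None

# Constructed sample stores (plaintext only to keep the example short).
SHARED_STORE = {"person1": "pw-person1", "proxy1": "pw-proxy1"}
BACKEND_ONLY_PROXY = {"proxy1": "pw-proxy1"}  # backend lacks person1's password

def proxied_imap(store):
    """Frontend already authenticated person1; it logs in to the backend as proxy1."""
    return backend_login(plain_message("person1", "proxy1", "pw-proxy1"), store)

def sieve_referral(store):
    """Client was referred and authenticates to the backend itself as person1."""
    return backend_login(plain_message("", "person1", "pw-person1"), store)

if __name__ == "__main__":
    for name, store in (("shared", SHARED_STORE), ("proxy-only", BACKEND_ONLY_PROXY)):
        print(name, "imap:", proxied_imap(store), "sieve:", sieve_referral(store))
```

With a backend store that only knows the proxy account, proxied IMAP still works but the referred sieve login is refused, which is why the user password store has to be the same on every system.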




