map of authentication methods for cyrus

Simon Matter simon.matter at
Fri Nov 7 02:57:37 EST 2003

>> This is much better.  I'd probably put the mechanisms outside of the
>> libsasl box, since they are (almost always) loaded dynamicly.
> OK.
>> NTLM can use either Windows NT networking or the auxprop plugins.
> I don't quite get you there. I'll have a deeper look into the NTLM
> support and see if I get a better understanding of it.
>> GSSAPI/KERBEROS_V4 rely on the Kerberos Domain Controllers (KDC).
> Yeah. I left that off because it seemed pretty obvious, but p'haps it's
> best included.
>> You should probably add these links to the wiki.  Directly attaching the
>> files would be even better.
> Sure. I'll do that, I just wanted to make sure it was going to be
> complete and accurate first.
>>>Later I'd like to collect and document some common working
>>>configurations for the wiki, if folks are OK with that. I suspect that
>> There is already a section for this, so it is definately encouraged:
> Sure. I'll collect things up and write it up in a bit.
>> I'd discourage people from using pam if they can at all avoid it.
>> Certainly going saslauthd->pam->ldap is pretty questionable given that
>> saslauthd has an internal LDAP module.
> I personally like using PAM because it lets me centralise my
> authentication setup to one place, yet it's flexible enough to handle
> different needs for different apps. I like being able to use multiple
> sources of user information (it's handy when transitioning things). As
> it happens, I don't currently use anything but LDAP, but the flexibility
> is nice. As my Cyrus host doesn't have a high mail load, and has a lot
> of other roles as well, it's been useful to be able to just link Cyrus
> into the main LDAP config.

To make it short: In simple cases, saslauthd's LDAP support is all you
need. In complex corporate environments, you may depend on the flexibility
of PAM because you simply want your mailserver to authenticate against all
kind of different services and auth databases. I'm not speaking about the
ideal way to do things but about how your boss/company wants you to do it

> To be honest, I used pam->ldap simply because I already had libpam_ldap
> working happily and it was easy to integrate Cyrus into it. If I spot
> some good documentation on the use of saslauthd's LDAP support I'll try
> it out. I'd be interested in your reasons for avoiding PAM though.

My experiences with PAM against LDAP and others are very good. There were
reports about memory leaks in the past but I don't see this even on quite
heavy loaded servers with stacked PAM modules. Looks like those problems,
whether they existed in cyrus-sasl or pam, have been fixed.


> Craig Ringer

More information about the Info-cyrus mailing list