map of authentication methods for cyrus

Craig Ringer craig at postnewspapers.com.au
Thu Nov 6 23:04:03 EST 2003


> This is much better.  I'd probably put the mechanisms outside of the
> libsasl box, since they are (almost always) loaded dynamically.

OK.

> NTLM can use either Windows NT networking or the auxprop plugins.

I don't quite get you there. I'll have a deeper look into the NTLM 
support and see if I get a better understanding of it.

> GSSAPI/KERBEROS_V4 rely on the Kerberos Domain Controllers (KDC).

Yeah. I left that off because it seemed pretty obvious, but p'haps it's 
best included.

> You should probably add these links to the wiki.  Directly attaching the
> files would be even better.

Sure. I'll do that, I just wanted to make sure it was going to be 
complete and accurate first.

>>Later I'd like to collect and document some common working
>>configurations for the wiki, if folks are OK with that. I suspect that
> 
> There is already a section for this, so it is definitely encouraged:
> 
> http://asg.web.cmu.edu/twiki/bin/view/Cyrus/SampleCyrusConfigurations

Sure. I'll collect things up and write it up in a bit.

> I'd discourage people from using pam if they can at all avoid it.
> Certainly going saslauthd->pam->ldap is pretty questionable given that
> saslauthd has an internal LDAP module.

I personally like using PAM because it lets me centralise my 
authentication setup to one place, yet it's flexible enough to handle 
different needs for different apps. I like being able to use multiple 
sources of user information (it's handy when transitioning things). As 
it happens, I don't currently use anything but LDAP, but the flexibility 
is nice. As my Cyrus host doesn't have a high mail load, and has a lot 
of other roles as well, it's been useful to be able to just link Cyrus 
into the main LDAP config.

To be honest, I used pam->ldap simply because I already had libpam_ldap 
working happily and it was easy to integrate Cyrus into it. If I spot 
some good documentation on the use of saslauthd's LDAP support I'll try 
it out. I'd be interested in your reasons for avoiding PAM though.

Craig Ringer




