map of authentication methods for cyrus

[Craig Ringer]

Hi folks

I've noticed a fair few questions on the list since I've been subscribed 
that ask about authentication. I'd go so far as to say that it's the #1 
or #2 topic (behind migration or mailbox recovery). Perhaps I can do 
something to help, as a non-coder.

I know that when setting up Cyrus I found it quite hard to wrap my head 
around the way the authentication worked, the first time around. Of 
course now it all makes sense, but I suspect I'm not the only one. I'm 
trying to jot down info for a sort of cyrus authentication FAQ, but also 
thought I'd try to map it out visually.

If you're interested, here are the beginnings of that effort:

http://www.postnewspapers.com.au/~craig/cyrus_authentication_map.pdf
http://www.postnewspapers.com.au/~craig/cyrus_authentication_map.sxd

I'd really appreciate feedback on this - what have I missed, do I have 
anything just plain wrong, etc. I've left out some things - like the 
'shadow' mechanism of saslauthd - that seem best solved using other 
methods (getpwent in that case). Also left out are the specific-vendor 
mechanisms like saslauthd's dce and sia methods.

I should probably also include rimap. Is this best done via saslauthd?

The diagram is also somewhat linux-specific I guess, at least in the use 
of PAM and nss. I don't know how widely - if at all - other UNIXes use 
NSS, though AFAIK PAM is available on at least Solaris. I don't think 
there's too much harm in that personally, as it'll be pretty obvoious if 
your platform doesn't support some of these mechanisms.

If someone can fill me in a bit on the auxprop-based mechanisms (at 
least those suitable for use in new deployments), that'd be really helpful.

I'm trying to only show the "current" mechanisms, ignoring depreciated 
ones (or those that appear depreciated) like pwcheckd and saslauthd->sasldb.

So ... does this look like any use? Suggestions appreciated.

Craig Ringer