documentation
Craig Ringer
craig at postnewspapers.com.au
Wed Oct 29 03:36:33 EST 2003
> Trying to set up LDAP is even worse. It's trying to authenticate my
> 'ldapadd' against the /etc/sasldb2 data files.
> How that happened is well beyond my imagination.
OK, my understanding of the situation:
openldap is capable of authenticating using cyrus-sasl, the
authentication libraries originally written for cyrus. The fact that
your openldap tools are using this isn't actually much to do with cyrus.
If you don't want to stuff about getting LDAP authentication working
using kerberos/sasl or TLS, you can use 'basic' authentication with LDAP
by passing the '-x' flag to the tools. This will result in passwords
being sent unencrypted so be careful.
The trick in my experience is getting LDAP working well, /then/ worrying
about Cyrus. There was a thread just recently on using LDAP
authentication that you might want to look up.
> In general, when it comes to the authentication models for cyrus-imap
> you're on your own if you can't wade your way through whitepapers. Not
> a solution based on practical application.
I must agree ... I choose not to complain, though, as I'm getting the
software for free ;-)
> I'm sorely disappointed with the level of documentation for cyrus-imap.
> I can't even find enough documentation and/or consistency in the code to
> consider getting my own documentation together in efforts to resolve
> this deficiency.
I've been meaning to write a howto/faq on "getting Cyrus to authenticate
against LDAP", focusing on cyrus->saslauthd->pam->ldap and using
directory_administrator for account admin. Of course, now somebody will
pipe up and say "but there's already one >here<"...
> I will see about rebuilding this stupid box from scratch and seeing what
> I can get working a second time around without dabbling with
> /etc/sasldb, that tended to really screw up my system. Maybe I can at
> least get things working to an authentication model based on /etc/passwd
> for now and try for something better in the future.
I find that using LDAP via PAM via saslauthd works well.

/etc/imapd.conf
    sasl_pwcheck_method: saslauthd

As I don't have kerberos or TLS set up yet I also have

/etc/imapd.conf
    # murder the security
    allowplaintext: yes
    sasl_mech_list: PLAIN
    sasl_minimum_layer: 0

which I really must get around to fixing up - it may be an intranet mail
server on a switched network, but it's still possible to steal passwords :-(

With this setup, I run saslauthd as

    saslauthd -a pam

with the appropriate /etc/pam.d/{imap,pop} files (see earlier posts re
ldap) and it works very well.
> I suspect that most of the problems I am seeing are more related to
> sieveshell than cyrus-imap itself. But if this is the only mechanism
> available for filtering email under cyrus-imap then it's a requirement
> that it works correctly and consistently.
I haven't used sieveshell myself, so I can't comment. I get great
results with sieve, but I let users edit their sieve configs directly at
the moment. Most of them are basic users and only use a few client-side
filters anyway - there's not much point.
Craig Ringer
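The "murder the security" imapd.conf settings in the message above (allowplaintext: yes, a PLAIN-only mechanism list and sasl_minimum_layer: 0, with no TLS) are the kind of thing a small audit script can catch before a box goes into production. The script below is an added example, not code from the original post or from the Cyrus project: it reads an imapd.conf, reports each setting that would let passwords cross the wire unencrypted, and writes a hardened copy in which plaintext logins are only accepted after STARTTLS. It assumes imapd.conf's "option: value" line format and the tls_cert_file / tls_key_file options of Cyrus IMAP; the sample configuration is constructed and the certificate paths it writes are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or the Cyrus project.
# Audits a Cyrus imapd.conf for plaintext-password exposure and writes a
# hardened copy. Assumes the "option: value" format and the tls_cert_file /
# tls_key_file options; certificate paths below are placeholders.

# Constructed sample resembling the poster's settings (not a real server's file).
SAMPLE_CONF='sasl_pwcheck_method: saslauthd
# murder the security
allowplaintext: yes
sasl_mech_list: PLAIN
sasl_minimum_layer: 0'

# Print the first value of option $2 found in file $1; comment lines never match.
conf_get() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Print one finding per line. Plaintext mechanisms are only acceptable once
# the session is TLS-protected, so every check is conditional on tls_cert_file
# being absent.
audit_imapd_conf() {
    file="$1"
    tls="$(conf_get "$file" tls_cert_file)"
    if [ -z "$tls" ]; then
        if [ "$(conf_get "$file" allowplaintext)" = "yes" ]; then
            echo "allowplaintext: yes without tls_cert_file: clients may send passwords unencrypted"
        fi
        case " $(conf_get "$file" sasl_mech_list) " in
            *" PLAIN "*|*" LOGIN "*)
                echo "sasl_mech_list offers a plaintext mechanism without TLS" ;;
        esac
        if [ "$(conf_get "$file" sasl_minimum_layer)" = "0" ]; then
            echo "sasl_minimum_layer: 0 without TLS: no integrity or privacy layer required"
        fi
    fi
}

# Number of findings for file $1, as a bare integer.
count_findings() {
    audit_imapd_conf "$1" | wc -l | tr -d ' '
}

# Write a hardened copy of $1 to $2: allowplaintext: no makes Cyrus accept
# PLAIN/LOGIN only after STARTTLS, and the placeholder certificate lines
# must be replaced with the server's real certificate and key paths.
harden_imapd_conf() {
    sed -e 's/^[[:space:]]*allowplaintext:.*/allowplaintext: no/' "$1" > "$2"
    printf '%s\n' \
        '# placeholder certificate paths: replace with the real ones' \
        'tls_cert_file: /etc/ssl/certs/imap.pem' \
        'tls_key_file: /etc/ssl/private/imap.key' >> "$2"
}

# Demonstration on the constructed sample: 3 findings before, 0 after.
demo() {
    weak="$(mktemp)"
    hard="$(mktemp)"
    printf '%s\n' "$SAMPLE_CONF" > "$weak"
    echo "findings before hardening: $(count_findings "$weak")"
    audit_imapd_conf "$weak"
    harden_imapd_conf "$weak" "$hard"
    echo "findings after hardening: $(count_findings "$hard")"
    rm -f "$weak" "$hard"
}
demo
```

Run it as-is to see the audit on the constructed sample, or call `audit_imapd_conf /etc/imapd.conf` against a real file. The hardened copy keeps `sasl_mech_list: PLAIN`, because saslauthd with PAM can only verify plaintext credentials; the fix is therefore to require TLS before the password is sent, not to drop the mechanism.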