Cyrus and authentication

Simon Matter simon.matter at ch.sauter-bc.com
Wed Oct 22 07:36:59 EDT 2003


>>>I've rebuilt and installed Simon Matter's Cyrus RPMs on RH9 without any
>>>difficulty. I don't want to create user accounts on the system, just in
>>>Cyrus. However, I'm completely lost trying to figure out the best way to
>>> do
>>>this. Should I use PAM, Kerberos, SASL? None of which mean very much to
>>
>> It's really difficult to tell you what's the best method here. There are
>> so many ways to do it.
>> I'm using saslauthd->PAM->shadow or saslauthd->shadow on small workgroup
>> servers where every user has a unix account anyway. On dedicated
>> mailservers, I'm usually using saslauthd->PAM->LDAP or saslauthd->LDAP.
>
> I personally get great results with saslauthd->PAM->LDAP and like that
> setup a lot. I would consider saslauthd->LDAP but found it much easier
> to get going via PAM. I've had no problems and have found some of the
> other capabilities provided by PAM very handy, so I think this is a good
> choice.

I want to back this. I have several servers running against PAM->LDAP with
great success. The nice thing is that you can mix several authentication
methods via PAM. Having local unix users and additional LDAP users or mysql
users or whatever.

>
> One thing that I didn't see mentioned in the docs: when using PAM, you
> need to make sure the PAM service name is the cyrus service name, ie
> "imap" or "pop", _not_ "saslauthd". So create a file, /etc/pam.d/imap,

My rpms include all the required files, so there is nothing to do in the
default config.

> containing (basic redhat-ish config:)
>
> auth       required     /lib/security/pam_stack.so service=system-auth
> account    required     /lib/security/pam_stack.so service=system-auth
> password   required     /lib/security/pam_stack.so service=system-auth
> session    required     /lib/security/pam_stack.so service=system-auth

As an example, I'm doing the following in a simple setup:
[root@imap01 pam.d]# cat [imap|pop|sieve]
#%PAM-1.0
auth        required      /lib/security/pam_stack.so service=ldap-auth
account     required      /lib/security/pam_stack.so service=ldap-auth

[root@imap01 pam.d]# cat ldap-auth
#%PAM-1.0
# Authenticate against LDAP but only if username is lowercase
auth        requisite     /lib/security/pam_deny_uc.so
auth        required      /lib/security/pam_ldap.so
account     required      /lib/security/pam_ldap.so

This way you can configure all cyrus-imapd related configuration in one
place.

Simon

>
> and run saslauthd as 'saslauthd -a pam' - it should work then. Assuming
> I'm not forgetting something.
>
> Craig Ringer
>
>
>
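An added example, not part of the thread or of Simon's RPMs: a small POSIX sh checker that audits a pam.d directory for the layout described above, one file per Cyrus service ("imap", "pop", "sieve") rather than a "saslauthd" file, each carrying auth and account lines, with every pam_stack.so service= reference resolving to a stack file that also has both. The directory path is a parameter so it can be run against a copy; the stack name ldap-auth and pam_deny_uc.so are taken from the message, and the sample files in the test are constructed.

```shell
#!/bin/sh
# Audit the per-service PAM files that "saslauthd -a pam" consults for Cyrus.
# saslauthd asks PAM for the service the client connected to ("imap", "pop",
# "sieve"), so each needs its own file under pam.d; a "saslauthd" file is not
# what gets used, and a missing service file falls through to pam.d/other.
# Usage: check_cyrus_pam /path/to/pam.d [service ...]
# Prints findings; returns 0 when every service has auth+account, 1 otherwise.

pam_has_type() {
    # pam_has_type <file> <type>: succeeds if an uncommented line of that type exists
    grep -Eq "^[[:space:]]*$2[[:space:]]+" "$1"
}

check_cyrus_pam() {
    dir=$1; shift
    [ $# -gt 0 ] || set -- imap pop sieve
    rc=0
    for svc in "$@"; do
        f="$dir/$svc"
        if [ ! -f "$f" ]; then
            echo "MISSING: $f (PAM would use $dir/other for service '$svc')"
            rc=1; continue
        fi
        for t in auth account; do
            pam_has_type "$f" "$t" || { echo "NO $t LINE: $f"; rc=1; }
        done
        # Follow "pam_stack.so service=NAME" to the stack file it loads and
        # require auth+account there too (the ldap-auth pattern above).
        for stack in $(sed -n 's/.*pam_stack\.so.*service=\([^[:space:]]*\).*/\1/p' "$f" | sort -u); do
            s="$dir/$stack"
            if [ ! -f "$s" ]; then
                echo "BROKEN STACK: $f references $s, which does not exist"
                rc=1; continue
            fi
            for t in auth account; do
                pam_has_type "$s" "$t" || { echo "NO $t LINE: $s"; rc=1; }
            done
        done
    done
    return $rc
}
```

Once the files pass, `testsaslauthd -u USER -p PASS -s imap` against a running `saslauthd -a pam` exercises the real chain end to end.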