Cyrus and authentication
Craig Ringer
craig at postnewspapers.com.au
Wed Oct 22 06:06:19 EDT 2003
>>I've rebuilt and installed Simon Matter's Cyrus RPMs on RH9 without any
>>difficulty. I don't want to create user accounts on the system, just in
>>Cyrus. However, I'm completely lost trying to figure out the best way to do
>>this. Should I use PAM, Kerberos, SASL? None of which mean very much to
>
> It's really difficult to tell you what's the best method here. There are
> so many ways to do it.
> I'm using saslauthd->PAM->shadow or saslauthd->shadow on small workgroup
> servers where every user has a unix account anyway. On dedicated
> mailservers, I'm usually using saslauthd->PAM->LDAP or saslauthd->LDAP.

I personally get great results with saslauthd->PAM->LDAP and like that
setup a lot. I would consider saslauthd->LDAP but found it much easier
to get going via PAM. I've had no problems and have found some of the
other capabilities provided by PAM very handy, so I think this is a good
choice.

One thing that I didn't see mentioned in the docs: when using PAM, you
need to make sure the PAM service name is the cyrus service name, i.e.
"imap" or "pop", _not_ "saslauthd". So create a file, /etc/pam.d/imap,
containing (basic redhat-ish config:)

    auth required /lib/security/pam_stack.so service=system-auth
    account required /lib/security/pam_stack.so service=system-auth
    password required /lib/security/pam_stack.so service=system-auth
    session required /lib/security/pam_stack.so service=system-auth

and run saslauthd as 'saslauthd -a pam' - it should work then. Assuming
I'm not forgetting something.

Craig Ringer
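
Added example, not part of the original message: a shell check for the PAM service-name point made above, reporting whether each Cyrus service name has its own PAM file with an `auth` line. The function name `check_pam_services` and the sample directory are assumptions made for illustration; the service names "imap" and "pop" are the ones given in the message.

```shell
#!/bin/sh
# check_pam_services DIR SERVICE...   (hypothetical helper, not a Cyrus tool)
# DIR is the PAM configuration directory, normally /etc/pam.d.
# Prints one "service: status" line per service and returns the number
# of services that are not correctly configured.
check_pam_services() {
    dir=$1; shift
    problems=0
    for svc in "$@"; do
        file="$dir/$svc"
        if [ ! -f "$file" ]; then
            # With no matching file, Linux-PAM falls back to the "other" service.
            echo "$svc: missing (PAM falls back to $dir/other)"
            problems=$((problems + 1))
        elif ! grep -Eq '^[[:space:]]*auth[[:space:]]' "$file"; then
            # File exists but has no active (uncommented) auth line.
            echo "$svc: no auth line"
            problems=$((problems + 1))
        else
            echo "$svc: ok"
        fi
    done
    # The mistake the message warns about: the file is named after the daemon.
    if [ "$problems" -gt 0 ] && [ -f "$dir/saslauthd" ]; then
        echo "note: $dir/saslauthd exists but does not cover the services above"
    fi
    return "$problems"
}

# Constructed sample: a directory holding only the wrongly named file.
demo_dir=$(mktemp -d)
printf 'auth required /lib/security/pam_stack.so service=system-auth\n' \
    > "$demo_dir/saslauthd"
check_pam_services "$demo_dir" imap pop || true
rm -rf "$demo_dir"
```

On a real server the call would be `check_pam_services /etc/pam.d imap pop`.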