Cyrus+SASL+kerberos V
Rob Siemborski
rjs3 at andrew.cmu.edu
Thu Oct 16 11:38:57 EDT 2003
On Thu, 16 Oct 2003, Stephan Buys wrote:
> Hi all,
>
> We are using unixhierarchysep and lmtp on our server, with usernames in the
> form of user@domain.com; user information and passwords reside in LDAP and
> are accessed through SASL.
>
> The fact that we use unixhierarchysep allows us to easily support
> multiple domains, i.e. user@domain1, user@domain2, etc.
>
> I was wondering what mechanism was used to associate a Cyrus mailbox
> with a Kerberos user principal? Kerberos will obviously not allow for
> usernames in the form that we use them, although multiple realm support
> is an option.
You can look at auth_krb.c for how usernames are canonicalized.
> As I understand it SASL only supports the default realm as well?
No, this isn't the case. The default/local realm is stripped from the
user identifiers, but you can use the loginrealms option to allow logins
from other realms (the userids still keep the @ sign + realm though).
> Would it be possible to use SASL + Kerberos V at all in this situation?
Depending on what exactly you need, "maybe". With Cyrus 2.1 you really
don't have a good way of doing virtual domains.
-Rob
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
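
The realm handling described in the reply above, as an added example: this is a simplified model written for this page, not code from Cyrus's auth_krb.c. The function names, the exact (case-sensitive) realm comparison and the realm names are assumptions; Kerberos instances are not handled.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: 1 if realm is in the whitespace-separated
 * allow-list (modelled on the loginrealms option), else 0. */
static int realm_allowed(const char *realm, const char *loginrealms)
{
    size_t rlen = strlen(realm);
    const char *p = loginrealms;

    while (*p) {
        size_t n;
        p += strspn(p, " \t");            /* skip separators */
        n = strcspn(p, " \t");            /* length of next entry */
        if (n > 0 && n == rlen && strncmp(p, realm, n) == 0)
            return 1;                     /* whole-entry match only */
        p += n;
    }
    return 0;
}

/* Hypothetical model: map "user[@REALM]" to a userid.
 * Returns 0 on success, -1 if the principal is rejected. */
int canon_userid(const char *principal, const char *local_realm,
                 const char *loginrealms, char *out, size_t outlen)
{
    const char *at = strrchr(principal, '@');
    size_t ulen = at ? (size_t)(at - principal) : strlen(principal);

    if (ulen == 0)
        return -1;                        /* empty user part */
    if (at == NULL || strcmp(at + 1, local_realm) == 0) {
        if (ulen >= outlen)
            return -1;                    /* would not fit */
        memcpy(out, principal, ulen);     /* local realm is stripped */
        out[ulen] = '\0';
        return 0;
    }
    if (!realm_allowed(at + 1, loginrealms))
        return -1;                        /* foreign realm not listed */
    if (strlen(principal) >= outlen)
        return -1;
    strcpy(out, principal);               /* userid keeps "@REALM" */
    return 0;
}

int main(void)
{
    char buf[64];                         /* constructed sample input below */
    if (canon_userid("bob@OTHER.EXAMPLE", "EXAMPLE.COM", "OTHER.EXAMPLE", buf, sizeof buf) == 0)
        puts(buf);
    return 0;
}
```

Because a foreign-realm userid keeps its "@REALM" suffix, mailboxes and ACLs for such users have to be named with the full identifier.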