sasl/pam/ldap authentication process

Simon Matter simon.matter at ch.sauter-bc.com
Mon Aug 9 04:18:36 EDT 2004


> All,
>
> I'm installing my first cyrus imap server that uses LDAP for
> authentication.  I understand the sasldb2/auxprop mechanism all right,
> but am confused when it comes to saslauthd/PAM/LDAP.  I want to use
> PLAIN over TLS against an LDAP server.  Seems like there's a LOT of ways
> to do that (auxprop, sasl-ldap, and sasl-pam-ldap).

Hi,

I'm a little confused. I don't know about an auxprop ldap plugin; the two
ways I know are saslauthd->ldap and saslauthd->pam->ldap. IIRC you never
put a file into the sasl2 lib folder, only use imapd.conf to configure it.
For both methods I know, I think the following config is what you need in
imapd.conf:
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN

There is no sasl_pwcheck_method pam or ldap with cyrus-imapd 2.1 and 2.2.
Then you have to configure saslauthd to either use its builtin ldap
support or use pam. The way to do this depends on how you installed
cyrus-sasl but it basically means you just start saslauthd with '-a ldap'
or '-a pam'.
saslauthd's ldap is configured with the file /etc/saslauthd.conf; for pam,
you have to configure the used services like imap, lmtp, mupdate, news, pop
and sieve.

Simon

>
> All the different ways confuse me, and I want to clarify my options.
> Would someone please verify what I THINK is supposed to happen?
>
> 1.
> --imapd.conf file has NO sasl parameters.
> --imapd file in sasl2 folder has one parameter pwcheck_method:pam
>
> This option does NOT run against the saslauthd daemon.  IMAP knows to
> use SASL, and checks for the sasl config file which says don't use SASL,
> forward to PAM directly.  I have my PAM imap file configured to use LDAP
> (/etc/ldap.conf).
>
> 2.
> --imapd.conf file has sasl_pwcheck_method:pam
> This is the same as #1
>
>
> 3.
> --imapd.conf file has no sasl parameter.
> --imapd file in sasl2 folder has one parameter pwcheck_method:saslauthd
>
> This option tells the imapd to forward the parameters to the saslauthd
> daemon.  When the sasl daemon is started, the desired login mechanism is
> passed as a parameter (saslauthd -a pam).  I have my PAM imap file
> configured to use LDAP (/etc/ldap.conf)
>
> 4.
> --imapd.conf file has sasl_pwcheck_method:saslauthd
>
> Same as #3.
>
>
> 5.
> --imapd.conf file has no sasl parameter.
> --imapd file in sasl2 folder has one parameter pwcheck_method:ldap
>
> This is similar to the PAM process (#1): imap looks up the imapd file and
> determines it's pam and uses sasl to configure against pam.  The
> saslauthd.conf file stores the ldap config information.
>
> 6.
> --imapd.conf file has sasl_pwcheck_method:ldap
>
> Same as 5.  The saslauthd.conf file stores the ldap config information.
>
>
> 7.
> --imapd.conf file has no sasl parameter.
> --imapd file in sasl2 folder has one parameter pwcheck_method:saslauthd
>
> This option tells the imapd to forward the parameters to the saslauthd
> daemon.  When the sasl daemon is started, the desired login mechanism is
> passed as a parameter (saslauthd -a ldap).  The saslauthd daemon uses
> the /saslauthd.conf file to store its ldap config information.
>
> 8.
> --imapd.conf file has sasl_pwcheck_method:saslauthd
>
> Same as #7.
>
>
> Another question:
> 1.  Does cyradm authenticate against the imapd.conf authentication
> process, or do I have to use the sasldb2 database regardless?  I'd like
> to keep all authentication in LDAP, but one user in the sasldb2 database
> wouldn't be too bad...
>
> Thanks in advance for clarifying this for me.  Hopefully this can help
> others down the road as well!
>
> Kevin Williams
>
>
> ---
> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>
>

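As an added example (not code from the thread or from the Cyrus project), a small POSIX sh audit of the imapd.conf settings Simon describes: it resolves which backend actually checks the password, given the saslauthd '-a' flag, and checks that PLAIN is only offered once TLS is up. It assumes the Cyrus option `allowplaintext`, which the thread does not mention, is set explicitly; the sample imapd.conf is constructed.

```shell
#!/bin/sh
# Added example: audit a Cyrus imapd.conf for the saslauthd->ldap / saslauthd->pam
# setups discussed above. The saslauthd backend is taken from its '-a' flag.

# Constructed sample imapd.conf (not a real host's file), using Simon's settings.
SAMPLE_IMAPD_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_IMAPD_CONF"' EXIT
cat >"$SAMPLE_IMAPD_CONF" <<'EOF'
configdirectory: /var/lib/imap
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
allowplaintext: no
EOF

# imapd_opt FILE KEY -> value of the first "KEY: value" line, empty if unset.
imapd_opt() {
    awk -v k="$2:" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# auth_chain FILE SASLAUTHD_MECH -> who verifies passwords for this setup.
# cyrus-imapd 2.1/2.2 have no pwcheck_method "pam" or "ldap"; that choice is
# made with 'saslauthd -a ldap|pam', so any other method is reported as an error.
auth_chain() {
    case "$(imapd_opt "$1" sasl_pwcheck_method)" in
        saslauthd)
            case "$2" in
                ldap) echo "imapd -> saslauthd -> LDAP (/etc/saslauthd.conf)" ;;
                pam)  echo "imapd -> saslauthd -> PAM -> LDAP (pam imap service)" ;;
                *)    echo "ERROR: unknown saslauthd backend '$2'"; return 1 ;;
            esac ;;
        auxprop) echo "imapd -> auxprop (sasldb2)" ;;
        *) echo "ERROR: use 'sasl_pwcheck_method: saslauthd' plus 'saslauthd -a ldap|pam'"; return 1 ;;
    esac
}

# plain_requires_tls FILE -> 0 when PLAIN is listed and allowplaintext is
# explicitly off, i.e. the cleartext password only crosses the wire after STARTTLS.
plain_requires_tls() {
    mechs=$(imapd_opt "$1" sasl_mech_list)
    case " $mechs " in *" PLAIN "*) ;; *) echo "PLAIN not in sasl_mech_list"; return 1 ;; esac
    case "$(imapd_opt "$1" allowplaintext)" in
        no|0|off|false) return 0 ;;
        *) echo "WARNING: set 'allowplaintext: no' so PLAIN is only advertised under TLS"; return 1 ;;
    esac
}

auth_chain "$SAMPLE_IMAPD_CONF" ldap
plain_requires_tls "$SAMPLE_IMAPD_CONF" && echo "PLAIN is TLS-only: OK"
```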