sasl/pam/ldap authentication process

Kevin Williams kwilliams at tarity.com
Fri Aug 6 14:06:41 EDT 2004


All,

I'm installing my first cyrus imap server that uses LDAP for
authentication.  I understand the sasldb2/auxprop mechanism all right,
but am confused when it comes to saslauthd/PAM/LDAP.  I want to use
PLAIN over TLS against an LDAP server.  Seems like there's a LOT of ways
to do that (auxprop, sasl-ldap, and sasl-pam-ldap).

All the different ways confuse me, and I want to clarify my options.
Would someone please verify what I THINK is supposed to happen?

1. 
--imapd.conf file has NO sasl parameters.
--imapd file in sasl2 folder has one parameter pwcheck_method:pam

This option does NOT run against the saslauthd daemon.  IMAP knows to
use SASL, and checks for the sasl config file which says don't use SASL,
forward to PAM directly.  I have my PAM imap file configured to use LDAP
(/etc/ldap.conf).

2.  
--imapd.conf file has sasl_pwcheck_method:pam
This is the same as #1


3.
--imapd.conf file has no sasl parameter.
--imapd file in sasl2 folder has one parameter pwcheck_method:saslauthd

This option tells the imapd to forward the parameters to the saslauthd
daemon.  When the sasl daemon is started, the desired login mechanism is
passed as a parameter (saslauthd -a pam).  I have my PAM imap file
configured to use LDAP (/etc/ldap.conf).

4.
--imapd.conf file has sasl_pwcheck_method:saslauthd

Same as #3.


5.
--imapd.conf file has no sasl parameter.
--imapd file in sasl2 folder has one parameter pwcheck_method:ldap

This is similar to the PAM process (#1): imap looks up the imapd file and
determines it's pam and uses sasl to configure against pam.  The
saslauthd.conf file stores the ldap config information.

6.
--imapd.conf file has sasl_pwcheck_method:ldap

Same as 5.  The saslauthd.conf file stores the ldap config information.


7.
--imapd.conf file has no sasl parameter.
--imapd file in sasl2 folder has one parameter pwcheck_method:saslauthd

This option tells the imapd to forward the parameters to the saslauthd
daemon.  When the sasl daemon is started, the desired login mechanism is
passed as a parameter (saslauthd -a ldap).  The saslauthd daemon uses
the /saslauthd.conf file to store its ldap config information.

8.
--imapd.conf file has sasl_pwcheck_method:saslauthd

Same as #7.


Another question:
1.  Does cyradm authenticate against the imapd.conf authentication
process, or do I have to use the sasldb2 database regardless?  I'd like
to keep all authentication in LDAP, but one user in the sasldb2 database
wouldn't be too bad...

Thanks in advance for clarifying this for me.  Hopefully this can help
others down the road as well!

Kevin Williams


---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
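For readers arriving at this thread with the same question, here is an added configuration example (not from the original post or from the Cyrus project) of the variant the poster numbers #7/#8: imapd hands PLAIN credentials to saslauthd, saslauthd is started with `-a ldap`, and the LDAP details live in saslauthd.conf. It also answers the cyradm question as far as the mechanics go: cyradm logs in over the IMAP protocol like any other client, so whoever is listed in `admins:` is authenticated by the same sasl_pwcheck_method and needs no sasldb2 entry. The security point it illustrates is that PLAIN travels in the clear twice, client to imapd and saslauthd to LDAP, so both hops need TLS. Hostnames, DNs, certificate paths and the service account are assumptions for the example.

```ini
# /etc/imapd.conf  (Cyrus IMAP side; example, not the poster's file)
# Send every credential check to saslauthd; sasldb2 is not consulted.
sasl_pwcheck_method: saslauthd
# PLAIN and LOGIN are cleartext mechanisms; with allowplaintext off they
# are only offered once the client has negotiated STARTTLS.
sasl_mech_list: PLAIN LOGIN
allowplaintext: no
tls_cert_file: /etc/ssl/certs/imap.example.com.pem      # assumed path
tls_key_file: /etc/ssl/private/imap.example.com.key     # assumed path
# cyradm authenticates over IMAP, so this admin is looked up in LDAP
# through the same path as any mailbox user.
admins: cyrus

# /etc/saslauthd.conf  (read by: saslauthd -a ldap -O /etc/saslauthd.conf)
ldap_servers: ldap://ldap.example.com/                  # assumed host
# Second hop: upgrade the saslauthd -> LDAP connection with STARTTLS and
# verify the server certificate, otherwise the password crosses the
# network in the clear again and a rogue LDAP server could harvest it.
ldap_start_tls: yes
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/certs/ca.pem             # assumed path
# Locate the entry for the login name, then bind as that entry with the
# password the client supplied; a successful bind is the "password ok".
ldap_search_base: ou=people,dc=example,dc=com           # assumed DIT
ldap_filter: (uid=%u)
ldap_auth_method: bind
ldap_version: 3
# Low-privilege service account used only for the search step.
ldap_bind_dn: cn=saslauthd,ou=services,dc=example,dc=com   # assumed
ldap_password: replace-with-service-account-password       # placeholder
```

After starting `saslauthd -a ldap -O /etc/saslauthd.conf`, the path from Cyrus to LDAP can be exercised without a mail client using `testsaslauthd -u alice -p 'her-password' -s imap`; a `0: OK "Success."` result means saslauthd reached LDAP and the bind succeeded, while `imtest -t "" -m plain -a alice imap.example.com` then checks the full client-side path, including that PLAIN is refused before STARTTLS. Note that the `-a pam` variants (#3/#4) use the same imapd.conf lines; only the saslauthd command line and the PAM service file change.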
