authentication using kerberos
Aleksandar Milivojevic
amilivojevic at pbl.ca
Wed Dec 22 11:32:27 EST 2004
Rob Siemborski wrote:
> On Wed, 22 Dec 2004, Aleksandar Milivojevic wrote:
>> Well, password verification is really all I need. I really don't need
>> any other functionality provided by kerberos. If user provided
>> correct password (over TLS) to IMAPD, I want to let him in. I just
>> want to use Active Directory as simple and convenient password store
>> that returns true or false. I don't really need full kerberos system.
>> I'm not after single sign-on or anything fancy. I'm attempting to use
>> kerberos only because it is the way AD works, and I'm trying to keep
>> it as simple as possible. All that I really need is the stuff that
>> kinit does. It connects to AD, password is verified, I get true or
>> false for password, and all the other stuff that kinit does after the
>> password is verified is not of interest to me.
>>
>> Can Cyrus IMAPD do that? Or if not, can saslauthd do it?
>
> Yes, saslauthd can.

OK, but how to do that without adding host key? How to tell saslauthd
to only check user's password, not to attempt to authenticate the host
it is running on as well (which it can't do, since there isn't a host
key)? I'd like to keep AD and Unix side as separate as possible (don't
want any trust on the host level), and only use AD as simple password
store. I just want to do stuff kinit does (as described above).
--
Aleksandar Milivojevic <amilivojevic at pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html