Cyrus IMAP server + multiple kerberos realms/virtual domains

[Derrick J Brashear]

On Wed, 1 Dec 2004, Nikola Milutinovic wrote:

> Can Cyrus IMAPD (and how) support multiple Kerberos realms via  SASL/GSSAPI?

Depending on context, yes, let's see what you want:

> It will be neccessary for us to have at least one Cyrus IMAPD that will serve 
> users from two or more dirs/domains/realms. Since Cyrus 2.2.x supports 
> virtual domains, delivery is no problem - although I will have some address 
> rewriting issues to solve, but that is for the MTA to handle.
>
> My idea was to use GSSAPI and GSSAPI capable mail readers (Outlook Express) 
> in conjunction with MS ADS. I've seen posts of people who did it and it 
> sounded like a relatively easy thing to do. I understand that I must have a 
> complete match between Cyrus VDomain and ADS domain for a particular user.
>
> My question is, will authentication work for multiple domains? Can Cyrus IMAP 
> be supplied with more than one principal? Will it choose appropriate server 
> principal for a particular user principal?

Exchange keys between realms and install only the correct service key on 
the imap server? I'm not sure why you'd want to use more than one service 
key for the server. If you did, well, perhaps the right answer is 2 IP 
addresses, one master running on each, with different config files, but 
using the same mail backend (or a murder setup with multiple frontends); 
But all of these are really far more complicated than just doing key 
exchange between realms and putting all the mailboxes in one realm; more 
recent cyrus' murder features are actually being used by cmu to have 2 
realms (actually 3, but the 3rd is a test realm) with a common mailbox 
namespace behind it. but, even that may be more complex than you need or 
want. I'm not sure.

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html