Cyrus IMAP server + multiple kerberos realms/virtual domains

Nikola Milutinovic Nikola.Milutinovic at ev.co.yu
Wed Dec 1 01:58:55 EST 2004 

Hi all.

The question may seam complex, but here goes:

QUESTION
--------

Can Cyrus IMAPD (and how) support multiple Kerberos realms via  SASL/GSSAPI?

CLARIFICATION/RATIONALE
-----------------------

This question arises from our planned move to MS Active Directory 
Service. Since we are a large company, we will have several 
sub-directories or sub-domains. This will result in having multiple 
Kerberos "sub-realms". I do know that Kerberos has no concept of 
hierarchy, that's why I'm using quatation marks.

It will be neccessary for us to have at least one Cyrus IMAPD that will 
serve users from two or more dirs/domains/realms. Since Cyrus 2.2.x 
supports virtual domains, delivery is no problem - although I will have 
some address rewriting issues to solve, but that is for the MTA to handle.

My idea was to use GSSAPI and GSSAPI capable mail readers (Outlook 
Express) in conjunction with MS ADS. I've seen posts of people who did 
it and it sounded like a relatively easy thing to do. I understand that 
I must have a complete match between Cyrus VDomain and ADS domain for a 
particular user.

My question is, will authentication work for multiple domains? Can Cyrus 
IMAP be supplied with more than one principal? Will it choose 
appropriate server principal for a particular user principal?

EXAMPLE
-------

Let's say I have two ADS domains (Kerberos realms), with the following 
principals:

Domain:  up.ev.co.yu
Realm:   UP.EV.CO.YU
Service: IMAP/IMAP.up.ev.co.yu at UP.EV.CO.YU
user:    milutinovicn at UP.EV.CO.YU

Domain:  pb.ev.co.yu
Realm:   PB.EV.CO.YU
Service: IMAP/IMAP.pb.ev.co.yu at PB.EV.CO.YU
user:    nixie at PB.EV.CO.YU

Now suppose I have 2 client machines and users from those machines want 
to access their mailboxes, which are regularly created. How will IMAPD 
handle this situation? What service key will be used? Will it choose one 
key for "UP.EV.CO.YU" and the other for "PB.EV.CO.YU", depending on what 
realm the client uses?

Any hints for the config?

Nix.


---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

More information about the Info-cyrus mailing list