Kerberos authorization in IMAP
Nikola.Milutinovic at ev.co.yu
Wed Jul 21 07:47:45 EDT 2004
I have just gotten off a mail conversation conversation with guys from
CyberSafe and we are slightly puzzled (or at least, I am). I asked them
if they could port "./lib/auth_krb5.c" to use CyberSafe's GSS-API and
they did it (Alexey Melnikov).
The problem is with Kerberos Authorization in IMAP Server. Mind you, not
*authentication*, that is handled via SASL and works OK.
The docs state that, if using Krb5 authz, instead of UNIX authz, one can
use ACLs in the form of a Kerberos5 regular expression, like these:
*/admin at FOO.BAR
However, the code in "./lib/auth_krb5.c" does no such thing. It does
however canonicalize principal and strips off realm if it is local
realm, but no "RegEx" matching.
I do notice, however, that the docs on the subject are using Kerberos_IV
notation, but the code in "./lib/auth_krb.c" doesn't look any more
sophisticated/magical than the previous.
So, are we missing something, here? It would be nice to have those
advertised ACLs available, with the growing popularity of Kerberos
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
More information about the Info-cyrus