Kerberos authorization in IMAP

Nikola Milutinovic Nikola.Milutinovic at
Wed Jul 21 07:47:45 EDT 2004

Hello list.

I have just gotten off a mail conversation with guys from 
CyberSafe and we are slightly puzzled (or at least, I am). I asked them 
if they could port "./lib/auth_krb5.c" to use CyberSafe's GSS-API and 
they did it (Alexey Melnikov).

The problem is with Kerberos Authorization in IMAP Server. Mind you, not 
*authentication*, that is handled via SASL and works OK.

The docs state that, if using Krb5 authz, instead of UNIX authz, one can 
use ACLs in the form of a Kerberos5 regular expression, like these:

*/admin at FOO.BAR

However, the code in "./lib/auth_krb5.c" does no such thing. It does, 
however, canonicalize the principal and strip off the realm if it is the 
local realm, but does no "RegEx" matching.

I do notice, however, that the docs on the subject are using Kerberos_IV 
notation, but the code in "./lib/auth_krb.c" doesn't look any more 
sophisticated/magical than the previous.

So, are we missing something, here? It would be nice to have those 
advertised ACLs available, with the growing popularity of Kerberos 
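
Added example, not part of the original post and not Cyrus code: a sketch of what component-wise matching of a pattern ACL against a canonicalized principal could look like, so that a wildcard cannot cross a realm or instance boundary. It assumes the sample ACL above reads `*/admin@FOO.BAR` with FOO.BAR as the local realm; `canon`, `comp_match` and `acl_pattern_match` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define LOCAL_REALM "FOO.BAR" /* assumption: realm from the post's sample ACL */

/* Hypothetical helper: drop "@REALM" when it is the local realm, the
 * canonicalization the post describes. Fails closed instead of truncating. */
static int canon(const char *in, char *out, size_t outlen)
{
    const char *at = strrchr(in, '@');
    size_t n = (at && !strcmp(at + 1, LOCAL_REALM)) ? (size_t)(at - in) : strlen(in);
    if (n >= outlen) return 0;
    memcpy(out, in, n);
    out[n] = '\0';
    return 1;
}

/* A lone '*' matches any non-empty component; anything else is literal. */
static int comp_match(const char *p, size_t pl, const char *s, size_t sl)
{
    if (pl == 1 && p[0] == '*') return sl > 0;
    return pl == sl && memcmp(p, s, pl) == 0;
}

/* Hypothetical matcher: canonicalize both sides, then compare
 * primary/instance@realm component by component so that '*' can never
 * span a '/' or '@' separator. Returns 1 on match, 0 otherwise. */
int acl_pattern_match(const char *pattern, const char *principal)
{
    char p[256], s[256];
    if (!canon(pattern, p, sizeof p) || !canon(principal, s, sizeof s)) return 0;
    const char *pp = p, *sp = s;
    for (;;) {
        size_t pl = strcspn(pp, "/@"), sl = strcspn(sp, "/@");
        if (!comp_match(pp, pl, sp, sl)) return 0;
        if (pp[pl] != sp[sl]) return 0;   /* separators must agree */
        if (pp[pl] == '\0') return 1;     /* both strings consumed */
        pp += pl + 1;
        sp += sl + 1;
    }
}

int main(void)
{
    /* Constructed sample principals, not taken from the post. */
    printf("%d\n", acl_pattern_match("*/admin@FOO.BAR", "alice/admin@FOO.BAR"));
    printf("%d\n", acl_pattern_match("*/admin@FOO.BAR", "eve/admin@EVIL.ORG"));
    return 0;
}
```

Because the ACL pattern goes through the same realm stripping as the authenticated principal, an entry written with the local realm still matches an identifier whose realm has already been removed.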
