Authenticating by active directory
Ken Murchison
ken at oceana.com
Mon Nov 22 14:26:59 EST 2004
Nikola Milutinovic wrote:
> Igor Brezac wrote:
>
>>
>> On Sun, 21 Nov 2004, Dick Davies wrote:
>>
>>> * Vernon A. Fort <vfort at provident-solutions.com> [1136 15:36]:
>>>
>>>> I have squid and samba authenticating by active directory and was
>>>> trying to figure out the best approach in getting the cyrus-imap
>>>> accounts to auth via active directory as well.
>>>>
>>>> Can someone point me in the right direction - I cannot find a
>>>> configuration example for cyrus-imap or cyrus-sasl.
>>>
>>> Best way is probably to have cyrus auth via saslauthd, then saslauthd
>>> in turn talk to PAM, and use pam_ldap.
>>>
>>
>> You can also use saslauthd built-in ldap or kerberos5 authentication
>> mechanisms.
>
> You can also use the GSSAPI SASL plugin. Let me clarify.
>
> This is a story about authentication. There are two things to consider.
>
> 1. How are your IMAP clients going to authenticate to the server
> 2. How does your infrastructure provide authentication
>
> The IMAP protocol uses SASL, which in turn has several defined mechanisms:
>
> 1. PLAIN
> 2. CRAM-MD5, DIGEST-MD5
> 3. KERBEROS_IV, GSSAPI
> 4. EXTERNAL
> 5. OTP
> 6. NTLM
> ...
>
> Of these, only PLAIN (and perhaps OTP) is relay-able,
NTLM (Outlook calls it SPA) is relayable and the Cyrus SASL
implementation will do this with a domain controller when configured.
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
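
The saslauthd built-in LDAP route mentioned in the thread, shown as an added configuration example that is not part of the original messages. The host name, DNs, CA file path and password are placeholders (assumptions), and the file locations may differ on your system.

```conf
# --- /etc/imapd.conf (Cyrus IMAP): hand password checks to saslauthd ---
sasl_pwcheck_method: saslauthd
# saslauthd verifies a plaintext username and password, so offer only
# plaintext mechanisms to clients
sasl_mech_list: PLAIN LOGIN
# Refuse plaintext logins until the client has negotiated TLS
allowplaintext: no

# --- /etc/saslauthd.conf: read when saslauthd is started with "-a ldap" ---
# All values below are placeholders (assumptions), not taken from the thread.
# Use ldaps:// so the relayed password is not sent to the DC in the clear.
ldap_servers: ldaps://dc1.example.com/
ldap_version: 3
# Do not chase referrals returned by Active Directory
ldap_referrals: no
# Search for the user entry, then bind as that entry with the supplied password
ldap_auth_method: bind
# Low-privilege service account used only for the search step
ldap_bind_dn: CN=svc-saslauthd,OU=Service Accounts,DC=example,DC=com
ldap_password: REPLACE_ME
ldap_search_base: DC=example,DC=com
ldap_scope: sub
# %u is replaced with the login name presented by the IMAP client
ldap_filter: (&(objectCategory=person)(sAMAccountName=%u))
# Validate the domain controller's certificate against the issuing CA
ldap_tls_cacert_file: /etc/ssl/certs/example-ad-ca.pem
ldap_tls_check_peer: yes
```

After restarting saslauthd, `testsaslauthd -u <user> -p <password> -s imap` checks the saslauthd-to-directory leg on its own before involving an IMAP client. Keep `saslauthd.conf` readable only by root, since it holds the service account password.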