Authenticating by active directory

Nikola Milutinovic Nikola.Milutinovic at ev.co.yu
Mon Nov 22 08:35:10 EST 2004


Igor Brezac wrote:

> 
> On Sun, 21 Nov 2004, Dick Davies wrote:
> 
>> * Vernon A. Fort <vfort at provident-solutions.com> [1136 15:36]:
>>
>>> I have squid and samba authenticating by active directory and was trying
>>> to figure out the best approach in getting the cyrus-imap accounts to
>>> auth via active directory as well.
>>>
>>> Can someone point me in the right direction - I cannot find a
>>> configuration example for cyrus-imap or cyrus-sasl.
>>
>>
>> Best way is probably to have cyrus auth via saslauthd, then saslauthd
>> in turn talk to PAM, and use pam_ldap.
>>
> 
> You can also use saslauthd built-in ldap or kerberos5 authentication 
> mechanisms.

You can use also GSSAPI SASL plugin. Let me clarify.

This is a story about authentication. There are two things to consider.

1. How are your IMAP clients going to authenticate to the server
2. How does your infrastructure provide authentication

IMAP protocol uses SASL, which in turn has several defined mechanisms:

1. PLAIN
2. CRAM-MD5, DIGEST-MD5
3. KERBEROS_IV, GSSAPI
4. EXTERNAL
5. OTP
6. NTLM
...

Of these, only PLAIN (and perhaps OTP) is relay-able, which means that 
authentication credentials provided by the client can be passed along to 
some other mechanism (relayed). *-MD5 require a local store of user/pass 
on the IMAP server, GSSAPI is Kerberos related and EXTERNAL uses digital 
certificates (think: SSL/TLS).

If you want to use ADS Kerberos as your authentication infrastructure, 
you are left with two choices.

1. PLAIN -> SASLAuthD -> [PAM (optional)] -> (LDAP or Kerberos5)
2. GSSAPI

Every IMAP client on the planet can use PLAIN, but it has two major 
drawbacks. Firstly, it is totally insecure, since user/pass is only 
base64 encoded. That would force you to use PLAIN-over-TLS, which has 
its problems (you need regular certificates or your clients will 
constantly complain about the identity of the certificate owner).

Secondly, using "saslauthd" as Kerberos5 client (relay) means that for 
every authentication attempt "saslauthd" would indulge itself in a full 
client session initialization, which is CPU consuming and burdens both 
IMAP server and ADS KDC.

GSSAPI is how Kerberos was intended to be used. In that setup the IMAP 
client is authenticated with the ADS KDC and has obtained a ticket for the 
IMAP service (IMAP/host.domain.com@REALM). The IMAP server is supplied 
with its Kerberos principal service key and they both use the 
underlying Kerberos infrastructure.

The only problem is that not many clients support this. 
Mozilla/Thunderbird certainly doesn't. MS IE does and I've only heard 
reports that Eudora and CyrusSoft Mulberry also have GSSAPI support.

Nix.
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
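Two points in Nikola's reply are easy to verify in code: a SASL PLAIN initial response is nothing more than base64 over `authzid NUL authcid NUL password` (RFC 4616), so anyone who sees the IMAP line recovers the password, and a server should therefore only advertise PLAIN once TLS is up (the behaviour Cyrus ties to `allowplaintext`). The script below is an added example written for this archive page, not code from the thread or from the Cyrus project; the mechanism property table, the `tls_active` / `allowplaintext` parameters and the captured line are constructed to mirror the post's list of mechanisms and its relayable/non-relayable distinction.

```python
import base64

# Properties of the SASL mechanisms named in the post (constructed table, not from Cyrus).
#   relayable : the server ends up holding the clear password and can hand it to
#               saslauthd (PAM / LDAP / Kerberos5) - only PLAIN in the post's list.
#   local_store: the mechanism needs the user's secret stored on the IMAP server
#               (the *-MD5 family), so it cannot be backed by an external directory.
#   plaintext : the credential crosses the wire base64-encoded only, so it must be
#               confined to a TLS session.
MECHANISMS = {
    "PLAIN":      {"relayable": True,  "local_store": False, "plaintext": True},
    "CRAM-MD5":   {"relayable": False, "local_store": True,  "plaintext": False},
    "DIGEST-MD5": {"relayable": False, "local_store": True,  "plaintext": False},
    "GSSAPI":     {"relayable": False, "local_store": False, "plaintext": False},
    "EXTERNAL":   {"relayable": False, "local_store": False, "plaintext": False},
}

# A constructed "AUTHENTICATE PLAIN" initial response as it would appear on the
# wire for user "alice" with password "s3cret" and no separate authorization id.
CAPTURED_PLAIN_LINE = "AGFsaWNlAHMzY3JldA=="


def encode_plain(authcid: str, password: str, authzid: str = "") -> str:
    """Build the RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd, base64-wrapped."""
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(line: str) -> tuple[str, str, str]:
    """Recover (authzid, authcid, password) from a PLAIN response.

    No key, no challenge: this is exactly why PLAIN is 'relay-able' and exactly
    why it must never be offered on an unencrypted connection.
    """
    raw = base64.b64decode(line, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN response: expected two NUL separators")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    if not authcid or not password:
        raise ValueError("PLAIN response must carry a non-empty authcid and password")
    return authzid, authcid, password


def advertised_mechanisms(configured: list[str], tls_active: bool,
                          allowplaintext: bool = False) -> list[str]:
    """Decide which mechanisms to list in CAPABILITY, in configured order.

    Plaintext mechanisms are withheld until TLS is active unless the operator
    explicitly allows them (the Cyrus 'allowplaintext' knob); everything else
    is offered as configured.
    """
    offered = []
    for mech in configured:
        props = MECHANISMS[mech]
        if props["plaintext"] and not (tls_active or allowplaintext):
            continue
        offered.append(mech)
    return offered


def relayable_mechanisms(configured: list[str]) -> list[str]:
    """Subset of the configured mechanisms that saslauthd could actually back."""
    return [m for m in configured if MECHANISMS[m]["relayable"]]


if __name__ == "__main__":
    print("decoded captured line:", decode_plain(CAPTURED_PLAIN_LINE))
    mechs = ["PLAIN", "GSSAPI", "DIGEST-MD5"]
    print("offered before STARTTLS:", advertised_mechanisms(mechs, tls_active=False))
    print("offered after STARTTLS: ", advertised_mechanisms(mechs, tls_active=True))
    print("backed by saslauthd:    ", relayable_mechanisms(mechs))
```

Running it prints the password straight out of the captured line, shows PLAIN disappearing from the pre-TLS capability list, and confirms that of the three configured mechanisms only PLAIN can be chained to saslauthd; DIGEST-MD5 would need a local secret store and GSSAPI needs the service keytab instead.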
