Authenticating by active directory
Nikola Milutinovic
Nikola.Milutinovic at ev.co.yu
Mon Nov 22 08:35:10 EST 2004
Igor Brezac wrote:
>
> On Sun, 21 Nov 2004, Dick Davies wrote:
>
>> * Vernon A. Fort <vfort at provident-solutions.com> [1136 15:36]:
>>
>>> I have squid and samba authenticating by active directory and was trying
>>> to figure out the best approach in getting the cyrus-imap accounts to
>>> auth via active directory as well.
>>>
>>> Can someone point me in the right direction - I cannot find a
>>> configuration example for cyrus-imap or cyrus-sasl.
>>
>>
>> Best way is probably to have cyrus auth via saslauthd, then saslauthd
>> in turn talk to PAM, and use pam_ldap.
>>
>
> You can also use saslauthd built-in ldap or kerberos5 authentication
> mechanisms.
You can also use the GSSAPI SASL plugin. Let me clarify.
This is a story about authentication. There are two things to consider.
1. How are your IMAP clients going to authenticate to the server?
2. How does your infrastructure provide authentication?
The IMAP protocol uses SASL, which in turn has several defined mechanisms:
1. PLAIN
2. CRAM-MD5, DIGEST-MD5
3. KERBEROS_IV, GSSAPI
4. EXTERNAL
5. OTP
6. NTLM
...
Of these, only PLAIN (and perhaps OTP) is relay-able, which means that
authentication credentials provided by the client can be passed along to
some other mechanism (relayed). *-MD5 require a local store of user/pass
on the IMAP server, GSSAPI is Kerberos related and EXTERNAL uses digital
certificates (think: SSL/TLS).
If you want to use ADS Kerberos as your authentication infrastructure,
you are left with two choices.
1. PLAIN -> SASLAuthD -> [PAM (optional)] -> (LDAP or Kerberos5)
2. GSSAPI
Every IMAP client on the planet can use PLAIN, but it has two major
drawbacks. Firstly, it is totally insecure, since user/pass is only
base64 encoded. That would force you to use PLAIN-over-TLS, which has
its problems (you need regular certificates or your clients will
constantly complain about the identity of the certificate owner).
Secondly, using "saslauthd" as a Kerberos5 client (relay) means that for
every authentication attempt "saslauthd" would indulge itself in a full
client session initialization, which is CPU consuming and burdens both
the IMAP server and the ADS KDC.
GSSAPI is how Kerberos was intended to be used. In that setup the IMAP
client is authenticated with the ADS KDC and has obtained a ticket for the
IMAP service (IMAP/host.domain.com at REALM). The IMAP server is supplied
with its Kerberos principal service key and they both use the
underlying Kerberos infrastructure.
The only problem is that not many clients support this.
Mozilla/Thunderbird certainly doesn't. MS IE does and I've only heard
reports that Eudora and CyrusSoft Mulberry also have GSSAPI support.
Nix.
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
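To make the post's point about PLAIN concrete (credentials are only base64 encoded, so PLAIN is acceptable only under TLS), here is an added example, not from the post or from Cyrus, that decodes a SASL PLAIN response (RFC 4616) out of a constructed cleartext IMAP capture. The session lines, user name and password are made up.

```python
import base64

# Constructed cleartext IMAP session (port 143, no STARTTLS), written as a
# passive observer on the wire would see it. Not from the original post.
CLEARTEXT_SESSION = [
    "S: * OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=GSSAPI] ready",
    "C: a1 AUTHENTICATE PLAIN",
    "S: + ",
    "C: AGpkb2UAcyNjcmV0LXB3",  # base64 of "\0jdoe\0s#cret-pw" (made-up)
    "S: a1 OK Success",
]

# Same client, but it negotiates TLS first: everything after the
# handshake is ciphertext to the observer.
TLS_SESSION = [
    "C: a1 STARTTLS",
    "S: a1 OK Begin TLS negotiation now",
]

def parse_sasl_plain(b64_response):
    """Decode a SASL PLAIN message (RFC 4616): [authzid] NUL authcid NUL passwd.
    Base64 is an encoding, not protection: whoever has the bytes has the password."""
    raw = base64.b64decode(b64_response, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN message needs exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and password must be non-empty")
    return {"authzid": authzid, "authcid": authcid, "password": passwd}

def recover_plain_credentials(session):
    """Return the PLAIN credentials an eavesdropper could read from a captured
    session, or None if the client switched to TLS before authenticating."""
    awaiting_response = False
    for line in session:
        side, _, payload = line.partition(": ")
        if side != "C":
            continue
        tokens = payload.split()
        if awaiting_response:            # line after the server's "+ " challenge
            return parse_sasl_plain(tokens[0])
        if len(tokens) >= 2 and tokens[1].upper() == "STARTTLS":
            return None                  # rest of the capture is ciphertext
        if [t.upper() for t in tokens[1:3]] == ["AUTHENTICATE", "PLAIN"]:
            if len(tokens) == 4:         # SASL-IR: initial response on same line
                return parse_sasl_plain(tokens[3])
            awaiting_response = True
    return None
```

The same decode works against any PLAIN exchange captured before TLS, which is why the post's option 1 only makes sense as PLAIN-over-TLS, and why GSSAPI never puts the password on the wire at all.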