phr2101 at columbia.edu
Tue Apr 5 12:50:14 EDT 2005
I have a question about the
--with-auth=unix method for authorization.
I would assume that a user would only be authorized to access mailboxes
that the user has rights to if the user has a unix account in the first
e.g. If there are 2 mailboxes 'box1' with acls 'testuser lrswipcda'
and mailbox 'box2' with acls 'anyone lrswipcda'.
If testuser has no unix account I would not expect him to see box1
(since no unix account == no authorization), but be able to see box2
From my testing, these does not seem to be the case.
testuser has no unix account but can still access all mailboxes that
have a acl with his name.
It appears that --with-auth=unix is good for doing authorization with
in the code I would have assumed if ( from auth_unix.c, method struct
auth_state *auth_newstate(const char *identifier) )
getpwnam(identifier) returned null (the unix account does not exist)
then *newstate should remain null, and the login would only be
authorized for anyone, anonymous acl stuff
I have read a bunch of post about doing ldap filters with saslauthd or
pam_ldap to control who has access, but I'd prefer using the
--with-auth mechanism for various reasons (one of which is we prefer
running salsauthd -a kerberos5)
Is the behavior I see from -with-auth=unix the intended and desired
does -with-auth-pts with -with-pts=ldap behave the same as
--with-auth=unix? i.e. If user can login he is authorized to view his
own mailbox regardless of wether he exist according to the
or if there is no user matching user in ldap, will it fail and not let
them login (acceptable for our use)?
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
More information about the Info-cyrus