IMAP auths even without valid mailboxes.

Scott Balmos sbalmos at members.simunex.com
Mon Apr 4 11:39:45 EDT 2005


I completely forget where I originally got this. I'm pretty sure it was
after some annoying late-night Googling. This is supposedly referenced in
one of the pam_ldap mailing list archive posts... somewhere, in some
galaxy, at some time. :)

(random FYI, objectClass hostObject, below, is if you were using
host-based checking in pam_ldap. Don't ask me where the host attribute is,
though... I think cosine)

[sbalmos at flyingpig /usr/local/etc/openldap/schema] > more ldapns.schema
# $Id: ldapns.schema,v 1.3 2003/05/29 12:57:29 lukeh Exp $

# LDAP Name Service Additional Schema

# http://www.iana.org/assignments/gssapi-service-names

attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
        DESC 'IANA GSS-API authorized service name'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
        DESC 'Auxiliary object class for adding authorizedService attribute'
        SUP top
        AUXILIARY
        MAY authorizedService )

objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
        DESC 'Auxiliary object class for adding host attribute'
        SUP top
        AUXILIARY
        MAY host )

> Scott,
>
> I was just browsing my LDAP schema. Where should I find
> authorizedService?
>
> --Ez
>
> On Mon, 2005-04-04 at 09:33, Scott Balmos wrote:
>> Use pam_ldap in conjunction with the pam_check_service_attr option in
>> its config file. Then add authorizedService attributes for every PAM
>> service you want. Cyrus can get especially fine-grained, because it has
>> four separate PAM services (one each for POP3, IMAP, NNTP, and Sieve).
>> See below for a section of my account LDIF. Note that SASL does not
>> append "d" to its service entries, like you think it would. That screwed
>> me over the first time I tried to get this setup going.
>>
>> authorizedService: sshd
>> authorizedService: ftpd
>> authorizedService: imap
>> authorizedService: pop
>> authorizedService: nntp
>> authorizedService: smtp
>> authorizedService: sieve
>>
>> --Scott
>>

<snip>

-- 
Scott Balmos
President - SimuNex, Ltd.
sbalmos at members.simunex.com
http://www.simunex.com


---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
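
An added example (not from the original post or from pam_ldap) that audits account entries for the setup described in the quoted reply: it checks for the authorizedServiceObject class from ldapns.schema, compares authorizedService values case-insensitively as the schema's caseIgnoreMatch rule specifies, and flags values such as "imapd" that carry the trailing "d" the post warns about. The LDIF, DNs and function names are constructed for illustration, and the parser handles only simple, unfolded LDIF.

```python
# Cyrus/SASL PAM service names as given in the post (no trailing "d").
CYRUS_SERVICES = {"imap", "pop", "nntp", "sieve"}

# Constructed sample LDIF; DNs and uids are placeholders.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: posixAccount
objectClass: authorizedServiceObject
authorizedService: sshd
authorizedService: IMAP
authorizedService: sieve

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: posixAccount
objectClass: authorizedServiceObject
authorizedService: imapd

dn: uid=carol,ou=people,dc=example,dc=org
objectClass: posixAccount
"""

def parse_ldif(text):
    """Parse simple LDIF (no line folding, no base64) into attr -> values dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def is_authorized(entry, service):
    """Compare case-insensitively, matching the schema's caseIgnoreMatch rule."""
    return service.lower() in {v.lower() for v in entry.get("authorizedservice", [])}

def audit(entry):
    """Return findings about how the entry's authorizedService data is set up."""
    findings = []
    if "authorizedserviceobject" not in {c.lower() for c in entry.get("objectclass", [])}:
        findings.append("missing objectClass authorizedServiceObject")
    services = [v.lower() for v in entry.get("authorizedservice", [])]
    if not services:
        findings.append("no authorizedService values")
    for s in services:
        if s.endswith("d") and s[:-1] in CYRUS_SERVICES:
            findings.append(f"'{s}' does not match Cyrus service name '{s[:-1]}'")
    return findings
```
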



