IMAP auths even without valid mailboxes.

Scott Balmos sbalmos at
Mon Apr 4 10:33:43 EDT 2005

Use pam_ldap in conjunction with the pam_check_service_attr option in 
its config file. Then add authorizedService attributes for every PAM 
service you want. Cyrus can get especially fine-grained, because it has 
four separate PAM services (one each for POP3, IMAP, NNTP, and Sieve). 
See below for a section of my account LDIF. Note that SASL does not 
append "d" to its service entries, like you think it would. That screwed 
me over the first time I tried to get this setup going.

authorizedService: sshd
authorizedService: ftpd
authorizedService: imap
authorizedService: pop
authorizedService: nntp
authorizedService: smtp
authorizedService: sieve


Ezsra McDonald wrote:

>My current system is SuSE 8.1. This version of saslauthd was not
>compiled with LDAP support. It currently hands off authentication to
>pam_ldap. I have looked for the cyrus_sasl src RPM for the version I am
>running. I would rebuild it but apparently it is not available. It looks
>like I will have to hack a later RPM and see if I can get it to work on
>SuSE 8.1.
>Does anyone know how to give pam_ldap a filter to use? That would be my
>quickest fix. I will be investigating that now.
>On Sun, 2005-04-03 at 14:07, Ondřej Surý wrote:
>>It's not a task for the IMAP server, but for the SASL auth daemon.  You have to
>>construct the LDAP query in sasl so it allows only users which have mail to
>>log in.  Either create some special flag in LDAP.
>>F.E.: "ldap_filter: (&(uid=%u)(allowCyrusLogin=true))" or something
>>On Fri, 2005-04-01 at 13:02 -0800, Ezsra McDonald wrote:
>>>Is there a setting to tell IMAP not to allow
>>>authenticated users who don't have cyrus accounts?
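
A check that follows from the advice in this message, as an added example that is not part of the original post: a Python audit of an LDIF export that lists which accounts carry the authorizedService value for a given PAM service and flags values such as "imapd" that match no service name. The known-service set is copied from the sample LDIF above, exact string matching is an assumption of this script, and the sample entries are constructed.

```python
import base64

# Assumption: PAM service names in use, copied from the sample LDIF in the post.
KNOWN_SERVICES = {"sshd", "ftpd", "imap", "pop", "nntp", "smtp", "sieve"}

def parse_ldif(text):
    """Yield one {attr: [values]} dict per entry (handles folding and base64)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # folded continuation line
        elif not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if line.strip():
            attr, _, value = line.partition(":")
            if value.startswith(":"):         # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        elif entry:
            yield entry
            entry = {}

def audit(text, service="imap"):
    """Return (allowed uids, denied uids, {uid: unrecognised service values})."""
    allowed, denied, suspect = [], [], {}
    for entry in (e for e in parse_ldif(text) if "uid" in e):  # user accounts only
        uid = entry["uid"][0]
        services = set(entry.get("authorizedservice", []))
        (allowed if service in services else denied).append(uid)
        unknown = sorted(services - KNOWN_SERVICES)
        if unknown:                           # e.g. "imapd" where "imap" was meant
            suspect[uid] = unknown
    return allowed, denied, suspect

# Constructed sample export; users and DNs are made up for illustration.
SAMPLE = """\
dn: uid=alice,ou=People,
 dc=example,dc=com
uid: alice
authorizedService: imap

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
authorizedService: imapd
authorizedService:: cG9w
"""
```

Calling `audit(SAMPLE)` reports bob as denied for `imap` and lists his `imapd` value as unrecognised, which is the naming mistake described in the message.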
