Saslauthd and 2 authentication mechanism

Andrew Morgan morgan at orst.edu
Fri Jul 1 12:50:26 EDT 2005


On Fri, 1 Jul 2005, Igor Brezac wrote:

>> Saslauthd with pam seems to be the more-stable and flexible alternative.
>
> It is more flexible, but not more stable (see archives), performance is 
> suspect as well.
>
>> 
>> Is it possible in pam to use more than one module?
>
> Yes.

Here is what my /etc/pam.d/imap file contains:

auth    sufficient      pam_unix.so
auth    required        pam_ldap.so

account sufficient      pam_unix.so
account required        pam_ldap.so


Also, I would recommend running saslauthd as:

saslauthd -n0 -a pam


The -n0 tells saslauthd to fork a new process for each authentication 
request.  This prevents memory leaks in the pam libraries from accumulating 
in saslauthd, although it does add some more overhead to the 
authentication process.  We haven't noticed any performance problems here. 
I'm sure straight ldap (non-pam) is faster, but not enough to make a 
difference for us.

 	Andy
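
The following is an added example, not part of the original message or of the Cyrus or PAM code. It models how the control flags in the /etc/pam.d/imap stack quoted above decide a login. The module outcomes are constructed inputs and the evaluator is a simplified model of Linux-PAM's sufficient/required/requisite/optional semantics.

```python
# Added illustration: a simplified model of Linux-PAM control flags,
# not PAM's own code. STACK is the /etc/pam.d/imap content from the message.
STACK = """\
auth    sufficient      pam_unix.so
auth    required        pam_ldap.so

account sufficient      pam_unix.so
account required        pam_ldap.so
"""

def parse(text):
    """Return {module_type: [(control, module), ...]} in file order."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            mtype, control, module = line.split()[:3]
            stacks.setdefault(mtype, []).append((control, module))
    return stacks

def evaluate(stack, results):
    """results: module -> True/False (constructed outcomes, no real PAM calls).
    Returns (granted, modules_consulted)."""
    failed = succeeded = False
    consulted = []
    for control, module in stack:
        ok = results[module]
        consulted.append(module)
        if control == "sufficient" and ok and not failed:
            return True, consulted          # stack stops; later modules skipped
        if control in ("required", "requisite") and not ok:
            failed = True                   # failure is remembered to the end
            if control == "requisite":
                return False, consulted     # requisite aborts immediately
        elif ok:
            succeeded = True                # a failed sufficient/optional is ignored
    return succeeded and not failed, consulted

if __name__ == "__main__":
    auth = parse(STACK)["auth"]
    cases = {  # constructed scenarios
        "local account, correct password": {"pam_unix.so": True, "pam_ldap.so": False},
        "LDAP-only account, correct password": {"pam_unix.so": False, "pam_ldap.so": True},
        "wrong password everywhere": {"pam_unix.so": False, "pam_ldap.so": False},
    }
    for name, results in cases.items():
        print(name, "->", evaluate(auth, results))
```

In this model a login that pam_unix accepts never reaches pam_ldap, while every LDAP-only or failed login passes through both modules.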
More information about the Info-cyrus mailing list