How to restrict pop/imap access by user/group names

Kjetil Torgrim Homme kjetilho at ifi.uio.no
Tue Aug 15 20:06:36 EDT 2006


On Wed, 2006-08-16 at 01:21 +0200, former03 | Baltasar Cevc wrote:
> On 15.08.2006, at 19:11, Kai Wang wrote:
> > Currently we use one 
> > imapd.conf file. We configured cyrus -> saslauthd -> pam -> (cas) ldap 
> > to do authentication. We want to use pam.cas but haven't tested it 
> > yet.
>
> Using that setup I don't think you can achieve what you want. You need 
> some point where you can fetch that information and saslauthd is a 
> single instance which will always produce the same SASL result for the 
> same user/password combination. Even if you could work around that 
> (using multiple instances), you'd have to configure different PAM 
> services to pass on the information.

PAM would be difficult, yes.

> So the way you should go is to check whether the ldap auxprop plugin 
> gives you some mechanism to restrict answers.

you don't need auxprop, saslauthd has built in LDAP support which is
good enough.  one of the parameters for SASL is service, which is one of
"imap", "pop", "news", "lmtp" etc.  this means you can use a filter
like:

        ldap_filter: (&(uid=%u)(access=%s))

in this example, the access attribute should be multivalued to handle
those who should be allowed access to several services.

the available escapes in ldap_filter are:

 * Parts with the strings provided.
 *   %%   = %
 *   %u   = user
 *   %U   = user part of %u
 *   %d   = domain part of %u if available, otherwise same as %r
 *   %1-9 = domain if not available realm, token
 *          (%1 = tld, %2 = domain when %r = domain.tld)
 *   %s   = service
 *   %r   = realm
 *   %R   = prepend '@' to realm
 *   %D   = user DN

-- 
Kjetil T.
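As an added illustration (not code from the post, from Cyrus or from saslauthd), the following Python expands the `ldap_filter` tokens listed above and evaluates the resulting filter against a small constructed directory, so you can see how the same user is accepted for one service and rejected for another. The directory entries, the `service_allowed` helper, and the restriction to conjunctive equality filters are assumptions of this example; the escaping of substituted values follows RFC 4515 and is this example's own practice, and `%D` is left unexpanded because it needs a prior DN lookup.

```python
import re

# Constructed sample directory, not taken from the post: each entry carries a
# multivalued "access" attribute naming the services the user may log in to.
DIRECTORY = [
    {"uid": ["alice"], "access": ["imap", "pop"]},
    {"uid": ["bob"],   "access": ["pop"]},
    {"uid": ["carol"], "access": []},
]

# The filter from the post: service comes in via %s, the user via %u.
FILTER = "(&(uid=%u)(access=%s))"

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_escape(value):
    """Escape a substituted value so it is matched literally by the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, user, service, realm=""):
    """Expand %%, %u, %U, %d, %1-9, %s, %r and %R as described in the post.

    %d falls back to the realm when the user carries no domain; %1 is the
    top-level label of that domain, %2 the next one, and so on.
    """
    userpart, _, domain = user.partition("@")
    if not domain:
        domain = realm
    labels = domain.split(".") if domain else []

    def repl(match):
        tok = match.group(1)
        if tok == "%":
            return "%"
        if tok == "u":
            return ldap_escape(user)
        if tok == "U":
            return ldap_escape(userpart)
        if tok == "d":
            return ldap_escape(domain)
        if tok == "s":
            return ldap_escape(service)
        if tok == "r":
            return ldap_escape(realm)
        if tok == "R":
            return "@" + ldap_escape(realm) if realm else ""
        n = int(tok)  # %1-9: count labels from the right (tld first)
        return ldap_escape(labels[-n]) if n <= len(labels) else ""

    return re.sub(r"%([%uUdsrR1-9])", repl, template)


def service_allowed(user, service, directory=DIRECTORY):
    """Evaluate the expanded filter against the constructed directory.

    Only the shape used here, a conjunction of equality assertions, is
    supported: every (attr=value) term must match some value of the entry.
    """
    expanded = expand_filter(FILTER, user, service)
    terms = re.findall(r"\((\w+)=([^()]*)\)", expanded)
    return any(
        all(value in entry.get(attr, []) for attr, value in terms)
        for entry in directory
    )


if __name__ == "__main__":
    for user, service in [("alice", "imap"), ("bob", "imap"), ("bob", "pop")]:
        print(user, service, expand_filter(FILTER, user, service),
              "allowed" if service_allowed(user, service) else "denied")
```

The `%s` value is whatever service name the calling daemon hands to saslauthd, so a user whose `access` attribute lists only `pop` is turned away by the same filter when the IMAP server asks; a user listed for several services simply carries several `access` values.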