Failing to authenticate on the frontends

Andrew Morgan morgan at orst.edu
Thu Oct 5 13:52:22 EDT 2006


On Thu, 5 Oct 2006, Jesus Roncero wrote:

> Michael Loftis wrote:
>
>>>> Authentication of the user happens at the frontend.  The frontend then
>>>> uses  the proxy credentials to authorize as the user on the backend.
>>>> The backends  don't need a full user database, just the proxy
>>>> information.
>>> 
>>> Yes and no.  If an IMAP client support referrals, the frontends will
>>> return a referral to the appropriate backend.  So, the client may connect
>>> to the backend as well in some cases.
>> 
>> Oops, I forgot about that detail.  We locally patched referrals out of our 
>> IMAP proxies.
>
> Umm, isn't there an option on the configuration to disable referrals? If not, 
> do you have that patch available?

I've attached the patch to this message.  We use it with Cyrus v2.2.12 
here.  I don't know if it works or applies cleanly to v2.3.x.

 	Andy
-------------- next part --------------
--- cyrus-imapd-2.2.10.dist/imap/proxyd.c	2004-11-23 09:40:15.000000000 -0800
+++ cyrus-imapd-2.2.10/imap/proxyd.c	2005-01-14 12:50:11.965210408 -0800
@@ -1227,7 +1227,7 @@
     
     /* Cleanup Globals */
     proxyd_cmdcnt = 0;
-    disable_referrals = 0;
+    disable_referrals = config_getswitch(IMAPOPT_PROXYD_DISABLE_MAILBOX_REFERRALS);
     supports_referrals = 0;
     proxyd_userisadmin = 0;
     proxyd_starttls_done = 0;
@@ -2823,6 +2823,10 @@
     prot_printf(proxyd_out, "* CAPABILITY ");
     prot_printf(proxyd_out, CAPABILITY_STRING);
 
+    if (config_getswitch(IMAPOPT_PROXYD_DISABLE_MAILBOX_REFERRALS) == 0) {
+      prot_printf(proxyd_out, " MAILBOX-REFERRALS");
+    }
+		
     if (config_getint(IMAPOPT_IMAPIDLEPOLL) > 0) {
 	prot_printf(proxyd_out, " IDLE");
     }
diff -r -u cyrus-imapd-2.2.10.dist/imap/version.h cyrus-imapd-2.2.10/imap/version.h
--- cyrus-imapd-2.2.10.dist/imap/version.h	2004-11-23 09:52:52.000000000 -0800
+++ cyrus-imapd-2.2.10/imap/version.h	2005-01-14 12:46:38.391024296 -0800
@@ -55,7 +55,7 @@
 
 /* CAPABILITIES are now defined here, not including sasl ones */
 #define CAPABILITY_STRING "IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ " \
-	"MAILBOX-REFERRALS NAMESPACE UIDPLUS ID " \
+	"NAMESPACE UIDPLUS ID " \
 	"NO_ATOMIC_RENAME UNSELECT " \
 	"CHILDREN MULTIAPPEND BINARY " \
 	"SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES " \
diff -r -u cyrus-imapd-2.2.10.dist/lib/imapoptions cyrus-imapd-2.2.10/lib/imapoptions
--- cyrus-imapd-2.2.10.dist/lib/imapoptions	2004-07-21 12:07:45.000000000 -0700
+++ cyrus-imapd-2.2.10/lib/imapoptions	2005-01-14 12:47:41.125560426 -0800
@@ -630,6 +630,10 @@
    connections that these referrals would cause, thus resulting in a higher
    authentication load on the respective backend server. */
 
+{ "proxyd_disable_mailbox_referrals", 0, SWITCH }
+/* Set to true to disable the use of mailbox-referrals on the
+   proxy servers.*/
+
 { "proxyservers", NULL, STRING }
 /* A list of users and groups that are allowed to proxy for other
    users, seperated by spaces.  Any user listed in this will be


More information about the Info-cyrus mailing list