Cyrus imap, saslauthd and case sensitive gssapi realm

Anthony Brock brocka at sterlingcgi.com
Fri Feb 2 02:19:05 EST 2007


I'm attempting to upgrade an older Cyrus IMAP server (using virtual domains)
from 2.1 to 2.2. The new server is running Debian Etch with the
cyrus-imapd-2.2 packages (currently version 2.2.13-10). While most of the
upgrade has gone relatively smoothly, I'm having problems with
authentication.

Previously, I was using saslauthd against an sasldb2 database. This worked
well, but I would like to migrate from this to our Kerberos 5 infrastructure
(multiple domains with cross-domain authentication working). Unfortunately,
it appears there isn't any means to force an upper-case realm for logins. In
fact, the only way I can get everything working seems to be with the
following configuration:

lmtp_downcase_rcpt: yes
username_tolower: no
loginrealms: <DOMAIN1.COM> <DOMAIN2.COM> <DOMAIN3.COM> <DOMAIN4.COM> <DOMAIN5.COM> <DOMAIN6.COM>
virtdomains: userid
sasl_pwcheck_method: saslauthd

In this configuration, I can authenticate IF I provide a username such as
my.name at DOMAIN1.COM. However, it fails if I try to use my.name at domain1.com.
Even worse, I have some customers using My.Name at domain1.com for their login.
Because of this, I would like to enable the 'username_tolower' option, but
this ALSO lowers the case of the realm!

Any suggestions on how to get IMAP working for virtual domains against
multiple Kerberos domains? Ideally, there should be an option such as
'realmname_toupper' that could be combined with 'username_tolower' to
resolve the entire case issue! Does such an option exist?

Is there a recommended solution? Ideas?

Tony
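
The case problem described in the message above, as an added Python model; it is not part of the original post and is not Cyrus or SASL code. The policy function names, the two-entry realm set and the sample logins are constructed for illustration (the archive renders "@" as " at "), and `lower_user_upper_realm` models the hypothetical 'realmname_toupper' behaviour the post asks about.

```python
# Added illustration: models the behaviour described in the post, not Cyrus source.

# Constructed placeholder realms, mirroring the loginrealms line in the post.
LOGIN_REALMS = {"DOMAIN1.COM", "DOMAIN2.COM"}

# Constructed sample logins: the three spellings mentioned in the post.
SAMPLE_LOGINS = ["my.name@DOMAIN1.COM", "my.name@domain1.com", "My.Name@domain1.com"]


def as_typed(login):
    """username_tolower: no. The login reaches the realm check unchanged."""
    return login


def tolower_all(login):
    """username_tolower: yes, as the post reports it: the realm is lowered too."""
    return login.lower()


def lower_user_upper_realm(login):
    """Hypothetical 'realmname_toupper' combined with 'username_tolower'."""
    user, sep, realm = login.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError("expected user@realm")
    return user.lower() + "@" + realm.upper()


def realm_accepted(principal):
    """Case-sensitive realm comparison, matching the failure the post describes."""
    _, sep, realm = principal.rpartition("@")
    return bool(sep) and realm in LOGIN_REALMS


POLICIES = {
    "as_typed": as_typed,
    "tolower_all": tolower_all,
    "lower_user_upper_realm": lower_user_upper_realm,
}


def compare(logins):
    """Return {login: {policy: (principal, accepted)}} for every policy."""
    return {
        login: {name: (fn(login), realm_accepted(fn(login))) for name, fn in POLICIES.items()}
        for login in logins
    }


if __name__ == "__main__":
    for login, rows in compare(SAMPLE_LOGINS).items():
        for name, (principal, ok) in rows.items():
            print(f"{login:22} {name:24} {principal:22} {'ok' if ok else 'rejected'}")
```

Only the third policy maps all three spellings to the same principal with a realm that passes the case-sensitive check.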


