Basic question

Dan White dwhite at olp.net
Wed Dec 31 10:23:32 EST 2008


Jason Voorhees wrote:
> Hi there:
>
> I'm planning to use Cyrus IMAP and OpenLDAP to authenticate users.
> Long time ago I used to configure Cyrus IMAP + Cyrus SASL using
> saslauthd with pam module. It was something simple.
>
> Then I used to configure Cyrus IMAP + Cyrus SASL using saslauthd with
> ldap module and /etc/saslauthd.conf without problems. That's fine.
>
>
> Now I would like to use Cyrus IMAP with OpenLDAP too, but I found that
> there are at least 2 ways:
>
> 1. Use Cyrus SASL with auxprop to authenticate users through LDAP using
> auxprop_plugin: ldapdb, sasl_ldap_servers among other sasl_* directives.
> Right?
>
> 2. The other way is to use ldap_* directives like ldap_uri, ldap_filter
> among others. But I believe that I would need to use 'pts' module in
> auth_mech directive, right?
>
> The question is: What are pts, unix, krb and krb5 modules used for?
> What's the difference between them? Should I use pts module to make
> Cyrus talk directly to OpenLDAP...? Or should I use Cyrus SASL with
> auxprop plugin to make the authentication to OpenLDAP?
>
> Is there a place where I can get some clear information about these
> items? Man pages are not too clear :S
>
> Thanks people :)
>   

Jason,

Available documentation that I'm aware of includes:

/doc/options.html (within the cyrus-sasl source) which documents how to 
configure the ldapdb auxprop plugin

/saslauthd/LDAP_SASLAUTHD (within the cyrus-sasl source) which discusses 
how to configure the ldap saslauthd backend

/doc/overview.html (within the cyrus-imap source), in the 'Kerberos vs. 
Unix Authorization' section, which discusses authorization.

As I understand it, the ldapdb auxprop plugin is entirely within the 
realm of cyrus sasl (authentication), and the auth_mech directive in 
imapd.conf is cyrus imapd specific, and only handles authorization.

The auth_mech options (pts, unix, krb and krb5) direct how cyrus imapd 
authorizes users to access mailboxes/resources *after* they have been 
authenticated. The kerberos options direct imapd to perform some 
canonicalization of the authenticating user before opening their mailbox 
- so if a user connects as jsmith at EXAMPLE.COM, the kerberos options 
could canonicalize that to 'jsmith', so that the server can open the 
'jsmith' mailbox instead of searching for a 'jsmith at EXAMPLE.COM' mailbox.

The unix and pts options should only come into play if you have 
specified a 'group:staff' style ACL for your mailboxes. It tells the 
imapd server how to resolve group membership to grant access to the 
mailbox. The 'unix' option will perform a unix getgrent call, or 
something like that, to determine if a user belongs to a group - using 
nss for instance, which in turn can use the nss-ldap or nss-mysql 
modules to look up groups. However, that's pretty slow in my experience 
and you'd need to make sure you're properly optimizing your LDAP database.

The pts route can be used to reference an LDAP server directly to 
resolve group membership within an LDAP database.

- Dan
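To make the two layers Dan describes concrete, here is an added imapd.conf fragment (not from the original thread or the Cyrus project's own docs) that handles authentication with the ldapdb auxprop plugin and authorization of 'group:' ACL entries with the pts ldap module. The host names, bind DNs, passwords and group name are placeholders; the ldap_* and sasl_ldapdb_* keys are as documented in imapd.conf(5) and the SASL options.html for the 2.3 era, so check them against the man page of the version you run.

```conf
# ---- Layer 1: AUTHENTICATION (Cyrus SASL, ldapdb auxprop plugin) ----
# imapd hands the credentials to SASL. ldapdb does a SASL bind to the
# directory as a proxy identity (sasl_ldapdb_id) and proxy-authorizes
# as the connecting user, so no saslauthd is needed. The proxy entry
# must be allowed to authorize as users (authzTo in OpenLDAP).
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_mech_list: PLAIN LOGIN
# placeholder directory host and proxy credentials
sasl_ldapdb_uri: ldap://ldap.example.com
sasl_ldapdb_mech: DIGEST-MD5
sasl_ldapdb_id: cyrus-proxy
sasl_ldapdb_pw: PLACEHOLDER_PROXY_PASSWORD

# ---- Layer 2: AUTHORIZATION (imapd itself, only after layer 1 passed) ----
# auth_mech chooses how imapd resolves 'group:name' entries in an ACL.
# With pts + ldap, ptloader asks the directory who belongs to the group.
auth_mech: pts
pts_module: ldap
ldap_uri: ldap://ldap.example.com
# read-only bind used by ptloader (placeholder DN and password)
ldap_bind_dn: cn=cyrus-reader,dc=example,dc=com
ldap_password: PLACEHOLDER_BIND_PASSWORD
# how to find the user entry (%u = login name after canonicalization)
ldap_base: ou=people,dc=example,dc=com
ldap_filter: (uid=%u)
# how to find the group entry and test membership (%D = user's DN)
ldap_group_base: ou=groups,dc=example,dc=com
ldap_group_filter: (cn=%u)
ldap_member_method: filter
ldap_member_filter: (member=%D)

# The group lookup above is only exercised by an ACL such as this one,
# set from cyradm on a shared mailbox (placeholder names):
#   sam shared.projects group:staff lrsp
# A user who authenticated in layer 1 but is not a 'member' of
# cn=staff,ou=groups,... is still denied access to shared.projects.
```

Because the two layers are independent, a mistake in the ldap_* block only affects group ACL resolution, while a mistake in the sasl_ldapdb_* block prevents every login.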

