Cyradm Tool Authentication Question (PAM vs. Sasldb2)

Andrew Morgan morgan at orst.edu
Wed Feb 6 13:13:09 EST 2008


On Wed, 6 Feb 2008, Walton, Bryan wrote:

> I'm running Cyrus IMAP 2.2.13.  In my imapd.conf, I've set the line:
> sasl_pwcheck_method: saslauthd
>
> I've configured saslauthd with:
> MECHANISMS="pam"
>
> And I've configured pam to work with my LDAP servers.  This all seems to 
> work great for user authentication to IMAP accounts, and I'm happy with 
> that.
>
> I've read in other places online that when using the cyradm tool (as 
> user cyrus), that when prompted for the IMAP password, this will only 
> authenticate against the SASL database, in spite of my configuration 
> settings above.  Is this correct?  I ask because it doesn't seem so in 
> practice. I've created a password entry in sasldb2 for the user 
> cyrus, using saslpasswd2.  However, if I become the cyrus user and then 
> issue the following command:
>
> cyradm --user cyrus localhost
>
> my authentication fails.  My logs report that my LDAP directory didn't 
> find a cyrus user (which is true of course, because I haven't yet 
> created one in LDAP).
>
> So, in sum, is it possible to configure my IMAP server as I have done, 
> yet still have cyradm only authenticate via a local password stored in 
> sasldb2?  If I have to create a cyrus user in my LDAP directory, I can. 
> But I would prefer not.

cyradm still connects to the same IMAP server, so the IMAP server is still 
going to authenticate against saslauthd.

I use a similar setup here with saslauthd and pam_ldap.  However, I 
modified my /etc/pam.d/imap file to include pam_unix as well.  This allows 
me to authenticate as the cyrus user (a local system user in /etc/passwd). 
It also allows me to create various service accounts for Cyrus (for use in 
LMTP auth and Murder) without polluting the LDAP namespace.

Andy
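The kind of /etc/pam.d/imap stack Andy describes, written out as an added illustration (this is not his actual file, and the module ordering and control flags are assumptions): saslauthd started with MECHANISMS="pam" asks PAM for the service name the IMAP server passes, which for Cyrus imapd is "imap", so this file decides whether a local /etc/passwd account such as cyrus or an LDAP account is accepted.

```text
# /etc/pam.d/imap  (constructed example)
#
# auth: try the local shadow database first, then LDAP.
# "sufficient" means a success ends the stack immediately; a failure
# just falls through to the next line. pam_deny at the end makes the
# default outcome a refusal if neither backend accepted the password.
auth     sufficient  pam_unix.so
auth     sufficient  pam_ldap.so  use_first_pass
auth     required    pam_deny.so

# account: consult both sources so that a locked or expired account
# is refused no matter which backend authenticated it.
account  sufficient  pam_unix.so
account  sufficient  pam_ldap.so
account  required    pam_deny.so
```

Two points worth checking before relying on this. First, the stack can be exercised without touching the IMAP server at all with the cyrus-sasl tool `testsaslauthd -u cyrus -p '<password>' -s imap`, which reports "OK" or "NO" straight from saslauthd. Second, pam_unix marked `sufficient` means every local system account that has a password can now log in over IMAP, not just cyrus; if that is wider than intended, add a `pam_listfile.so` line (or a group check) ahead of it so only the accounts meant for Cyrus service use are allowed through the local branch.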
