Cyradm Tool Authentication Question (PAM vs. Sasldb2)
Andrew Morgan
morgan at orst.edu
Wed Feb 6 13:13:09 EST 2008
On Wed, 6 Feb 2008, Walton, Bryan wrote:
> I'm running Cyrus IMAP 2.2.13. In my imapd.conf, I've set the line:
> sasl_pwcheck_method: saslauthd
>
> I've configured saslauthd with:
> MECHANISMS="pam"
>
> And I've configured pam to work with my LDAP servers. This all seems to
> work great for user authentication to IMAP accounts, and I'm happy with
> that.
>
> I've read in other places online that when using the cyradm tool (as
> user cyrus), that when prompted for the IMAP password, this will only
> authenticate against the SASL database, in spite of my configuration
> settings above. Is this correct? I ask because it doesn't seem so in
> practice. I've created a password entry in sasldb2 for the user
> cyrus, using saslpasswd2. However, if I become the cyrus user and then
> issue the following command:
>
> cyradm --user cyrus localhost
>
> my authentication fails. My logs report that my LDAP directory didn't
> find a cyrus user (which is true of course, because I haven't yet
> created one in LDAP).
>
> So, in sum, is it possible to configure my IMAP server as I have done,
> yet still have cyradm only authenticate via a local password stored in
> sasldb2? If I have to create a cyrus user in my LDAP directory, I can.
> But I would prefer not.
cyradm still connects to the same IMAP server, so the IMAP server is still
going to authenticate against saslauthd.
I use a similar setup here with saslauthd and pam_ldap. However, I
modified my /etc/pam.d/imap file to include pam_unix as well. This allows
me to authenticate as the cyrus user (a local system user in /etc/passwd).
It also allows me to create various service accounts for Cyrus (for use in
LMTP auth and Murder) without polluting the LDAP namespace.
Andy
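For readers who want to see what the stacking Andy describes looks like, here is an added example of a Linux-PAM service file for the `imap` service that lets saslauthd accept both local system users (pam_unix) and LDAP users (pam_ldap). It is constructed for this archive page and is not Andy's actual file; the path /etc/pam.d/imap is the one his message names, and the module names and control flags are standard Linux-PAM usage, not copied from any real deployment.

```pam
# /etc/pam.d/imap -- constructed example, not the poster's own file.
# saslauthd (MECHANISMS="pam") consults this service for every IMAP login.
#
# auth: try the local password database first; "sufficient" means a local
# match (e.g. the cyrus admin user in /etc/passwd) succeeds immediately,
# while a local miss falls through to LDAP instead of failing outright.
auth     sufficient   pam_unix.so
# use_first_pass reuses the password saslauthd already supplied, so the
# LDAP module never tries to re-prompt through the conversation function.
auth     required     pam_ldap.so   use_first_pass

# account: the same order, so a local service account does not need an
# LDAP entry to pass the account-validity check.
account  sufficient   pam_unix.so
account  required     pam_ldap.so
```

Two practical notes: saslauthd needs to be able to verify /etc/shadow entries, which in practice means running it as root (its usual default) or otherwise granting it shadow access, since pam_unix's helper only checks passwords on behalf of root or for the calling user itself; and because pam_unix is `sufficient`, a local account shadows an LDAP account of the same name, so keep the local service accounts (cyrus, LMTP and Murder users) to names that never appear in the directory. The stack can be exercised without touching the IMAP server at all with cyrus-sasl's own checker, `testsaslauthd -u cyrus -p 'password'`, which should report OK once the local entry resolves and still pass for an LDAP-only user.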