Basic question

Jason Voorhees jvoorhees1 at gmail.com
Mon Jan 5 09:13:09 EST 2009


That was perfect, Thank you very much Dan!

Now I know what configuration is appropriate for me. Bytes!

Dan White wrote:
> Jason Voorhees wrote:
>> Hi there:
>>
>> I'm planning to use Cyrus IMAP and OpenLDAP to authenticate users.
>> Long time ago I used to configure Cyrus IMAP + Cyrus SASL using
>> saslauthd with pam module. It was something simple.
>>
>> Then I used to configure Cyrus IMAP + Cyrus SASL using saslauthd with
>> ldap module and /etc/saslauthd.conf without problems. That's fine.
>>
>>
>> Now I would like to use Cyrus IMAP with OpenLDAP too, but I found that
>> there are at least 2 ways:
>>
>> 1. Use Cyrus SASL with auxprop to authenticate users through LDAP using
>> auxprop_plugin: ldapdb, sasl_ldap_servers among other sasl_* directives.
>> Right?
>>
>> 2. The other way is to use ldap_* directives like ldap_uri, ldap_filter
>> among others. But I believe that I would need to use 'pts' module in
>> auth_mech directive, right?
>>
>> The question is: What are pts, unix, krb and krb5 modules used for?
>> What's the difference between them? Should I use pts module to make
>> Cyrus talk directly to OpenLDAP...? Or should I use Cyrus SASL with
>> auxprop plugin to make the authentication to OpenLDAP?
>>
>> Is there a place where I can get some clear information about these
>> items? Man pages are not too clear :S
>>
>> Thanks people :)
>>   
> 
> Jason,
> 
> Available documentation that I'm aware of includes:
> 
> /doc/options.html (within the cyrus-sasl source) which documents how to
> configure the ldapdb auxprop plugin
> 
> /saslauthd/LDAP_SASLAUTHD (within the cyrus-sasl source) which discusses
> how to configure the ldap saslauthd backend
> 
> /doc/overview.html (within the cyrus-imap source), in the 'Kerberos vs.
> Unix Authorization' section, which discusses authorization.
> 
> As I understand it, the ldapdb auxprop plugin is entirely within the
> realm of cyrus sasl (authentication), and the auth_mech directive in
> imapd.conf is cyrus imapd specific, and only handles authorization.
> 
> The auth_mech options (pts, unix, krb and krb5) direct how cyrus imapd
> authorizes users to access mailboxes/resources *after* they have been
> authenticated. The kerberos options direct imapd to perform some
> canonicalization of the authenticating user before opening their mailbox
> - so if a user connects as jsmith@EXAMPLE.COM, the kerberos options
> could canonicalize that to 'jsmith', so that the server can open the
> 'jsmith' mailbox instead of searching for a 'jsmith@EXAMPLE.COM' mailbox.
> 
> The unix and pts options should only come into play if you have
> specified a 'group:staff' style ACL for your mailboxes. It tells the
> imapd server how to resolve group membership to grant access to the
> mailbox. The 'unix' option will perform a unix getgrent call, or
> something like that, to determine if a user belongs to a group - using
> nss for instance, which in turn can use the nss-ldap or nss-mysql
> modules to lookup groups. However, that's pretty slow in my experience
> and you'd need to make sure you're properly optimizing your LDAP database.
> 
> The pts route can be used to reference an LDAP server directly to
> resolve group membership within an LDAP database.
> 
> - Dan


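The split Dan describes, authentication in Cyrus SASL and authorization in Cyrus IMAP, is easiest to see when both halves sit side by side in one imapd.conf. The fragment below is an added illustration, not configuration posted by anyone in this thread and not taken from the Cyrus documentation. The hostname, DNs, bind identity and password are made up, and the exact set of sasl_ldapdb_* and ldap_* directives, their defaults and their spellings should be checked against doc/options.html in the cyrus-sasl source and imapd.conf(5) for the versions actually installed.

```ini
# Added example imapd.conf fragment (not from the thread). Hostnames, DNs and
# secrets are invented; verify every directive against the installed man pages.

# ---- Layer 1: authentication, handled entirely by Cyrus SASL ----------------
# Everything prefixed sasl_ is passed through to libsasl (the prefix is dropped),
# so sasl_ldapdb_uri becomes the ldapdb plugin's ldapdb_uri option.
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_mech_list: PLAIN LOGIN
sasl_ldapdb_uri: ldap://ldap.example.com
# ldapdb binds once as this identity and then uses SASL proxy authorization to
# act as the user being authenticated; the LDAP server must permit that.
sasl_ldapdb_mech: DIGEST-MD5
sasl_ldapdb_id: cyrus-proxy
sasl_ldapdb_pw: proxy-secret

# ---- Layer 2: authorization, handled by Cyrus IMAP after SASL succeeds -------
# auth_mech only decides how 'group:' ACL entries are resolved. 'unix' would
# ask NSS (getgrent and friends); 'pts' with the ldap module asks LDAP directly
# through ptloader, using its own connection and its own credentials.
auth_mech: pts
pts_module: ldap
ldap_uri: ldap://ldap.example.com
ldap_base: ou=people,dc=example,dc=com
ldap_scope: sub
ldap_bind_dn: cn=cyrus-ptloader,ou=services,dc=example,dc=com
ldap_password: ptloader-secret
ldap_filter: (uid=%u)
# Group membership read from the user's own entry (memberOf-style attribute).
ldap_member_method: attribute
ldap_member_attribute: memberOf
ldap_group_base: ou=groups,dc=example,dc=com
ldap_group_filter: (cn=%u)

# The authorization layer is exercised only by an ACL such as the following,
# set from cyradm (shown here as a comment):
#   setaclmailbox shared.announce group:staff lrs
```

Two practical notes on this arrangement. First, the two layers talk to LDAP independently, so there are two service identities to provision and two cleartext secrets in imapd.conf; keep the file readable only by the cyrus user and give each identity only the read access it needs (the ptloader identity needs nothing beyond the user and group attributes it searches). Second, because ldapdb relies on proxy authorization rather than a bind as the end user, getting the LDAP server's proxy authorization policy right is part of the authentication configuration, not an optional hardening step; if the proxy is not authorized, no user can log in even though the directory itself is fine.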
More information about the Info-cyrus mailing list