disabling usage of realms

Stefan Palme palme at kapott.org
Thu Jan 6 08:22:14 EST 2011

Hi all,

I use cyrus-imapd-2.3.x. User authentication happens via saslauthd,
which in turn uses PAM. The PAM configuration includes a complicated
stack of modules including LDAP, UNIX password files, access control
lists etc. In general this setups works fine.

Up to now all user-ids have the form "username". Now there are some new
user accounts with user-ids like "username at project1".

These user accounts are stored in the LDAP backend (which is transparent
to the IMAP server). Authenticating these users by using PAM-test-tools
works fine.

Cyrus IMAP Server uses saslauthd. With the default configuration,
saslauthd splits the given user-id into "username" and realm "project1".
To disable this, I run saslauthd with "-r", so the username which is
sent to PAM is really "username at project1", which in turn causes user
authentication to work again.

But when I try to login to Cyrus IMAP Server using "username at project1",
I get error messages like "authentication failure: cross-realm login
username at project1 denied".

I think I understand the problem - I should configure "project1" as a
valid "loginrealm" in /etc/imapd.conf. But I don't want this, because I
don't want to modify the IMAP server configuration for each new "project

Is there a way to tell Cyrus IMAP Server to completely skip its "realm
logic", and to treat usernames containing an "@" just like any other
normal username, which includes assuming the "default realm"?

Thanks in advance!

More information about the Info-cyrus mailing list