cyrus-imap authorization confusion
Dan White
dwhite at olp.net
Sat Mar 17 23:06:08 EDT 2012
On 03/15/12 12:10 -0700, Stephen Ingram wrote:
>I see in the documents mention of the four types of authorization
>supported by Cyrus-IMAP. I also see a --with-auth compile option in
>older versions that no longer appear in newer versions. I understand
>that authentication is handled by Cyrus-SASL. Is authorization now
>also handled also by Cyrus-SASL with userid and authid being equal?
I believe the compile time --with-auth option was replaced with the
'auth_mech' runtime (/etc/imapd.conf) option. Also see the
'unix_group_enable' option.
Cyrus SASL will be used to resolve and canonicalize both the userid and
authid, but it's left up to Cyrus IMAPD to:
* figure out who belongs to what group (for group:staff type ACLs), via
the auth_mech configuration
* apply ACLs to determine what rights a user has to access another's
mailbox
* who can act *as* another user, via the 'proxyservers' and 'loginuseacl'
config options.
--
Dan White
More information about the Info-cyrus
mailing list