cyrus-imap authorization confusion

Dan White dwhite at olp.net
Sat Mar 17 23:06:08 EDT 2012


On 03/15/12 12:10 -0700, Stephen Ingram wrote:
>I see in the documents mention of the four types of authorization
>supported by Cyrus-IMAP. I also see a --with-auth compile option in
>older versions that no longer appear in newer versions. I understand
>that authentication is handled by Cyrus-SASL. Is authorization now
>also handled by Cyrus-SASL with userid and authid being equal?

I believe the compile-time --with-auth option was replaced with the
'auth_mech' runtime (/etc/imapd.conf) option. Also see the
'unix_group_enable' option.

Cyrus SASL will be used to resolve and canonicalize both the userid and
authid, but it's left up to Cyrus IMAPD to:

* figure out who belongs to what group (for group:staff type ACLs), via
   the auth_mech configuration
* apply ACLs to determine what rights a user has to access another's
   mailbox
* who can act *as* another user, via the 'proxyservers' and 'loginuseacl'
   config options. 

-- 
Dan White
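
An added example, not part of the original thread and not Cyrus project code: a short Python check that reads an imapd.conf and reports the settings named above that decide authorization. The sample file is constructed; the defaults and the accepted boolean spellings are assumptions based on the imapd.conf(5) man page.

```python
# Added example: summarise the imapd.conf options that govern authorization.
# Assumed defaults (per imapd.conf(5)): auth_mech=unix, unix_group_enable=1,
# proxyservers empty, loginuseacl=0.
DEFAULTS = {"auth_mech": "unix", "unix_group_enable": "1",
            "proxyservers": "", "loginuseacl": "0"}
TRUE = {"1", "yes", "on", "t", "true"}  # assumed boolean spellings

SAMPLE = """\
# constructed sample, not taken from a real server
configdirectory: /var/lib/imap
auth_mech: unix
unix_group_enable: 0
proxyservers: frontend-svc backup-svc
loginuseacl: yes
"""

def parse_imapd_conf(text):
    """Parse 'option: value' lines; blank lines and '#' comments are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().lower()] = value.strip()
    return opts

def review_authorization(text):
    """Return one finding per authorization-relevant setting in effect."""
    conf = dict(DEFAULTS)
    conf.update({k: v for k, v in parse_imapd_conf(text).items() if k in DEFAULTS})
    findings = ["group membership is resolved by auth_mech=" + conf["auth_mech"]]
    if conf["auth_mech"] == "unix" and conf["unix_group_enable"].lower() not in TRUE:
        findings.append("unix_group_enable is off: group: ACL entries are not looked up")
    for ident in conf["proxyservers"].split():
        findings.append("proxyservers: '" + ident + "' may log in as any other user")
    if conf["loginuseacl"].lower() in TRUE:
        findings.append("loginuseacl is on: an identity with the 'a' right on a "
                        "user's INBOX may log in as that user")
    return findings

if __name__ == "__main__":
    for finding in review_authorization(SAMPLE):
        print("-", finding)
```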

