saslauthd cache / cyrus-imap and several passwords per login
Patrick Lamaiziere
patfbsd at davenulle.org
Sat Jan 5 09:19:26 EST 2013
Hello,

We use cyrus-imapd on CentOS 6 at work and I've got the following issue
on authentication:

Users can login via a mailer (imap/pop) or use a webmail (horde). The
webmail uses an SSO-CAS and horde uses a CAS token to log in to
cyrus-imap. As the CAS tokens are one-time tokens they must be
cached by saslauthd.

For this we use PAM with saslauthd and 3 PAM modules. pam_cas checks if
the password is a valid CAS token, then we try ldap and then a local
account.

cyrus-imap -> saslauthd (cache) -> PAM (pam_cas, pam_ldap, pam_unix)

That works fine.

The problem is: when a user uses the webmail and also uses a mailer
(using imap), saslauthd will remove the CAS token previously cached when
the mailer connects. So the webmail is disconnected.

There is a patch to allow saslauthd to cache several passwords for one
login but I would like to avoid this.

As far as I can see, the cache depends on the service used (i.e. if I
connect via pop, the imap password is not cleared from the
saslauthd cache).

So I'm asking if there is a way to introduce another "service" on
cyrus-imap that will be used by the webmail (on another port than 143).
I mean a service in the saslauthd / PAM way (the parameter '-s' in
testsaslauthd: imap, pop, sieve).

I don't know where to start. Is there a way to achieve this?

Thanks, best regards.
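
A simplified model of the behaviour described in this message, added as an example (it is not saslauthd's code and not part of the original post). It assumes the cache holds one password digest per (login, service, realm) and that a CAS ticket validates only once; the service name `imap-webmail`, the user and all credentials are constructed.

```python
import hashlib


class CredCache:
    """Toy credential cache: one slot per (login, service, realm) -- an assumption."""

    def __init__(self):
        self.slots = {}

    def authenticate(self, login, service, realm, password, backend):
        key = (login, service, realm)
        digest = hashlib.sha256(password.encode()).hexdigest()
        if self.slots.get(key) == digest:
            return "cache-hit"          # same credential seen before for this key
        if backend(login, password):
            self.slots[key] = digest    # replaces whatever was cached for this key
            return "backend-ok"
        return "denied"


def make_backend(cas_tickets, ldap_passwords):
    """Stand-in for the PAM stack: a one-time CAS ticket first, then LDAP."""
    def backend(login, password):
        if (login, password) in cas_tickets:
            cas_tickets.discard((login, password))   # ticket is consumed
            return True
        return ldap_passwords.get(login) == password
    return backend


def scenario(webmail_service):
    """Webmail logs in twice, a mailer logs in over imap, webmail reconnects."""
    cache = CredCache()
    backend = make_backend({("alice", "ST-constructed-1")},
                           {"alice": "ldap-secret"})
    steps = [
        (webmail_service, "ST-constructed-1"),   # webmail, first connection
        (webmail_service, "ST-constructed-1"),   # webmail, served from cache
        ("imap", "ldap-secret"),                 # mailer with the LDAP password
        (webmail_service, "ST-constructed-1"),   # webmail reconnects
    ]
    return [cache.authenticate("alice", svc, "", pw, backend)
            for svc, pw in steps]


if __name__ == "__main__":
    print("shared service  :", scenario("imap"))
    print("separate service:", scenario("imap-webmail"))
```

With a shared service name the last webmail connection is denied because the ticket was evicted and cannot be validated again; with a distinct service name it is still a cache hit.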