saslauthd cache / cyrus-imap and several passwords per login

Andrew Morgan morgan at orst.edu
Sun Jan 27 20:03:48 EST 2013


On Sat, 5 Jan 2013, Patrick Lamaiziere wrote:

> Hello,
>
> We use cyrus-imapd on Centos 6 at work and I've got the following issue
> on authentication:
>
> Users can log in via a mailer (imap/pop) or use a webmail (horde). The
> webmail uses an SSO-CAS and horde uses a CAS token to log in to
> cyrus-imap. As the CAS tokens are one-time tokens they must be
> cached by saslauthd.
>
> For this we use PAM with saslauthd and 3 PAM modules. pam_cas checks if
> the password is a valid CAS token, then we try ldap and then a local
> account.
>
> cyrus-imap -> saslauthd (cache) -> PAM (pam_cas, pam_ldap, pam_unix)
>
> That works fine.
>
> The problem is: when a user uses the webmail and uses also a mailer
> (using imap), saslauthd will remove the CAS token previously cached when
> the mailer connects. So the webmail is disconnected.
>
> There is a patch to allow saslauthd to cache several passwords for one
> login but I would like to avoid this.
>
> As far as I can see, the cache depends on the service used (i.e. if I
> connect via pop, the imap password is not cleared from the
> saslauthd cache).
>
> So I'm asking if there is a way to introduce another "service" on
> cyrus-imap that will be used by the webmail (on another port than 143).
> I mean a service in the saslauthd / PAM way (the parameter '-s' in
> testsaslauthd: imap, pop, sieve).
>
> I don't know where to start. Is there a way to achieve this?
> Thanks, best regards.

Sorry I have taken so long to respond.  I saw this message a while ago but 
I didn't have time to reply then.  It doesn't look like anyone else has 
responded according to the list archives.

You can easily run multiple Cyrus imapd processes with different service 
names.  In your cyrus.conf, make a copy of your "imap" service and name it 
something like "imap_webmail", listening on a different port.  Then make a 
/etc/pam.d/imap_webmail file with your desired PAM config.

Another idea, which *might* work, is to run an imap proxy for your Horde 
instance.  We do that here.  That way, from Cyrus' perspective, Horde only 
logs in once so it shouldn't matter if the CAS token is single-use because 
there is only one authentication attempt.  I haven't tried this, so I'm 
not sure if you would see odd behavior if the proxied connection times out 
or something.  Just a thought!

Good luck.

 	Andy
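A worked version of the first suggestion in the reply above, added here as an example (it is not from the original thread or from the Cyrus project): the extra cyrus.conf service entry and the per-service PAM stacks it selects, so that the webmail's CAS token and a mailer's password are cached by saslauthd under different service names. The port 1143, the loopback bind, the module paths and the bare `pam_cas.so` invocation are assumptions; take the module's options from its own documentation.

```conf
# /etc/cyrus.conf (fragment, assumed layout): a second imapd service for the
# webmail next to the normal one. The entry name is the service name the
# saslauthd cache and PAM see, so the two login paths no longer share entries.
SERVICES {
  imap          cmd="imapd" listen="imap" prefork=5
  # Horde only. Loopback bind (assumed) keeps the CAS-token login path off
  # the network; 1143 is an assumed, free port.
  imap_webmail  cmd="imapd" listen="127.0.0.1:1143" prefork=1
  pop3          cmd="pop3d" listen="pop3" prefork=0
  sieve         cmd="timsieved" listen="sieve" prefork=0
}

# /etc/pam.d/imap_webmail (assumed content): consulted only for logins that
# arrive on the webmail service, so only the CAS module is needed here.
# pam_cas.so options are deliberately omitted; see the pam_cas documentation.
auth     sufficient  pam_cas.so
auth     required    pam_deny.so
account  required    pam_permit.so

# /etc/pam.d/imap (assumed content): the stack for ordinary mailer clients,
# which never present CAS tokens, so pam_cas is not tried for them at all.
auth     sufficient  pam_ldap.so
auth     sufficient  pam_unix.so
auth     required    pam_deny.so
account  required    pam_unix.so
```

Before relying on it, confirm in the saslauthd and PAM logs that a login on the new port is recorded under the service name `imap_webmail` rather than `imap` (otherwise the per-service PAM file is never consulted), and that a subsequent mailer login no longer evicts the cached token.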
