saslauthd cache / cyrus-imap and several passwords per login
Patrick Boutilier
boutilpj at ednet.ns.ca
Mon Jan 28 13:32:32 EST 2013
On 01/27/2013 09:03 PM, Andrew Morgan wrote:
> On Sat, 5 Jan 2013, Patrick Lamaiziere wrote:
>
>> Hello,
>>
>> We use cyrus-imapd on Centos 6 at work and I've got the following issue
>> on authentication:
>>
>> Users can log in via a mailer (imap/pop) or use a webmail (horde). The
>> webmail uses a SSO-CAS and horde uses a CAS token to log in to
>> cyrus-imap. As the CAS tokens are one-time tokens they must be
>> cached by saslauthd.
>>
>> For this we use PAM with saslauthd and 3 PAM modules. pam_cas checks if
>> the password is a valid CAS token, then we try ldap and then a local
>> account.
>>
>> cyrus-imap -> saslauthd (cache) -> PAM (pam_cas, pam_ldap, pam_unix)
>>
>> That works fine.
>>
>> The problem is: when a user uses the webmail and uses also a mailer
>> (using imap), saslauthd will remove the CAS token previously cached when
>> the mailer connects. So the webmail is disconnected.
>>
>> There is a patch to allow saslauthd to cache several passwords for one
>> login but I would like to avoid this.
>>
>> As far as I can see, the cache depends on the service used (i.e., if I
>> connect via pop, the imap password is not cleared from the
>> saslauthd cache).
>>
>> So I'm asking if there is a way to introduce another "service" on
>> cyrus-imap that will be used by the webmail (on another port than 143).
>> I mean a service in the saslauthd / PAM way (the parameter '-s' in
>> testsaslauthd: imap, pop, sieve).
>>
>> I don't know where to start. Is there a way to achieve this?
>> Thanks, best regards.
>
> Sorry I have taken so long to respond. I saw this message a while ago but
> I didn't have time to reply then. It doesn't look like anyone else has
> responded according to the list archives.
>
> You can easily run multiple Cyrus imapd processes with different service
> names. In your cyrus.conf, make a copy of your "imap" service and name it
> something like "imap_webmail", listening on a different port. Then make a
> /etc/pam.d/imap_webmail file with your desired PAM config.
I just gave the above a try, since I currently modify the source to force
which PAM service the imapd binary calls, but this entry still calls
/etc/pam.d/imap instead of /etc/pam.d/imaptest:

imaptest cmd="imapd" listen="imaptest"

imaptest is in /etc/services on port 146.
>
> Another idea, which *might* work, is to run an imap proxy for your Horde
> instance. We do that here. That way, from Cyrus' perspective, Horde only
> logs in once so it shouldn't matter if the CAS token is single-use because
> there is only one authentication attempt. I haven't tried this, so I'm
> not sure if you would see odd behavior if the proxied connection times out
> or something. Just a thought!
>
> Good luck.
>
> Andy
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> To Unsubscribe:
> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
>