saslauthd cache / cyrus-imap and several passwords per login

Mon Jan 28 20:46:16 EST 2013

On 01/28/2013 09:39 PM, Andrew Morgan wrote:
> On Mon, 28 Jan 2013, Patrick Boutilier wrote:
>
>> On 01/27/2013 09:03 PM, Andrew Morgan wrote:
>>> On Sat, 5 Jan 2013, Patrick Lamaiziere wrote:
>>>
>>>> Helo,
>>>>
>>>> We use cyrus-imapd on Centos 6 at work and I've got the following issue
>>>> on authentication:
>>>>
>>>> Users can login via a mailer (imap/pop) or use a webmail (horde). The
>>>> webmail uses a SSO-CAS and horde uses a CAS token to log in
>>>> cyrus-imap). As the CAS tokens are one-time tokens they must been
>>>> cached by saslauthd.
>>>>
>>>> For this we use PAM with saslauthd and 3 PAM modules. pam_cas checks if
>>>> the password is a valid CAS token, then we try ldap and then a local
>>>> account.
>>>>
>>>> cyrus-imap -> saslauthd (cache) -> PAM (pam_cas, pam_ldap, pam_unix)
>>>>
>>>> That works fine.
>>>>
>>>> The problem is: when a user uses the webmail and uses also a mailer
>>>> (using imap), saslauthd will remove the CAS token previously cached
>>>> when
>>>> the mailer connects. So the webmail is disconnected.
>>>>
>>>> There is a patch to allow saslauthd to cache several passwords for one
>>>> login but I would like to avoid this.
>>>>
>>>> As far I can see, the cache depends on the service used (ie if I
>>>> connect via pop, the imap password is not cleared from the
>>>> saslauthd cache).
>>>>
>>>> So I'm asking if there is a way to introduce another "service" on
>>>> cyrus-imap that will be used by the webmail (on another port than 143).
>>>> I mean a service in the saslauthd / PAM way (the parameter '-s' in
>>>> testsaslauthd: imap, pop, sieve).
>>>>
>>>> I don't know where to start. Is there a way to achieve this?
>>>> Thanks, best regards.
>>>
>>> Sorry I have taken so long to respond.  I saw this message a while
>>> ago but
>>> I didn't have time to reply then.  It doesn't look like anyone else has
>>> responded according to the list archives.
>>>
>>> You can easily run multiple Cyrus imapd processes with different service
>>> names.  In your cyrus.conf, make a copy of your "imap" service and
>>> name it
>>> something like "imap_webmail", listening on a different port.  Then
>>> make a
>>> /etc/pam.d/imap_webmail file with your desired PAM config.
>>
>>
>> I just gave the above a try since I currently modify the source to
>> force which pam service the imapd binary calls but this entry still
>> calls /etc/pam.d/imap instead of /etc/pam.d/imaptest
>>
>>
>> imaptest    cmd="imapd" listen="imaptest"
>>
>>
>> imaptest is in /etc/services on port 146
>
> Well shoot, it looks like the SASL service name is hard-coded in imapd.c:
>
>      /* create the SASL connection */
>      if (sasl_server_new("imap", config_servername,
>                          NULL, NULL, NULL, NULL, 0,
>                          &imapd_saslconn) != SASL_OK) {
>          fatal("SASL failed initializing: sasl_server_new()", EC_TEMPFAIL);
>      }
>
>
> It would be nice if there was a way to override this somehow...  Perhaps
> file a bug on the bugzilla!

Yup, that is the code I modify. :-)

I think I will file an enhancement bug.

>
>      Andy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: boutilpj.vcf
Type: text/x-vcard
Size: 286 bytes
Desc: not available
Url : http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20130128/74a87685/attachment.vcf 