saslauthd cache / cyrus-imap and several passwords per login

Patrick Boutilier boutilpj at ednet.ns.ca
Thu Jan 31 10:33:41 EST 2013


On 01/28/2013 09:46 PM, Patrick Boutilier wrote:
> On 01/28/2013 09:39 PM, Andrew Morgan wrote:
>> On Mon, 28 Jan 2013, Patrick Boutilier wrote:
>>
>>> On 01/27/2013 09:03 PM, Andrew Morgan wrote:
>>>> On Sat, 5 Jan 2013, Patrick Lamaiziere wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> We use cyrus-imapd on Centos 6 at work and I've got the following
>>>>> issue on authentication:
>>>>>
>>>>> Users can login via a mailer (imap/pop) or use a webmail (horde). The
>>>>> webmail uses a SSO-CAS and horde uses a CAS token to log in to
>>>>> cyrus-imap. As the CAS tokens are one-time tokens they must be
>>>>> cached by saslauthd.
>>>>>
>>>>> For this we use PAM with saslauthd and 3 PAM modules. pam_cas
>>>>> checks if the password is a valid CAS token, then we try ldap and
>>>>> then a local account.
>>>>>
>>>>> cyrus-imap -> saslauthd (cache) -> PAM (pam_cas, pam_ldap, pam_unix)
>>>>>
>>>>> That works fine.
>>>>>
>>>>> The problem is: when a user uses the webmail and uses also a mailer
>>>>> (using imap), saslauthd will remove the CAS token previously cached
>>>>> when the mailer connects. So the webmail is disconnected.
>>>>>
>>>>> There is a patch to allow saslauthd to cache several passwords for one
>>>>> login but I would like to avoid this.
>>>>>
>>>>> As far as I can see, the cache depends on the service used (i.e. if I
>>>>> connect via pop, the imap password is not cleared from the
>>>>> saslauthd cache).
>>>>>
>>>>> So I'm asking if there is a way to introduce another "service" on
>>>>> cyrus-imap that will be used by the webmail (on another port than
>>>>> 143). I mean a service in the saslauthd / PAM way (the parameter '-s'
>>>>> in testsaslauthd: imap, pop, sieve).
>>>>>
>>>>> I don't know where to start. Is there a way to achieve this?
>>>>> Thanks, best regards.
>>>>
>>>> Sorry I have taken so long to respond.  I saw this message a while
>>>> ago but I didn't have time to reply then.  It doesn't look like anyone
>>>> else has responded according to the list archives.
>>>>
>>>> You can easily run multiple Cyrus imapd processes with different
>>>> service names.  In your cyrus.conf, make a copy of your "imap" service
>>>> and name it something like "imap_webmail", listening on a different
>>>> port.  Then make a /etc/pam.d/imap_webmail file with your desired PAM
>>>> config.
>>>
>>>
>>> I just gave the above a try since I currently modify the source to
>>> force which pam service the imapd binary calls, but this entry still
>>> calls /etc/pam.d/imap instead of /etc/pam.d/imaptest.
>>>
>>>
>>> imaptest    cmd="imapd" listen="imaptest"
>>>
>>>
>>> imaptest is in /etc/services on port 146
>>
>> Well shoot, it looks like the SASL service name is hard-coded in imapd.c:
>>
>>      /* create the SASL connection */
>>      if (sasl_server_new("imap", config_servername,
>>                          NULL, NULL, NULL, NULL, 0,
>>                          &imapd_saslconn) != SASL_OK) {
>>          fatal("SASL failed initializing: sasl_server_new()",
>>                EC_TEMPFAIL);
>>      }
>>
>>
>> It would be nice if there was a way to override this somehow...  Perhaps
>> file a bug on the bugzilla!
>
>
> Yup, that is the code I modify. :-)
>
> I think I will file an enhancement bug.


https://bugzilla.cyrusimap.org/show_bug.cgi?id=3767



>>      Andy
