annotation_definitions and other options in imapd.conf
Patrick Goetz
pgoetz at mail.utexas.edu
Wed Dec 3 13:45:11 EST 2014
On 12/03/2014 06:53 AM, Adam Tauno Williams wrote:
>> auth_mech:
>> - Isn't this handled by SASL?
>
> Partially, yes. Don't forget that identity management is AAA - three
> As, not one. Authorization, Authentication, Accounting.
>
So, for example:

Authorization would be

    cm user.username in cyradm

Authentication would be

    saslauthd -> PAM --> PAM modules

Accounting would be setting permissions and quotas

    sam user.username write
    sq user.username N

I'm still not seeing where auth_mech or ldap options fit into this,
although Sven seems to have offered an explanation: there is some
undocumented way of bypassing saslauthd. Which, if true, I suggest is a
terrible idea and should be stripped out of the code. Allowing for
direct PAM authentication might work somehow, assuming there is a way to
handle TLS authentication. Authentication architecture needs to be
less, not more complicated in general in the unix/linux world.

Anyway, thanks Adam and Sven for the replies -- that was extremely helpful.