annotation_definitions and other options in imapd.conf

Dan White dwhite at olp.net
Wed Dec 3 14:24:53 EST 2014


On 12/03/14 12:45 -0600, Patrick Goetz wrote:
>
>On 12/03/2014 06:53 AM, Adam Tauno Williams wrote:
>>>     auth_mech:
>>> - Isn't this handled by SASL?
>>
>> Partially, yes.  Don't forget that identity management is AAA - three
>> As, not one.  Authorization, Authentication, Accounting.
>>
>
>So, for example:
>
>Authorization would be
>    cm user.username in cyradm
>Authentication would be
>    saslauthd -> PAM --> PAM modules
>Accounting would be setting permissions and quotas
>    sam user.username write
>    sq user.username N

cyrus sasl performs authentication. This would be consistent across all
servers which use libsasl, such as imapd or slapd. Its primary purpose is
to resolve *who* the authentication identity is and to relieve the server
daemon (imapd) of the burden of figuring out how to authenticate users.

Authorization is handled primarily outside of libsasl, and is left up to
the server which uses libsasl (imapd). Authorization involves "who can
access what", and is configured by way of ACL commands - e.g. john can
access jane's mailbox. slapd performs this step via olcAccess
configuration.

Accounting is the ability to track who accessed what, and when - i.e.
syslog output.

>I'm still not seeing where auth_mech or ldap options fit into this,
>although Sven seems to have offered an explanation:  there is some
>undocumented way of bypassing saslauthd. Which, if true, I suggest is a
>terrible idea and should be stripped out of the code.  Allowing for
>direct PAM authentication might work somehow, assuming there is a way to
>handle TLS authentication.  Authentication architecture needs to be
>less, not more complicated in general in the unix/linux world.

auth_mech, as I've used it, figures out who exists in which groups. So if
jane has given read permissions to group 'wheel', and john is a member of
wheel in /etc/groups, *and* auth_mech is configured to be unix, then john
would be granted access to jane's mailbox on request.

A big problem with 'auth_mech: unix' is that it's *slow* on systems with
lots of groups, due to the way unix searches for group membership (by
iterating over all groups in the system). If that happens every time a user
attempts to open a mailbox, your system will fall over. The other
auth_mechs, such as ldap, can make that process efficient.

-- 
Dan White
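The group-to-ACL step described above, as an added illustration that is not part of the original message and not Cyrus code: it resolves a user's unix groups from a constructed /etc/group, applies Cyrus-style "group:" ACL entries, and contrasts the per-request scan of every group (the slow 'auth_mech: unix' case) with a membership index built once (what a directory-backed auth_mech can provide). The group file, mailbox names and ACL rights strings are made-up sample data.

```python
# Added example: how an auth_mech feeds group membership into a mailbox ACL
# check, and why scanning every group entry per request is slow compared
# with a membership index built once. Not Cyrus code; sample data is constructed.

# Constructed /etc/group content, not taken from any real system.
ETC_GROUP = """\
root:x:0:
wheel:x:10:dan,john
mail:x:12:cyrus
staff:x:50:jane,john
"""

# Constructed mailbox ACLs in Cyrus-style form: identifier -> rights string.
# "lrs" = lookup, read, seen; "group:" is how a unix group appears in an ACL.
ACLS = {
    "user.jane": {"jane": "lrswipkxtecda", "group:wheel": "lrs"},
    "user.dan": {"dan": "lrswipkxtecda"},
}

def groups_by_scan(etc_group: str, user: str) -> set[str]:
    """auth_mech 'unix' style: walk every group entry on each call (O(#groups))."""
    found = set()
    for line in etc_group.splitlines():
        name, _pw, _gid, members = line.split(":", 3)
        if user in [m for m in members.split(",") if m]:
            found.add(name)
    return found

def build_membership_index(etc_group: str) -> dict[str, set[str]]:
    """Build user -> groups once; later lookups are O(1), which is what a
    directory-backed auth_mech such as ldap lets the server rely on."""
    index: dict[str, set[str]] = {}
    for line in etc_group.splitlines():
        name, _pw, _gid, members = line.split(":", 3)
        for m in filter(None, members.split(",")):
            index.setdefault(m, set()).add(name)
    return index

def rights_for(mailbox: str, user: str, groups: set[str]) -> str:
    """Union of rights granted to the user directly and via any group ACL."""
    acl = ACLS.get(mailbox, {})
    rights = set(acl.get(user, ""))
    for g in groups:
        rights.update(acl.get("group:" + g, ""))
    return "".join(sorted(rights))

def can_read(mailbox: str, user: str, groups: set[str]) -> bool:
    """True when the resolved rights include 'r' (read) on the mailbox."""
    return "r" in rights_for(mailbox, user, groups)
```

With the sample data, john reaches jane's mailbox only through the group:wheel entry, and a user in no granting group (cyrus) gets no rights at all.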

