On 12/03/14 12:45 -0600, Patrick Goetz wrote: > >On 12/03/2014 06:53 AM, Adam Tauno Williams wrote: >>> auth_mech: >>> - Isn't this handled by SASL? >> >> Partially, yes. Don't forget that identity management is AAA - three >> As, not one. Authorization, Authentication, Accounting. >> > >So, for example: > >Authorization would be > cm user.username in cyradm >Authentication would be > saslauthd -> PAM --> PAM modules >Accounting would be setting permissions and quotas > sam user.username write > sq user.username N
cyrus sasl performs authentication. This would be consistent across all servers which use libsasl, such as imapd or slapd. It's primary purpose is to resolve *who* the authentication identity is and to relieve the server daemon (imapd) of the burden of figuring out how to authenticate users. Authorization is handled primarily outside of libsasl, and is left up to the server which use libsasl (imapd). Authorization involves "who can access what", and is configured by way of ACL commands - e.g. john can access jane's mailbox. slapd performs this step via olcAccess configuration. Accounting is the ability to track who accessed what, and when - i.e. syslog output. >I'm still not seeing where auth_mech or ldap options fit into this, >although Sven seems to have offered an explanation: there is some >undocumented way of bypassing saslauthd. Which, if true, I suggest is a >terrible idea and should be stripped out of the code. Allowing for >direct PAM authentication might work somehow, assuming there is a way to >handle TLS authentication. Authentication architecture needs to be >less, not more complicated in general in the unix/linux world. auth_mech, as I've used it, figures out who exists in which groups. So if jane has given read permissions to group 'wheel', and john in a member of wheel in /etc/groups, *and* auth_mech is configured to be unix, then john would be granted access to jane's mailbox on request. A big problem with 'auth_mech: unix' is that it's *slow* on systems with lots of groups, due to the way unix searches for group membership (by iterating over all groups in the system). If that happens every time a user attempts to open a mailbox, your system will fall over. The other auth_mechs, such as ldap, can make that process efficient. -- Dan White ---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
