Patrick,
The solution with PAM is not found in your search because it's not
really about PAM and Cyrus. It's about PAM and LDAP. Configuring Cyrus
to rely upon system authentication & authorization services is rather
easy, and the default for most Linux distros, for example. Which raises
an important point, what's your platform? You haven't told us that --
which OS, which distro, etc.? You've only told us that it's a small VM.
If you're using Linux then the most obvious choice for performing AAA
against LDAP is via the System Security Services Daemon -- sssd. Once
you've got sssd configured to work with your LDAP, then your Cyrus, in a
typical deployment, will Just Work. So try this search, instead:
https://duckduckgo.com/?q=linux+sssd+ldap
An alternative, if your system doesn't support sssd, is to use the older
PAM/LDAP, described here for Debian: https://wiki.debian.org/LDAP/PAM
Either PAM/LDAP or sssd will provide both user & group info, via LDAP,
which is then used by Cyrus.
For example, on a system using sssd, the 'id' command can be used to
get group memberships for a given userID:
$ id nbernstein
uid=10006(nbernstein) gid=10000(Administrators)
groups=10000(Administrators),6(disk),10030(SecOps),10020(pfsense-admin),10070(wheel),10073(libvirt),10072(lxd),10074(docker),20(dialout),10078(net-sim)
If you have specific requirements /not met/ by either of those two
options, then you should look into the ptloader with LDAP option, which
relies upon a separate component, PTS, to handle the LDAP interactions.
I've not used ptloader, myself, so cannot speak to that.
Cheers,
-nic
On 6/26/23 13:18, Patrick Pfeifer via Info wrote:
On 26.06.23 09:35, Niels Dettenbach via Info wrote:
Just a side note (simplified):
cyrus-imapd is not a SMTP MTA.
Noted. All right. Thank you for the info.
For User authentication in Cyrus, I would expect to use
Cyrus -> PAM -> LDAP or potentially
PAM ? All right. That sounds good actually! I remember fiddling with
those config files in /etc/pam.d (25ish years ago) and as I recall it
was working well. This sounds like a good option. But Google does
again not seem to have any interest in any kind of friendship when I ask
it for cyrus-imap pam authentication
<https://www.google.com/search?hl=de&q=cyrus-imap pam authentication>.
There are two links
<https://www.cyrusimap.org/imap/concepts/features.html#security-and-authentication>
to the cyrusimap.org Documentation, where there is basically no info
on it and the 3rd hit, a link to tldp.org, with a PDF HowTo, speaks
right from my heart when it says: "Chapter 4.3 - PAM: Not enough info
to document. Email me if you have some."
Cyrus -> SASL -> GSSAPI -> LDAP
as a typical solution (but never did it myself yet).
Ok, well. I'd rather not do Kerberos. That doesn't seem to make sense
for my tiny setup.
On 26.06.23 11:43, Howard Chu wrote:
A more typical example would be using SASL/DIGEST-MD5 or SASL/SCRAM
etc...
Thanks, but if my understanding is correct, these only work as long as
you store the plain text passwords on the server -- which I am not doing.
--
Nic [email protected]
https://www.nicbernstein.com
------------------------------------------
Cyrus: Info
Permalink:
https://cyrus.topicbox.com/groups/info/T48b6e9b6846822f7-M1047ff45e2d733acb62057bd
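The sssd route described in the reply above, sketched as an added example; it is not part of the original messages or of the Cyrus or sssd documentation. It assumes saslauthd is started with `-a pam` and that Cyrus uses its default PAM service name `imap`; the function name, staging layout, LDAP URI and base DN are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Stages the three fragments for review;
# the function name, directory layout, URI and base DN are assumptions.
stage_cyrus_sssd_auth() (
  out=$1 uri=$2 base=$3
  # sssd requires an encrypted channel for LDAP authentication; this sketch
  # accepts only ldaps:// (StartTLS on ldap:// is left out for brevity).
  case $uri in
    ldaps://*) ;;
    *) echo "refusing non-TLS LDAP URI: $uri" >&2; exit 1 ;;
  esac
  umask 077                      # sssd.conf must be 0600, owned by root
  mkdir -p "$out/sssd" "$out/pam.d" || exit 1

  # 1. sssd: identity (users, groups) and authentication from LDAP.
  cat > "$out/sssd/sssd.conf" <<EOF
[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = $uri
ldap_search_base = $base
ldap_tls_reqcert = demand
EOF

  # 2. PAM stack for the "imap" service name that saslauthd passes on.
  cat > "$out/pam.d/imap" <<'EOF'
auth     required  pam_sss.so
account  required  pam_sss.so
EOF

  # 3. Cyrus: hand passwords to saslauthd (started with "-a pam"), and
  #    permit PLAIN/LOGIN only once the IMAP session is under TLS.
  cat > "$out/imapd.conf.fragment" <<'EOF'
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
allowplaintext: no
EOF
)

# After installing the files and restarting sssd, saslauthd and Cyrus:
#   getent passwd USER                         # NSS resolves the LDAP account
#   id USER                                    # group memberships, as in the reply
#   testsaslauthd -u USER -p PASSWORD -s imap  # the PAM path Cyrus will use
```

With this arrangement the server never stores a plaintext password: the client sends it via PLAIN inside TLS and sssd verifies it with an LDAP bind.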