Thank you very much, Nic!
I have not been aware of how easy it apparently is to
1. use an LDAP to store standard UNIX account authentication token
and group membership information
and then
2. use these standard UNIX accounts for _application_
authentication AND authorization purposes.
Also, SSSD, to me, looks like a (much more) solid solution (than saslauthd).
Assuming that PAM & NSS are already configured by the "sssd" package, as
this HOWTO implies, and "cyrus-imap" by default also comes configured to
work with PAM & NSS, as you are saying, setting this up looks really
simple. I.e. I will follow this HOWTO:
https://ubuntu.com/server/docs/service-sssd-ldap And most likely set my
VM up thusly, then.
Regards, -Patrick
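For the sssd-against-LDAP setup discussed above, an added example (not from the thread and not from the Ubuntu HOWTO) that audits an sssd.conf domain section for the settings Cyrus ends up trusting once it delegates AAA to PAM/NSS. Both configuration texts are constructed samples with an assumed server name and search base; the option names and defaults (ldap_tls_reqcert defaulting to hard, access_provider defaulting to permit, ldap_id_use_start_tls defaulting to false) are sssd's own.

```python
import configparser

# Constructed sample: the kind of domain section that "works" but verifies
# nothing and admits every LDAP account.
WEAK_CONF = """\
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.internal
ldap_search_base = dc=example,dc=internal
ldap_tls_reqcert = allow
access_provider = permit
"""

# Constructed sample: same domain with the transport verified and access
# limited to one group (assumed group DN).
HARDENED_CONF = """\
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.internal
ldap_search_base = dc=example,dc=internal
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
access_provider = ldap
ldap_access_filter = (memberOf=cn=imap-users,ou=groups,dc=example,dc=internal)
cache_credentials = true
"""


def audit_sssd(conf_text: str) -> list[str]:
    """Return one finding per weak setting found in any [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        uris = [u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()]
        start_tls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
        for uri in uris:
            # sssd only forces TLS for the authentication bind; identity and
            # group lookups over ldap:// without StartTLS travel in cleartext
            if uri.startswith("ldap://") and not start_tls:
                findings.append(f"{section}: {uri} used without ldap_id_use_start_tls")
        reqcert = d.get("ldap_tls_reqcert", "hard").lower()
        if reqcert not in ("demand", "hard"):
            findings.append(f"{section}: ldap_tls_reqcert={reqcert} does not verify the server certificate")
        access = d.get("access_provider", "permit").lower()
        if access == "permit":
            findings.append(f"{section}: access_provider=permit lets every LDAP account log in")
        if access == "ldap" and "ldap_access_filter" not in d:
            findings.append(f"{section}: access_provider=ldap without an ldap_access_filter")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_sssd(text) or ["no findings"])
```

The checks mirror what changes once Cyrus stops doing its own authentication: the LDAP transport and the access filter are now the perimeter, and PAM/NSS will happily report whatever sssd hands them.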
On 27.06.23 14:21, Nic Bernstein wrote:
Patrick,
The solution with PAM is not found in your search because it's not
really about PAM and Cyrus. It's about PAM and LDAP. Configuring
Cyrus to rely upon system authentication & authorization services is
rather easy, and the default for most Linux distros, for example.
Which raises an important point, what's your platform? You haven't
told us that -- which OS, which distro, etc.? You've only told us
that it's a small VM.
If you're using Linux then the most obvious choice for performing AAA
against LDAP is via the System Security Services Daemon -- sssd. Once
you've got sssd configured to work with your LDAP, then your Cyrus, in
a typical deployment, will Just Work. So try this search, instead:
https://duckduckgo.com/?q=linux+sssd+ldap
An alternative, if your system doesn't support sssd is to use the
older PAM/LDAP, described here for Debian:
https://wiki.debian.org/LDAP/PAM
Either PAM/LDAP or sssd will provide both user & group info, via LDAP,
which is then used by Cyrus.
For example, on a system using sssd, the 'id' command can be used
to get group memberships for a given userID:
$ id nbernstein
uid=10006(nbernstein) gid=10000(Administrators)
groups=10000(Administrators),6(disk),10030(SecOps),10020(pfsense-admin),10070(wheel),10073(libvirt),10072(lxd),10074(docker),20(dialout),10078(net-sim)
If you have specific requirements /not met/ by either of those two
options, then you should look into the ptloader with LDAP option,
which relies upon a separate component, PTS, to handle the LDAP
interactions. I've not used ptloader, myself, so cannot speak to that.
Cheers,
-nic
On 6/26/23 13:18, Patrick Pfeifer via Info wrote:
On 26.06.23 09:35, Niels Dettenbach via Info wrote:
Just a side note (simplified):
cyrus-imapd is not a SMTP MTA.
Noted. All right. Thank you for the info.
For User authentication in Cyrus, i would expect to use
Cyrus -> PAM -> LDAP or potentially
PAM? All right. That sounds good actually! I remember fiddling with
those config files in /etc/pam.d (25ish years ago) and as I recall it
was working well. This sounds like a good option. But Google does
again not seem to have any interest in any kind of friendship when I ask
it for cyrus-imap pam authentication
<https://www.google.com/search?hl=de&q=cyrus-imap pam authentication>.
There are two links
<https://www.cyrusimap.org/imap/concepts/features.html#security-and-authentication>
to the cyrusimap.org Documentation, where there is basically no info
on it and the 3rd hit, a link to tldp.org, with a PDF HowTo, speaks
right from my heart when it says: "Chapter 4.3 - PAM: Not enough info
to document. Email me if you have some."
Cyrus -> SASL -> GSSAPI -> LDAP
as a typical solution (but never did it myself yet).
Ok, well. I'd rather not do Kerberos. That doesn't seem to make sense
for my tiny setup.
On 26.06.23 11:43, Howard Chu wrote:
A more typical example would be using SASL/DIGEST-MD5 or SASL/SCRAM
etc...
Thanks, but if my understanding is correct, these only work as long
as you store the plain text passwords on the server -- which I am not
doing.
--
Nic [email protected]
https://www.nicbernstein.com
Cyrus: Info
Permalink: https://cyrus.topicbox.com/groups/info/T48b6e9b6846822f7-M1047ff45e2d733acb62057bd
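An added example (not from the thread) for the `id` output Nic shows above: a parser for that output format plus a simplified model of how group membership resolved through NSS turns into mailbox rights. The sample line is constructed in the same layout as Nic's; the ACL resolution is an illustration of group-based authorization, not Cyrus's own ACL code, and it assumes the default `id` field layout without spaces in group names.

```python
import re

# Constructed sample in the field layout of `id` output (made-up membership).
SAMPLE_ID_OUTPUT = (
    "uid=10006(nbernstein) gid=10000(Administrators) "
    "groups=10000(Administrators),6(disk),10030(SecOps),10020(pfsense-admin)"
)

_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")   # matches e.g. "10030(SecOps)"


def parse_id_output(line: str) -> dict:
    """Split one line of `id` output into uid, primary gid and a name->gid map.
    An SELinux context= field, if present, is carried along and ignored."""
    fields = dict(part.split("=", 1) for part in line.split())
    uid, user = _ENTRY.fullmatch(fields["uid"]).groups()
    gid, primary = _ENTRY.fullmatch(fields["gid"]).groups()
    groups = {name: int(num) for num, name in _ENTRY.findall(fields.get("groups", ""))}
    return {"uid": int(uid), "user": user, "gid": int(gid),
            "primary_group": primary, "groups": groups}


def effective_rights(acl: dict, user: str, groups) -> str:
    """Simplified group ACL model: identifiers are a user name or 'group:name';
    a leading '-' removes rights. Result is the sorted set of remaining rights."""
    granted, denied = set(), set()
    for ident, rights in acl.items():
        negative = ident.startswith("-")
        name = ident[1:] if negative else ident
        applies = (name == user) or (name.startswith("group:") and name[6:] in groups)
        if applies:
            (denied if negative else granted).update(rights)
    return "".join(sorted(granted - denied))


if __name__ == "__main__":
    info = parse_id_output(SAMPLE_ID_OUTPUT)
    # Constructed ACL: SecOps may list/read/see, Administrators get more,
    # members of disk are denied the "seen" right.
    acl = {"group:SecOps": "lrs", "group:Administrators": "lrswipkxte", "-group:disk": "s"}
    print(info["user"], sorted(info["groups"]))
    print("rights:", effective_rights(acl, info["user"], info["groups"]))
```

The point to take from the thread is that once sssd feeds NSS, every group in that map is an authorization input for Cyrus, so the LDAP group membership data deserves the same change control as the ACLs themselves.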
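For the SASL/DIGEST-MD5 and SASL/SCRAM exchange quoted above, an added example (not from the thread and not Cyrus SASL's code) of the SCRAM-SHA-256 derivations from RFC 5802 and RFC 7677, showing exactly which values the server-side record holds and how a login is checked against them. Message framing is reduced to the three fragments that form AuthMessage; nonces, the user name and the enrollment salt are constructed.

```python
import base64
import hashlib
import hmac
import os
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keys(password: str, salt: bytes, iterations: int):
    """SaltedPassword = PBKDF2(password, salt, i); ClientKey/ServerKey from it."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return _hmac(salted, b"Client Key"), _hmac(salted, b"Server Key")


def enroll(password: str, iterations: int = 4096, salt: bytes = None) -> dict:
    """The record the server keeps: salt, iteration count, StoredKey, ServerKey.
    Neither the password nor SaltedPassword is retained."""
    salt = salt if salt is not None else os.urandom(16)
    client_key, server_key = _keys(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": _h(client_key), "server_key": server_key}


def server_verify(record: dict, auth_message: bytes, proof: bytes):
    """Recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    Returns ServerSignature on success, None on failure."""
    client_sig = _hmac(record["stored_key"], auth_message)
    client_key = _xor(proof, client_sig)
    if not hmac.compare_digest(_h(client_key), record["stored_key"]):
        return None
    return _hmac(record["server_key"], auth_message)


def run_exchange(record: dict, password_attempt: str, user: str = "patrick") -> bool:
    """Both sides of one authentication; True only if both proofs verify."""
    c_nonce = secrets.token_hex(8)
    s_nonce = c_nonce + secrets.token_hex(8)
    salt_b64 = base64.b64encode(record["salt"]).decode("ascii")
    client_first_bare = f"n={user},r={c_nonce}".encode()
    server_first = f"r={s_nonce},s={salt_b64},i={record['iterations']}".encode()
    client_final_bare = f"c=biws,r={s_nonce}".encode()
    auth_message = b",".join((client_first_bare, server_first, client_final_bare))

    # Client side: takes salt and iteration count from server-first, derives
    # its keys from the password it knows and sends ClientProof.
    attrs = dict(kv.split("=", 1) for kv in server_first.decode().split(","))
    salt, iters = base64.b64decode(attrs["s"]), int(attrs["i"])
    client_key, server_key = _keys(password_attempt, salt, iters)
    proof = _xor(client_key, _hmac(_h(client_key), auth_message))

    # Server side: verifies with StoredKey only, then proves it holds ServerKey.
    server_sig = server_verify(record, auth_message, proof)
    if server_sig is None:
        return False
    return hmac.compare_digest(server_sig, _hmac(server_key, auth_message))


if __name__ == "__main__":
    rec = enroll("correct horse battery")
    print("stored fields:", sorted(rec))
    print("good password:", run_exchange(rec, "correct horse battery"))
    print("bad password: ", run_exchange(rec, "wrong"))
```

Whether a particular SASL library keeps a plaintext copy alongside this record (for instance to serve several mechanisms from one auxprop entry) is a property of that library's credential store, not of the SCRAM mechanism; the record above is all the protocol itself needs on the server.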
------------------------------------------
Cyrus: Info
Permalink:
https://cyrus.topicbox.com/groups/info/T48b6e9b6846822f7-M037dae7e549a58dfd3e93dd0
Delivery options: https://cyrus.topicbox.com/groups/info/subscription