Kevin Williams wrote:
All,

I posted this to cyrus imap's list, but no response.  The local list
seems to be much more helpful :)

Anyway, I'm trying to understand the inner workings of cyrus sasl, in
order to authenticate against LDAP via pam (imap-->sasl-->pam-->ldap).

I've got an error in my understanding since it won't work.  Here's what
I THOUGHT my options were for configuring cyrus imap to authenticate
against LDAP:


1. --imapd.conf file has NO sasl parameters.
--imapd file in sasl2 folder has one parameter pwcheck_method:pam

This option does NOT run against the saslauthd daemon.  IMAP knows to
use SASL, and checks for the sasl config file which says don't use SASL,
forward to PAM directly.  I have my PAM imap file configured to use LDAP
(/etc/ldap.conf).

2. --imapd.conf file has sasl_pwcheck_method:pam
This is the same as #1


3. --imapd.conf file has no sasl parameter. --imapd file in sasl2 folder has one parameter pwcheck_method:saslauthd

This option tells the imapd to forward the parameters to the saslauthd
daemon.  When the sasl daemon is started, the desired login mechanism is
passed as a parameter (saslauthd -a pam).  I have my PAM imap file
configured to use LDAP (/etc/ldap.conf)

4.
--imapd.conf file has sasl_pwcheck_method:saslauthd

Same as #3.


5. --imapd.conf file has no sasl parameter. --imapd file in sasl2 folder has one parameter pwcheck_method:ldap

This is similar to the PAM process (#1): imap looks up the imapd file,
determines it's pam, and uses sasl to configure against pam.  The
saslauthd.conf file stores the ldap config information.

6.
--imapd.conf file has sasl_pwcheck_method:ldap

Same as 5.  The saslauthd.conf file stores the ldap config information.


7. --imapd.conf file has no sasl parameter. --imapd file in sasl2 folder has one parameter pwcheck_method:saslauthd

This option tells the imapd to forward the parameters to the saslauthd
daemon.  When the sasl daemon is started, the desired login mechanism is
passed as a parameter (saslauthd -a ldap).  The saslauthd daemon uses
the /saslauthd.conf file to store its ldap config information.

8.
--imapd.conf file has sasl_pwcheck_method:saslauthd

Same as #7.
Thanks in advance for clarifying this for me.

Kevin Williams
_______________________________________________
PDXLUG mailing list
[EMAIL PROTECTED]
http://pdxlug.org/mailman/listinfo/pdxlug




I want to disclose that I am really tired right now. The haze is killing my ability to read and follow your e-mail.

What I can tell you is this:

cyrus-sasl version 1 - this version has you set a million different pwcheck_methods, etc. With sasl v2 [anything recent], all apps are set to a pwcheck_method of saslauthd.


saslauthd must be running, and other apps must have access to its read pipe. [housed in /var/run/saslauthd by default]

Saslauthd, mostly configured on the command line, must have your appropriate authentication configuration.

the Cyrus-SASL documentation sucks like something I can't say here


Here is a sample saslauthd.conf:

# (c) 2002 Tassilo Erlewein <[EMAIL PROTECTED]>
# (c) 2002 Martin Konold <[EMAIL PROTECTED]>
# (c) 2002 Achim Frank <[EMAIL PROTECTED]>

# this file is automatically written by the Kolab config backend
# manual additions are lost unless made to the template in the Kolab config directory

ldap_servers: ldap://127.0.0.1:389
#ldap_servers: <ldap://localhost/>
# Specify URI(s) referring to LDAP server(s), e.g. ldaps://10.1.1.2:999/.
# You can specify multiple servers separated by a space.

#ldap_bind_dn: <none>
# Specify DN (distinguished name) to bind to the LDAP directory. Do not
# specify this parameter for the anonymous bind.

#ldap_bind_pw: <none>
# Specify the password for ldap_bind_dn. Do not specify this parameter
# for the anonymous bind.

ldap_version: 3
#ldap_version: <3> <2|3>
#        Specify the LDAP protocol version to use.

#ldap_timeout: <5>
#        Specify a number of seconds a search can take before timing out.

#ldap_time_limit: <5>
#        Specify a number of seconds for a search request to complete.

#ldap_deref: <none> <search|find|always|never>
#        Specify how aliases dereferencing is handled during a search.

#ldap_referrals: <no>
#        Specify whether or not the client should follow referrals.

#ldap_restart: <yes>
# Specify whether or not LDAP I/O operations are automatically restarted
# if they abort prematurely.

#ldap_cache_ttl: <0>
# Non-zero enables client side caching. Cached results will expire after
# the specified number of seconds, e.g. 30. Use this option with care.
# OpenLDAP folks consider this feature experimental.

#ldap_cache_mem: <0>
# If client side caching is enabled, the value specifies the cache size
# in bytes, e.g. 32768.

#ldap_scope: <sub> <sub|one|base>
#        Search scope.

ldap_search_base: dc=webmail,dc=valuecad,dc=com
#ldap_search_base: <none>
#        Specify a starting point for the search.  e.g. dc=foo,dc=com

#ldap_auth_method: <bind> <bind|custom>
# Specify an authentication method. The default 'bind' method uses the
# LDAP simple bind facility to verify the password. The custom method
# uses userPassword attribute to verify the password. Currently, {CRYPT}
# hash is supported.

ldap_filter: (|(uid=%u)(mail=%u)(alias=%u))
#ldap_filter: <uid=%u>
# Specify a filter. Use the %u and %r tokens for the username and realm
# substitution. The %u token has to be used at minimum for the filter to
# be useful. If ldap_auth_method is 'bind', the filter will search for
# the DN (distinguished name) attribute. Otherwise, the search will look
# for the userPassword attribute.

#ldap_debug: <0>
#        Specify a debugging level in the OpenLDAP libraries.  See
#        ldap_set_option(3) for more (LDAP_OPT_DEBUG_LEVEL).

#ldap_tls_check_peer: <no> <yes|no>
#        Require and verify server certificate.  If this option is yes,
#        you must specify ldap_tls_cacert_file or ldap_tls_cacert_dir.

#ldap_tls_cacert_file: <none>
#        File containing CA (Certificate Authority) certificate(s).

#ldap_tls_cacert_dir: <none>
#        Path to directory with CA (Certificate Authority) certificates.

#ldap_tls_ciphers: <DEFAULT>
#        List of SSL/TLS ciphers to allow.  The format of the string is
#        described in ciphers(1).

#ldap_tls_cert: <none>
#        File containing the client certificate.

#ldap_tls_key: <none>
#        File containing the private client key.



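An added example, written for this thread and not code from either poster, Kolab or cyrus-sasl: it reads a saslauthd.conf of the shape shown in the reply (one `key: value` per line, `#` comments), substitutes the `%u` and `%r` tokens into `ldap_filter` with RFC 4515 escaping so that a username such as `a*)(uid=*` cannot rewrite the search, and then reports the two transport settings worth checking before relying on that file: a plain `ldap://` server that is not loopback (simple binds would cross the network in clear text) and an `ldaps://` server without `ldap_tls_check_peer: yes` (the certificate is not verified, which the posted comments also note). The sample config text, the function names and the weak second config are constructed for the example; `ldap_start_tls` is a saslauthd option that the posted sample does not show.

```python
"""Parse a saslauthd.conf, build the LDAP filter safely, and lint transport settings."""
import re
from urllib.parse import urlsplit

# Constructed sample, mirroring the keys used in the posted Kolab-generated file.
SAMPLE_CONF = """\
# this file is automatically written by the Kolab config backend
ldap_servers: ldap://127.0.0.1:389
ldap_version: 3
ldap_search_base: dc=example,dc=com
ldap_filter: (|(uid=%u)(mail=%u)(alias=%u))
#ldap_tls_check_peer: <no> <yes|no>
"""


def parse_saslauthd_conf(text):
    """Return {key: value}; blank lines and lines starting with '#' are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")  # split on the FIRST colon only,
        if not sep:                            # so ldap://host:389 survives intact
            continue                           # malformed line: skip it
        conf[key.strip()] = value.strip()
    return conf


# RFC 4515 escapes for characters that carry meaning inside a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value that is about to be interpolated into an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, user, realm=""):
    """Substitute %u (user) and %r (realm) in one pass, escaping both values.

    A single regex pass means a '%r' inside the username is never re-expanded.
    """
    values = {"u": escape_filter_value(user), "r": escape_filter_value(realm)}
    return re.sub(r"%([ur])", lambda m: values[m.group(1)], template)


_LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def lint(conf):
    """Return a list of findings about the transport and filter settings."""
    findings = []
    for url in conf.get("ldap_servers", "ldap://localhost/").split():
        parts = urlsplit(url)
        host = parts.hostname or "localhost"
        uses_starttls = conf.get("ldap_start_tls", "no").lower() == "yes"
        if parts.scheme == "ldap" and host not in _LOOPBACK and not uses_starttls:
            findings.append(
                f"{url}: simple binds cross the network in clear text "
                "(use ldaps:// or ldap_start_tls: yes)")
        if parts.scheme == "ldaps" and conf.get("ldap_tls_check_peer", "no").lower() != "yes":
            findings.append(
                f"{url}: server certificate is not verified "
                "(set ldap_tls_check_peer: yes plus ldap_tls_cacert_file or _dir)")
    if "%u" not in conf.get("ldap_filter", "uid=%u"):
        findings.append("ldap_filter does not use %u, so it cannot select the authenticating user")
    return findings


if __name__ == "__main__":
    conf = parse_saslauthd_conf(SAMPLE_CONF)
    print(build_filter(conf["ldap_filter"], "alice"))
    print(build_filter(conf["ldap_filter"], "a*)(uid=*"))  # escaped, not injected
    for finding in lint(conf) or ["no findings"]:
        print(finding)
```

The loopback exemption matches the posted setup, where saslauthd talks to an LDAP server on the same host; point `ldap_servers` at another machine and the clear-text finding appears until `ldaps://` or `ldap_start_tls: yes` is configured.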