All,

Here's another thought. I would like the simplicity of all cyrus imapd daemon authentication going through one file. This can't happen using PAM (sieve, pop, imap, etc. files are used).

Since I have NSS configured to use LDAP via pam, I already have the /etc/ldap.conf file. What if I were to start sasl using:

    saslauthd -O /etc/ldap.conf -a ldap

That way I would only have one ldap configuration file to worry about. Do you think this would be a security issue even though everything is authenticating locally (ldap is on the same server)? I haven't tried this yet, just wondering if anyone sees something wrong with this idea.

Thanks,
Kevin Williams

On Mon, 2004-08-09 at 10:33, Kevin Williams wrote:
> Joshua and Tobias,
>
> Once again, thanks for the advice. One of my key misunderstandings was
> that gentoo created a file called smtpd.conf under the sasl2 folder. In
> the file was pwcheck_method=pam. I read up on this some, and I think
> it's an error--it should have been saslauthd (might be a holdback to the
> sasl v1 era).
>
> I got it working via pam, but have decided it's easier to maintain 1
> ldap config file than potentially multiple pam files (imap, pop, sieve,
> etc). I'll try that out tonight using the config file you (Josh) sent
> as a template!
>
> I *think* I understand how sasl works now:) Woo hoo!
>
> Thanks,
>
> Kevin Williams
>
> On Fri, 2004-08-06 at 20:01, Joshua Schmidlkofer wrote:
> > Kevin Williams wrote:
> > > All,
> > >
> > > I posted this to cyrus imap's list, but no response. The local list
> > > seems to be much more helpful:)
> > >
> > > Anyway, I'm trying to understand the inner workings of cyrus sasl, in
> > > order to authenticate against LDAP via pam (imap-->sasl-->pam-->ldap).
> > >
> > > I've got an error in my understanding since it won't work. Here's what
> > > I THOUGHT my options were for configuring cyrus imap to authenticate
> > > against LDAP:
> > >
> > >
> > > 1.
> > > --imapd.conf file has NO sasl parameters.
> > > --imapd file in sasl2 folder has one parameter pwcheck_method:pam
> > >
> > > This option does NOT run against the saslauthd daemon. IMAP knows to
> > > use SASL, and checks for the sasl config file which says don't use SASL,
> > > forward to PAM directly. I have my PAM imap file configured to use LDAP
> > > (/etc/ldap.conf).
> > >
> > > 2.
> > > --imapd.conf file has sasl_pwcheck_method:pam
> > > This is the same as #1
> > >
> > >
> > > 3.
> > > --imapd.conf file has no sasl parameter.
> > > --imapd file in sasl2 folder has one parameter pwcheck_method:saslauthd
> > >
> > > This option tells the imapd to forward the parameters to the saslauthd
> > > daemon. When the sasl daemon is started, the desired login mechanism is
> > > passed as a parameter (saslauthd -a pam). I have my PAM imap file
> > > configured to use LDAP (/etc/ldap.conf)
> > >
> > > 4.
> > > --imapd.conf file has sasl_pwcheck_method:saslauthd
> > >
> > > Same as #3.
> > >
> > >
> > > 5.
> > > --imapd.conf file has no sasl parameter.
> > > --imapd file in sasl2 folder has one parameter pwcheck_method:ldap
> > >
> > > This is similar to the PAM process (#1): imap looks up the imapd file and
> > > determines it's pam and uses sasl to configure against pam. The
> > > saslauthd.conf file stores the ldap config information.
> > >
> > > 6.
> > > --imapd.conf file has sasl_pwcheck_method:ldap
> > >
> > > Same as 5. The saslauthd.conf file stores the ldap config information.
> > >
> > >
> > > 7.
> > > --imapd.conf file has no sasl parameter.
> > > --imapd file in sasl2 folder has one parameter pwcheck_method:saslauthd
> > >
> > > This option tells the imapd to forward the parameters to the saslauthd
> > > daemon. When the sasl daemon is started, the desired login mechanism is
> > > passed as a parameter (saslauthd -a ldap). The saslauthd daemon uses
> > > the /saslauthd.conf file to store its ldap config information.
> > >
> > > 8.
> > > --imapd.conf file has sasl_pwcheck_method:saslauthd
> > >
> > > Same as #7.
> > >
> > >
> > > Thanks in advance for clarifying this for me.
> > >
> > > Kevin Williams
> > > _______________________________________________
> > > PDXLUG mailing list
> > > [EMAIL PROTECTED]
> > > http://pdxlug.org/mailman/listinfo/pdxlug
> >
> > I want to disclose that I am really tired right now. The haze is
> > killing my ability to read and follow your e-mail.
> >
> > What I can tell you is this:
> >
> > cyrus-sasl version 1 - this version has you set a million different
> > pwcheck_methods, etc. In all apps using sasl v2, [anything recent]
> > All apps are set to pwcheck_method of saslauthd.
> >
> > saslauthd must be running, and other apps must have access to its read
> > pipe. [housed in /var/run/saslauthd by default]
> >
> > Saslauthd, mostly configured on the command line, must have your
> > appropriate authentication configuration.
> >
> > the Cyrus-SASL documentation sucks like something I can't say here
> >
> > Here is a sample saslauthd.conf:
> >
> > # (c) 2002 Tassilo Erlewein <[EMAIL PROTECTED]>
> > # (c) 2002 Martin Konold <[EMAIL PROTECTED]>
> > # (c) 2002 Achim Frank <[EMAIL PROTECTED]>
> >
> > # this file is automatically written by the Kolab config backend
> > # manual additions are lost unless made to the template in the Kolab
> > # config directory
> >
> > ldap_servers: ldap://127.0.0.1:389
> > #ldap_servers: <ldap://localhost/>
> > # Specify URI(s) referring to LDAP server(s), e.g. ldaps://10.1.1.2:999/.
> > # You can specify multiple servers separated by a space.
> >
> > #ldap_bind_dn: <none>
> > # Specify DN (distinguished name) to bind to the LDAP directory. Do not
> > # specify this parameter for the anonymous bind.
> >
> > #ldap_bind_pw: <none>
> > # Specify the password for ldap_bind_dn. Do not specify this parameter
> > # for the anonymous bind.
> >
> > ldap_version: 3
> > #ldap_version: <3> <2|3>
> > # Specify the LDAP protocol version to use.
> >
> > #ldap_timeout: <5>
> > # Specify a number of seconds a search can take before timing out.
> >
> > #ldap_time_limit: <5>
> > # Specify a number of seconds for a search request to complete.
> >
> > #ldap_deref: <none> <search|find|always|never>
> > # Specify how alias dereferencing is handled during a search.
> >
> > #ldap_referrals: <no>
> > # Specify whether or not the client should follow referrals.
> >
> > #ldap_restart: <yes>
> > # Specify whether or not LDAP I/O operations are automatically restarted
> > # if they abort prematurely.
> >
> > #ldap_cache_ttl: <0>
> > # Non-zero enables client side caching. Cached results will expire after
> > # the specified number of seconds, e.g. 30. Use this option with care.
> > # OpenLDAP folks consider this feature experimental.
> >
> > #ldap_cache_mem: <0>
> > # If client side caching is enabled, the value specifies the cache size
> > # in bytes, e.g. 32768.
> >
> > #ldap_scope: <sub> <sub|one|base>
> > # Search scope.
> >
> > ldap_search_base: dc=webmail,dc=valuecad,dc=com
> > #ldap_search_base: <none>
> > # Specify a starting point for the search, e.g. dc=foo,dc=com
> >
> > #ldap_auth_method: <bind> <bind|custom>
> > # Specify an authentication method. The default 'bind' method uses the
> > # LDAP simple bind facility to verify the password. The custom method
> > # uses the userPassword attribute to verify the password. Currently, {CRYPT}
> > # hash is supported.
> >
> > ldap_filter: (|(uid=%u)(mail=%u)(alias=%u))
> > #ldap_filter: <uid=%u>
> > # Specify a filter. Use the %u and %r tokens for the username and realm
> > # substitution. The %u token has to be used at minimum for the filter to
> > # be useful. If ldap_auth_method is 'bind', the filter will search for
> > # the DN (distinguished name) attribute. Otherwise, the search will look
> > # for the userPassword attribute.
> >
> > #ldap_debug: <0>
> > # Specify a debugging level in the OpenLDAP libraries. See
> > # ldap_set_option(3) for more (LDAP_OPT_DEBUG_LEVEL).
> >
> > #ldap_tls_check_peer: <no> <yes|no>
> > # Require and verify server certificate. If this option is yes,
> > # you must specify ldap_tls_cacert_file or ldap_tls_cacert_dir.
> >
> > #ldap_tls_cacert_file: <none>
> > # File containing CA (Certificate Authority) certificate(s).
> >
> > #ldap_tls_cacert_dir: <none>
> > # Path to directory with CA (Certificate Authority) certificates.
> >
> > #ldap_tls_ciphers: <DEFAULT>
> > # List of SSL/TLS ciphers to allow. The format of the string is
> > # described in ciphers(1).
> >
> > #ldap_tls_cert: <none>
> > # File containing the client certificate.
> >
> > #ldap_tls_key: <none>
> > # File containing the private client key.
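As an added example (not code from anyone in this thread), the checker below parses a saslauthd LDAP backend config in the `key: value` format of the sample quoted above and reports the settings worth verifying before an IMAP server trusts it: a bind password in a readable file, cleartext `ldap://` to a non-local host, `ldaps://` without `ldap_tls_check_peer`, the `custom` auth method, and a filter without `%u`. It also shows what pointing `saslauthd -O` at an nss_ldap-style `/etc/ldap.conf`, as proposed at the top, would look like to saslauthd: none of that file's keys fall in the `ldap_*` namespace, so saslauthd would run on its defaults; the example assumes unknown keys are ignored rather than rejected, and all sample configs are constructed.

```python
"""Audit a saslauthd LDAP backend config (the 'key: value' saslauthd.conf format)
for settings to check before trusting it for IMAP/POP auth. Samples are constructed."""
import re
# ldap_* keys as listed in the sample saslauthd.conf quoted in this thread
KNOWN = {"ldap_servers", "ldap_bind_dn", "ldap_bind_pw", "ldap_version",
         "ldap_timeout", "ldap_time_limit", "ldap_deref", "ldap_referrals",
         "ldap_restart", "ldap_cache_ttl", "ldap_cache_mem", "ldap_scope",
         "ldap_search_base", "ldap_auth_method", "ldap_filter", "ldap_debug",
         "ldap_tls_check_peer", "ldap_tls_cacert_file", "ldap_tls_cacert_dir",
         "ldap_tls_ciphers", "ldap_tls_cert", "ldap_tls_key"}
LOOPBACK = {"127.0.0.1", "localhost"}

def parse(text):
    """Map key -> value, skipping blanks and '#' comments. Splits on the first
    ':' or whitespace so an nss_ldap-style 'key value' file is parsed too."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = re.split(r":\s*|\s+", line, maxsplit=1)
            conf[parts[0]] = parts[1] if len(parts) > 1 else ""
    return conf

def audit(text, file_mode=0o600):
    """Return findings for a config; file_mode is the file's permission bits.
    Defaults mirror the '<...>' defaults in the quoted sample config."""
    conf, findings = parse(text), []
    unknown = sorted(k for k in conf if k not in KNOWN)
    if unknown:  # e.g. nss_ldap 'host'/'base'/'bindpw' handed to saslauthd via -O
        findings.append("keys outside saslauthd's ldap_* namespace: " + ", ".join(unknown))
    if "ldap_bind_pw" in conf and file_mode & 0o077:
        findings.append("ldap_bind_pw set but file is group/world readable")
    for uri in conf.get("ldap_servers", "ldap://localhost/").split():
        m = re.match(r"(ldaps?)://([^/:]+)", uri)
        if not m:
            continue
        scheme, host = m.groups()
        if scheme == "ldap" and host not in LOOPBACK:
            findings.append(f"{uri}: simple-bind password crosses the network in clear unless STARTTLS is used")
        if scheme == "ldaps" and conf.get("ldap_tls_check_peer", "no") != "yes":
            findings.append(f"{uri}: ldap_tls_check_peer is not yes, server certificate is unverified")
    if conf.get("ldap_auth_method", "bind") == "custom":
        findings.append("ldap_auth_method custom: saslauthd must read userPassword hashes; prefer bind")
    if "%u" not in conf.get("ldap_filter", "uid=%u"):
        findings.append("ldap_filter lacks %u, so the lookup is not tied to the presented username")
    return findings

# constructed: what saslauthd -O /etc/ldap.conf would see from an nss_ldap file
NSS_LDAP_CONF = "host 127.0.0.1\nbase dc=example,dc=com\nbinddn cn=proxy,dc=example,dc=com\nbindpw secret\n"
```

Running `audit(NSS_LDAP_CONF)` reports only that every key is outside the `ldap_*` namespace, which is the practical answer to the one-config-file idea: saslauthd and nss_ldap do not share a key vocabulary.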
