I for one would vote for adding functionality into the SASL API.

When I took my users out of my system accounts database and moved them into
sasldb, all of a sudden I lost the ability to grant ACLs to groups -
because SASL doesn't have any notion of anything but password secrets (and
Cyrus still defined a group in an ACL as a Unix group).

As well, I would like to store other attributes about users in the
authentication database as well as being able to enable and disable accounts
easily.

Tim


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Amos Gouaux
Sent: Saturday, May 12, 2001 9:27 AM
To: [EMAIL PROTECTED]
Subject: Re: Where to do account management in SASL?


>>>>> On Sat, 12 May 2001 08:33:34 -0500 (CDT),
>>>>> mills  <[EMAIL PROTECTED]> (m) writes:

m> It would thus be reasonable for Cyrus SASL to provide other facilities
m> related to authentication.  This is possible now to a limited extent
m> if Cyrus SASL uses pwcheck and PAM for authentication, but not if it
m> uses sasldb.  I was looking for a more general solution, and a place
m> in the Cyrus SASL to insert it.

Hmmm... I wonder if there could be a pam_sasldb.so PAM module.  That
way you could just use the PAM infrastructure (specifically the
'account' service) for controlling access, but yet use this
pam_sasldb.so module for the 'auth' service.  Maybe the calls to the
sasldb routines could just be placed into this pam_sasldb.so module?
Or is that just too weird....

--
Amos

