Hi folks

I've noticed a fair few questions on the list since I've been subscribed that ask about authentication. I'd go so far as to say that it's the #1 or #2 topic (behind migration or mailbox recovery). Perhaps I can do something to help, as a non-coder.

I know that when setting up Cyrus I found it quite hard to wrap my head around the way the authentication worked, the first time around. Of course now it all makes sense, but I suspect I'm not the only one. I'm trying to jot down info for a sort of cyrus authentication FAQ, but also thought I'd try to map it out visually.

If you're interested, here are the beginnings of that effort:

http://www.postnewspapers.com.au/~craig/cyrus_authentication_map.pdf
http://www.postnewspapers.com.au/~craig/cyrus_authentication_map.sxd

I'd really appreciate feedback on this - what have I missed, do I have anything just plain wrong, etc. I've left out some things - like the 'shadow' mechanism of saslauthd - that seem best solved using other methods (getpwent in that case). Also left out are the specific-vendor mechanisms like saslauthd's dce and sia methods.

I should probably also include rimap. Is this best done via saslauthd?

The diagram is also somewhat linux-specific I guess, at least in the use of PAM and nss. I don't know how widely - if at all - other UNIXes use NSS, though AFAIK PAM is available on at least Solaris. I don't think there's too much harm in that personally, as it'll be pretty obvious if your platform doesn't support some of these mechanisms.

If someone can fill me in a bit on the auxprop-based mechanisms (at least those suitable for use in new deployments), that'd be really helpful.

I'm trying to only show the "current" mechanisms, ignoring deprecated ones (or those that appear deprecated) like pwcheckd and saslauthd->sasldb.

So ... does this look like any use? Suggestions appreciated.

Craig Ringer


