On Thu, 6 Nov 2003, Craig Ringer wrote:

> I'm about as far from an expert on Cyrus as there is, so apologies if
> I'm dead wrong about something. I do think that a document like this
> will be useful in showing people how things fit together, and the
> various different "paths" through which Cyrus can handle
> authentication/authorization. There are enough of them, after all ;-)

This is much better. I'd probably put the mechanisms outside of the libsasl box, since they are (almost always) loaded dynamically. NTLM can use either Windows NT networking or the auxprop plugins. GSSAPI/KERBEROS_V4 rely on the Kerberos Domain Controllers (KDC).

You should probably add these links to the wiki. Directly attaching the files would be even better.

> Later I'd like to collect and document some common working
> configurations for the wiki, if folks are OK with that. I suspect that

There is already a section for this, so it is definitely encouraged:

http://asg.web.cmu.edu/twiki/bin/view/Cyrus/SampleCyrusConfigurations

> the majority of users, at least Linux/BSD users, will probably want to
> either hook Cyrus up to their existing PAM setup or plug it directly
> into an LDAP directory. (If LDAP can be used for authentication against
> MS Active Directory, that's cool ... otherwise NTLM will probably be
> another common config). A few starting-point configs might be very
> useful here, including an end-to-end explanation of how things fit
> together. I plan to write up my config here
> (cyrus->sasl->saslauthd->pam->ldap) as an example to start things off.

I'd discourage people from using pam if they can at all avoid it. Certainly going saslauthd->pam->ldap is pretty questionable given that saslauthd has an internal LDAP module.

-Rob

>
> Anyway, the updated diagram is at:
>
> http://www.postnewspapers.com.au/~craig/cyrus_authentication_map.pdf
> http://www.postnewspapers.com.au/~craig/cyrus_authentication_map.sxd
>
> It's not an explanation of Cyrus's authentication on its own, but
> should be informative in combination with the existing docs. As I
> personally found the hardest part about Cyrus to be figuring out how all
> the various bits of the auth scheme fit together, perhaps this can help
> others with that.
>
> Craig Ringer
>

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper