All,

I'm installing my first cyrus imap server that uses LDAP for authentication. I understand the sasldb2/auxprop mechanism all right, but am confused when it comes to saslauthd/PAM/LDAP. I want to use PLAIN over TLS against an LDAP server. Seems like there's a LOT of ways to do that (auxprop, sasl-ldap, and sasl-pam-ldap).
All the different ways confuse me, and I want to clarify my options. Would someone please verify what I THINK is supposed to happen?

1. --imapd.conf file has NO sasl parameters.
   --imapd file in sasl2 folder has one parameter pwcheck_method:pam
   This option does NOT run against the saslauthd daemon. IMAP knows to use SASL, and checks for the sasl config file which says don't use SASL, forward to PAM directly. I have my PAM imap file configured to use LDAP (/etc/ldap.conf).

2. --imapd.conf file has sasl_pwcheck_method:pam
   This is the same as #1.

3. --imapd.conf file has no sasl parameter.
   --imapd file in sasl2 folder has one parameter pwcheck_method:saslauthd
   This option tells the imapd to forward the parameters to the saslauthd daemon. When the sasl daemon is started, the desired login mechanism is passed as a parameter (saslauthd -a pam). I have my PAM imap file configured to use LDAP (/etc/ldap.conf).

4. --imapd.conf file has sasl_pwcheck_method:saslauthd
   Same as #3.

5. --imapd.conf file has no sasl parameter.
   --imapd file in sasl2 folder has one parameter pwcheck_method:ldap
   This is similar to PAM process (#1): imap looks up imapd file and determines it's pam and uses sasl to configure against pam. The saslauthd.conf file stores the ldap config information.

6. --imapd.conf file has sasl_pwcheck_method:ldap
   Same as #5. The saslauthd.conf file stores the ldap config information.

7. --imapd.conf file has no sasl parameter.
   --imapd file in sasl2 folder has one parameter pwcheck_method:saslauthd
   This option tells the imapd to forward the parameters to the saslauthd daemon. When the sasl daemon is started, the desired login mechanism is passed as a parameter (saslauthd -a ldap). The saslauthd daemon uses the /saslauthd.conf file to store its ldap config information.

8. --imapd.conf file has sasl_pwcheck_method:saslauthd
   Same as #7.

Another question:

1. Does cyradm authenticate against the imapd.conf authentication process, or do I have to use the sasldb2 database regardless? I'd like to keep all authentication in LDAP, but one user in the sasldb2 database wouldn't be too bad...

Thanks in advance for clarifying this for me. Hopefully this can help others down the road as well!

Kevin Williams
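The setup described in option 8 above (sasl_pwcheck_method:saslauthd in imapd.conf, daemon started with saslauthd -a ldap), written out as an added example that is not part of the original post. The host name, search base, admin account name and file locations are constructed placeholders.

```conf
# ---------------------------------------------------------------
# /etc/imapd.conf  (Cyrus IMAP side; location is an assumption)
# ---------------------------------------------------------------
# Options carrying the sasl_ prefix are passed by imapd to the SASL library.
# Comments must sit on their own lines in this file.

# Hand PLAIN credentials to the saslauthd daemon for checking.
sasl_pwcheck_method: saslauthd

# Offer only the PLAIN mechanism.
sasl_mech_list: PLAIN

# Refuse plaintext logins on connections that are not yet under TLS.
allowplaintext: no

# Account used with cyradm (constructed name). cyradm logs in over IMAP,
# so this account is checked through saslauthd like any other.
admins: cyrus

# TLS certificate and key options are left out here: their names differ
# between Cyrus IMAP versions.

# ---------------------------------------------------------------
# saslauthd.conf  (read by the daemon started as: saslauthd -a ldap)
# Location is an assumption; saslauthd -O <file> points at another path.
# ---------------------------------------------------------------
# Directory server, reached over TLS (constructed host name).
ldap_servers: ldaps://ldap.example.com/

# Subtree that holds the mail users (constructed base DN).
ldap_search_base: ou=people,dc=example,dc=com

# %u is replaced with the login name; saslauthd finds the entry and then
# binds as it with the supplied password.
ldap_filter: (uid=%u)

# Check the daemon on its own before involving imapd:
#   testsaslauthd -u <user> -p <password> -s imap
```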