Igor Brezac wrote:


On Sun, 21 Nov 2004, Dick Davies wrote:

* Vernon A. Fort <[EMAIL PROTECTED]> [1136 15:36]:

I have squid and samba authenticating by active directory and was trying
to figure out the best approach in getting the cyrus-imap accounts to
auth via active directory as well.

Can someone point me in the right direction - I cannot find a
configuration example for cyrus-imap or cyrus-sasl.


Best way is probably to have cyrus auth via saslauthd, then saslauthd
in turn talk to PAM, and use pam_ldap.


You can also use saslauthd built-in ldap or kerberos5 authentication mechanisms.

You can also use the GSSAPI SASL plugin. Let me clarify.

This is a story about authentication. There are two things to consider.

1. How are your IMAP clients going to authenticate to the server
2. How does your infrastructure provide authentication

The IMAP protocol uses SASL, which in turn has several defined mechanisms:

1. PLAIN
2. CRAM-MD5, DIGEST-MD5
3. KERBEROS_IV, GSSAPI
4. EXTERNAL
5. OTP
6. NTLM
...

Of these, only PLAIN (and perhaps OTP) is relay-able, which means that authentication credentials provided by the client can be passed along to some other mechanism (relayed). *-MD5 require a local store of user/pass on the IMAP server, GSSAPI is Kerberos related and EXTERNAL uses digital certificates (think: SSL/TLS).

If you want to use ADS Kerberos as your authentication infrastructure, you are left with two choices.

1. PLAIN -> SASLAuthD -> [PAM (optional)] -> (LDAP or Kerberos5)
2. GSSAPI

Every IMAP client on the planet can use PLAIN, but it has two major drawbacks. Firstly, it is totally insecure, since user/pass is only base64 encoded. That would force you to use PLAIN-over-TLS, which has its problems (you need regular certificates or your clients will constantly complain about the identity of the certificate owner).

Secondly, using "saslauthd" as a Kerberos5 client (relay) means that for every authentication attempt "saslauthd" would indulge itself in a full client session initialization, which is CPU consuming and burdens both the IMAP server and the ADS KDC.

GSSAPI is how Kerberos was intended to be used. In that setup the IMAP client is authenticated with the ADS KDC and has obtained a ticket for the IMAP service (IMAP/[EMAIL PROTECTED]). The IMAP server is supplied with its Kerberos principal service key and they both use the underlying Kerberos infrastructure.

The only problem is that not many clients support this. Mozilla/Thunderbird certainly doesn't. MS IE does and I've only heard reports that Eudora and CyrusSoft Mulberry also have GSSAPI support.

Nix.
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
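As an added example (my own, not code from the thread or from the Cyrus project), the script below checks an imapd.conf fragment against the trade-offs Nix lays out: PLAIN/LOGIN may only be offered behind TLS and need saslauthd to relay the password to AD, while GSSAPI bypasses saslauthd and needs the IMAP service key instead. The option names are the Cyrus ones (allowplaintext, sasl_mech_list, sasl_pwcheck_method, tls_cert_file / tls_server_cert); the two config fragments are constructed for the demonstration.

```python
"""Audit a Cyrus imapd.conf for how IMAP credentials will cross the wire."""

# Constructed imapd.conf fragments, not taken from any real deployment.
WEAK_CONF = """\
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
allowplaintext: yes      # PLAIN accepted on the clear-text port
"""

HARDENED_CONF = """\
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN GSSAPI
allowplaintext: no       # PLAIN only after STARTTLS
tls_cert_file: /etc/ssl/certs/imap.pem
tls_key_file: /etc/ssl/private/imap.key
"""


def parse_imapd_conf(text):
    """imapd.conf is one 'key: value' per line; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip().lower()] = value.strip()
    return conf


def audit(conf):
    """Return (severity, message) findings for the configured SASL mechanisms."""
    findings = []
    mechs = set(conf.get("sasl_mech_list", "").upper().split())
    relayable = mechs & {"PLAIN", "LOGIN"}        # the only mechanisms saslauthd can relay
    plain_off = conf.get("allowplaintext", "").lower() in ("no", "0", "off", "false")
    has_cert = "tls_cert_file" in conf or "tls_server_cert" in conf
    if relayable and not plain_off:
        findings.append(("warn", "allowplaintext not disabled: base64-only credentials "
                                 "can be sent without TLS"))
    if relayable and plain_off and not has_cert:
        findings.append(("warn", "PLAIN confined to TLS but no server certificate configured"))
    if relayable and conf.get("sasl_pwcheck_method") != "saslauthd":
        findings.append(("warn", "PLAIN offered but sasl_pwcheck_method is not saslauthd, "
                                 "so nothing relays the password to AD"))
    if "GSSAPI" in mechs:
        findings.append(("info", "GSSAPI offered: server needs its IMAP/host service key, "
                                 "saslauthd is not involved"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_imapd_conf(text)))
```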
