On Wednesday 12 November 2008 18:28:32 Dan White wrote:
> Veit Wahlich wrote:
> > I authenticate a Cyrus imapd through saslauthd's PAM authmech.
> > Now I'd like to define a secondary imap service in cyrus.conf not
> > accessing /etc/pam.d/imap but another PAM config file such
> > as /etc/pam.d/imap-external.
> > The goal is to have two imapds running (bound to different IPs or TCP
> > ports) with different PAM auth service configs for internal and external
> > access.
> >
> > Is there a configuration option in imapd.conf or so to control which PAM
> > file is being accessed by saslauthd for a service?
>
> Veit,
>
> This was just discussed on the cyrus-imapd list:
>
> http://www.mail-archive.com/info-cyrus@xxxxxxxxxxxxxxxxxxxx/msg36412.html
>
> To summarize, you could add a secondary entry into /etc/cyrus.conf, e.g.:
>
> imap2 cmd="imapd -U 30 -D" listen="127.0.0.7:imap"
>
> In /etc/imapd.conf, you could add:
>
> # First imap instance
> imap_sasl_pwcheck_method: saslauthd
>
> # Second imap instance
> imap2_sasl_pwcheck_method: saslauthd
> imap2_sasl_saslauthd_path: /path/to/second/saslauthd/mux
>
> and then run two instances of saslauthd, the second using a separate
> socket.

Unfortunately this will not help the OP.

Yes, this would use separate saslauthd services for the two imap daemons, but
unfortunately the service name which is used to connect to saslauthd is
hardcoded in each daemon. For imapd this is "imap". And this service name is
interesting for the pam.d/file.

Yes, this stuff is really complicated.

The OP has to patch Cyrus-Imapd and use another imapd binary for that.

Relevant source code part is:

./imap/imapd.conf:

...
/*
 * run for each accepted connection
 */
#ifdef ID_SAVE_CMDLINE
int service_main(int argc, char **argv, char **envp __attribute__((unused)))
#else
int service_main(int argc __attribute__((unused)),
                 char **argv __attribute__((unused)),
                 char **envp __attribute__((unused)))
#endif
{
...
    /* create the SASL connection */
    if (sasl_server_new("imap", config_servername,
                        NULL, NULL, NULL, NULL, 0,
                        &imapd_saslconn) != SASL_OK) {
        fatal("SASL failed initializing: sasl_server_new()", EC_TEMPFAIL);
    }
...

The first argument in sasl_server_new() decides about the pam.d configuration
file.

> I am not positive that 'imap2' would be passed as the service name to
> saslauthd however.

--
Andreas
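
A sketch of the kind of change such a patch would need, added here as an example and not taken from the original message or from the Cyrus source: the service name handed to sasl_server_new() comes from a per-instance value instead of the literal "imap", and is validated because it ends up selecting a file under /etc/pam.d/. The helper names, the allowed character set, the length limit and the `configured` parameter are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DEFAULT_SASL_SERVICE "imap"  /* the literal in the excerpt above */
#define MAX_SERVICE_LEN 32           /* assumed limit, not from Cyrus */

/* Hypothetical helper: accept only names that are safe as a file name
 * under /etc/pam.d/ (lowercase letters, digits, '-' and '_'). */
static int service_name_ok(const char *name)
{
    size_t i, len;

    if (name == NULL || (len = strlen(name)) == 0 || len > MAX_SERVICE_LEN)
        return 0;
    for (i = 0; i < len; i++) {
        char c = name[i];
        if (!((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') ||
              c == '-' || c == '_'))
            return 0;   /* rejects '/', '.', uppercase, whitespace, ... */
    }
    return 1;
}

/* Hypothetical helper: choose the first argument for sasl_server_new().
 * Falls back to "imap" when the per-instance value is unset or rejected. */
const char *sasl_service_name(const char *configured)
{
    return service_name_ok(configured) ? configured : DEFAULT_SASL_SERVICE;
}

/* Build the PAM file path that corresponds to a service name.
 * Returns 0 on success, -1 if buf is too small. */
int pam_config_path(const char *service, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "/etc/pam.d/%s", service);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample values for the per-instance setting. */
    const char *samples[] = { NULL, "imap-external", "../other", "IMAP" };
    char path[64];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        /* In imapd: sasl_server_new(svc, config_servername, ...) */
        const char *svc = sasl_service_name(samples[i]);
        if (pam_config_path(svc, path, sizeof(path)) == 0)
            printf("%-14s -> %s\n", samples[i] ? samples[i] : "(unset)", path);
    }
    return 0;
}
```
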