Re: Cyrus IMAP + Client certificate authentication

>I'm looking for some information to setup cyrus imap authentication with 
>client certificates. Anyone here to give me some advice? Tried to google 
>it but without success. Any help would be appreciated!!

Strangely enough, this came up AGAIN for me so I decided to trace this
down.  I haven't tested it, but here's what I believe to be true:

1) When you submit a client certificate as part of the TLS exchange
   the "authenticated name" is set to the value of the commonName portion
   of the client certificate's subject.
2) The "authorization id" can be optionally passed in as part of the
   SASL EXTERNAL authentication by the client.  If it isn't passed in
   then the authorization id defaults to the authenticated name.
3) Both of these identities are subject to routines that can "canonify"
   a name, and it's possible that they could do a lookup via LDAP if it is
   configured correctly, but I don't know the details there.
4) There are two ways to allow access to a Cyrus account: you can have the
   authenticated name match the account name, OR you can set "loginuseacl"
   to "1" and give the authenticated name "a" rights to the INBOX.

So, for example, if you have a client certificate with a common name of
"foo", and you want to login to the Cyrus "foo" account, then that's easy.
If you have a client certificate with a common name of "MISTER.FOO" and
you want to login to the Cyrus "foo" account, the simplest thing might be
to set loginuseacl and give MISTER.FOO admin rights to the "foo" INBOX.

I suspect your pain points will be (a) configuring all of the certificate
stuff correctly and (b) figuring out the right magic on the clients to
make it send the client certificate _and_ the correct authorization id.

--Ken
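As an added illustration (not part of Ken's message and not Cyrus code), this Python sketch models the four rules above: the certificate CN becomes the authenticated name, the optional SASL EXTERNAL authorization id defaults to it, and access is granted either by a direct match or, with loginuseacl, by an "a" right on the target INBOX. The canonify stand-in, the ACL dictionary and the assumption that the server advertises SASL-IR are constructed for the example.

```python
import base64

# Constructed model of the identity flow described above; it is not Cyrus code.
# Cyrus's real canonification (and any LDAP lookup) is site-specific, so the
# stand-in below only trims whitespace.

def canonify(name):
    return name.strip()

def external_initial_response(authz_id=None):
    """Initial response a client sends with 'AUTHENTICATE EXTERNAL' when the
    server advertises SASL-IR: the base64 authorization id, or '=' for none."""
    if not authz_id:
        return "="
    return base64.b64encode(authz_id.encode("utf-8")).decode("ascii")

def identities(cert_cn, authz_id=None):
    """Rules 1 and 2: the authenticated name is the certificate CN; the
    authorization id defaults to it when the client sends none."""
    authn = canonify(cert_cn)
    authz = canonify(authz_id) if authz_id else authn
    return authn, authz

def resolve_login(cert_cn, authz_id, loginuseacl, inbox_acls):
    """Rule 4. inbox_acls maps account -> {identifier: Cyrus rights string}
    (constructed). Returns (granted, account, reason)."""
    authn, authz = identities(cert_cn, authz_id)
    if authn == authz:
        return True, authz, "authenticated name matches the account"
    rights = inbox_acls.get(authz, {}).get(authn, "")
    if loginuseacl and "a" in rights:
        return True, authz, "loginuseacl: %s holds 'a' on %s's INBOX" % (authn, authz)
    if not loginuseacl:
        return False, authz, "loginuseacl is off, so INBOX ACLs are not consulted"
    return False, authz, "%s lacks the 'a' right on %s's INBOX" % (authn, authz)

if __name__ == "__main__":
    # Constructed ACL: MISTER.FOO was given admin rights on foo's INBOX.
    acls = {"foo": {"MISTER.FOO": "lrswipkxtea"}}
    print(external_initial_response("foo"))             # Zm9v
    print(resolve_login("foo", None, False, {}))
    print(resolve_login("MISTER.FOO", "foo", True, acls))
    print(resolve_login("MISTER.FOO", "foo", False, acls))
```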

------------------------------------------
Cyrus: SASL
Permalink: https://cyrus.topicbox.com/groups/sasl/Tc3867934b82f1aa6-M0aab7e4ee4f9374ab5168454
Delivery options: https://cyrus.topicbox.com/groups/sasl/subscription