Re: Cyrus IMAP + Client certificate authentication


Thanks for your thoughts about that. Just one stupid question: How do I tell cyrus-imap to accept TLS certificate at login? Should be possible with SASL/EXTERNAL, right? If I add EXTERNAL to sasl_mech_list that changes nothing. Trying to connect with Thunderbird (configured to authenticate with a TLS certificate) it tells me the authentication method isn't supported by the server.

Johannes


I'm looking for some information to setup cyrus imap authentication with
client certificates. Anyone here to give me some advice? Tried to google
it but without success. Any help would be appreciated!

Strangely enough, this came up AGAIN for me so I decided to trace this
down.  I haven't tested it, but here's what I believe to be true:

1) When you submit a client certificate as part of the TLS exchange
    the "authenticated name" is set to the value of the commonName portion
    of the client certificate's subject.
2) The "authorization id" can be optionally passed in as part of the
    SASL EXTERNAL authentication by the client.  If it isn't passed in
    then the authorization id defaults to the authenticated name.
3) Both of these identities are subject to routines that can "canonify"
    a name, and it's possible that could do a lookup via LDAP if it is
    configured correctly but I don't know the details there.
4) There are two ways to allow access to a Cyrus account: you can have the
    authenticated name match the account name, OR you can set "loginuseacl"
    to "1" and give the authenticated name "a" rights to the INBOX.

So, for example, if you have a client certificate with a common name of
"foo", and you want to login to the Cyrus "foo" account, then that's easy.
If you have a client certificate with a common name of "MISTER.FOO" and
you want to login to the Cyrus "foo" account, the simplest thing might be
to set loginuseacl and give MISTER.FOO admin rights to the "foo" INBOX.

I suspect your pain points will be (a) configuring all of the certificate
stuff correctly and (b) figuring out the right magic on the clients to
make it send the client certificate _and_ the correct authorization id.

--Ken
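The four points above describe an identity-mapping pipeline, and it helps to see it as a decision function. The following is an added illustration, not Cyrus or Cyrus SASL code: it models certificate CN as the authenticated name, an optional SASL EXTERNAL authorization id that defaults to the authenticated name, a canonification step, and the two access paths (exact account match, or loginuseacl plus "a" rights on the INBOX). The canonify rule (lowercase) and the in-memory ACL table are constructed stand-ins for whatever the real server is configured to do.

```python
"""Model of the client-certificate login decision described in the thread.

Added example, not Cyrus code.  Assumptions are marked inline:
the canonify rule and the ACL table are stand-ins for real server behaviour.
"""

from dataclasses import dataclass, field
from typing import Dict, Optional


def subject_cn(subject_dn: str) -> str:
    """Return the commonName from an RFC 2253-style subject string such as
    'CN=MISTER.FOO,OU=Mail,O=Example'.  Point 1: this becomes the
    authenticated name.  Raises if the subject carries no CN."""
    for rdn in subject_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "CN" and value:
            return value
    raise ValueError("client certificate subject has no commonName")


def canonify(name: str) -> str:
    """Point 3: stand-in for canonification (assumption: strip + lowercase).
    A real deployment may rewrite names via LDAP or other rules."""
    return name.strip().lower()


@dataclass
class Server:
    # Point 4, second option: loginuseacl lets an ACL grant stand in for
    # an exact account-name match.
    loginuseacl: bool = False
    # mailbox -> {canonified identity: rights string}; "a" is administer.
    acl: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def grant(self, mailbox: str, identity: str, rights: str) -> None:
        """Record an ACL entry, e.g. grant('user.foo', 'MISTER.FOO', 'a')."""
        self.acl.setdefault(mailbox, {})[canonify(identity)] = rights

    def may_login(self, cert_subject: str, account: str,
                  authzid: Optional[str] = None) -> bool:
        """Decide whether a client presenting cert_subject, and asking for
        'account' with an optional SASL EXTERNAL authzid, gets in."""
        authn = canonify(subject_cn(cert_subject))          # point 1
        authz = canonify(authzid) if authzid else authn     # point 2
        # The client must be asking for the account it is trying to use.
        if authz != canonify(account):
            return False
        # Point 4, first option: authenticated name equals the account.
        if authn == authz:
            return True
        # Point 4, second option: loginuseacl and "a" rights on the INBOX.
        if not self.loginuseacl:
            return False
        rights = self.acl.get(f"user.{authz}", {}).get(authn, "")
        return "a" in rights


if __name__ == "__main__":
    srv = Server(loginuseacl=True)
    srv.grant("user.foo", "MISTER.FOO", "a")
    # Certificate CN matches the account: easy case.
    print(srv.may_login("CN=foo,O=Example", "foo"))                   # True
    # CN differs and no authzid sent: authz defaults to MISTER.FOO, so no.
    print(srv.may_login("CN=MISTER.FOO,O=Example", "foo"))            # False
    # CN differs, authzid=foo sent, ACL grants "a": allowed.
    print(srv.may_login("CN=MISTER.FOO,O=Example", "foo", "foo"))     # True
```

The second call is the pain point Ken names at the end: a certificate for MISTER.FOO alone is not enough, the client must also send the authorization id "foo" in the EXTERNAL exchange, and the server must have both loginuseacl and the ACL grant in place.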

------------------------------------------
Cyrus: SASL
Permalink: https://cyrus.topicbox.com/groups/sasl/Tc3867934b82f1aa6-M0aab7e4ee4f9374ab5168454
Delivery options: https://cyrus.topicbox.com/groups/sasl/subscription


------------------------------------------
Cyrus: SASL
Permalink: https://cyrus.topicbox.com/groups/sasl/Tc3867934b82f1aa6-Med8b82c4563b3d8b865fab5e
Delivery options: https://cyrus.topicbox.com/groups/sasl/subscription
