Jason Voorhees wrote:
> Hi there:
>
> I'm planning to use Cyrus IMAP and OpenLDAP to authenticate users. Long time ago I used to configure Cyrus IMAP + Cyrus SASL using saslauthd with pam module. It was something simple.
>
> Then I used to configure Cyrus IMAP + Cyrus SASL using saslauthd with ldap module and /etc/saslauthd.conf without problems. That's fine.
>
> Now I would like to use Cyrus IMAP with OpenLDAP too, but I found that there are at least 2 ways:
>
> 1. Use Cyrus SASL with auxprop to authenticate users through LDAP using auxprop_plugin: ldapdb, sasl_ldap_servers among other sasl_* directives. Right?
>
> 2. The other way is to use ldap_* directives like ldap_uri, ldap_filter among others. But I believe that I would need to use 'pts' module in auth_mech directive, right?
>
> The question is: What are pts, unix, krb and krb5 modules used for? What's the difference between them? Should I use pts module to make Cyrus talk directly to OpenLDAP...? Or should I use Cyrus SASL with auxprop plugin to make the authentication to OpenLDAP?
>
> Is there a place where I can get some clear information about these items? Man pages are not too clear :S
>
> Thanks people :)

Jason,

Available documentation that I'm aware of includes:

/doc/options.html (within the cyrus-sasl source) which documents how to configure the ldapdb auxprop plugin
/saslauthd/LDAP_SASLAUTHD (within the cyrus-sasl source) which discusses how to configure the ldap saslauthd backend
/doc/overview.html (within the cyrus-imap source), in the 'Kerberos vs. Unix Authorization' section, which discusses authorization.

As I understand it, the ldapdb auxprop plugin is entirely within the realm of cyrus sasl (authentication), and the auth_mech directive in imapd.conf is cyrus imapd specific, and only handles authorization. The auth_mech options (pts, unix, krb and krb5) direct how cyrus imapd authorizes users to access mailboxes/resources *after* they have been authenticated.

The kerberos options direct imapd to perform some canonicalization of the authenticating user before opening their mailbox - so if a user connects as jsmith@xxxxxxxxxxx, the kerberos options could canonicalize that to 'jsmith', so that the server can open the 'jsmith' mailbox instead of searching for a 'jsmith@xxxxxxxxxxx' mailbox.

The unix and pts options should only come into play if you have specified a 'group:staff' style ACL for your mailboxes. It tells the imapd server how to resolve group membership to grant access to the mailbox. The 'unix' option will perform a unix getgrent call, or something like that, to determine if a user belongs to a group - using nss for instance, which in turn can use the nss-ldap or nss-mysql modules to look up groups. However, that's pretty slow in my experience and you'd need to make sure you're properly optimizing your LDAP database. The pts route can be used to reference an LDAP server directly to resolve group membership within an LDAP database.

- Dan

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
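The split Dan describes (SASL owns authentication, auth_mech owns authorization) maps onto two separate groups of imapd.conf directives. The fragment below is an added illustration, not configuration posted by anyone in this thread: it places the saslauthd/ldapdb authentication choice beside the pts/ldap authorization settings so the two are not confused. The option names are the ones I know from the cyrus-sasl doc/options.html and the imapd.conf(5) man page (sasl_ldapdb_*, pts_module, ldap_uri, ldap_base, ldap_filter, ldap_group_*, ldap_member_*); hostnames, DNs, the proxy identity and the password are placeholders, and the exact option set should be checked against the docs for the Cyrus version in use.

```ini
# imapd.conf fragment (added example; hostnames, DNs and credentials are placeholders)

# ---- Authentication: Cyrus SASL decides whether the password is right ----

# Option A: saslauthd with its ldap backend (Jason's earlier setup).
# The LDAP bind details then live in /etc/saslauthd.conf, not in this file.
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN

# Option B: ldapdb auxprop plugin, so SASL queries the directory itself.
# Uncomment instead of Option A; ldapdb binds as the proxy identity below
# and uses SASL proxy authorization, so that identity needs authzTo rights
# in the directory. Keep this file readable by the cyrus user only.
#sasl_pwcheck_method: auxprop
#sasl_auxprop_plugin: ldapdb
#sasl_ldapdb_uri: ldap://ldap.example.com
#sasl_ldapdb_mech: DIGEST-MD5
#sasl_ldapdb_id: cyrus-proxy
#sasl_ldapdb_pw: PLACEHOLDER_PASSWORD

# ---- Authorization: imapd decides what the authenticated user may open ----

# 'pts' answers "what is this user's canonical name?" and "is this user in
# group X?" by asking LDAP through ptloader. 'unix' would answer the same
# questions with getpwnam/getgrent (NSS) instead, which Dan found slower.
auth_mech: pts
pts_module: ldap
ldap_uri: ldap://ldap.example.com
ldap_base: ou=people,dc=example,dc=com
ldap_filter: (uid=%u)
# Group lookups, used only when a mailbox ACL names group:<name>.
ldap_group_base: ou=groups,dc=example,dc=com
ldap_group_filter: (cn=%u)
ldap_member_method: attribute
ldap_member_attribute: memberUid
```

Two points worth remembering when trying this: the pts path only works if ptloader is started from cyrus.conf, and the group settings only get exercised once an ACL such as `group:staff lrs` is actually set on a mailbox; with user-only ACLs, auth_mech: pts is doing nothing more than name canonicalization. Whichever authentication option is picked, the authorization block stays the same, which is exactly the separation Dan's reply is making.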