That was perfect, thank you very much Dan! Now I know what configuration is appropriate for me. Bytes!

Dan White wrote:
> Jason Voorhees wrote:
>> Hi there:
>>
>> I'm planning to use Cyrus IMAP and OpenLDAP to authenticate users.
>> A long time ago I used to configure Cyrus IMAP + Cyrus SASL using
>> saslauthd with the pam module. It was something simple.
>>
>> Then I used to configure Cyrus IMAP + Cyrus SASL using saslauthd with
>> the ldap module and /etc/saslauthd.conf without problems. That's fine.
>>
>>
>> Now I would like to use Cyrus IMAP with OpenLDAP too, but I found that
>> there are at least 2 ways:
>>
>> 1. Use Cyrus SASL with auxprop to authenticate users through LDAP using
>> auxprop_plugin: ldapdb, sasl_ldap_servers among other sasl_* directives.
>> Right?
>>
>> 2. The other way is to use ldap_* directives like ldap_uri, ldap_filter
>> among others. But I believe that I would need to use the 'pts' module in
>> the auth_mech directive, right?
>>
>> The question is: What are the pts, unix, krb and krb5 modules used for?
>> What's the difference between them? Should I use the pts module to make
>> Cyrus talk directly to OpenLDAP...? Or should I use Cyrus SASL with the
>> auxprop plugin to do the authentication against OpenLDAP?
>>
>> Is there a place where I can get some clear information about these
>> items? The man pages are not too clear :S
>>
>> Thanks people :)
>>
>
> Jason,
>
> Available documentation that I'm aware of includes:
>
> /doc/options.html (within the cyrus-sasl source), which documents how to
> configure the ldapdb auxprop plugin
>
> /saslauthd/LDAP_SASLAUTHD (within the cyrus-sasl source), which discusses
> how to configure the ldap saslauthd backend
>
> /doc/overview.html (within the cyrus-imap source), in the 'Kerberos vs.
> Unix Authorization' section, which discusses authorization.
>
> As I understand it, the ldapdb auxprop plugin is entirely within the
> realm of cyrus sasl (authentication), and the auth_mech directive in
> imapd.conf is cyrus imapd specific, and only handles authorization.
>
> The auth_mech options (pts, unix, krb and krb5) direct how cyrus imapd
> authorizes users to access mailboxes/resources *after* they have been
> authenticated. The Kerberos options direct imapd to perform some
> canonicalization of the authenticating user before opening their mailbox
> - so if a user connects as jsmith@xxxxxxxxxxx, the Kerberos options
> could canonicalize that to 'jsmith', so that the server can open the
> 'jsmith' mailbox instead of searching for a 'jsmith@xxxxxxxxxxx' mailbox.
>
> The unix and pts options should only come into play if you have
> specified a 'group:staff' style ACL for your mailboxes. It tells the
> imapd server how to resolve group membership to grant access to the
> mailbox. The 'unix' option will perform a unix getgrent call, or
> something like that, to determine if a user belongs to a group - using
> nss for instance, which in turn can use the nss-ldap or nss-mysql
> modules to look up groups. However, that's pretty slow in my experience
> and you'd need to make sure you're properly optimizing your LDAP database.
>
> The pts route can be used to reference an LDAP server directly to
> resolve group membership within an LDAP database.
>
> - Dan

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
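The two layers Dan separates (Cyrus SASL authentication versus imapd's auth_mech authorization) are easiest to see side by side in one imapd.conf. The fragment below is an added example written for this archive page; it is not part of the thread, nor taken from the Cyrus documentation. The hostname ldap.example.org, the DNs, the cyrus-proxy identity, its password and the 'staff' group are invented placeholders, and every directive should be checked against imapd.conf(5), cyrus.conf(5) and the cyrus-sasl doc/options.html and saslauthd/LDAP_SASLAUTHD files for the versions actually installed.

```conf
# /etc/imapd.conf (fragment). Example values only; keep this file readable
# by root and the cyrus user alone, because it holds directory credentials.

# ---- Layer 1: authentication, handled by Cyrus SASL ----
# Option A: the ldapdb auxprop plugin. imapd verifies the password itself
# through libsasl, which binds to slapd as sasl_ldapdb_id and then uses SASL
# proxy authorization to act as the user who is logging in. That means the
# proxy identity needs authzTo rights over every mail user in slapd
# (authz-policy to, on the slapd side): a broad privilege, so give it its
# own account, a strong password, and nothing else.
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://ldap.example.org
sasl_ldapdb_id: cyrus-proxy
sasl_ldapdb_pw: change-me
sasl_ldapdb_mech: DIGEST-MD5
sasl_ldapdb_starttls: demand

# Option B (instead of A): saslauthd with its ldap backend, which is the
# setup Jason already had working. saslauthd looks the user up with a
# low-privilege bind DN and then binds as the user with the supplied
# password (ldap_auth_method: bind, the default), so the service account
# needs only search/read rights, not proxy authorization. The ldap_*
# settings for it live in /etc/saslauthd.conf, not here.
#sasl_pwcheck_method: saslauthd

# Either way, only offer cleartext mechanisms inside TLS.
sasl_mech_list: PLAIN LOGIN
allowplaintext: no

# ---- Layer 2: authorization, handled by Cyrus imapd ----
# auth_mech: pts hands group lookups to the ptloader service, here with its
# ldap module, so that 'group:staff' entries in mailbox ACLs resolve against
# the directory. (auth_mech: unix would call getgrent() via NSS instead.)
# ptloader must be started from cyrus.conf, e.g.
#   ptloader cmd="ptloader" listen="ptclient/ptsock" prefork=0
auth_mech: pts
pts_module: ldap
ldap_uri: ldap://ldap.example.org
ldap_start_tls: yes
ldap_bind_dn: cn=cyrus-reader,ou=services,dc=example,dc=org
ldap_password: change-me-too
# How a login name is mapped to its user entry (%u is the user name)
ldap_base: ou=people,dc=example,dc=org
ldap_scope: sub
ldap_filter: (uid=%u)
# How groups are found and membership is tested (%D is the user's DN)
ldap_group_enable: yes
ldap_group_base: ou=groups,dc=example,dc=org
ldap_group_filter: (cn=%u)
ldap_group_scope: one
ldap_member_method: filter
ldap_member_base: ou=groups,dc=example,dc=org
ldap_member_filter: (member=%D)
ldap_member_scope: one

# With this in place a shared folder can be granted to the directory group
# from cyradm:   sam user.shared group:staff lrs
```

Two points worth checking after enabling this: the ldap_bind_dn used by ptloader needs only read access to the people and groups subtrees, so it should be a separate, weaker identity than the ldapdb proxy account; and ptloader caches group membership (the ptscache database under the configdirectory), so a user removed from 'staff' in LDAP keeps access until that cache entry expires or is cleared with ptexpire.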