Re: saslauthd cache / cyrus-imap and several passwords per login


On 01/27/2013 09:03 PM, Andrew Morgan wrote:
On Sat, 5 Jan 2013, Patrick Lamaiziere wrote:

Hello,

We use cyrus-imapd on Centos 6 at work and I've got the following issue
on authentication:

Users can log in via a mailer (imap/pop) or use a webmail (horde). The
webmail uses a SSO-CAS and horde uses a CAS token to log in to
cyrus-imap. As the CAS tokens are one-time tokens they must be
cached by saslauthd.

For this we use PAM with saslauthd and 3 PAM modules. pam_cas checks if
the password is a valid CAS token, then we try ldap and then a local
account.

cyrus-imap -> saslauthd (cache) -> PAM (pam_cas, pam_ldap, pam_unix)

That works fine.

The problem is: when a user uses the webmail and uses also a mailer
(using imap), saslauthd will remove the CAS token previously cached when
the mailer connects. So the webmail is disconnected.

There is a patch to allow saslauthd to cache several passwords for one
login but I would like to avoid this.

As far as I can see, the cache depends on the service used (i.e. if I
connect via pop, the imap password is not cleared from the
saslauthd cache).

So I'm asking if there is a way to introduce another "service" on
cyrus-imap that will be used by the webmail (on another port than 143).
I mean a service in the saslauthd / PAM way (the parameter '-s' in
testsaslauthd: imap, pop, sieve).

I don't know where to start. Is there a way to achieve this?
Thanks, best regards.

Sorry I have taken so long to respond.  I saw this message a while ago but
I didn't have time to reply then.  It doesn't look like anyone else has
responded according to the list archives.

You can easily run multiple Cyrus imapd processes with different service
names.  In your cyrus.conf, make a copy of your "imap" service and name it
something like "imap_webmail", listening on a different port.  Then make a
/etc/pam.d/imap_webmail file with your desired PAM config.


I just gave the above a try, since I currently modify the source to force which PAM service the imapd binary calls, but this entry still calls /etc/pam.d/imap instead of /etc/pam.d/imaptest:


imaptest    cmd="imapd" listen="imaptest"


imaptest is in /etc/services on port 146

Another idea, which *might* work, is to run an imap proxy for your Horde
instance.  We do that here.  That way, from Cyrus' perspective, Horde only
logs in once so it shouldn't matter if the CAS token is single-use because
there is only one authentication attempt.  I haven't tried this, so I'm
not sure if you would see odd behavior if the proxied connection times out
or something.  Just a thought!

Good luck.

  	Andy
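The scenario from the thread (one-time CAS token cached by saslauthd, then evicted by a mailer login with the LDAP password), replayed against a small model of saslauthd's cache. This is an added example, not code from the posts or from saslauthd itself; the backends, user name, token and password are constructed, and the model only keeps saslauthd's visible behaviour of one cached password per (user, realm, service) slot:

```python
import hashlib


class OneTimeTokenBackend:
    """Constructed stand-in for pam_cas: each token validates exactly once."""
    def __init__(self, tokens):
        self.unused = set(tokens)

    def check(self, user, password):
        if password in self.unused:
            self.unused.discard(password)   # token is consumed on first use
            return True
        return False


class PasswordBackend:
    """Constructed stand-in for pam_ldap/pam_unix: one static password per user."""
    def __init__(self, passwords):
        self.passwords = passwords

    def check(self, user, password):
        return self.passwords.get(user) == password


class SaslauthdCacheModel:
    """Model (not saslauthd's real code) of its credential cache: one password
    hash per (user, realm, service); a successful auth with a different
    password overwrites that slot, which is what evicts the CAS token."""
    def __init__(self, backends):
        self.backends = backends   # tried in order, like the PAM stack
        self.slots = {}

    def authenticate(self, user, realm, service, password):
        key = (user, realm, service)
        digest = hashlib.sha256(password.encode()).hexdigest()
        if self.slots.get(key) == digest:
            return "cache-hit"          # answered without touching PAM
        for backend in self.backends:
            if backend.check(user, password):
                self.slots[key] = digest   # overwrite whatever was cached
                return "ok"
        return "fail"


def webmail_survives_mailer_login(webmail_service):
    """Webmail logs in with a CAS token, a mailer logs in with the LDAP password
    on service 'imap', then the webmail re-authenticates with the same token.
    Returns True only if that re-authentication is still served from cache."""
    cache = SaslauthdCacheModel([OneTimeTokenBackend({"ST-cas-1"}),
                                 PasswordBackend({"alice": "ldap-pw"})])
    first = cache.authenticate("alice", "", webmail_service, "ST-cas-1")
    mailer = cache.authenticate("alice", "", "imap", "ldap-pw")
    again = cache.authenticate("alice", "", webmail_service, "ST-cas-1")
    return first == "ok" and mailer == "ok" and again == "cache-hit"
```

With the webmail on the shared service name "imap" the second token check misses the cache and pam_cas rejects the already-consumed token; with a separate service name such as "imap_webmail" the mailer's login never touches the webmail's slot.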
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus


Patrick Boutilier
WAN Communications Specialist, Nova Scotia Department of Education

