On Mon, 28 Jan 2013, Patrick Boutilier wrote:

> On 01/27/2013 09:03 PM, Andrew Morgan wrote:
>> On Sat, 5 Jan 2013, Patrick Lamaiziere wrote:
>>
>>> Hello,
>>>
>>> We use cyrus-imapd on CentOS 6 at work and I've got the following issue
>>> with authentication:
>>>
>>> Users can log in via a mailer (imap/pop) or use a webmail (Horde). The
>>> webmail uses an SSO-CAS, and Horde uses a CAS token to log in to
>>> cyrus-imap. As the CAS tokens are one-time tokens, they must be
>>> cached by saslauthd.
>>>
>>> For this we use PAM with saslauthd and 3 PAM modules. pam_cas checks if
>>> the password is a valid CAS token, then we try LDAP and then a local
>>> account.
>>>
>>> cyrus-imap -> saslauthd (cache) -> PAM (pam_cas, pam_ldap, pam_unix)
>>>
>>> That works fine.
>>>
>>> The problem is: when a user uses the webmail and also uses a mailer
>>> (using imap), saslauthd will remove the CAS token previously cached when
>>> the mailer connects. So the webmail is disconnected.
>>>
>>> There is a patch to allow saslauthd to cache several passwords for one
>>> login, but I would like to avoid this.
>>>
>>> As far as I can see, the cache depends on the service used (i.e. if I
>>> connect via pop, the imap password is not cleared from the
>>> saslauthd cache).
>>>
>>> So I'm asking if there is a way to introduce another "service" on
>>> cyrus-imap that will be used by the webmail (on a port other than 143).
>>> I mean a service in the saslauthd / PAM sense (the parameter '-s' in
>>> testsaslauthd: imap, pop, sieve).
>>>
>>> I don't know where to start. Is there a way to achieve this?
>>> Thanks, best regards.
>>
>> Sorry I have taken so long to respond. I saw this message a while ago but
>> I didn't have time to reply then. It doesn't look like anyone else has
>> responded, according to the list archives.
>>
>> You can easily run multiple Cyrus imapd processes with different service
>> names. In your cyrus.conf, make a copy of your "imap" service and name it
>> something like "imap_webmail", listening on a different port. Then make a
>> /etc/pam.d/imap_webmail file with your desired PAM config.
>
> I just gave the above a try, since I currently modify the source to force
> which PAM service the imapd binary calls, but this entry still calls
> /etc/pam.d/imap instead of /etc/pam.d/imaptest:
>
> imaptest cmd="imapd" listen="imaptest"
>
> imaptest is in /etc/services on port 146.

Well shoot, it looks like the SASL service name is hard-coded in imapd.c:

    /* create the SASL connection */
    if (sasl_server_new("imap", config_servername, NULL, NULL, NULL, NULL,
                        0, &imapd_saslconn) != SASL_OK) {
        fatal("SASL failed initializing: sasl_server_new()", EC_TEMPFAIL);
    }

It would be nice if there was a way to override this somehow... Perhaps file
a bug on the bugzilla!

	Andy

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
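The configuration layout that Andrew proposes and Patrick Boutilier tried, written out as an added example (it is not from any message in this thread and not from the Cyrus project). The service name "imaptest" and port 146 are taken from Patrick Boutilier's message; the pam_cas module arguments, the prefork values and the testsaslauthd invocations are assumptions for illustration.

```conf
# /etc/cyrus.conf, SERVICES section: the normal imap service plus a second
# imapd instance under its own service name on its own port.
# ("imaptest"/146 are from the thread; prefork values are assumed.)
SERVICES {
  imap      cmd="imapd" listen="imap"     prefork=5
  imaptest  cmd="imapd" listen="imaptest" prefork=1
}

# /etc/services: the listen= name above needs a port (146, as in the thread).
imaptest  146/tcp

# /etc/pam.d/imaptest: the stack the webmail listener is meant to use:
# CAS token first, then LDAP, then a local account, mirroring the
# pam_cas -> pam_ldap -> pam_unix order described in the thread.
# The pam_cas module arguments below are assumptions; check your pam_cas build.
auth     sufficient  pam_cas.so -simple -f/etc/pam_cas.conf
auth     sufficient  pam_ldap.so use_first_pass
auth     required    pam_unix.so use_first_pass
account  required    pam_permit.so

# Checking what saslauthd keys its cache on, independently of imapd
# (assumed testsaslauthd usage; -s selects the service, as the thread notes).
# With a real one-time CAS token, the third call can only succeed if the
# cached entry for (user, service "imaptest") survived the "imap" login:
#   testsaslauthd -u alice -p 'ST-1234-cas-token' -s imaptest
#   testsaslauthd -u alice -p 'ldap-password'     -s imap
#   testsaslauthd -u alice -p 'ST-1234-cas-token' -s imaptest
```

The caveat, which is what the thread ends on: none of this changes what imapd tells SASL. Because imapd.c calls sasl_server_new("imap", ...) regardless of the name the service was given in cyrus.conf, saslauthd sees service "imap" for connections on both ports, so /etc/pam.d/imaptest is never consulted and the two listeners share one cache entry per user. The testsaslauthd lines only confirm that saslauthd itself separates entries by service (the pop-versus-imap behaviour Patrick Lamaiziere observed); getting imapd to present a different service name still needs the source change Patrick Boutilier mentions, or the override Andrew suggests filing a bug for.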