On Mon, 28 Jan 2013, Patrick Boutilier wrote:
> On 01/27/2013 09:03 PM, Andrew Morgan wrote:
>> On Sat, 5 Jan 2013, Patrick Lamaiziere wrote:
>>
>>> Helo,
>>>
>>> We use cyrus-imapd on Centos 6 at work and I've got the following issue
>>> on authentication:
>>>
>>> Users can login via a mailer (imap/pop) or use a webmail (horde). The
>>> webmail uses a SSO-CAS and horde uses a CAS token to log in
>>> cyrus-imap). As the CAS tokens are one-time tokens they must been
>>> cached by saslauthd.
>>>
>>> For this we use PAM with saslauthd and 3 PAM modules. pam_cas checks if
>>> the password is a valid CAS token, then we try ldap and then a local
>>> account.
>>>
>>> cyrus-imap -> saslauthd (cache) -> PAM (pam_cas, pam_ldap, pam_unix)
>>>
>>> That works fine.
>>>
>>> The problem is: when a user uses the webmail and uses also a mailer
>>> (using imap), saslauthd will remove the CAS token previously cached when
>>> the mailer connects. So the webmail is disconnected.
>>>
>>> There is a patch to allow saslauthd to cache several passwords for one
>>> login but I would like to avoid this.
>>>
>>> As far I can see, the cache depends on the service used (ie if I
>>> connect via pop, the imap password is not cleared from the
>>> saslauthd cache).
>>>
>>> So I'm asking if there is a way to introduce another "service" on
>>> cyrus-imap that will be used by the webmail (on another port than 143).
>>> I mean a service in the saslauthd / PAM way (the parameter '-s' in
>>> testsaslauthd: imap, pop, sieve).
>>>
>>> I don't know where to start. Is there a way to achieve this?
>>> Thanks, best regards.
>>
>> Sorry I have taken so long to respond. I saw this message a while ago but
>> I didn't have time to reply then. It doesn't look like anyone else has
>> responded according to the list archives.
>>
>> You can easily run multiple Cyrus imapd processes with different service
>> names. In your cyrus.conf, make a copy of your "imap" service and name it
>> something like "imap_webmail", listening on a different port. Then make a
>> /etc/pam.d/imap_webmail file with your desired PAM config.
>
>
> I just gave the above a try since I currently modify the source to force
> which pam service the imapd binary calls but this entry still calls
> /etc/pam.d/imap instead of /etc/pam.d/imaptest
>
>
> imaptest cmd="imapd" listen="imaptest"
>
>
> imaptest is in /etc/services on port 146
Well shoot, it looks like the SASL service name is hard-coded in imapd.c:
/* create the SASL connection */
if (sasl_server_new("imap", config_servername,
NULL, NULL, NULL, NULL, 0,
&imapd_saslconn) != SASL_OK) {
fatal("SASL failed initializing: sasl_server_new()", EC_TEMPFAIL);
}
It would be nice if there was a way to override this somehow... Perhaps
file a bug on the bugzilla!
Andy
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
