Re: saslauthd cache / cyrus-imap and several passwords per login

On 01/28/2013 09:39 PM, Andrew Morgan wrote:
On Mon, 28 Jan 2013, Patrick Boutilier wrote:

On 01/27/2013 09:03 PM, Andrew Morgan wrote:
On Sat, 5 Jan 2013, Patrick Lamaiziere wrote:

Hello,

We use cyrus-imapd on CentOS 6 at work and I've got the following issue
with authentication:

Users can log in via a mailer (imap/pop) or use a webmail (horde). The
webmail uses an SSO (CAS), and horde uses the CAS token to log in to
cyrus-imap. As the CAS tokens are one-time tokens, they must be cached
by saslauthd.

For this we use PAM with saslauthd and 3 PAM modules. pam_cas checks if
the password is a valid CAS token, then we try ldap and then a local
account.

cyrus-imap -> saslauthd (cache) -> PAM (pam_cas, pam_ldap, pam_unix)

That works fine.

The problem is: when a user uses the webmail and also uses a mailer
(via imap), saslauthd will remove the CAS token previously cached when
the mailer connects. So the webmail is disconnected.

There is a patch to allow saslauthd to cache several passwords for one
login but I would like to avoid this.

As far as I can see, the cache depends on the service used (i.e. if I
connect via pop, the imap password is not cleared from the
saslauthd cache).

So I'm asking if there is a way to introduce another "service" in
cyrus-imap that will be used by the webmail (on a port other than 143).
I mean a service in the saslauthd / PAM sense (the '-s' parameter of
testsaslauthd: imap, pop, sieve).

I don't know where to start. Is there a way to achieve this?
Thanks, best regards.

Sorry I have taken so long to respond.  I saw this message a while ago
but I didn't have time to reply then.  It doesn't look like anyone else
has responded according to the list archives.

You can easily run multiple Cyrus imapd processes with different service
names.  In your cyrus.conf, make a copy of your "imap" service and name
it something like "imap_webmail", listening on a different port.  Then
make a /etc/pam.d/imap_webmail file with your desired PAM config.


I just gave the above a try, since I currently modify the source to
force which PAM service the imapd binary calls, but this entry still
calls /etc/pam.d/imap instead of /etc/pam.d/imaptest:


imaptest    cmd="imapd" listen="imaptest"


imaptest is in /etc/services on port 146

Well shoot, it looks like the SASL service name is hard-coded in imapd.c:

     /* create the SASL connection */
     if (sasl_server_new("imap", config_servername,
                         NULL, NULL, NULL, NULL, 0,
                         &imapd_saslconn) != SASL_OK) {
         fatal("SASL failed initializing: sasl_server_new()", EC_TEMPFAIL);
     }


It would be nice if there was a way to override this somehow...  Perhaps
file a bug on the bugzilla!


Yup, that is the code I modify. :-)

I think I will file an enhancement bug.

     Andy

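The behaviour the thread describes (one cached secret per user and service, so a second secret for the same user evicts the first, while a different service name keeps its own slot) is modelled below. This is an added example, not code from saslauthd, Cyrus or pam_cas: the cache keyed on (user, realm, service) with a single stored hash and a timeout is a simplification of saslauthd's cache, the PAM chain is reduced to a one-time CAS ticket store followed by an LDAP-style password table, and every user, ticket, password and service name in it is constructed for the illustration.

```python
"""Model of the saslauthd cache eviction discussed in the thread.
Added example, not saslauthd or Cyrus code; all names are constructed."""
import hashlib
import time


class OneTimeTicketServer:
    """Stand-in for the CAS server: a ticket validates exactly once."""

    def __init__(self, tickets):
        self._unused = set(tickets)  # (user, ticket) pairs still valid

    def validate(self, user, ticket):
        if (user, ticket) in self._unused:
            self._unused.remove((user, ticket))  # consumed: a replay fails
            return True
        return False


class PamChain:
    """pam_cas, then an LDAP-style password table; first success wins."""

    def __init__(self, cas, ldap_passwords):
        self.cas = cas
        self.ldap = ldap_passwords

    def authenticate(self, user, secret):
        if self.cas.validate(user, secret):
            return True
        return self.ldap.get(user) == secret


class SaslauthdCache:
    """One slot per (user, realm, service): a hit requires the stored hash
    to match, and a successful backend auth overwrites that single slot."""

    def __init__(self, backend, timeout=28800, clock=time.monotonic):
        self.backend = backend
        self.timeout = timeout  # seconds, like saslauthd's -t
        self.clock = clock
        self._slots = {}

    @staticmethod
    def _digest(secret):
        return hashlib.sha256(secret.encode()).hexdigest()

    def authenticate(self, user, secret, service, realm=""):
        key = (user, realm, service)
        now = self.clock()
        entry = self._slots.get(key)
        if entry is not None:
            stored, created = entry
            if now - created < self.timeout and stored == self._digest(secret):
                return "cache-hit"  # backend never consulted
        # expired, or a different secret for the same key: ask the backend
        if not self.backend.authenticate(user, secret):
            return "fail"
        self._slots[key] = (self._digest(secret), now)  # replaces the old secret
        return "ok"


def scenario(webmail_service):
    """Webmail logs in with a CAS ticket, the mailer with the LDAP password
    (always under service 'imap'), then the webmail reconnects with the
    same ticket. Returns the three outcomes."""
    cas = OneTimeTicketServer({("alice", "ST-1-abc")})
    cache = SaslauthdCache(PamChain(cas, {"alice": "ldap-pw"}))
    first = cache.authenticate("alice", "ST-1-abc", webmail_service)
    mailer = cache.authenticate("alice", "ldap-pw", "imap")
    again = cache.authenticate("alice", "ST-1-abc", webmail_service)
    return first, mailer, again


def replay_after_timeout(timeout=60):
    """A cached one-time ticket is accepted until the cache entry expires,
    after which the CAS server (which already consumed it) rejects it."""
    now = [0.0]
    cas = OneTimeTicketServer({("bob", "ST-2-xyz")})
    cache = SaslauthdCache(PamChain(cas, {}), timeout=timeout,
                           clock=lambda: now[0])
    first = cache.authenticate("bob", "ST-2-xyz", "imap_webmail")
    now[0] = timeout / 2
    within = cache.authenticate("bob", "ST-2-xyz", "imap_webmail")
    now[0] = timeout + 1.0
    after = cache.authenticate("bob", "ST-2-xyz", "imap_webmail")
    return first, within, after


if __name__ == "__main__":
    print("hard-coded 'imap' for both clients:", scenario("imap"))
    print("separate 'imap_webmail' service:   ", scenario("imap_webmail"))
    print("ticket replay within / after -t:    ", replay_after_timeout())
```

With both clients authenticating under the service name "imap" (which is what the hard-coded `sasl_server_new("imap", ...)` call produces, whatever the cyrus.conf entry is called), the mailer's login overwrites the cached ticket and the webmail's reconnect fails, because the CAS server has already consumed the ticket. Under a distinct service name the two secrets occupy separate slots and the webmail keeps working. The second function shows the flip side a practitioner should weigh: for the length of the cache timeout, saslauthd turns a one-time CAS ticket into a replayable password for that service, so `-t` should be kept as short as the webmail's session handling allows.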

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
