On 12/03/2014 06:53 AM, Adam Tauno Williams wrote:
>> auth_mech:
>> - Isn't this handled by SASL?
>
> Partially, yes. Don't forget that identity management is AAA - three
> As, not one. Authorization, Authentication, Accounting.
>
So, for example:
Authorization would be
cm user.username in cyradm
Authentication would be
saslauthd -> PAM --> PAM modules
Accounting would be setting permissions and quotas
sam user.username write
sq user.username N
I'm still not seeing where auth_mech or ldap options fit into this,
although Sven seems to have offered an explanation: there is some
undocumented way of bypassing saslauthd. Which, if true, I suggest is a
terrible idea and should be stripped out of the code. Allowing for
direct PAM authentication might work somehow, assuming there is a way to
handle TLS authentication. Authentication architecture needs to be
less, not more complicated in general in the unix/linux world.
Anyway, thanks Adam and Sven for the replies -- that was extremely helpful.
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
