Re: Authentication and authorization with OpenLDAP; hashed passwords

Patrick,
The solution with PAM is not found in your search because it's not really about PAM and Cyrus.  It's about PAM and LDAP.  Configuring Cyrus to rely upon system authentication & authorization services is rather easy, and the default for most Linux distros, for example.  Which raises an important point: what's your platform?  You haven't told us that -- which OS, which distro, etc.?  You've only told us that it's a small VM.

If you're using Linux then the most obvious choice for performing AAA against LDAP is via the System Security Services Daemon -- sssd.  Once you've got sssd configured to work with your LDAP, then your Cyrus, in a typical deployment, will Just Work.  So try this search, instead: https://duckduckgo.com/?q=linux+sssd+ldap

An alternative, if your system doesn't support sssd, is to use the older PAM/LDAP, described here for Debian: https://wiki.debian.org/LDAP/PAM

Either PAM/LDAP or sssd will provide both user & group info, via LDAP, which is then used by Cyrus.
For example, on a system using sssd, the 'id' command can be used to get group memberships for a given userID:
$ id nbernstein
uid=10006(nbernstein) gid=10000(Administrators) groups=10000(Administrators),6(disk),10030(SecOps),10020(pfsense-admin),10070(wheel),10073(libvirt),10072(lxd),10074(docker),20(dialout),10078(net-sim)

If you have specific requirements not met by either of those two options, then you should look into the ptloader with LDAP option, which relies upon a separate component, PTS, to handle the LDAP interactions.  I've not used ptloader, myself, so cannot speak to that.

Cheers,
    -nic

On 6/26/23 13:18, Patrick Pfeifer via Info wrote:
> On 26.06.23 09:35, Niels Dettenbach via Info wrote:
>> Just a side note (simplified):
>>
>> cyrus-imapd is not an SMTP MTA.
> Noted. All right. Thank you for the info.
>> For user authentication in Cyrus, I would expect to use
>> Cyrus -> PAM -> LDAP or potentially
> PAM? All right. That sounds good actually! I remember fiddling with those config files in /etc/pam.d (25ish years ago) and as I recall it was working well. This sounds like a good option. But again, Google does not seem to have any interest in any kind of friendship when I ask it for cyrus-imap pam authentication <https://www.google.com/search?hl=de&q=cyrus-imap pam authentication>. There are two links <https://www.cyrusimap.org/imap/concepts/features.html#security-and-authentication> to the cyrusimap.org Documentation, where there is basically no info on it, and the 3rd hit, a link to tldp.org with a PDF HowTo, speaks right from my heart when it says: "Chapter 4.3 - PAM: Not enough info to document. Email me if you have some."
>> Cyrus -> SASL -> GSSAPI -> LDAP
>> as a typical solution (but never did it by myself yet).
> Ok, well. I'd rather not do Kerberos. That doesn't seem to make sense for my tiny setup.
>
>
> On 26.06.23 11:43, Howard Chu wrote:
>> A more typical example would be using SASL/DIGEST-MD5 or SASL/SCRAM etc...
> Thanks, but if my understanding is correct, these only work as long as you store the plain text passwords on the server -- which I am not doing.

------------------------------------------
Cyrus: Info
Permalink: https://cyrus.topicbox.com/groups/info/T48b6e9b6846822f7-M70db158bf484b34e65c7329a

-- 
Nic Bernstein                               nic@xxxxxxxxxxxxxxxx
https://www.nicbernstein.com
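Added illustration (not from any message in this thread, nor Cyrus or OpenLDAP code) of the point behind Nic's PAM/sssd route and the thread's subject line: on a simple bind the directory itself compares the candidate password against its stored userPassword hash, so nothing on the Cyrus side needs a plaintext copy. The Python below reproduces OpenLDAP's {SSHA}/{SHA} comparison against a constructed entry; the DN, password and salt are made up.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# OpenLDAP stores a salted hash in userPassword, e.g. as produced by
# `slappasswd -h {SSHA}`:  {SSHA}base64( sha1(password || salt) || salt )
# On a simple bind the *server* recomputes the hash from the candidate
# password and compares; no plaintext has to be stored anywhere.


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value (random 8-byte salt by default)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Emulate the comparison slapd performs on a simple bind for the {SSHA}
    and {SHA} schemes. Other schemes (e.g. {CRYPT}) and cleartext values are
    rejected here rather than guessed at."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, payload = stored[1:].partition("}")
    try:
        blob = base64.b64decode(payload, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return False
    scheme = scheme.upper()
    if scheme == "SSHA" and len(blob) > 20:
        digest, salt = blob[:20], blob[20:]
        calc = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    elif scheme == "SHA" and len(blob) == 20:
        digest = blob
        calc = hashlib.sha1(candidate.encode("utf-8")).digest()
    else:
        return False
    return hmac.compare_digest(calc, digest)   # constant-time compare


# Constructed stand-in for the directory (DN -> userPassword); not real data.
DIRECTORY = {
    "uid=nbernstein,ou=people,dc=example,dc=org":
        make_ssha("correct-horse", salt=bytes(range(8))),
}


def simple_bind(dn: str, password: str) -> bool:
    """What pam_ldap / sssd do under saslauthd -a pam: bind as the user's DN
    and let the directory judge the password against its stored hash."""
    stored = DIRECTORY.get(dn)
    return stored is not None and verify_userpassword(stored, password)
```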
