Thank you very much, Nic!
I have not been aware of how easy it
apparently is to
1. use an LDAP to store standard
UNIX account authentication token and group membership information
and then
2. use these standard UNIX accounts
for _application_ authentication AND authorization purposes.
Also, SSSD, to me, looks like a (much
more) solid solution (than saslauthd).
Assuming that PAM & NSS are already
configured by the "sssd" package, as this HOWTO implies, and
"cyrus-imap" by default also comes configured to work with PAM
& NSS, as you are saying, setting this up looks really simple.
I.e. I will follow this HOWTO:
https://ubuntu.com/server/docs/service-sssd-ldap And most likely
set my VM up thusly, then.
Regards,
-Patrick
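The authorization half of Patrick's step 2, as an added example that is not code from this thread, from Cyrus or from sssd: once sssd has wired the LDAP accounts into NSS, an application can authenticate through PAM and then authorize on plain UNIX group membership, the same data the 'id' command in Nic's message prints. The group names "mail-users" and "mail-disabled" and all helper names below are assumptions for the demo; the sample 'id' line is the one Nic posted.

```python
"""Application-side authorization from NSS group membership.

Added example for this thread; it is not code from the thread, from Cyrus or
from sssd. Assumptions (not from the thread): the group names "mail-users"
and "mail-disabled" used in the demo, and the helper names below.
"""
import grp
import os
import pwd
import re
from typing import Dict, Iterable, Optional, Set

# One 'id' line taken from Nic's message, used here as sample input.
SAMPLE_ID_LINE = (
    "uid=10006(nbernstein) gid=10000(Administrators) "
    "groups=10000(Administrators),6(disk),10030(SecOps),10020(pfsense-admin),"
    "10070(wheel),10073(libvirt),10072(lxd),10074(docker),20(dialout),10078(net-sim)"
)

# coreutils 'id' prints every principal as NUMBER(NAME).
_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_output(line: str) -> Dict[str, object]:
    """Parse one line of 'id' output into uid, gid and the set of group names.

    Splitting on whitespace is fine for the usual case; a group name that
    itself contains a space would need the NSS lookup below instead.
    """
    fields = dict(part.split("=", 1) for part in line.split())
    uid, user = _ENTRY.match(fields["uid"]).groups()
    gid, primary = _ENTRY.match(fields["gid"]).groups()
    groups = {name for _, name in _ENTRY.findall(fields.get("groups", ""))}
    groups.add(primary)  # the primary group counts as membership too
    return {"user": user, "uid": int(uid), "gid": int(gid), "groups": groups}


def nss_groups(username: str) -> Optional[Set[str]]:
    """Resolve a user's group names through NSS, the same way 'id' does.

    With sssd configured, pwd/grp answer from LDAP (via sssd's cache); the
    application never talks to LDAP itself. Returns None for unknown users
    so callers can distinguish "no such account" from "no groups".
    """
    try:
        pw = pwd.getpwnam(username)
    except KeyError:
        return None
    names: Set[str] = set()
    for gid in os.getgrouplist(username, pw.pw_gid):
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            pass  # GID without a name (e.g. a stale or unreachable LDAP group)
    return names


def authorize(groups: Iterable[str], allow: Iterable[str],
              deny: Iterable[str] = ()) -> bool:
    """Allow when the user is in at least one 'allow' group and no 'deny' group.

    Deny wins over allow, so a disabling group cannot be bypassed by also
    being a member of an allowed group.
    """
    groups = set(groups)
    if groups & set(deny):
        return False
    return bool(groups & set(allow))


def check_user(username: str, allow: Iterable[str],
               deny: Iterable[str] = ()) -> Optional[bool]:
    """NSS-backed variant: None if the account does not resolve at all."""
    groups = nss_groups(username)
    if groups is None:
        return None
    return authorize(groups, allow, deny)


if __name__ == "__main__":
    parsed = parse_id_output(SAMPLE_ID_LINE)
    print(parsed["user"], "in wheel:", authorize(parsed["groups"], {"wheel"}))
    # Against the live NSS of this host (assumed group names, see docstring):
    print("root ->", check_user("root", allow={"mail-users"}, deny={"mail-disabled"}))
```

Cyrus itself does not need any of this: it gets the same answer from PAM and NSS directly, which is why Nic says it will Just Work once sssd is configured. The point of the example is the dependency chain an application inherits: `nss_groups` answers from sssd's cache, so a group removal in LDAP takes effect only after the cache entry expires, and a user whose account no longer resolves comes back as None rather than as an empty group set. If the requirement is merely to keep some LDAP users off the host altogether, sssd's own `access_provider = simple` with `simple_allow_groups` does that before the application ever sees the login.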
On 27.06.23 14:21, Nic Bernstein wrote:
Patrick,
The solution with PAM is not found in your search because it's not really about PAM and Cyrus. It's about PAM and LDAP. Configuring Cyrus to rely upon system authentication & authorization services is rather easy, and the default for most Linux distros, for example. Which raises an important point, what's your platform? You haven't told us that -- which OS, which distro, etc.? You've only told us that it's a small VM.
If you're using Linux then the most obvious choice for performing AAA against LDAP is via the System Security Services Daemon -- sssd. Once you've got sssd configured to work with your LDAP, then your Cyrus, in a typical deployment, will Just Work. So try this search, instead: https://duckduckgo.com/?q=linux+sssd+ldap
An alternative, if your system doesn't support sssd, is to use the older PAM/LDAP, described here for Debian: https://wiki.debian.org/LDAP/PAM
Either PAM/LDAP or sssd will provide both user & group info, via LDAP, which is then used by Cyrus. For example, on a system using sssd, the 'id' command can be used to get group memberships for a given userID:

    $ id nbernstein
    uid=10006(nbernstein) gid=10000(Administrators) groups=10000(Administrators),6(disk),10030(SecOps),10020(pfsense-admin),10070(wheel),10073(libvirt),10072(lxd),10074(docker),20(dialout),10078(net-sim)

If you have specific requirements not met by either of those two options, then you should look into the ptloader with LDAP option, which relies upon a separate component, PTS, to handle the LDAP interactions. I've not used ptloader, myself, so cannot speak to that.
Cheers,
-nic

On 6/26/23 13:18, Patrick Pfeifer via Info wrote:
On 26.06.23 09:35, Niels Dettenbach via Info wrote:
Just a side note (simplified):
Noted. All right. Thank you for the info.
cyrus-imapd is not an SMTP MTA.
For user authentication in Cyrus, I would expect to use PAM?
All right. That sounds good actually! I remember fiddling with those config files in /etc/pam.d (25ish years ago) and as I recall it was working well. This sounds like a good option. But Google does again not seem to have any interest in any kind of friendship when I ask it for cyrus-imap pam authentication <https://www.google.com/search?hl=de&q=cyrus-imap pam authentication>. There are two links <https://www.cyrusimap.org/imap/concepts/features.html#security-and-authentication> to the cyrusimap.org documentation, where there is basically no info on it, and the 3rd hit, a link to tldp.org with a PDF HowTo, speaks right from my heart when it says: "Chapter 4.3 - PAM: Not enough info to document. Email me if you have some."
Cyrus -> PAM -> LDAP
or potentially
Cyrus -> SASL -> GSSAPI -> LDAP
as a typical solution (but never did it by myself yet).
Ok, well. I'd rather not do Kerberos. That doesn't seem to make sense for my tiny setup.
On 26.06.23 11:43, Howard Chu wrote:
A more typical example would be using SASL/DIGEST-MD5 or SASL/SCRAM etc...
Thanks, but if my understanding is correct, these only work as long as you store the plain text passwords on the server -- which I am not doing.
------------------------------------------
Cyrus: Info
Permalink: https://cyrus.topicbox.com/groups/info/T48b6e9b6846822f7-M70db158bf484b34e65c7329a
--
Nic Bernstein nic@xxxxxxxxxxxxxxxx https://www.nicbernstein.com