On Wednesday, 22 October 2003 12:53, Tom Allison wrote:
Can you configure authentication to go through a database, like postgres or mysql?
Yes, of course. One thing is pam_mysql, another the auxprop plugin "mysql" for SASL. But for the second one, you have to recompile Cyrus-SASL. By default it isn't shipped with SuSE's cyrus-sasl package.
I've got this lanky process of cyrus-imap --> saslauth --> pam --> who knows where (/etc/passwd).
A way without recompile:
cyrus-imap -> sasl -> saslauthd -> pam -> pam_mysql
(But only with Plaintext-Mechs PLAIN, LOGIN)
With recompile:
cyrus-imap -> sasl -> mysql
(With almost all Mechs)
But since I don't have $HOME for these imap accounts I would rather not mess with /etc/passwd if I can help it.
Suggestions on what's an alternative that can be readily managed?
Another "database" which works out-of-the-box is sasldb, of course.
Yeah, I keep hearing about this sasldb thingy, but I keep reading in the docs under SuSE that the use of sasldb is not recommended. Why?
Maybe because this is a security problem. Normally sasldb contains the cleartext passwords. But this is a deal. There are different mechanisms with which the client can authenticate to the server. Maybe you have read something about PLAIN, LOGIN, CRAM-MD5 and DIGEST-MD5. PLAIN and LOGIN have a crypt()ed password on the server side, but the client has to send the cleartext password over the line/internet to the server. This is totally different from CRAM-MD5 and DIGEST-MD5. No usable password goes over the line, but the server has to know the cleartext password to compute these hashes. If you go the SuSE-preferred/default way, using saslauthd, you are bound to PLAIN and LOGIN. saslauthd cannot handle CRAM-MD5 or DIGEST-MD5. The normal way, if you want to use shared secrets (CRAM-MD5 or DIGEST-MD5), is sasldb. You have to protect your sasldb from foreign eyes. And of course, saslauthd is easier to handle: you have only one "database" with your user accounts/passwords (passwd/shadow).
There's supposed to be a /etc/sasldb file for configuration, but I can't seem to find anything there in SuSE8.2. In fact, there's precious little of anything related to sasldb on anything in SuSE8.2.
It will be created when you create the first user account:
# saslpasswd2 -c -u domain.tld user
To show the contents:
# sasldblistusers2
What would work just fine for me is something along the lines of a Berkeley DB file with some MD5 related password. Not having any documentation available locally on this I assume that this is what sasldb actually does.
Do you know where it might be under SuSE 8.2?
-- Andreas
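
The trade-off described in the reply above, as an added example that is not part of the original message: a CRAM-MD5 exchange in which the server must hold the shared secret itself (the sasldb model), next to a PLAIN-style check in which the server keeps only a one-way hash. The account, password, host name and function names are constructed for illustration, and PBKDF2 stands in for crypt().

```python
import base64, hashlib, hmac, os, time

# Constructed sample account (assumption, not from the message).
USER, PASSWORD = "user@domain.tld", "s3cret-example"

def make_challenge(host="imap.domain.tld"):
    # Server: fresh challenge per login, in the <random.timestamp@host> form.
    return "<%s.%d@%s>" % (os.urandom(8).hex(), int(time.time()), host)

def cram_md5_response(user, password, challenge):
    # Client: HMAC-MD5 over the challenge, keyed with the password.
    # Only "user hexdigest" goes over the line, never the password.
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(("%s %s" % (user, digest)).encode()).decode()

def cram_md5_verify(secrets, challenge, response_b64):
    # Server: has to recompute the same HMAC, so `secrets` maps each user
    # to the shared secret itself. That is why the store must be protected.
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
    except ValueError:
        return False
    user, _, digest = decoded.rpartition(" ")
    secret = secrets.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def make_verifier(password, salt=None):
    # PLAIN/LOGIN model: the server stores a salted one-way hash only
    # (PBKDF2 used here as a stand-in for crypt()).
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def plain_verify(verifier, sent_password):
    # The client sent the cleartext password; the server hashes and compares.
    salt, stored = verifier
    candidate = hashlib.pbkdf2_hmac("sha256", sent_password.encode(), salt, 100_000)
    return hmac.compare_digest(stored, candidate)

if __name__ == "__main__":
    ch = make_challenge()
    resp = cram_md5_response(USER, PASSWORD, ch)
    print("CRAM-MD5 accepted:", cram_md5_verify({USER: PASSWORD}, ch, resp))
    print("PLAIN accepted:   ", plain_verify(make_verifier(PASSWORD), PASSWORD))
```

Because PLAIN and LOGIN put the cleartext password on the wire, they are normally used only over an encrypted connection.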