Can you configure authentication to go through a database, like postgres or mysql? I've got this lanky process of cyrus-imap --> saslauth --> pam --> who knows where (/etc/passwd). But since I don't have $HOME for these imap accounts I would rather not mess with /etc/passwd if I can help it. Suggestions on what's an alternative that can be readily managed?
On Wednesday, 22 October 2003 02:22, Tom Allison wrote:
Can you configure authentication to go through a database, like postgres or mysql?
Yes, of course. One option is pam_mysql, another is the auxprop plugin "mysql" for SASL. But for the second one, you have to recompile Cyrus-SASL. By default it isn't shipped with SuSE's cyrus-sasl package.
I've got this lanky process of cyrus-imap --> saslauth --> pam --> who knows where (/etc/passwd).
A way without recompiling:
cyrus-imap -> sasl -> saslauthd -> pam -> pam_mysql
(But only with the plaintext mechs PLAIN, LOGIN)
With recompiling:
cyrus-imap -> sasl -> mysql
(With almost all mechs)
But since I don't have $HOME for these imap accounts I would rather not mess with /etc/passwd if I can help it.
Suggestions on what's an alternative that can be readily managed?
Another "database" which works out of the box is sasldb, of course. -- Andreas
Andreas Winkelmann wrote:
On Wednesday, 22 October 2003 02:22, Tom Allison wrote:
Can you configure authentication to go through a database, like postgres or mysql?
Yes, of course. One option is pam_mysql, another is the auxprop plugin "mysql" for SASL. But for the second one, you have to recompile Cyrus-SASL. By default it isn't shipped with SuSE's cyrus-sasl package.
I've got this lanky process of cyrus-imap --> saslauth --> pam --> who knows where (/etc/passwd).
A way without recompiling:
cyrus-imap -> sasl -> saslauthd -> pam -> pam_mysql
(But only with the plaintext mechs PLAIN, LOGIN)
With recompiling:
cyrus-imap -> sasl -> mysql
(With almost all mechs)
But since I don't have $HOME for these imap accounts I would rather not mess with /etc/passwd if I can help it.
Suggestions on what's an alternative that can be readily managed?
Another "database" which works out of the box is sasldb, of course.
Yeah, I keep hearing about this sasldb thingy, but I keep reading in the docs under SuSE that the use of sasldb is not recommended. Why? There's supposed to be a /etc/sasldb file for configuration, but I can't seem to find anything there in SuSE 8.2. In fact, there's precious little of anything related to sasldb on anything in SuSE 8.2. What would work just fine for me is something along the lines of a Berkeley DB file with some MD5-related password. Not having any documentation available locally on this, I assume that this is what sasldb actually does. Do you know where it might be under SuSE 8.2?
On Wednesday, 22 October 2003 12:53, Tom Allison wrote:
Can you configure authentication to go through a database, like postgres or mysql?
Yes, of course. One option is pam_mysql, another is the auxprop plugin "mysql" for SASL. But for the second one, you have to recompile Cyrus-SASL. By default it isn't shipped with SuSE's cyrus-sasl package.
I've got this lanky process of cyrus-imap --> saslauth --> pam --> who knows where (/etc/passwd).
A way without recompiling:
cyrus-imap -> sasl -> saslauthd -> pam -> pam_mysql
(But only with the plaintext mechs PLAIN, LOGIN)
With recompiling:
cyrus-imap -> sasl -> mysql
(With almost all mechs)
But since I don't have $HOME for these imap accounts I would rather not mess with /etc/passwd if I can help it.
Suggestions on what's an alternative that can be readily managed?
Another "database" which works out of the box is sasldb, of course.
Yeah, I keep hearing about this sasldb thingy, but I keep reading in the docs under SuSE that the use of sasldb is not recommended. Why?
Maybe because this is a security problem. Normally sasldb contains the cleartext passwords. But this is a trade-off. There are different mechanisms with which the client can authenticate to the server. Maybe you have read something about PLAIN, LOGIN, CRAM-MD5 and DIGEST-MD5. PLAIN and LOGIN have a crypt()ed password on the server side, but the client has to send the cleartext password over the line/internet to the server. This is totally different from CRAM-MD5 and DIGEST-MD5. There no usable password goes over the line, but the server has to know the cleartext password to compute these hashes. If you go the SuSE-preferred/default way, using saslauthd, you are bound to PLAIN and LOGIN. saslauthd cannot handle CRAM-MD5 or DIGEST-MD5. The normal way, if you want to use shared secrets (CRAM-MD5 or DIGEST-MD5), is sasldb. You have to protect your sasldb from foreign eyes. And of course, saslauthd is easier to handle; you have only one "database" with your user accounts/passwords (passwd/shadow).
There's supposed to be a /etc/sasldb file for configuration, but I can't seem to find anything there in SuSE 8.2. In fact, there's precious little of anything related to sasldb on anything in SuSE 8.2.
It will be created when you create the first user account:
# saslpasswd2 -c -u domain.tld user
To show the contents:
# sasldblistusers2
What would work just fine for me is something along the lines of a Berkeley DB file with some MD5-related password. Not having any documentation available locally on this, I assume that this is what sasldb actually does.
Do you know where it might be under SuSE 8.2?
-- Andreas
Andreas Winkelmann wrote:
hashes. If you go the SuSE-preferred/default way, using saslauthd, you are bound to PLAIN and LOGIN. saslauthd cannot handle CRAM-MD5 or DIGEST-MD5. The normal way, if you want to use shared secrets (CRAM-MD5 or DIGEST-MD5), is sasldb. You have to protect your sasldb from foreign eyes.
And of course, saslauthd is easier to handle; you have only one "database" with your user accounts/passwords (passwd/shadow).
There's supposed to be a /etc/sasldb file for configuration, but I can't seem to find anything there in SuSE 8.2. In fact, there's precious little of anything related to sasldb on anything in SuSE 8.2.
It will be created when you create the first user account:
# saslpasswd2 -c -u domain.tld user
So if I want to run a mail server which has no typical user access (only admin types would login) then using sasldb would be a reasonable selection. And it pulls CRAM/DIGEST natively? How do you set/config it?
On Thursday, 23 October 2003 03:32, Tom Allison wrote:
And of course, saslauthd is easier to handle; you have only one "database" with your user accounts/passwords (passwd/shadow).
There's supposed to be a /etc/sasldb file for configuration, but I can't seem to find anything there in SuSE 8.2. In fact, there's precious little of anything related to sasldb on anything in SuSE 8.2.
It will be created when you create the first user account:
# saslpasswd2 -c -u domain.tld user
So if I want to run a mail server which has no typical user access (only admin types would login) then using sasldb would be a reasonable selection. And it pulls CRAM/DIGEST natively?
Yes.
How do you set/config it?
Create the users:
# saslpasswd2 -c username
Check it:
# sasldblistusers2
username@domain: userPassword
Tell Cyrus to use the sasldb, in /etc/imapd.conf:
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
And restart Cyrus:
# rccyrus restart
-- Andreas
Hi All,
Has anyone done any work on NIS+ to OpenLDAP migration? Any help would be greatly appreciated.
Thanks
-- Asif Iqbal
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x8B686E08
There's no place like 127.0.0.1
participants (3)
-
Andreas Winkelmann
-
Asif Iqbal
-
Tom Allison