blob: 0144af163471f018e9e652848d907a05d063d531 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
|
On Tue, Jan 14, 2003 at 01:06:02AM +0100, Charl P. Botha wrote:
[...]
> ----- Forwarded message from Darren Gibbons -----
[...]
> It is however possible with certain applications patched for pam
> (Cyrus IMAP server e.g.) that one does not need the users to
> exist in the system database.
[...]
I've got it working with cyrus 2.0 and 2.1, so I'll give some pointers
on both. When I say `cyrus x' I mean cyrus imapd version x and
whichever version of sasl you need with it.
Cyrus 2.0
---------
- sasl must be configured with `--with-pam --enable-plain'; it doesn't
hurt to add `--disable cram --disable-digest'
- imapd must be configured with `--with-auth=unix' (sounds like you got
that right)
- in imapd.conf you need the line
sasl_pwcheck_method: PAM
- in /etc/pam.d/imap (on FreeBSD I believe you use /etc/pam.conf, but
the idea is similar) you need
auth required pam_pwdfile.so pwdfile /path/to/passwordfile
account required pam_permit.so
- make sure your password file is readable by user cyrus
The idea of all this is to use the SASL PLAIN mechanism to get the
password in plaintext and then get SASL to leave the authentication to
PAM, which will use pam_pwdfile.
Cyrus 2.1
---------
- same as above, but different ;) in the details
- sasl must be configured with `--with-pam --with-saslauthd
--enable-plain' and I disable the rest (checkapop, digest, otp, krb4,
etc.)
- imapd should be configured with `--with-auth=unix'
- in imapd.conf you need the line
sasl_pwcheck_method: saslauthd
- start up saslauthd with `saslauthd -a pam'
- you need the /etc/pam.d/imap as above, as well as (an identical)
/etc/pam.d/sieve if you use timsieved
I think that about covers it. One tricky bit with SASL is to get the
right mechanisms advertised; I do this by only compiling in support for
PLAIN and LOGIN. If the rest don't exist they can't cause problems.
|
