author: Charl Botha <cpbotha@cpbotha.net> 2003-01-17 14:10:48 +0000
committer: Charl Botha <cpbotha@cpbotha.net> 2003-01-17 14:10:48 +0000
commit: 102f385da827867fcfc5719977c4d47dad70daeb (patch)
tree: 8eae121c8b88e554fa6ec0a3b190d8f5df972a32
parent: 30e62a622151cef666f6ab80cf1fae0f058f0c96 (diff)
download: libpam-pwdfile-102f385da827867fcfc5719977c4d47dad70daeb.tar.gz
Added cyrus NO system passwords micro howto by Warwick Duncan.
-rw-r--r-- changelog 8
-rw-r--r-- contrib/README.txt 6
-rw-r--r-- contrib/warwick_duncan-cyrus_without_system_accounts.txt 49
3 files changed, 61 insertions, 2 deletions
diff --git a/changelog b/changelog
index 2372d6a..a7aff96 100644
--- a/changelog
+++ b/changelog
@@ -1,7 +1,13 @@
changelog for pam_pwdfile PAM module - Charl P. Botha <cpbotha@ieee.org>
-$Id: changelog,v 1.16 2002-06-10 21:50:32 cpbotha Exp $
+$Id: changelog,v 1.17 2003-01-17 14:10:46 cpbotha Exp $
---------------------------------------------------------------------------
+0.99 :
+
+* added micro howto by Warwick Duncan (in contrib/ dir) explaining how to
+ setup Cyrus IMAPD + pam_pwdfile so that one does not have to create system
+ accounts for imapd users
+
0.98 : Mon Jun 10 23:49:46 CEST 2002
* added contrib directory with spec file and Makefile by Jason F. McBrayer
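Review bot: the new "0.99 :" heading carries no date, while the existing "0.98 : Mon Jun 10 23:49:46 CEST 2002" heading does; fill in the date when 0.99 is released so the entries stay consistent. In the entry text, "setup" is used as a verb and should read "set up", and naming the file (contrib/warwick_duncan-cyrus_without_system_accounts.txt) instead of only "in contrib/ dir" would save readers a lookup.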
diff --git a/contrib/README.txt b/contrib/README.txt
index 1ae686e..6d5203b 100644
--- a/contrib/README.txt
+++ b/contrib/README.txt
@@ -1,6 +1,10 @@
-$Id: README.txt,v 1.1 2002-05-14 15:58:53 cpbotha Exp $
+$Id: README.txt,v 1.2 2003-01-17 14:10:48 cpbotha Exp $
* Makefile.standalone and pam-pwdfile.spec were contributed by Jason F.
McBrayer <jason@xeran.com>. You can use these for building RPMs of
pam_pwdfile; you should also be able to use the Makefile to build
pam_pwdfile on other platforms _without_ the Linux-PAM hierarchy.
+
+* warwick_duncan-cyrus_without_system_accounts.txt is a short explanation by
+ Warwick Duncan on how to get Cyrus IMAPD + pam_pwdfile to work WITHOUT
+ having to create system accounts for IMAPD users.
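Review bot: the new README entry does not say which Cyrus versions the howto applies to; the file added in this commit gives separate steps for Cyrus 2.0 and Cyrus 2.1, so adding "(Cyrus IMAPD 2.0 and 2.1)" to the entry would let readers tell at a glance whether it fits their setup. It would also help to mention here that the approach depends on the SASL PLAIN and LOGIN mechanisms, since that is the main constraint the howto imposes.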
diff --git a/contrib/warwick_duncan-cyrus_without_system_accounts.txt b/contrib/warwick_duncan-cyrus_without_system_accounts.txt
new file mode 100644
index 0000000..0144af1
--- /dev/null
+++ b/contrib/warwick_duncan-cyrus_without_system_accounts.txt
@@ -0,0 +1,49 @@
+On Tue, Jan 14, 2003 at 01:06:02AM +0100, Charl P. Botha wrote:
+[...]
+> ----- Forwarded message from Darren Gibbons -----
+[...]
+> It is however possible with certain applications patched for pam
+> (Cyrus IMAP server e.g.) that one does not need the users to
+> exist in the system database.
+[...]
+
+I've got it working with cyrus 2.0 and 2.1, so I'll give some pointers
+on both. When I say `cyrus x' I mean cyrus imapd version x and
+whichever version of sasl you need with it.
+
+Cyrus 2.0
+---------
+
+- sasl must be configured with `--with-pam --enable-plain'; it doesn't
+ hurt to add `--disable cram --disable-digest'
+- imapd must be configured with `--with-auth=unix' (sounds like you got
+ that right)
+- in imapd.conf you need the line
+ sasl_pwcheck_method: PAM
+- in /etc/pam.d/imap (on FreeBSD I believe you use /etc/pam.conf, but
+ the idea is similar) you need
+ auth required pam_pwdfile.so pwdfile /path/to/passwordfile
+ account required pam_permit.so
+- make sure your password file is readable by user cyrus
+
+The idea of all this is to use the SASL PLAIN mechanism to get the
+password in plaintext and then get SASL to leave the authentication to
+PAM, which will use pam_pwdfile.
+
+Cyrus 2.1
+---------
+
+- same as above, but different ;) in the details
+- sasl must be configured with `--with-pam --with-saslauthd
+ --enable-plain' and I disable the rest (checkapop, digest, otp, krb4,
+ etc.)
+- imapd should be configured with `--with-auth=unix'
+- in imapd.conf you need the line
+ sasl_pwcheck_method: saslauthd
+- start up saslauthd with `saslauthd -a pam'
+- you need the /etc/pam.d/imap as above, as well as (an identical)
+ /etc/pam.d/sieve if you use timsieved
+
+I think that about covers it. One tricky bit with SASL is to get the
+right mechanisms advertised; I do this by only compiling in support for
+PLAIN and LOGIN. If the rest don't exist they can't cause problems.
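Review bot: the step "make sure your password file is readable by user cyrus" in the Cyrus 2.0 list states only the minimum; the file holds the password entries pam_pwdfile checks against, so the text should say it must be readable by cyrus and by no other unprivileged user. The Cyrus 2.1 list moves the check to saslauthd ("saslauthd -a pam") but does not say which user then needs read access to the file, which should be spelled out. In the first Cyrus 2.0 item, "--disable cram" has a space where the neighbouring "--disable-digest" has a hyphen; it looks like a typo for "--disable-cram" and is worth checking against the sasl configure options before this ships. Since the setup relies on PLAIN and LOGIN, which as the text notes hand the password over in plaintext, a line recommending that the imap and sieve connections run over TLS would be a useful addition.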