author | Charl Botha <cpbotha@cpbotha.net> | 2003-01-17 14:10:48 +0000 |
---|---|---|
committer | Charl Botha <cpbotha@cpbotha.net> | 2003-01-17 14:10:48 +0000 |
commit | 102f385da827867fcfc5719977c4d47dad70daeb (patch) | |
tree | 8eae121c8b88e554fa6ec0a3b190d8f5df972a32 | |
parent | 30e62a622151cef666f6ab80cf1fae0f058f0c96 (diff) | |
download | libpam-pwdfile-102f385da827867fcfc5719977c4d47dad70daeb.tar.gz |
Added cyrus NO system passwords micro howto by Warwick Duncan.
-rw-r--r-- | changelog | 8 | ||||
-rw-r--r-- | contrib/README.txt | 6 | ||||
-rw-r--r-- | contrib/warwick_duncan-cyrus_without_system_accounts.txt | 49 |
3 files changed, 61 insertions, 2 deletions
@@ -1,7 +1,13 @@ changelog for pam_pwdfile PAM module - Charl P. Botha <cpbotha@ieee.org> -$Id: changelog,v 1.16 2002-06-10 21:50:32 cpbotha Exp $ +$Id: changelog,v 1.17 2003-01-17 14:10:46 cpbotha Exp $ --------------------------------------------------------------------------- +0.99 : + +* added micro howto by Warwick Duncan (in contrib/ dir) explaining how to + setup Cyrus IMAPD + pam_pwdfile so that one does not have to create system + accounts for imapd users + 0.98 : Mon Jun 10 23:49:46 CEST 2002 * added contrib directory with spec file and Makefile by Jason F. McBrayer diff --git a/contrib/README.txt b/contrib/README.txt index 1ae686e..6d5203b 100644 --- a/contrib/README.txt +++ b/contrib/README.txt @@ -1,6 +1,10 @@ -$Id: README.txt,v 1.1 2002-05-14 15:58:53 cpbotha Exp $ +$Id: README.txt,v 1.2 2003-01-17 14:10:48 cpbotha Exp $ * Makefile.standalone and pam-pwdfile.spec were contributed by Jason F. McBrayer <jason@xeran.com>. You can use these for building RPMs of pam_pwdfile; you should also be able to use the Makefile to build pam_pwdfile on other platforms _without_ the Linux-PAM hierarchy. + +* warwick_duncan-cyrus_without_system_accounts.txt is a short explanation by + Warwick Duncan on how to get Cyrus IMAPD + pam_pwdfile to work WITHOUT + having to create system accounts for IMAPD users. diff --git a/contrib/warwick_duncan-cyrus_without_system_accounts.txt b/contrib/warwick_duncan-cyrus_without_system_accounts.txt new file mode 100644 index 0000000..0144af1 --- /dev/null +++ b/contrib/warwick_duncan-cyrus_without_system_accounts.txt 
@@ -0,0 +1,49 @@ +On Tue, Jan 14, 2003 at 01:06:02AM +0100, Charl P. Botha wrote: +[...] +> ----- Forwarded message from Darren Gibbons ----- +[...] +> It is however possible with certain applications patched for pam +> (Cyrus IMAP server e.g.) that one does not need the users to +> exist in the system database. +[...] + +I've got it working with cyrus 2.0 and 2.1, so I'll give some pointers +on both. When I say `cyrus x' I mean cyrus imapd version x and +whichever version of sasl you need with it. + +Cyrus 2.0 +--------- + +- sasl must be configured with `--with-pam --enable-plain'; it doesn't + hurt to add `--disable cram --disable-digest' +- imapd must be configured with `--with-auth=unix' (sounds like you got + that right) +- in imapd.conf you need the line + sasl_pwcheck_method: PAM +- in /etc/pam.d/imap (on FreeBSD I believe you use /etc/pam.conf, but + the idea is similar) you need + auth required pam_pwdfile.so pwdfile /path/to/passwordfile + account required pam_permit.so +- make sure your password file is readable by user cyrus + +The idea of all this is to use the SASL PLAIN mechanism to get the +password in plaintext and then get SASL to leave the authentication to +PAM, which will use pam_pwdfile. + +Cyrus 2.1 +--------- + +- same as above, but different ;) in the details +- sasl must be configured with `--with-pam --with-saslauthd + --enable-plain' and I disable the rest (checkapop, digest, otp, krb4, + etc.) +- imapd should be configured with `--with-auth=unix' +- in imapd.conf you need the line + sasl_pwcheck_method: saslauthd +- start up saslauthd with `saslauthd -a pam' +- you need the /etc/pam.d/imap as above, as well as (an identical) + /etc/pam.d/sieve if you use timsieved + +I think that about covers it. One tricky bit with SASL is to get the +right mechanisms advertised; I do this by only compiling in support for +PLAIN and LOGIN. If the rest don't exist they can't cause problems. |
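Review bot: in the changelog hunk, the new `0.99 :` heading carries no date, while the `0.98 :` entry directly below it is stamped `Mon Jun 10 23:49:46 CEST 2002`; add the date when the release is cut so the entries stay uniform. In the same entry, `how to setup Cyrus IMAPD` should read `how to set up`.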
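Review bot: in contrib/warwick_duncan-cyrus_without_system_accounts.txt, the Cyrus 2.0 bullet `make sure your password file is readable by user cyrus` states only the minimum access and says nothing about keeping other users out. Since this is the file pam_pwdfile authenticates against, suggest wording it as owned by cyrus and readable by no other account. The closing paragraph recommends compiling in only PLAIN and LOGIN, and the howto itself says PLAIN hands over the password in plaintext, so a line telling readers to protect the imap (and sieve) connection with TLS would be worth adding. Separately, `--disable cram` in the first Cyrus 2.0 bullet looks like a typo for `--disable-cram`, matching the `--disable-digest` next to it.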