>>>I've rebuilt and installed Simon Matter's Cyrus RPMs on RH9 without any
>>>difficulty. I don't want to create user accounts on the system, just in
>>>Cyrus. However, I'm completely lost trying to figure out the best way to do
>>>this. Should I use PAM, Kerberos, SASL? None of which mean very much to
>>
>> It's really difficult to tell you what's the best method here. There are
>> so many ways to do it.
>> I'm using saslauthd->PAM->shadow or saslauthd->shadow on small workgroup
>> servers where every user has a unix account anyway. On dedicated
>> mailservers, I'm usually using saslauthd->PAM->LDAP or saslauthd->LDAP.
>
> I personally get great results with saslauthd->PAM->LDAP and like that
> setup a lot. I would consider saslauthd->LDAP but found it much easier
> to get going via PAM. I've had no problems and have found some of the
> other capabilities provided by PAM very handy, so I think this is a good
> choice.

I want to back this. I have several servers running against PAM->LDAP with
great success. The nice thing is that you can mix several authentication
methods via PAM. Having local unix user and additional LDAP users or mysql
users or whatever.

>
> One thing that I didn't see mentioned in the docs: when using PAM, you
> need to make sure the PAM service name is the cyrus service name, ie
> "imap" or "pop", _not_ "saslauthd". So create a file, /etc/pam.d/imap,

My rpms include all the required files, so there is nothing to do in the
default config.

> containing (basic redhat-ish config:)
>
> auth required /lib/security/pam_stack.so service=system-auth
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth

As an example, I'm doing the following in a simple setup:

[EMAIL PROTECTED] pam.d]# cat [imap|pop|sieve]
#%PAM-1.0
auth required /lib/security/pam_stack.so service=ldap-auth
account required /lib/security/pam_stack.so service=ldap-auth

[EMAIL PROTECTED] pam.d]# cat ldap-auth
#%PAM-1.0
# Authenticate against LDAP but only if username is lowercase
auth requisite /lib/security/pam_deny_uc.so
auth required /lib/security/pam_ldap.so
account required /lib/security/pam_ldap.so

This way you can configure all cyrus-imapd related configuration in one
place.

Simon

>
> and run saslauthd as 'saslauthd -a pam' - it should work then. Assuming
> I'm not forgetting something.
>
> Craig Ringer
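
An added example, not part of the original thread or of the Cyrus RPMs: a Python check that each Cyrus service name has its own PAM file and that expands pam_stack.so service= references into the modules that actually run. The function names and the simple "type control module args" line format are assumptions; the sample files are constructed from the configs quoted in the thread, with the pop file left out on purpose.

```python
import tempfile
from pathlib import Path

def parse_pam_file(path):
    """Return (type, control, module, args) for each rule in a PAM service file."""
    # Splitting on '#' drops comments and the #%PAM-1.0 header line.
    rows = (l.split("#", 1)[0].split() for l in Path(path).read_text().splitlines())
    return [(f[0], f[1], f[2], f[3:]) for f in rows if len(f) >= 3]

def effective_stack(service, pam_dir, seen=()):
    """Expand pam_stack.so service=NAME references for one service file."""
    if service in seen:
        raise ValueError("pam_stack loop at " + service)
    out = []
    for mtype, control, module, args in parse_pam_file(Path(pam_dir, service)):
        target = next((a.split("=", 1)[1] for a in args if a.startswith("service=")), None)
        if Path(module).name == "pam_stack.so" and target:
            # pam_stack runs the referenced service's rules of the same type only
            nested = effective_stack(target, pam_dir, seen + (service,))
            out += [r for r in nested if r[0] == mtype]
        else:
            out.append((mtype, control, Path(module).name))
    return out

def audit(services, pam_dir):
    """Service name -> expanded stack, or None when a needed file is missing."""
    report = {}
    for svc in services:
        try:
            report[svc] = effective_stack(svc, pam_dir)
        except FileNotFoundError:
            report[svc] = None  # no PAM file under this Cyrus service name
    return report

def demo():
    """Constructed sample: the thread's imap and ldap-auth files, no pop file."""
    files = {
        "imap": "#%PAM-1.0\nauth required /lib/security/pam_stack.so service=ldap-auth\n"
                "account required /lib/security/pam_stack.so service=ldap-auth\n",
        "ldap-auth": "#%PAM-1.0\n# only lowercase usernames\n"
                     "auth requisite /lib/security/pam_deny_uc.so\n"
                     "auth required /lib/security/pam_ldap.so\n"
                     "account required /lib/security/pam_ldap.so\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in files.items():
            Path(d, name).write_text(body)
        return audit(["imap", "pop"], d)
```

On a real host, call audit(["imap", "pop", "sieve"], "/etc/pam.d"); a None entry means that service has no file of its own, or one of the files it references is missing.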