Greetings, I'm having problems getting Cyrus IMAP to authenticate users within the domain specified by defaultdomain when using "virtdomains: userid".
Background: For authentication, I'm going from saslauthd to PAM to pam_pgsql, which is a PAM module to authenticate against tables in the PostgreSQL RDBMS. pam_pgsql is looking at a table of user names in the format "[EMAIL PROTECTED]". I'm running saslauthd with -r so the realm gets appended to the user name, and thus PAM should see "[EMAIL PROTECTED]" for the user name. With "virtdomains: userid" and "defaultdomain: foo.com", if I try to log in as "[EMAIL PROTECTED]" to the IMAP server, saslauthd sends "[EMAIL PROTECTED]" to PAM. This behavior is what I expect and want. However, if I try to log in as "[EMAIL PROTECTED]" (i.e., a user within defaultdomain), the IMAP server strips off "@foo.com" and then sends just "user" as the user name to saslauthd with no realm, causing PAM to only get "user" instead of "[EMAIL PROTECTED]", and thus the lookup fails. This stripping of the defaultdomain is my problem. I believe I've tracked this down to Cyrus IMAP's imap/global.c:canonify_userid function. What's the correct way to get the IMAP server to always send "[EMAIL PROTECTED]" to SASL regardless of the defaultdomain setting? I could remove the defaultdomain setting, but from reading docs and mailing lists, I gather that would break global admin functionality. Additionally, I may have some misconfigured clients that are using their unqualified user name to log in, so keeping defaultdomain would be nice, though not strictly necessary. Alternatively, I could remove the section in canonify_userid that removes the domain from the end of the user name if it matches defaultdomain, but I'm worried that, too, might break global admins. If SASL is going to treat "[EMAIL PROTECTED]" as user="user" and realm="fqdn", perhaps the IMAP server shouldn't discard the "@fqdn" part of the user name? I think Cyrus (or at least the saslauthd pwcheck method) is calling sasl_checkpass, which doesn't have a realm parameter.
Maybe Cyrus should append "@defaultdomain" to the user name before passing it to saslauthd? Should saslauthd have a default realm setting? If not globally within saslauthd, then for PAM at least? Given PAM's lack of a concept of "realms", this doesn't seem like the right thing to do. I could hack up pam_pgsql to include a "default domain" kind of setting and then have it append that to the user name if it doesn't contain '@', but that seems ugly too. I believe I cannot use auxprop because I have encrypted passwords that I'm authenticating against -- unless I patch auxprop with the "encrypted password" patches, which sounds generally frowned upon. Even then, though, would I just code an SQL statement that tries to "SELECT ... WHERE (username = '[EMAIL PROTECTED]') OR (username = '[EMAIL PROTECTED]')"? This still seems ugly.

Any and all comments, help, advice, etc. appreciated. I'm fine hacking on the code, I'm just unfamiliar with the APIs and code bases involved, and so I'm not sure what is the right (or least wrong) way to do what I want. I've been reading archives for a day or two and can't find anyone who seems to have this problem.

I'm running Linux, Fedora Core 2, cyrus-imapd 2.2.8 RPMs from http://www.invoca.ch/pub/packages/cyrus-imapd/, cyrus-sasl 2.1.19 from Fedora development, pam_pgsql 0.5.2. saslauthd gets run like "saslauthd -m /var/run/saslauthd -a pam -r -c".

My imapd.conf file contains:

    configdirectory: /var/lib/imap
    partition-default: /srv/imap
    admins: cyrus
    sievedir: /var/lib/imap/sieve
    sendmail: /usr/sbin/sendmail
    hashimapspool: true
    sasl_pwcheck_method: saslauthd
    sasl_mech_list: PLAIN
    tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
    tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
    tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
    virtdomains: userid
    defaultdomain: foo.com
    unixhierarchysep: yes

I'll be glad to share any other configuration information.
Thanks,
darkness

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
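A small Python model of the login-name path the post describes, added here as an illustration; it is not code from Cyrus, saslauthd or pam_pgsql. The stripping rule follows the post's account of canonify_userid rather than the real source, the user table is constructed, and the `qualify_default` switch models the remedy the post floats (re-appending "@defaultdomain" before the name reaches saslauthd).

```python
# Model of: Cyrus canonicalisation under "virtdomains: userid" plus
# "defaultdomain", saslauthd -r appending the realm, and a pam_pgsql-style
# lookup against a table of "user@domain" names. Illustration only; the
# behaviour is taken from the post's description, not from Cyrus sources.

DEFAULT_DOMAIN = "foo.com"

# Constructed sample of the PostgreSQL user table pam_pgsql would query.
USER_TABLE = {"user@foo.com", "alice@bar.com"}


def canonify_userid(login, default_domain=DEFAULT_DOMAIN):
    """Return (user, realm) as the post says Cyrus hands them to saslauthd.

    A login "user@domain" is split; when the domain equals defaultdomain it
    is stripped and no realm is passed on (the behaviour the post complains
    about). An unqualified login is treated as belonging to defaultdomain.
    """
    if "@" not in login:
        return login, None
    user, domain = login.rsplit("@", 1)
    if domain.lower() == default_domain.lower():
        return user, None
    return user, domain


def saslauthd_name(user, realm, append_realm=True):
    """saslauthd -r: append the realm to the user name when one was given."""
    if append_realm and realm:
        return f"{user}@{realm}"
    return user


def pam_lookup(name, table=USER_TABLE):
    """pam_pgsql-style exact match against the stored "user@domain" names."""
    return name in table


def authenticate(login, qualify_default=False):
    """Run the full path; return (name PAM sees, whether the lookup hit).

    qualify_default=True models re-appending @defaultdomain before the name
    reaches saslauthd, so every name PAM sees is fully qualified.
    """
    user, realm = canonify_userid(login)
    if qualify_default and realm is None:
        realm = DEFAULT_DOMAIN
    name = saslauthd_name(user, realm)
    return name, pam_lookup(name)
```

Running `authenticate("user@foo.com")` reproduces the failure (PAM sees plain "user"), while a login in a non-default domain or the qualified variant reaches the table entry.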