Hi all.
The question may seem complex, but here goes:
QUESTION
--------
Can Cyrus IMAPD (and how) support multiple Kerberos realms via SASL/GSSAPI?
CLARIFICATION/RATIONALE
-----------------------
This question arises from our planned move to MS Active Directory Service. Since we are a large company, we will have several sub-directories or sub-domains. This will result in having multiple Kerberos "sub-realms". I do know that Kerberos has no concept of hierarchy; that's why I'm using quotation marks.
It will be necessary for us to have at least one Cyrus IMAPD that will serve users from two or more dirs/domains/realms. Since Cyrus 2.2.x supports virtual domains, delivery is no problem - although I will have some address rewriting issues to solve, but that is for the MTA to handle.
My idea was to use GSSAPI and GSSAPI capable mail readers (Outlook Express) in conjunction with MS ADS. I've seen posts of people who did it and it sounded like a relatively easy thing to do. I understand that I must have a complete match between Cyrus VDomain and ADS domain for a particular user.
My question is, will authentication work for multiple domains? Can Cyrus IMAP be supplied with more than one principal? Will it choose the appropriate server principal for a particular user principal?
EXAMPLE
-------
Let's say I have two ADS domains (Kerberos realms), with the following principals:
Domain:  up.ev.co.yu
Realm:   UP.EV.CO.YU
Service: IMAP/[EMAIL PROTECTED]
user:    [EMAIL PROTECTED]

Domain:  pb.ev.co.yu
Realm:   PB.EV.CO.YU
Service: IMAP/[EMAIL PROTECTED]
user:    [EMAIL PROTECTED]
Now suppose I have 2 client machines and users from those machines want to access their mailboxes, which are regularly created. How will IMAPD handle this situation? What service key will be used? Will it choose one key for "UP.EV.CO.YU" and the other for "PB.EV.CO.YU", depending on what realm the client uses?
Any hints for the config?
Nix.