On Wed, 1 Dec 2004, Nikola Milutinovic wrote:

> Can Cyrus IMAPD (and how) support multiple Kerberos realms via SASL/GSSAPI?

Depending on context, yes, let's see what you want:

> It will be necessary for us to have at least one Cyrus IMAPD that will serve users from two or more dirs/domains/realms. Since Cyrus 2.2.x supports virtual domains, delivery is no problem - although I will have some address rewriting issues to solve, but that is for the MTA to handle.
>
> My idea was to use GSSAPI and GSSAPI capable mail readers (Outlook Express) in conjunction with MS ADS. I've seen posts of people who did it and it sounded like a relatively easy thing to do. I understand that I must have a complete match between Cyrus VDomain and ADS domain for a particular user.
>
> My question is, will authentication work for multiple domains? Can Cyrus IMAP be supplied with more than one principal? Will it choose appropriate server principal for a particular user principal?

Exchange keys between realms and install only the correct service key on the IMAP server? I'm not sure why you'd want to use more than one service key for the server. If you did, well, perhaps the right answer is 2 IP addresses, one master running on each, with different config files, but using the same mail backend (or a murder setup with multiple frontends). But all of these are really far more complicated than just doing key exchange between realms and putting all the mailboxes in one realm. More recent Cyrus' murder features are actually being used by CMU to have 2 realms (actually 3, but the 3rd is a test realm) with a common mailbox namespace behind it. But even that may be more complex than you need or want. I'm not sure.


---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
