Use pam_ldap in conjunction with the pam_check_service_attr option in
its config file. Then add authorizedService attributes for every PAM
service you want. Cyrus can get especially fine-grained, because it has
four separate PAM services (one each for POP3, IMAP, NNTP, and Sieve).
See below for a section of my account LDIF. Note that SASL does not
append "d" to its service entries, like you think it would. That screwed
me over the first time I tried to get this setup going.

authorizedService: sshd
authorizedService: ftpd
authorizedService: imap
authorizedService: pop
authorizedService: nntp
authorizedService: smtp
authorizedService: sieve

--Scott

Ezsra McDonald wrote:
My current system is SuSE 8.1. This version of saslauthd was not
compiled with LDAP support. It currently hands off authentication to
pam_ldap. I have looked for the cyrus_sasl src RPM for the version I am
running. I would rebuild it but apparently it is not available. It looks
like I will have to hack a later RPM and see if I can get it to work on
SuSE 8.1.
Does anyone know how to give pam_ldap a filter to use? That would be my
quickest fix. I will be investigating that now.
--Ez

On Sun, 2005-04-03 at 14:07, Ondřej Surý wrote:
It's not a task for the IMAP server, but for the SASL auth daemon. You have to
construct the LDAP query in SASL so that it allows only users who have mail to
log in. Either create some special flag in LDAP.
E.g.: "ldap_filter: (&(uid=%u)(allowCyrusLogin=true))" or something
similar.
Ondrej

On Fri, 2005-04-01 at 13:02 -0800, Ezsra McDonald wrote:
Is there a setting to tell IMAP not to allow
authenticated users who don't have cyrus accounts?
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
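
An added example, not part of the thread: a small audit over an LDIF export that lists which entries carry authorizedService values for the four Cyrus PAM services named in the first reply, and flags values such as "imapd" that show the trailing-"d" mistake described there. The DNs and entries are constructed placeholders, the service names come from the LDIF excerpt above, and exact string matching is an assumption of this sketch.

```python
# Service names as they appear in the LDIF excerpt in the thread (no trailing "d").
CYRUS_SERVICES = {"imap", "pop", "nntp", "sieve"}
# Constructed sample data; DNs are placeholders, not real accounts.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
authorizedService: sshd
authorizedService: imap
authorizedService: sieve

dn: uid=bob,ou=people,dc=example,dc=com
authorizedService: imapd
authorizedService: popd

dn: uid=carol,ou=people,dc=example,dc=com
authorizedService: sshd
"""

def parse_ldif(text):
    """Return {dn: [authorizedService values]}, unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # LDIF folds long lines with one leading space
        else:
            lines.append(raw)
    entries, dn = {}, None
    for line in lines:
        if not line.strip():
            dn = None  # a blank line ends the current entry
            continue
        attr, _, value = (part.strip() for part in line.partition(":"))
        if attr.lower() == "dn":
            dn = value
            entries[dn] = []
        elif dn and attr.lower() == "authorizedservice":
            entries[dn].append(value)
    return entries

def audit(entries):
    """Per entry: Cyrus services granted, and values that look like the trailing-'d' mistake."""
    report = {}
    for dn, values in entries.items():
        # Assumption: the value must equal the PAM service name exactly.
        granted = sorted(v for v in values if v in CYRUS_SERVICES)
        suspect = sorted(v for v in values if v.endswith("d") and v[:-1] in CYRUS_SERVICES)
        report[dn] = {"cyrus": granted, "suspect": suspect}
    return report

if __name__ == "__main__":
    print(audit(parse_ldif(SAMPLE_LDIF)))
```

An entry with an empty "cyrus" list and a non-empty "suspect" list is an account that was meant to have mail access but will be refused by the service check.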