
Re: saslauthd and multiple mechs



John,

Very much appreciated but I think we're doing OK using PAM for now. What we did was just point saslauthd at pam, and have PAM perform auth against several backend systems. All of the auth in our case is coming through slapd, so the PAM service requested by saslauthd is always 'ldap'. This allowed us to configure PAM for saslauthd without otherwise messing with the rest of our PAM config. Our /etc/pam.d/ldap looks like this:

<snip>
# Note that we only set up 'auth' here, no password/session/etc.

# This tries KRB5 first, using the system-wide settings
auth    sufficient      pam_krb5.so ignore_root
# Next we try KRB5 again, but with a non-default realm because some of our users are not in OTHERREALM.COM
auth    sufficient      pam_krb5.so ignore_root use_first_pass realm=OTHERREALM.COM
# lastly, try pam_ldap
auth    sufficient      pam_ldap.so use_first_pass
</snip>

I'd still prefer to have saslauthd handle this, but thankfully with the flexibility of pam_krb5 and pam_ldap, we're able to use PAM for slapd+saslauthd without interfering with anything else in the system, and it's actually working great so far. saslauthd+PAM may end up being an advantage for us rather than a workaround.

- Mike
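To see how the all-`sufficient` stack above actually short-circuits (and what happens when every backend rejects the password), here is an added simulator of Linux-PAM control-flag dispatch; it is not code from the thread, and it assumes a simplified model with only the four classic control keywords and a constructed copy of the /etc/pam.d/ldap file:

```python
"""Simulate a Linux-PAM 'auth' stack over a pam.d file (added example).

Simplified dispatch model (assumption: required/requisite/sufficient/optional
only, no [value=action] syntax):
  required   - failure is remembered, the remaining modules still run
  requisite  - failure ends the stack immediately
  sufficient - success ends the stack with success unless a required module
               already failed; failure is ignored
  optional   - failure is ignored
If no module produced a decisive result, access is denied.
"""

# Constructed copy of the /etc/pam.d/ldap stack posted in the thread.
PAM_LDAP = """\
# Note that we only set up 'auth' here, no password/session/etc.
auth    sufficient      pam_krb5.so ignore_root
auth    sufficient      pam_krb5.so ignore_root use_first_pass realm=OTHERREALM.COM
auth    sufficient      pam_ldap.so use_first_pass
"""


def parse_stack(text, facility="auth"):
    """Return [(control, module, args)] for one facility, skipping comments."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] == facility and len(fields) >= 3:
            stack.append((fields[1], fields[2], fields[3:]))
    return stack


def evaluate(stack, outcomes):
    """outcomes: one bool per stack entry (did that module accept the user?).

    Returns (pam_result, index of the module that decided, or None)."""
    required_failed = None
    for i, ((control, _mod, _args), ok) in enumerate(zip(stack, outcomes)):
        if control == "requisite" and not ok:
            return "PAM_AUTH_ERR", i
        if control == "required" and not ok and required_failed is None:
            required_failed = i
        if control == "sufficient" and ok and required_failed is None:
            return "PAM_SUCCESS", i        # later modules are never consulted
    if required_failed is not None:
        return "PAM_AUTH_ERR", required_failed
    decisive = [ok for (c, _m, _a), ok in zip(stack, outcomes) if c != "sufficient"]
    return ("PAM_SUCCESS", None) if any(decisive) else ("PAM_PERM_DENIED", None)
```

With the posted stack, a user known only in OTHERREALM.COM is accepted by the second pam_krb5 entry and pam_ldap is never reached; if all three backends reject, nothing decisive was set and the result is a denial.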

On 06/17/2010 04:46 PM, John Newbigin wrote:
To the best of my knowledge it is not supported.  I wrote some patches
against cyrus-sasl-2.1.19 earlier in the year which I am using to allow
2 mechs. The patches are a bit messy because I did not want to change
too much core stuff.

It would not be too difficult to make the support a lot better.

My command line looks like this:
/usr/sbin/saslauthd -m /var/run/saslauthd -O /etc/saslauthd.conf -a ldap
-V -O /etc/saslauthd-httpform.conf -a httpform

The return value of the second mech is not currently used but that is
easy to change. I use the httpform as a way of synchronising passwords
to other systems. For a generic solution some syntax regarding what to
do on success or failure would need to be developed.

My patches also allow per realm configuration for the ldap mech and
fixes some bugs in the httpform mech.

If you want the patches, let me know.

John.
