
Re: 2.2.11 and --enable-kpasswd



On Fri, 2004-05-28 at 10:34, Quanah Gibson-Mount wrote:
> As for the saslauthd must use LDAP, are you saying then that your KDC is in 
> LDAP?

No. It's a slightly unusual configuration:

1. User logs into Cyrus IMAP (sends user@domain.com and plain text password).
2. Cyrus verifies this password with saslauthd.
3. saslauthd searches LDAP to find a matching account (uid=user@domain.com).
4. If found, saslauthd attempts a simple bind, using the supplied password.
5. The account objects all have {kerberos}user@REALM passwords like {kerberos}mail.domain.com/username@REALM.

This is all to allow virtual users to log into email using their email
address as their username. I prefer to use Kerberos for password storage
over LDAP, even though it requires more administration.

Cheers,

Dan.

> 
> If your KDC is a MIT KDC, then it isn't in your LDAP server, it is its own 
> DB...
> 
> So the saslauthd forwards password requests made to the LDAP servers to the 
> KDC.
> 
> --Quanah
> 
> --
> Quanah Gibson-Mount
> Principal Software Developer
> ITSS/TSS/Computing Systems
> ITSS/TSS/Infrastructure Operations
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
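An added saslauthd.conf fragment (an illustration written for this page, not Dan's or Quanah's own configuration) showing how the five-step flow above maps onto saslauthd's LDAP backend; the hostname, base DN, search account and CA path are assumed values.

```conf
# Example saslauthd.conf (added illustration, not the poster's actual config).
# Assumed values: ldap.example.com, ou=people,dc=example,dc=com and the
# cn=saslauthd search account. Step numbers refer to Dan's list above.

# Step 3: saslauthd searches LDAP for the account. Cyrus hands over the full
# login name (user@domain.com), so %u is matched against uid as-is.
ldap_servers: ldap://ldap.example.com/
ldap_search_base: ou=people,dc=example,dc=com
ldap_scope: sub
ldap_filter: (uid=%u)

# A low-privilege search account only locates the entry; it should not be
# able to read userPassword. The password below is a placeholder, and the
# file holding it must not be world-readable.
ldap_bind_dn: cn=saslauthd,ou=services,dc=example,dc=com
ldap_bind_pw: PLACEHOLDER-search-account-password

# Step 4: verify the password with a simple bind as the DN that was found.
# slapd then checks the supplied password against the entry's
# {kerberos}... userPassword value with the KDC (step 5), which is what
# the --enable-kpasswd build option in the thread subject is about.
ldap_auth_method: bind

# The simple bind carries the user's plaintext password, so the hop from
# saslauthd to the directory should be under TLS with the CA pinned.
ldap_start_tls: yes
ldap_tls_cacert_file: /etc/ssl/certs/ca.pem
```

With this layout the plaintext password crosses two hops (Cyrus to saslauthd, saslauthd to slapd) before the KDC ever sees it, so both the IMAP listener and the LDAP connection need transport protection.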