Re: 2.2.11 and --enable-kpasswd
On Fri, 2004-05-28 at 10:34, Quanah Gibson-Mount wrote:
> As for the saslauthd must use LDAP, are you saying then that your KDC is in
> LDAP?
No. It's a slightly unusual configuration.
1. User logs into Cyrus IMAP (sends user@domain.com and a plain text password).
2. Cyrus verifies this password with saslauthd.
3. saslauthd searches LDAP to find a matching account (uid=user@domain.com).
4. If found, saslauthd attempts a simple bind, using the supplied password.
5. The account objects all have {kerberos}user@REALM passwords like {kerberos}mail.domain.com/username@REALM.
This is all to allow virtual users to log into email using their email
address as their username. I prefer to use Kerberos for password storage
over LDAP, even though it requires more administration.
Cheers,
Dan.
>
> If your KDC is a MIT KDC, then it isn't in your LDAP server, it is its own
> DB...
>
> So the saslauthd forwards password requests made to the LDAP servers to the
> KDC.
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Principal Software Developer
> ITSS/TSS/Computing Systems
> ITSS/TSS/Infrastructure Operations
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
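As an added example (not from Dan's post, nor configuration shipped by Cyrus SASL or OpenLDAP), here is a saslauthd.conf for the search-then-bind flow in steps 3 and 4 above. Hostnames, the search base, the service account, the object class and the realm are assumptions. The slapd side is assumed to be built with --enable-kpasswd, as in the thread subject, so that a userPassword value of the form {KERBEROS}principal is verified against the KDC during the simple bind instead of being compared against a hash stored in LDAP.

```conf
# saslauthd.conf (added example, assumed values); run saslauthd with "-a ldap"
ldap_servers: ldap://ldap.domain.com/
ldap_version: 3
ldap_start_tls: yes          # the user's plain text password crosses this link
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/certs/ca.pem

# Step 3: search as a read-only service account for uid=<full login name>.
# %u is the login name exactly as Cyrus passed it (user@domain.com); saslauthd
# escapes LDAP filter metacharacters in the substituted value, so a login
# name containing "*" or ")" cannot widen the filter.
ldap_bind_dn: cn=saslauthd,ou=Services,dc=domain,dc=com
ldap_bind_pw: <service-account-password>
ldap_search_base: ou=Mail,dc=domain,dc=com
ldap_scope: sub
ldap_filter: (&(objectClass=inetOrgPerson)(uid=%u))

# Step 4: rebind as the DN found above with the password supplied to IMAP.
# Step 5: that entry carries, for example,
#   userPassword: {KERBEROS}mail.domain.com/username@REALM
# and slapd (built with --enable-kpasswd) checks the supplied password
# against the KDC for that principal.
ldap_auth_method: bind
```

To check the chain end to end, use testsaslauthd (shipped with Cyrus SASL): testsaslauthd -u user@domain.com -p 'password'. To exercise the LDAP leg alone, bind as the found DN with ldapwhoami -x -ZZ -H ldap://ldap.domain.com -D '<found DN>' -W; that is the same simple bind saslauthd performs and therefore the same {KERBEROS} check. Two caveats a deployer should keep in mind: the plain text password travels from the IMAP client to Cyrus, from Cyrus to saslauthd and from saslauthd to slapd, and slapd holds it to verify against the KDC, so TLS on the IMAP listener and on the LDAP connection is not optional; and because a wrong ldap_search_base or ldap_filter shows up as "user not found" rather than as a bind failure, test with a deliberately wrong password as well as a correct one so that a misconfiguration is not mistaken for a working setup.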