
Re: 2.2.11 and --enable-kpasswd

On Fri, 2004-05-28 at 10:34, Quanah Gibson-Mount wrote:
> As for the saslauthd must use LDAP, are you saying then that your KDC is in 

No. It's a slightly unusual configuration.

1. User logs into Cyrus IMAP (Sends user@domain.com, and plain text
2. Cyrus verifies this password with saslauthd.
3. saslauthd searches ldap to find a matching account
4. If found, saslauthd attempts a simple bind, using the supplied
5. The account objects all have {kerberos}user@REALM passwords like

This is all to allow virtual users to log into email using their email
address as their username. I prefer to use Kerberos for password storage
over LDAP, even though it requires more administration.



> If your KDC is a MIT KDC, then it isn't in your LDAP server, it is its own 
> DB...
> So the saslauthd forwards password requests made to the LDAP servers to the 
> KDC.
> --Quanah
> --
> Quanah Gibson-Mount
> Principal Software Developer
> ITSS/TSS/Computing Systems
> ITSS/TSS/Infrastructure Operations
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
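The saslauthd-to-LDAP leg of the flow described in the reply above, written out as an added example that is not from the original thread. Hostnames, the search base, the service account and the realm are assumptions, and the LDIF assumes slapd was built with --enable-kpasswd so that a {KERBEROS} userPassword value is handed to the KDC for verification.

```conf
# --- /etc/saslauthd.conf (added example; hostnames, DNs and realm are assumed) ---
# Cyrus passes the login name (user@domain.com) and password to saslauthd,
# which searches LDAP for the matching account and then simple-binds as that
# entry with the password the user supplied (steps 2-4 of the reply above).
# ldaps:// keeps the user's plaintext password off the wire between saslauthd
# and slapd; the bind itself is still a plaintext simple bind inside TLS.
ldap_servers: ldaps://ldap.example.com/
ldap_search_base: ou=people,dc=example,dc=com
# %u expands to the full login name (user@domain.com); %U would be only the
# part before the @ and would break virtual-domain lookups.
ldap_filter: (mail=%u)
# "bind" makes saslauthd authenticate by binding as the found entry's DN
ldap_auth_method: bind
# Credentials used for the search step only, never for the user's own bind.
# Give this account read access to mail/uid and nothing else.
ldap_bind_dn: cn=saslauthd,ou=services,dc=example,dc=com
ldap_password: SEARCH-ACCOUNT-PASSWORD-PLACEHOLDER

# --- one virtual-user entry (constructed LDIF) ---
# The stored value is a reference, not a hash: when saslauthd binds as this
# DN, slapd forwards the password check to the KDC for jdoe@EXAMPLE.COM,
# so the LDAP directory itself never holds the user's secret.
# dn: uid=jdoe,ou=people,dc=example,dc=com
# objectClass: inetOrgPerson
# uid: jdoe
# cn: Jane Doe
# sn: Doe
# mail: jdoe@example.com
# userPassword: {KERBEROS}jdoe@EXAMPLE.COM
```

Check the chain end to end with `testsaslauthd -u jdoe@example.com -p '<password>'`, then watch both slapd and KDC logs for the bind and the resulting AS request; a failure that shows up in slapd but not in the KDC log points at the search or filter rather than at Kerberos.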