Stepan Kadlec wrote:
greetings,
I have seen some similar questions on the net but without any satisfying
solution.
whenever cyrus passes the credentials to sasl, it is in lowercase (no matter
what these options are set to: lmtp_downcase_rcpt, username_tolower,
normalizeuid). the huge problem appears in case of using virtual domains and
kerberos authentication - the domain part of the email address is used as
kerberos realm, which is strictly case sensitive (usually uppercase). since
sasl always receives the realm lowercased, the authentication never passes.
e.g.:
username (email): t...@domain.tld
krb principal: t...@domain.tld
imaptest:~ # imtest -a t...@domain.tld -m login -p imap localhost -v
saslauthd[19448] :do_auth : auth failure: [user=test] [service=imap]
[realm=domain.tld] [mech=kerberos5] [reason=saslauthd internal error]
how can this be solved?
btw. there is imho one more problem and it is how the realm is concluded (as
the email domain part). some more generic option of mapping email to realms
would be nice. is it possible?
thanks for any clue, steve.
Stepan,
There is a Cyrus IMAP specific solution for this using the
/etc/krb.equiv file. See the 'Kerberos vs. Unix Authorization' section
within the /doc/overview.html file. However, the documentation would
suggest that that would require you to use direct kerberos
authentication, rather than indirect saslauthd/kerberos authentication.
You could also use a sasl canonicalization plugin to accomplish this
(via ldapdb), but that would require an LDAP server. See the
/doc/options.html file within the SASL CVS tree.