I use a web sso portal which provides cas tickets. I "cassify" my webmail and my imap server (cyrus-imapd).
When I fetch my emails from the Webmail (proxy CAS), it's ok. Except if I fetch my emails with a classic IMAP client and I try to fetch again from the Webmail, I have bad authentications.
It seems it's a known problem. Indeed (if I understand well) the sasl cache got at the begining a PT like password (from webmail), and after a password (from classic IMAP client). I don't found the good way to correct it. That's why I post my question here. I tried with pam_ccreds but I still have a lot of authentication errors into the mail.log.
So I try to use 2 instances of saslauthd and 2 imap services. Below the OS and Software configuration :
- OS : Debian 8
- sasl2-bin : 2.1.26.dfsg1-13
- cyrus-imapd : 2.4.17+caldav~beta10-18
Below my attempt configuration :
/etc/default/saslauthd
START=yes DESC="SASL Authentication Daemon" NAME="saslauthd" MECHANISMS="pam" THREADS=5 OPTIONS="-c -m /var/run/saslauthd/mux -r -n 0"
/etc/default/saslauthd-web
START=yes DESC="SASL Authentication Daemon" NAME="saslauthd" MECHANISMS="pam" THREADS=5 OPTIONS="-c -m /var/run/saslauthd/muxweb -r -n 0"
/etc/pam.d/imapweb
auth sufficient /lib/x86_64-linux-gnu/security/pam_cas.so -simap://mail.example.com -f/etc/pam_cas.conf auth sufficient /lib/x86_64-linux-gnu/security/pam_ldap.so config=/etc/pam_ldap_imap.conf auth sufficient /lib/x86_64-linux-gnu/security/pam_unix.so account sufficient /lib/x86_64-linux-gnu/security/pam_ldap.so config=/etc/pam_ldap_imap.conf
/etc/pam.d/imap
auth sufficient /lib/x86_64-linux-gnu/security/pam_ldap.so config=/etc/pam_ldap_imap.conf auth sufficient /lib/x86_64-linux-gnu/security/pam_unix.so account sufficient /lib/x86_64-linux-gnu/security/pam_ldap.so config=/etc/pam_ldap_imap.conf
/etc/cyrus.conf
imap cmd="imapd -U 30" listen="X.X.X.X:imap" prefork=0 maxchild=100 imapweb cmd="imapd -U 30 -C /etc/imapdweb.conf" listen="X.X.X.X:IMAPWEBPORT" prefork=0 maxchild=100
/etc/imapd.conf
... sasl_pwcheck_method: auxprop saslauthd imap_sasl_saslauthd_path: /var/run/saslauthd/mux imapweb_sasl_saslauthd_path: /var/run/saslauthd/muxweb sasl_auxprop_plugin: sasldb ...
I restart saslauthd and cyrus-imapd services.
When I run a testsaslauthd command with the each saslauthd socket it runs very well :
testsaslauthd -u USER -p PASSWORD -f /var/run/saslauthd/mux/mux -s imap
0: OK "Success."
testsaslauthd -u USER -p PASSWORD -f /var/run/saslauthd/muxweb/mux -s imapweb
0: OK "Success."
But when I run a telnet on the imap port on my imap-server from my webmail host, the authentication failed. On the imapweb port it is the same. However into the imap log, I see the stacktrace which show I use the good imap service (imap for imap port and imapweb for "IMAPPORTWEB")
Do you have an idea, which explains why my authentication doesn't work ? Is the right method to accept both CAS and classic IMAP access ?