Bug 11573
Summary: | Authentication Fails when logging into cyrus-imapd | | |
---|---|---|---|
Product: | [Retired] Red Hat Powertools | Reporter: | Oliver Jones <oliver> |
Component: | cyrus-sasl | Assignee: | Nalin Dahyabhai <nalin> |
Status: | CLOSED RAWHIDE | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | medium | | |
Version: | 6.1 | | |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | i386 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2000-05-29 21:53:18 UTC | Type: | --- |
Description
Oliver Jones
2000-05-22 10:43:39 UTC
This is an unfortunate interaction of PAM and the Cyrus SASL library. The pam_unix and pam_pwdb modules use setuid-root helpers to check passwords, but due to security concerns, a program executing as any user other than root can only authenticate for the user it is running as (in this case, "cyrus", the user the imap server is executing as). Changing this behavior in PAM would weaken the security of the pam_unix and pam_pwdb modules, so I'm reluctant to make such a change. It may very well work properly using pam_radius, pam_krb5, or pam_userdb.

Well, this leads me in the right direction, I guess. I'm intending on playing with pam_ldap. Would this be a suitable variant to try? It doesn't require setuid programs, does it?

No, not that I'm aware of. Please follow up if this does in fact work for you.

With more experience using it, I can now verify that pam_ldap should work in this situation. Closing this bug report.

Indeed it does. I've been using pam_ldap with cyrus for some time now. Performance is much, much, much better than wu-imapd. I personally believe Red Hat should package cyrus with Red Hat Linux rather than wu-imapd. I notice that the imap daemon has changed in the latest (7.x) releases, but I do not have experience with it. The benefits cyrus provides include superior performance, more security with TLS/SSL support, non-shell-login mail accounts, LDAP integration, integrated email filtering with SIEVE and more.
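
Added example, not part of the original report and not code from PAM or Cyrus: a shell check that reads a PAM service file and flags `auth` lines using the two helper-based modules named above (pam_unix, pam_pwdb) when the daemon runs as a non-root user such as `cyrus`. The function names, sample stacks and module paths are constructed for illustration.

```shell
#!/bin/sh
# Flags PAM "auth" modules that verify passwords through a setuid-root helper,
# which only authenticates the calling user unless the caller is root.
HELPER_MODULES="pam_unix pam_pwdb"   # the two modules named in this report

# check_pam_auth FILE RUN_AS_USER
# Prints "OK <module>" or "FAIL <module>" per auth line; returns 1 on any FAIL.
check_pam_auth() {
    file=$1; run_as=$2; rc=0
    while read -r type rest; do
        [ "$type" = auth ] || continue            # skip comments, blanks, other types
        case $rest in
            '['*) rest=${rest#*\]} ;;             # bracketed control may contain spaces
            *)    rest=${rest#*[[:space:]]} ;;    # single-word control (required, ...)
        esac
        rest=${rest#"${rest%%[![:space:]]*}"}     # trim leading whitespace
        module=${rest%%[[:space:]]*}              # first word is the module
        name=${module##*/}; name=${name%.so}      # drop directory and .so suffix
        verdict=OK
        if [ "$run_as" != root ]; then
            for m in $HELPER_MODULES; do
                if [ "$name" = "$m" ]; then verdict=FAIL; fi
            done
        fi
        if [ "$verdict" = FAIL ]; then rc=1; fi
        echo "$verdict $name"
    done < "$file"
    return "$rc"
}

# Constructed sample stacks for an IMAP service (not taken from the report).
write_before() { cat > "$1" <<'EOF'
#%PAM-1.0
auth     required  /lib/security/pam_pwdb.so shadow nullok
account  required  /lib/security/pam_pwdb.so
EOF
}
write_after() { cat > "$1" <<'EOF'
#%PAM-1.0
auth     required  /lib/security/pam_ldap.so
account  required  /lib/security/pam_ldap.so
EOF
}

demo() {
    tmp=$(mktemp)
    write_before "$tmp"; echo "before:"; check_pam_auth "$tmp" cyrus || true
    write_after  "$tmp"; echo "after:";  check_pam_auth "$tmp" cyrus || true
    rm -f "$tmp"
}
demo
```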