1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
|
<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
<meta charset="utf-8" /><meta name="generator" content="Docutils 0.19: https://docutils.sourceforge.io/" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Authentication and Authorization — Cyrus IMAP 3.10.2 documentation</title>
<link rel="stylesheet" href="../../../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../../../_static/css/theme.css" type="text/css" />
<link rel="stylesheet" href="../../../_static/graphviz.css" type="text/css" />
<link rel="stylesheet" href="../../../_static/cyrus.css" type="text/css" />
<script data-url_root="../../../" id="documentation_options" src="../../../_static/documentation_options.js"></script>
<script src="../../../_static/jquery.js"></script>
<script src="../../../_static/underscore.js"></script>
<script src="../../../_static/_sphinx_javascript_frameworks_compat.js"></script>
<script src="../../../_static/doctools.js"></script>
<script src="../../../_static/sphinx_highlight.js"></script>
<script src="../../../_static/js/theme.js"></script>
<link rel="index" title="Index" href="../../../genindex.html" />
<link rel="search" title="Search" href="../../../search.html" />
<link rel="next" title="Performance Recommendations" href="performance_recommendations.html" />
<link rel="prev" title="Known Protocol Limitations" href="known_protocol_limitations.html" />
</head>
<body class="wy-body-for-nav">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" >
<a href="../../../index.html" class="icon icon-home">
Cyrus IMAP
</a>
<div class="version">
3.10.2
</div>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="../../../search.html" method="get">
<input type="text" name="q" placeholder="Search docs" aria-label="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div><div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
<p class="caption" role="heading"><span class="caption-text">Cyrus IMAP</span></p>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../../../download.html">Download</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../quickstart.html">Quickstart Guide</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../overview.html">Overview</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="../../../setup.html">Setup</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="../../developer/compiling.html">Compiling</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../installing.html">Installing Cyrus</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../download/upgrade.html">Upgrading to 3.10</a></li>
<li class="toctree-l2 current"><a class="reference internal" href="../deployment.html">Configuration Guide</a><ul class="current">
<li class="toctree-l3"><a class="reference internal" href="deployment_scenarios.html">Deployment Scenarios</a></li>
<li class="toctree-l3"><a class="reference internal" href="deployment_scenarios.html#cyrus-murder-server-aggregation">Cyrus Murder: Server aggregation</a></li>
<li class="toctree-l3"><a class="reference internal" href="deployment_scenarios.html#cyrus-replication">Cyrus Replication</a></li>
<li class="toctree-l3"><a class="reference internal" href="deployment_scenarios.html#hosted-environments">Hosted Environments</a></li>
<li class="toctree-l3"><a class="reference internal" href="databases.html">Databases</a></li>
<li class="toctree-l3"><a class="reference internal" href="mailbox_creation_distribution.html">Mailbox Creation Distribution</a></li>
<li class="toctree-l3"><a class="reference internal" href="known_protocol_limitations.html">Known Protocol Limitations</a></li>
<li class="toctree-l3 current"><a class="current reference internal" href="#">Authentication and Authorization</a><ul>
<li class="toctree-l4"><a class="reference internal" href="#client-authentication">Client Authentication</a></li>
<li class="toctree-l4"><a class="reference internal" href="#users-and-mailboxes">Users and Mailboxes</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="performance_recommendations.html">Performance Recommendations</a></li>
<li class="toctree-l3"><a class="reference internal" href="storage.html">Storage Considerations</a></li>
<li class="toctree-l3"><a class="reference internal" href="supported-platforms.html">Supported Platforms and System Requirements</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../../../operations.html">Operations</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../developers.html">Developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../support.html">Support/Community</a></li>
</ul>
<p class="caption" role="heading"><span class="caption-text">Cyrus SASL</span></p>
<ul>
<li class="toctree-l1"><a class="reference external" href="http://www.cyrusimap.org/sasl">Cyrus SASL</a></li>
</ul>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"><nav class="wy-nav-top" aria-label="Mobile navigation menu" >
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="../../../index.html">Cyrus IMAP</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="Page navigation">
<ul class="wy-breadcrumbs">
<li><a href="../../../index.html" class="icon icon-home" aria-label="Home"></a></li>
<li class="breadcrumb-item"><a href="../../../setup.html">Setup</a></li>
<li class="breadcrumb-item"><a href="../deployment.html">Configuration Guide</a></li>
<li class="breadcrumb-item active">Authentication and Authorization</li>
<li class="wy-breadcrumbs-aside">
<a href="https://github.com/cyrusimap/cyrus-imapd/blob/master/docsrc/imap/concepts/deployment/authentication_and_authorization.rst" class="fa fa-github"> Edit on GitHub</a>
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<section id="authentication-and-authorization">
<h1>Authentication and Authorization<a class="headerlink" href="#authentication-and-authorization" title="Permalink to this heading"></a></h1>
<p>The use of Cyrus IMAP may have a significant impact on the design, use and load of the current authentication and authorization infrastructure. In addition, authentication and authorization relates to both to security, and also, in the particular case of Cyrus IMAP, personal privacy.</p>
<p>Typically, an authentication and authorization database, such as for example LDAP, is already available and in use within an infrastructure. Cyrus IMAP would integrate with a variety of technologies, but a few considerations deserve outlining.</p>
<p>For example, when a user wants to set group permissions on an IMAP folder, the most intuitive attribute in LDAP to refer to the group is the Common Name (CN). This attribute however is not guaranteed to be unique. Uniqueness can be enforced within LDAP, although that may be too restrictive, and so the groups available in Cyrus IMAP can be limited to scope one, while the cn is used in the rdn (the cn is the naming attribute to compose the dn with); effectively enforcing uniqueness for those groups available to Cyrus IMAP.</p>
<p>Similarly, many deployments choose to use the mail LDAP attribute value as the mailbox name, while mail is a multi-valued attribute and is not configured to be enforced globally unique in the LDAP information tree under the root dn. In addition, attributes such as <code class="docutils literal notranslate"><span class="pre">mailAlternativeAddress</span></code> and/or alias could potentially hold the same value as anyone's mail attribute. These limitations or such implications become very clear when canonification of the authentication ID to the desired authorization ID is attempted.</p>
<p>For example, if <code class="docutils literal notranslate"><span class="pre">jdoe</span></code> is the login username, and Cyrus IMAP has a default realm configured <code class="docutils literal notranslate"><span class="pre">example.org</span></code>, the authentication ID becomes <code class="docutils literal notranslate"><span class="pre">jdoe@example.org</span></code>. It is this authentication ID, and not the supplied login username, that Cyrus IMAP uses to verify the credentials.</p>
<p>Cyrus IMAP thereafter allows authorization mechanisms, such as <em>ptclient</em> modules, to canonify the authentication ID to then ultimately return the authorization ID.</p>
<p>Suppose in the case of <code class="docutils literal notranslate"><span class="pre">jdoe@example.org</span></code>, where the authentication ID had been set, an LDAP module for ptloader could search LDAP for a <code class="docutils literal notranslate"><span class="pre">uid=%U</span></code> (where <code class="docutils literal notranslate"><span class="pre">%U</span></code> is the local part of the authentication ID), find the mail attribute value is <code class="docutils literal notranslate"><span class="pre">john.doe@example.org</span></code>, and authorize the user as such. Effectively, this enables Cyrus IMAP users to log in both with their username (uid) as well as their email address (or any of the aliases).</p>
<p>The process of client authentication and authorization</p>
<section id="client-authentication">
<h2>Client Authentication<a class="headerlink" href="#client-authentication" title="Permalink to this heading"></a></h2>
<p>The exchange and verification of identity information provided by a client, otherwise known as <em>the process of authentication</em>, provides a set of credentials that allow the server to verify that the user is in fact the user, and not an imposter.</p>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p><strong>Authentication != Authorization</strong></p>
<p>Authentication and authorization are two separate processes. Authentication is about verifying the credentials supplied by the client, while authorization is the process of determining what rights the client has. Authentication, logically, preseeds authorization.</p>
</div>
<p>The most common set of credentials is a <em>username</em> and <em>password</em>, but other forms exist like Kerberos v5 ticket exchange (for which, to obtain such, most often a password is supplied), or certificate based authentication (the secret keys for which are most often locked with a passphrase). In any case, authentication works based on a shared secret, and/or a trusted source for verification. Kerberos v5 works based on shared secrets (keytab), and certificate based authentication works based on shared, trusted sources for verification.</p>
<p>In the case of usernames and passwords though, the exchange and verification of the credentials is at the basis of its security. Sending plain text usernames and passwords over the wire would not allow any application to verify the source of the credentials is actually the user --- who is supposed to be the only party to know the unique combination of username and password.</p>
<p>To obfuscate the login credentials, authentication can be encrypted with CRAM-MD5 or DIGEST-MD5, but this requires the server to have a copy of the original, plain text password. The password in this case becomes the shared secret.</p>
<p>Another method is to allow the plain text username and password to be transmitted over the wire, but ensure Transport Layer Security (TLS) or the more implicit Secure Socket Layer (SSL). The plain text password can now be used to compare it against a SQL database, bind to an LDAP database, attempt PAM authentication with, etc.</p>
</section>
<section id="users-and-mailboxes">
<h2>Users and Mailboxes<a class="headerlink" href="#users-and-mailboxes" title="Permalink to this heading"></a></h2>
<p>User mailboxes have a globally unique identifier which is not necessarily the same as the login name used. There are three distinguishable aspects to a user's entity and the mailbox associated with it;</p>
<p>The <strong>user login credentials</strong> that are associated with the user authentication entity and verify the user is who the user claims to be.</p>
<p>For example, the user logs in with username <code class="docutils literal notranslate"><span class="pre">john.doe@example.org</span></code> and password <code class="docutils literal notranslate"><span class="pre">verysecret</span></code>.</p>
<p>The <strong>user's authentication entity</strong> --- with all attributes associated with it --- can have one of those attributes be used to create the relationship between the user authentication entity on the one side, and the mailbox entity on the other side.</p>
<p>For example, the user that authenticated as <code class="docutils literal notranslate"><span class="pre">john.doe@example.org</span></code> may have a mailbox named <code class="docutils literal notranslate"><span class="pre">jdoe</span></code>.</p>
<p>The <strong>authorization entity</strong>, used to assign certain permissions to the user, uses the same attribute used to determine the mailbox name.</p>
<p>For example, the user that authenticated as <code class="docutils literal notranslate"><span class="pre">john.doe@example.com</span></code> and has mailbox <code class="docutils literal notranslate"><span class="pre">jdoe</span></code> needs an access control list entry on that mailbox that assigns <code class="docutils literal notranslate"><span class="pre">jdoe</span></code> certain rights on said mailbox.</p>
</section>
</section>
</div>
</div>
<footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
<a href="known_protocol_limitations.html" class="btn btn-neutral float-left" title="Known Protocol Limitations" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
<a href="performance_recommendations.html" class="btn btn-neutral float-right" title="Performance Recommendations" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
</div>
<hr/>
<div role="contentinfo">
<p>© Copyright 1993–2025, The Cyrus Team.</p>
</div>
Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
<a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
<script>
jQuery(function () {
SphinxRtdTheme.Navigation.enable(true);
});
</script>
</body>
</html>
|
