pam_mapi(8) - Linux man page

Name

pam_mapi - Module for authentication via MAPI against a Zarafa server

Synopsis

pam_mapi.so [socket=http://localhost:236/zarafa] [try_first_pass] [use_first_pass] [quiet] [debug]

Description

The pam_mapi module is used to verify a username/password pair via MAPI in SOAP against a Zarafa server of the Zarafa Collaboration Platform.

Options

socket=http://localhost:236/zarafa

Use the socket http://localhost:236/zarafa for the Zarafa login. This also can be HTTPS if the Zarafa server is not running on the same machine. The default socket http://localhost:236/zarafa is used, if none has been set.

Be very careful when specifying the UNIX socket here, because the default Zarafa configuration option local_admin_users in /etc/zarafa/server.cfg contains the root user and saslauthd runs as root user by default, too. In this case, any authentication would succeed, even if wrong credentials are provided, which could make the SMTP service an open relay.

try_first_pass

Use the authentication token previously obtained by another module that did the conversation with the application. If this token can not be obtained then the module will try to converse. This option can be used for stacking different modules that need to deal with the authentication tokens.

use_first_pass

Use the authentication token previously obtained by another module that did the conversation with the application. If this token can not be obtained then the module will fail. This option can be used for stacking different modules that need to deal with the authentication tokens.

quiet

Do not treat MAPI_E_LOGON_FAILED authentication failures as errors that need to be logged to syslog(3). This option can be used for stacking different modules, because the existence of an account can be only assured after a succeeded authentication due to limited PAM account functionality.

debug

Turns on debugging via syslog(3).

Invalid arguments are logged with syslog(3).

Module Types Provided

The auth and account module types are provided.

Return Values

PAM_AUTHINFO_UNAVAIL

Authentication service cannot retrieve authentication info.

PAM_AUTHTOK_ERR

Authentication token manipulation error.

PAM_AUTHTOK_RECOVERY_ERR

Authentication information cannot be recovered.

PAM_AUTH_ERR

Authentication failure.

PAM_IGNORE

Ignore this module.

PAM_SERVICE_ERR

Error in service module.

PAM_SUCCESS

Success.

Examples

The most typical usage in /etc/pam.d/smtp when authenticating only against Zarafa users would be: 

#%PAM-1.0
auth       required     pam_mapi.so try_first_pass
account    required     pam_mapi.so

Another common usage in /etc/pam.d/smtp could be authenticating against Linux system and Zarafa users: 

#%PAM-1.0
auth       sufficient   pam_mapi.so try_first_pass quiet
auth       include      password-auth
account    sufficient   pam_mapi.so
account    include      password-auth

Keep in mind while editing, that /etc/pam.d/smtp could be a symbolic link at various Linux systems.

See Also

pam.conf(5), pam.d(5), pam(8), zarafa-server.cfg(5), zarafa-server(1), saslauthd(8)

Author

pam_mapi was written by Robert Scheck <zarafa@robert-scheck.de>.