Re: Cyrus-SASL using LDAP

From: Jeremy Rumpf (jrumpf at heavyload dot net)
Date: Mon Mar 22 2004 - 20:10:58 EST

  • Next message: Morten Olsen: "Re: Cyrus-SASL using LDAP"

    On Monday 22 March 2004 16:33 pm, Wong, G. MR EECS wrote:
    > We are trying to use "saslauthd -a ldap" to authenticate to a Microsoft
    > Active Directory Domain controller as
    > authentication piece for a Cyrus IMAP server. Our platform is Redhat
    > Enterprise AS 3.0.
    >
    > We are just trying to get saslauthd -a ldap to work for right now.
    >
    > We start saslauthd with: "saslauthd -a ldap -O
    > /usr/local/etc/saslauthd.conf"
    >
    > Here is our saslauthd.conf:
    >
    > ------------------------------------------------------------------------
    > --------------------------------
    > ldap_servers: ldap://129.29.72.130
    > ldap_bind_dn:
    > cn=imapservice,ou=users,ou=eecs,ou=dean,dc=usma,dc=ds,dc=army,dc=edu
    > ldap_password: Jig0Haj|DY
    > ldap_version: 3
    > ldap_filter: %u
    > ldap_auth_method: fastbind
    > ------------------------------------------------------------------------
    > --------------------------------
    >
    > Does the bind user have to be a special AD account? (Anonymous binding
    > is not allowed for our Microsoft AD domain
    > Controller)
    >

    Yes, the bind user has to have read only access to the part of the AD tree that
    holds your users. Can you also query your AD with ldapsearch using the
    bind_dn and password above?

    Your ldap filter also looks bad. You may try this (works on an AD setup I have
    for limited testing):

    (&(cn=%u)(objectclass=user))

    You'll need to add a user, something like:

    CN=LDAPro,CN=Users,ou=eecs,ou=dean,dc=usma,dc=ds,dc=army,dc=edu

    Where LDAPro is a special read only user you've set up. I don't recall the
    exact procedure for giving read only access to the tree. I'm not an AD person
    so it seemed kind of obscure at the time IIRC.

    Also, change ldap_auth_method from fastbind to bind. Get bind to work first
    then shoot for fastbind if that's a requirement. I can't remember if the
    default AD security policy allows for a fastbind type environment.
     
    HTH,
    Jeremy
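
The configuration change Jeremy describes, written out as an added example that is not part of the thread: the poster's settings next to a corrected version (search base, a real LDAP filter, `bind` instead of `fastbind`), a small lint that flags the original problems, and the `ldapsearch` and `testsaslauthd` checks he suggests. The host names, DNs, user name and `REPLACE_ME` password are placeholders, not the values from the thread; `ldap_search_base` is the saslauthd key the `bind` method needs to locate the user entry.

```shell
#!/bin/sh
# Added example, not from the original thread. Host, DNs and password are
# placeholders; point them at your own AD before using the check commands.

# Settings as posted (password replaced by a placeholder).
WEAK_CONF='ldap_servers: ldap://ldap.example.test
ldap_bind_dn: cn=imapservice,ou=users,dc=example,dc=test
ldap_password: REPLACE_ME
ldap_version: 3
ldap_filter: %u
ldap_auth_method: fastbind'

# Corrected settings: a read-only bind user, a search base, a proper filter,
# and plain bind first (switch to fastbind only once bind works).
FIXED_CONF='ldap_servers: ldap://ldap.example.test
ldap_bind_dn: cn=LDAPro,cn=Users,dc=example,dc=test
ldap_password: REPLACE_ME
ldap_version: 3
ldap_search_base: ou=eecs,dc=example,dc=test
ldap_filter: (&(cn=%u)(objectclass=user))
ldap_auth_method: bind'

# conf_value FILE KEY -> first value of KEY in a saslauthd.conf file.
conf_value() { sed -n "s/^$2: *//p" "$1" | head -n 1; }

# lint_saslauthd_conf FILE -> exit 0 if none of the known problems are present,
# otherwise the number of problems found (each one printed as a WARN line).
lint_saslauthd_conf() {
    f=$1; problems=0
    if grep -q '^ldap_auth_method: *fastbind' "$f"; then
        echo "WARN: ldap_auth_method is fastbind; get bind working first"
        problems=$((problems + 1))
    fi
    if grep -q '^ldap_filter: *%u *$' "$f"; then
        echo "WARN: ldap_filter is a bare %u, not an LDAP filter"
        problems=$((problems + 1))
    fi
    if grep -q '^ldap_auth_method: *bind' "$f" && ! grep -q '^ldap_search_base:' "$f"; then
        echo "WARN: the bind method needs ldap_search_base to find the user entry"
        problems=$((problems + 1))
    fi
    return $problems
}

# ldapsearch_check_cmd FILE USER -> the ldapsearch command that verifies the
# bind DN can read USER's entry with the same server, base and filter
# saslauthd will use (-W prompts for the bind password instead of echoing it).
ldapsearch_check_cmd() {
    f=$1; user=$2
    filter=$(conf_value "$f" ldap_filter | sed "s/%u/$user/g")
    printf "ldapsearch -x -H '%s' -D '%s' -W -b '%s' '%s' cn\n" \
        "$(conf_value "$f" ldap_servers)" "$(conf_value "$f" ldap_bind_dn)" \
        "$(conf_value "$f" ldap_search_base)" "$filter"
}

demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$WEAK_CONF" > "$tmp/weak.conf"
    printf '%s\n' "$FIXED_CONF" > "$tmp/fixed.conf"
    chmod 600 "$tmp"/*.conf      # the file holds the bind password in clear text
    lint_saslauthd_conf "$tmp/weak.conf" || echo "weak.conf: $? problem(s)"
    lint_saslauthd_conf "$tmp/fixed.conf" && echo "fixed.conf: ok"
    # Step 1: confirm the bind DN can see the user at all.
    ldapsearch_check_cmd "$tmp/fixed.conf" jdoe
    # Step 2: once saslauthd -a ldap -O fixed.conf is running, check end to end.
    echo "testsaslauthd -u jdoe -p 'the-users-password'"
    rm -rf "$tmp"
}
demo
```

Run the two printed commands against the real directory: if `ldapsearch` returns the user's entry, the bind DN has the read access Jeremy describes; if `testsaslauthd` then answers `OK "Success."`, saslauthd is authenticating. On Active Directory the logon name is normally the `sAMAccountName` attribute, so if `cn=%u` finds nothing, that is the attribute to try in `ldap_filter`.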

