From: Jeremy Rumpf (jrumpf at heavyload dot net)
Date: Mon Mar 22 2004 - 20:10:58 EST
On Monday 22 March 2004 16:33 pm, Wong, G. MR EECS wrote:
> We are trying to use "saslauthd -a ldap" to authenticate to a Microsoft
> Active Directory Domain controller as
> authentication piece for a Cyrus IMAP server. Our platform is Redhat
> Enterprise AS 3.0.
>
> We are just trying to get saslauthd -a ldap to work for right now.
>
> We start saslauthd with: "saslauthd -a ldap -O
> /usr/local/etc/saslauthd.conf"
>
> Here is our saslauthd.conf:
>
> ------------------------------------------------------------------------------------------------------
> ldap_servers: ldap://129.29.72.130
> ldap_bind_dn:
> cn=imapservice,ou=users,ou=eecs,ou=dean,dc=usma,dc=ds,dc=army,dc=edu
> ldap_password: Jig0Haj|DY
> ldap_version: 3
> ldap_filter: %u
> ldap_auth_method: fastbind
> ------------------------------------------------------------------------------------------------------
>
> Does the bind user have to be a special AD account? (Anonymous binding
> is not allowed for our Microsoft AD domain
> Controller)
>
Yes, the bind user has to have read-only access to the part of the AD tree that
holds your users. Can you also query your AD with ldapsearch using the
bind_dn and password above?
Your ldap filter also looks bad. You may try this (works on an AD setup I have
for limited testing):
(&(cn=%u)(objectclass=user))
You'll need to add a user, something like:
CN=LDAPro,CN=Users,ou=eecs,ou=dean,dc=usma,dc=ds,dc=army,dc=edu
Where LDAPro is a special read-only user you've set up. I don't recall the
exact procedure for giving read-only access to the tree. I'm not an AD person,
so it seemed kind of obscure at the time, IIRC.
Also, change ldap_auth_method from fastbind to bind. Get bind to work first,
then shoot for fastbind if that's a requirement. I can't remember if the
default AD security policy allows for a fastbind type environment.
HTH,
Jeremy
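Added example (Python; not from the thread and not saslauthd's own code): it parses a saslauthd.conf like the one above, substitutes %u into ldap_filter with the login name escaped per RFC 4515 so characters such as * or ) cannot change the filter's structure, flags the three points raised in the reply (a filter with no attribute=value term, fastbind before plain bind works, an empty bind DN), and assembles the ldapsearch command the reply suggests for checking the bind DN by hand. The sample config, the placeholder password and the search base passed to ldapsearch_command are assumptions.

```python
import re

# Constructed sample: the poster's layout with the reply's suggested changes applied
SAMPLE_CONF = """\
ldap_servers: ldap://ldap.example.test
ldap_bind_dn: CN=LDAPro,CN=Users,ou=eecs,ou=dean,dc=usma,dc=ds,dc=army,dc=edu
ldap_password: PLACEHOLDER_PASSWORD
ldap_version: 3
ldap_filter: (&(cn=%u)(objectclass=user))
ldap_auth_method: bind
"""

def parse_conf(text):
    """saslauthd.conf is 'key: value' per line; blank lines and # comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf

def escape_filter_value(value):
    """RFC 4515 escaping: *, (, ), backslash and NUL become \\xx hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(conf, username):
    """Substitute the escaped login name for %u in ldap_filter."""
    return conf["ldap_filter"].replace("%u", escape_filter_value(username))

def check_conf(conf):
    """Warnings for the three problems the reply points out."""
    warnings = []
    if not re.search(r"[A-Za-z][\w-]*=", conf.get("ldap_filter", "")):
        warnings.append("ldap_filter has no attribute=value term, e.g. (&(cn=%u)(objectclass=user))")
    if conf.get("ldap_auth_method") == "fastbind":
        warnings.append("ldap_auth_method is fastbind; get plain bind working first")
    if not conf.get("ldap_bind_dn"):
        warnings.append("ldap_bind_dn is empty; this AD does not allow anonymous binds")
    return warnings

def ldapsearch_command(conf, username, base):
    """argv for a manual ldapsearch with the bind DN (-W prompts for the password)."""
    return ["ldapsearch", "-x", "-H", conf["ldap_servers"], "-D", conf["ldap_bind_dn"],
            "-W", "-b", base, build_filter(conf, username), "cn"]
```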