From: Morten Olsen (mso at medical-insight dot com)
Date: Tue Mar 23 2004 - 03:21:04 EST
Citat "Wong, G. MR EECS" <Gaylen dot Wong at usma dot edu>:
>
> We are trying to use "saslauthd -a ldap" to autheticate to a Microsoft
> Active Directory Domain controller as
> authentication piece for a Cyrus IMAP server. Our platform is Redhat
> Enterprise AS 3.0.
>
> We are just trying to get saslauthd -a ldap to work for right now.
>
> We start saslauthd with: "saslauthd -a ldap -O
> /usr/local/etc/saslauthd.conf"
>
> Here is our saslauthd.conf:
>
> ------------------------------------------------------------------------
> --------------------------------
> ldap_servers: ldap://129.29.72.130
> ldap_bind_dn:
> cn=imapservice,ou=users,ou=eecs,ou=dean,dc=usma,dc=ds,dc=army,dc=edu
> ldap_password: Jig0Haj|DY
> ldap_version: 3
> ldap_filter: %u
> ldap_auth_method: fastbind
> ------------------------------------------------------------------------
> --------------------------------
>
> Does the bind user have to be a special AD account? (Anonymous binding
> is not allowed for our Microsoft AD domain
> Controller)
AD does not allow simple binds. You need to use Kerberos/GSSAPI (on the server
side) to successfully authenticate against the AD. This means you need to
create a user account and use the ktutil.exe program on the AD server to
extract a key for your server to use.[1] You then need a cron-job which does
regular kinit's in the IMAP server so that you always have a valid Kerberos key
to use for authentication against the AD server.
See for example:
http://www.hut.fi/cc/docs/kerberos/nss_ldap.html
[1] In theory Samba 3 can be used to extract the key without direct access to
the AD server, but I have not tried it, and it probably still need a bit of
programming to work.
Regards, Morten
|
|
|