Re: Cyrus-SASL using LDAP

From: Morten Olsen (mso at medical-insight dot com)
Date: Tue Mar 23 2004 - 03:21:04 EST

  • Next message: Morten Olsen: "Re: Cyrus-SASL using LDAP"

    Quoting "Wong, G. MR EECS" <Gaylen dot Wong at usma dot edu>:

    > We are trying to use "saslauthd -a ldap" to authenticate to a Microsoft
    > Active Directory Domain controller as
    > authentication piece for a Cyrus IMAP server. Our platform is Redhat
    > Enterprise AS 3.0.
    > We are just trying to get saslauthd -a ldap to work for right now.
    > We start saslauthd with: "saslauthd -a ldap -O
    > /usr/local/etc/saslauthd.conf"
    > Here is our saslauthd.conf:
    > ------------------------------------------------------------------------
    > ldap_servers: ldap://
    > ldap_bind_dn: cn=imapservice,ou=users,ou=eecs,ou=dean,dc=usma,dc=ds,dc=army,dc=edu
    > ldap_password: Jig0Haj|DY
    > ldap_version: 3
    > ldap_filter: %u
    > ldap_auth_method: fastbind
    > ------------------------------------------------------------------------
    > Does the bind user have to be a special AD account? (Anonymous binding
    > is not allowed for our Microsoft AD domain
    > Controller)

    AD does not allow simple binds. You need to use Kerberos/GSSAPI (on the server
    side) to successfully authenticate against the AD. This means you need to
    create a user account and use the ktutil.exe program on the AD server to
    extract a key for your server to use.[1] You then need a cron-job which does
    regular kinits on the IMAP server so that you always have a valid Kerberos key
    to use for authentication against the AD server.

    See for example:

    [1] In theory Samba 3 can be used to extract the key without direct access to
    the AD server, but I have not tried it, and it probably still needs a bit of
    programming to work.

    Regards, Morten
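
Added example, not part of the original message and not code from its author or the Cyrus project: a cron-driven script for the regular kinit step described in the reply, using MIT Kerberos `kinit -k -t` and `klist -s`. The keytab path, principal name, credential cache path and cron schedule are assumed placeholders.

```shell
#!/bin/sh
# Keep a Kerberos ticket alive for the IMAP server by re-running kinit from cron.
# Assumed values (not from the original post): keytab path, principal, cache path.
KEYTAB="${KEYTAB:-/etc/imap-service.keytab}"
PRINCIPAL="${PRINCIPAL:-imapservice@EXAMPLE.COM}"
KRB5CCNAME="${KRB5CCNAME:-FILE:/var/run/imap-service.ccache}"
export KRB5CCNAME

# Return 0 only if the keytab exists and grants nothing to group or other.
# A keytab holds the account's long-term key, so treat it like a password file.
keytab_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1   # GNU stat prints e.g. 600
    case "$mode" in
        *00) return 0 ;;                    # 600, 400: owner only
        *)   return 1 ;;                    # 640, 644, ...: refuse
    esac
}

# Get a fresh ticket from the keytab, then confirm the cache holds a valid one.
# Exit codes: 0 ok, 2 unsafe or missing keytab, 3 kinit failed, 4 no valid ticket.
renew_ticket() {
    keytab_is_private "$KEYTAB" || {
        echo "refusing $KEYTAB: missing or group/world accessible" >&2
        return 2
    }
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || {
        echo "kinit failed for $PRINCIPAL" >&2
        return 3
    }
    klist -s || {                           # -s: silent, status 0 if ticket valid
        echo "no valid ticket in $KRB5CCNAME after kinit" >&2
        return 4
    }
    return 0
}

# Cron entry (assumed schedule; pick an interval shorter than the ticket lifetime):
#   0 */4 * * * /usr/local/sbin/renew-imap-ticket.sh run
case "${1:-}" in
    run) renew_ticket ;;
esac
```

A non-zero exit from the `run` invocation makes cron mail the error line, so a revoked key or a loosened keytab mode shows up before the existing ticket expires.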
