Hello Jack

I was in the same situation as you in the past two months. My goal was to authenticate between my FreeBSD mail servers (Cyrus imapd / sendmail) and Active Directory. I found that the best way was to authenticate by KerberosV (by saslauthd -a kerberos5 or -a pam). Now all is working as expected (after really hard work...). After the work was done I've written a small tutorial (until now only in German...:-))). Are you interested?

Regards,

2009/9/14 Jackie Hunt <jackie@xxxxxxxxxxxxxxxxxx>:
> Hi all,
>
> I am trying to get authenticated SMTP running here on campus, and we are
> wanting to authenticate against Active Directory. We are running sendmail,
> and I've been able to get it to work using the UNIX password file. However,
> I'm having trouble when I try to use ldap to authenticate.
>
> I'm working on RedHat ES rel4 with cyrus-sasl 2.1.19. My first question is
> whether or not cyrus-sasl-lib is required for this to work? It's not
> installed on my test box. However, I tried another Linux system we have
> that does have cyrus-sasl-lib installed, and things still don't work. I
> know I'm missing something crucial, so any help would be greatly
> appreciated.
>
> When I run saslauthd -v I see:
>
> saslauthd 2.1.19
> authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
>
> So, I'm assuming it has everything it needs compiled in to do ldap
> authentication.
>
> I then edited the /etc/sysconfig/saslauthd file, and changed the MECH=pam
> line to MECH=ldap.
>
> Then I created a /etc/saslauthd.conf file with the contents:
>
> ldap_servers: ldap://129.82.xxx.xxx/
> ldap_bind_dn: cn=xxxxx,ou=xxxxxxxxxxx,dc=ColoState,dc=edu
> ldap_password: xxxxxxxx
> ldap_filter: (sAMAccountName=%u)
> ldap_search_base: dc=colostate,dc=edu
> ldap_auth_method: bind
>
> Then I start saslauthd with the following command:
>
> /usr/sbin/saslauthd -a ldap -d -O /etc/saslauthd.conf
>
> Then I run a command to test it:
>
> /usr/sbin/testsaslauthd -u jackie -p xxxxx
>
> And the output I see is:
>
> saslauthd[8045] :main : num_procs : 5
> saslauthd[8045] :main : mech_option: /etc/saslauthd.conf
> saslauthd[8045] :main : run_path : /var/run/saslauthd
> saslauthd[8045] :main : auth_mech : ldap
> saslauthd[8045] :ipc_init : using accept lock file: /var/run/saslauthd/mux.accept
> saslauthd[8045] :detach_tty : master pid is: 0
> saslauthd[8045] :ipc_init : listening on socket: /var/run/saslauthd/mux
> saslauthd[8045] :main : using process model
> saslauthd[8046] :get_accept_lock : acquired accept lock
> saslauthd[8045] :have_baby : forked child: 8046
> saslauthd[8045] :have_baby : forked child: 8047
> saslauthd[8045] :have_baby : forked child: 8048
> saslauthd[8045] :have_baby : forked child: 8049
> saslauthd[8046] :rel_accept_lock : released accept lock
> saslauthd[8047] :get_accept_lock : acquired accept lock
> saslauthd[8046] :do_auth : auth failure: [user=jackie] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
> saslauthd[8046] :do_request : response: NO
> saslauthd[8047] :rel_accept_lock : released accept lock
>
> I don't see where it is trying to authenticate as the ldap_bind I specified
> in the configuration file. Should it do that first?
>
> I would really appreciate any help. I've been struggling with this for
> several days.
>
> Thanks so much!
>
> Jackie Hunt
> Colorado State University
>

--
Martin Schweizer
schweizer.martin@xxxxxxxxx
Tel.: +41 32 512 48 54 (VoIP)
Fax: +1 619 3300587
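Because the debug output in the quoted message only reports `reason=Unknown`, a quick offline sanity check of the saslauthd.conf options the `bind` method relies on, and of how the login name is substituted into `ldap_filter`, is useful before looking at the directory side. The following is an added example in Python; it is not code from this thread or from cyrus-sasl, and the server name, bind DN and password in it are constructed placeholders.

```python
# Constructed sample in the same shape as the quoted /etc/saslauthd.conf
# (placeholder host, DN and password; not a real deployment).
SAMPLE_CONF = """\
ldap_servers: ldap://dc.example.edu/
ldap_bind_dn: cn=saslbind,ou=service,dc=example,dc=edu
ldap_password: placeholder
ldap_filter: (sAMAccountName=%u)
ldap_search_base: dc=example,dc=edu
ldap_auth_method: bind
"""

def parse_saslauthd_conf(text):
    """Parse 'key: value' lines; blank lines and '#' comments are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip()] = value.strip()
    return opts

def check_bind_options(opts):
    """List problems that stop the 'bind' method from working (empty list = OK)."""
    problems = []
    for key in ("ldap_servers", "ldap_search_base", "ldap_filter"):
        if key not in opts:
            problems.append(f"missing {key}")
    if "ldap_bind_dn" in opts and "ldap_password" not in opts:
        problems.append("ldap_bind_dn set without ldap_password")
    if "%u" not in opts.get("ldap_filter", ""):
        problems.append("ldap_filter does not contain %u, so the search does not depend on the user")
    return problems

def escape_filter_value(value):
    """RFC 4515 escaping: a login name must not be able to change the filter structure."""
    special = {"*", "(", ")", "\\", "\x00"}
    return "".join(f"\\{ord(c):02x}" if c in special else c for c in value)

def build_search_filter(opts, user, realm=""):
    """Substitute %u (user) and %r (realm) into ldap_filter with escaped values."""
    flt = opts["ldap_filter"]
    return flt.replace("%u", escape_filter_value(user)).replace("%r", escape_filter_value(realm))
```

Run `check_bind_options(parse_saslauthd_conf(open("/etc/saslauthd.conf").read()))` against the real file; the search filter it prints for a test user is what to try by hand with ldapsearch using the service bind DN.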