Re: cyrus mailbox authentication changing from NIS to LDAP

Using Linux you can run authconfig with the varying options to enable sssd with the appropriate settings.

THIS IS ONLY AN EXAMPLE; YOU'LL WANT TO TAKE APPROPRIATE SECURITY MEASURES SUCH AS TLS ETC., but you can test this way first.

I.e.:
authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldapauth --ldapserver=ldap://ldap.example.com:389 --disableldaptls --ldapbasedn=dc=example,dc=com --enablerfc2307bis --enablemkhomedir --enablecachecreds --update

Or you can directly edit your sssd config /etc/sssd/sssd.conf:

[sssd]
domains = default, LDAP
services = nss, pam, autofs
config_file_version = 2

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/LDAP]
#debug_level = 9
ldap_tls_reqcert = never
auth_provider = ldap
id_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
cache_credentials = false
enumerate = False

Verify that PAM actually uses SSSD:

By enabling debug_level in the above file, you can also look at the /var/log/sssd files for more details on where (if anywhere) auth is failing.

[root@postoffice ~]# more /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so


You should be set.
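As an added example (not part of either list post), here is a small POSIX shell audit that flags the test-only settings the reply itself warns about (plain ldap:// without TLS, ldap_tls_reqcert = never) and confirms that a PAM stack hands its auth and account phases to pam_sss.so, which is the chain saslauthd's MECH=pam relies on. The sample configs, including the CA certificate path in the hardened variant, are constructed; the option names are standard sssd.conf keys.

```shell
#!/bin/sh
# Added example (not from either list post): audit an sssd.conf for the
# test-only LDAP settings the reply warns about, and confirm a PAM stack
# hands the auth and account phases to pam_sss.so. Samples are constructed.

# Drop comments/blank lines and normalise "key = value" to "key=value".
sssd_kv() { sed -e 's/#.*//' -e 's/[[:space:]]*=[[:space:]]*/=/' -e '/^[[:space:]]*$/d' "$1"; }

# Exit 0 when no test-only setting is present, 1 otherwise; one line per finding.
sssd_ldap_audit() {
    kv=$(sssd_kv "$1"); rc=0
    if printf '%s\n' "$kv" | grep -qi '^ldap_tls_reqcert=never'; then
        echo "FINDING: ldap_tls_reqcert=never (server certificate is never verified)"; rc=1
    fi
    if printf '%s\n' "$kv" | grep -q '^ldap_uri=ldap://' &&
       ! printf '%s\n' "$kv" | grep -qi '^ldap_id_use_start_tls=true'; then
        echo "FINDING: ldap:// URI without ldap_id_use_start_tls (identity lookups unencrypted)"; rc=1
    fi
    if printf '%s\n' "$kv" | grep -qi '^ldap_auth_disable_tls_never_use_in_production=true'; then
        echo "FINDING: TLS disabled for authentication binds (passwords cross the wire in clear)"; rc=1
    fi
    return $rc
}

# Exit 0 when both the auth and account phases reference pam_sss.so.
pam_uses_sss() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_sss\.so' "$1" &&
    grep -Eq '^[[:space:]]*account[[:space:]].*pam_sss\.so' "$1"
}

# Constructed samples: the reply's test-only domain, a hardened variant, two PAM stacks.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/test.conf" <<'EOF'
[domain/LDAP]
ldap_tls_reqcert = never
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
EOF
cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
[domain/LDAP]
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/ca.crt
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
EOF
printf 'auth sufficient pam_sss.so forward_pass\naccount required pam_sss.so\n' > "$SAMPLE_DIR/sss.pam"
printf 'auth sufficient pam_unix.so\naccount required pam_unix.so\n' > "$SAMPLE_DIR/nis.pam"

sssd_ldap_audit "$SAMPLE_DIR/test.conf" || echo "test.conf is not production-ready"
pam_uses_sss "$SAMPLE_DIR/sss.pam" && echo "system-auth routes to SSSD"
```

Run it against the real /etc/sssd/sssd.conf and /etc/pam.d/system-auth once the test setup works; a clean audit plus a passing pam_uses_sss is the state to reach before pointing saslauthd at it.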



On Sep 18, 2015, at 7:48 AM, Sunny <ssn@xxxxxxxxx> wrote:

Hi,

I've inherited a cyrus mail server and I'm currently learning how it's set up, and would like some advice on changing from NIS to LDAP authentication.

At the moment, the imap server uses NIS to authenticate ssh connections and, I believe, to also authenticate users to their mailboxes.

imapd.conf
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN

/etc/sysconfig/saslauthd
MECH=pam

From the above output I believe that cyrus will use the pam service to look up authentication information to authenticate a user's cyrus mailbox.

I want the imap server to use LDAP (via sssd) for ssh authentication and authenticating users to their mailboxes.

If I configure the mail server to use sssd (and also stop NIS) and update /etc/pam.d/system-auth with the required pam_sss.so entries, does anyone know, or have experience of, whether this change will allow users to authenticate to their mailboxes using LDAP?

Regards


----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
