It seemed like it would be a good idea to use the existing Active Directory DC as the LDAP source for all mail users.
I got cyrus (3.2.6 from Buster backports) running using saslauthd for authentication against the directory, and test users could authenticate OK and see their mailbox in Thunderbird. relevant entires in imapd.conf:
allowplaintext: yes
sasl_mech_list: PLAIN
sasl_pwcheck_method: saslauthd
Because I want to use some groups for shared folders and distribution lists, I also want to authorize users and groups against the directory so enabled:
auth_mech: pts
pts_module: ldap
ptloader_sock: var/lib/cyrus/ptclient/ptsock
ldap_uri: ldaps:/companydomaincontroller:636
ldap_bind_dn: a cn that works in other binds
ldap_password: the password for above
ldap_sasl: 0
ldap_version: 3
ldap_ca_dir: /etc/ssl/certs (which is where the ca cert that works with saslauthd resides)
ldap_verify_peer: 1
ldap_base: base that other binds can successfully find users from
ldap_scope: sub
ldap_filter: (sAMAccountName=%u) (I have tried more complex filters and decided on this as one that should work)
ldap_user_attribute: mail
ldap_size_limit: 1024
I have commented out the group member stuff for now, need to walk before I can run!
With these options enabled, no one can authenticate, even though my understanding is that authentication is distinct from authorization. Thunderbird users can no longer login and imtest for user cyrus (which is in the directory) gives the same output up to a line :
C: A01 AUTHENTICATE PLAIN {a hash}
S: A01 NO authentication failure
Authentication failed. generic failure
Security strength factor: 256
(the SSF is reported the same, but I have for now only asked for level 0)
In /var/log/syslog I find the following lines:
cyrus/ptloader[8230]: ldap_initialize failed (ldaps:/DC:636)
cyrus/imap[8229]: timeout_select exiting. r = 1; errno = 0
cyrus/imap[8229]: timeout_select: sock = 11, rp = 0x7ffecbb6ad30, wp = 0x0, sec = 30
cyrus/imap[8229]: timeout_select exiting. r = 1; errno = 0
cyrus/imap[8229]: ptload read data back
cyrus/imap[8229]: ptload(): bad response from ptloader server: ptsmodule_connect() failed
cyrus/imap[8229]: No data available at all from ptload()
cyrus/imap[8229]: ptload completely failed: unable to canonify identifer: cyrus
cyrus/imap[8229]: SASL bad userid authenticated
cyrus/imap[8229]: badlogin: localhost [::1] PLAIN (-notset-) [SASL(-6): can't request information until later in exchange: Information that was requested is not yet available.]
I have been searching for answers for days and at one point found a reference that claimed ptsloader is not enabled by default in Debian, so I have downloaded the source package and compiled cyrus-imaps using a configure script based on the Debain default config options with some extra options: --with-auth=pts --with-pts=ldap and --with-ldap
This has made no difference.
I have also downlaoded the 3.4.1 source package from experimental and compiled with the same options ands still no difference to behaviour so suspect this is a red herring?
So why is ptloader not retrieving any data?
The ldap_bind credentials I have given it work fine with saslauthd or postfix or ldapsearch.
Presumably then my filter and user attributes are bad? But I can't see why.
What is the order of operations within cyrus?
I assume that it authenticates first using saslauthd, and then uses the same username to check authorization in pts, but enabling PTS seems to prevent authentication. Although in syslog it is suggesting that SASL has authenticated, but with a bad userid?
The windows DC uses a directory migrated from an older one on a small business server where microsoft recommended using an internal .local domain which has always been a bit of a headache for me. This means that our search base is a DC=local, as are the bind DN and userPrincipleName, but the mail and proxyAddresses email addresses are all .com
Is the problem related to this? do I need to enable virtual domains and/or cross realm authentication for ptloader to get a response from the server?
Is there any way to call ptloader outside of master to try to work out exactly what is being passed and what result it achieves?
Also, how does ptdump work? I get no indication that it has done anything, is this simply because ptloader has never yet obtained any data for it to dump?
As for checking the LDAP server logs, if anyone knows how I can do this on windows 2012 please advise! Looking at directory services in event viewer I see very few entries and nothing relating to communication from my mail server. I assume I need to enable a different log level but I can't find out how or what.
All the examples I can find are based on openldap installations, is what I am trying to do possible, or are the Active Directory schema completely incompatible with ptloader?
Jim Wallis
