Re: [Marketing Mail] Re: LDAP authentication and authorization using Debian and Active Directory

Just a final follow up in case anyone finds this thread useful in future.
I have had no joy getting ptloader to use a TLS connection to my LDAP server, even though saslauthd, the openldap tools, postfix and even Symantec Messaging Gateway are all able to connect to it by TLS.
Having established that ptloader only searches the directory to identify user names and group membership and does not pass any user passwords, only its own bind password, and because it is on the same physical LAN as the directory server (Windows PDC), I have just given it a restricted bind id and password which will be sent in the clear over the LAN. It is not perfect, but if an attacker is already on our LAN they probably have wide open access to everything already. I just hope the account is restricted enough not to be able to do any damage.
Once ptloader works out the authorization for the ID, it passes control back to cyrus, which uses saslauthd (in my setup) to check the password (authenticate) over a TLS encrypted connection, so the user password is always hidden (client connections to cyrus are also TLS encrypted).

I did have a little trouble getting groups to work properly for shared folder ACLs, until I realised that my LDAP group filter line in imapd.conf didn't actually have anything to return; it should of course return the group name. In my setup the 'cn', 'name' and 'sAMAccountName' attributes all have the value I need; I chose to match 'cn' to avoid confusion with users.
ldap_group_filter: (&(objectClass=group)(!(groupType=2147483656))(!(groupType=2147483652))(cn=%u))

I had some more trouble with old group ACLs where the groups were known with mixed-case names. I had to temporarily disable it with usernames_tolower: 0 (defaults to 1) in order to delete the old ACLs (not strictly necessary, but untidy to just leave them) and create new ones for the all-lowercase group names.

Thanks again everyone.
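As an added example (not code from the thread or from Cyrus), here is a small Python model of the two groupType values that filter excludes and of how the filter selects a group for a given %u. The group entries are constructed; the flag values are Microsoft's documented groupType bits.

```python
"""Decode Active Directory groupType and apply the ldap_group_filter from the
post: (&(objectClass=group)(!(groupType=2147483656))(!(groupType=2147483652))(cn=%u))"""

# groupType bit flags as documented by Microsoft
GROUP_GLOBAL = 0x00000002
GROUP_DOMAIN_LOCAL = 0x00000004
GROUP_UNIVERSAL = 0x00000008
GROUP_SECURITY_ENABLED = 0x80000000

# The two values the filter negates: 0x80000008 and 0x80000004, i.e.
# security-enabled universal groups and security-enabled domain-local groups.
EXCLUDED_GROUP_TYPES = {2147483656, 2147483652}


def describe_group_type(value):
    """Return (scope, security_enabled). AD stores groupType as a signed 32-bit
    integer, so normalise negative values before testing the bits."""
    v = value & 0xFFFFFFFF
    if v & GROUP_GLOBAL:
        scope = "global"
    elif v & GROUP_DOMAIN_LOCAL:
        scope = "domain-local"
    elif v & GROUP_UNIVERSAL:
        scope = "universal"
    else:
        scope = "unknown"
    return scope, bool(v & GROUP_SECURITY_ENABLED)


def matches_group_filter(entry, username):
    """Evaluate the post's filter against one entry (a dict of attributes)."""
    if "group" not in entry.get("objectClass", []):
        return False
    group_type = entry.get("groupType")
    if group_type is not None and (group_type & 0xFFFFFFFF) in EXCLUDED_GROUP_TYPES:
        return False
    # AD's cn attribute uses a case-insensitive matching rule, so the LDAP
    # lookup succeeds for a lowercased %u; the mixed-case name only survives
    # in ACLs that Cyrus stored before usernames_tolower was in effect.
    return entry.get("cn", "").lower() == username.lower()


# Constructed sample entries, not taken from any real directory.
SAMPLE_GROUPS = [
    {"objectClass": ["top", "group"], "cn": "Mail-Users", "groupType": -2147483646},
    {"objectClass": ["top", "group"], "cn": "AllStaff", "groupType": 2147483656},
    {"objectClass": ["top", "group"], "cn": "helpdesk", "groupType": -2147483644},
    {"objectClass": ["top", "group"], "cn": "newsletter", "groupType": 8},
]


def matching_groups(entries, username):
    """Return the cn of every entry the filter would return for %u."""
    return [e["cn"] for e in entries if matches_group_filter(e, username)]
```

Running matching_groups over SAMPLE_GROUPS with "mail-users" returns the global security group, while "allstaff" and "helpdesk" return nothing because their groupType values are the two excluded ones.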
