Hi Denis,
I have a working configuration of Cyrus IMAP 3.4.6 that is relying on saslauthd in order to authenticate our users with our LDAP directory.
Our servers' OS is RHEL 8 but this should work with other Linux flavors. I do not use the pam mechanism with saslauthd but the ldap mechanism.
My saslauthd.cong file contains those four directives :
- ldap_servers: ldaps://ldap.server.fqdn
- ldap_search_base : the root DN of our LDAP directory ; you may restrict your searches to the branch that contains your users' entries,
- ldap_filter : the search filter that is used in order to find an user'sentry. A simple example could be (uid=%U) where %U is replaced by the user portion of the login by saslauthd. You adapt your filter to your directory's schema and may need to use other tokens than %U. The tokens are documented in the file named LDAP_SASLAUTHD that comes with cyrus-sasl. For instance I am also using the %r token in order to also use the realm in my LDAP filter.
- ldap_tls_cert_file : the path to a file that contains a bundle of CA certificates that can be used to check the LDAP server's certificate signature.
On our servers, saslauthd is run with those options :
-m /run/saslauthd - a ldap -c -t 300 -O /etc/saslauthd.conf
On RHEL, this is configured in /etc/sysconfic/saslauthd where I have set those 2 variables :
MECH=ldapFLAGS="-c -t 300 -O /etc/saslauthd.conf"
You may have to adapt this configuratoin for you OS.
As for Cyrus IMAP I have set these 3 directives in order to authenticate from our LDAP directory with the PLAIN mechanism on a TLS encrypted connection :
sasl_pwcheck_method : saslauthdsasl_mech_list: PLAINallowplaintext: no
I hope that this will help you.
Regards
