Re: LDAP authentication and authorization using Debian and Active Directory - how about kerberos

Hello,

when I was setting up authentication against AD (on-premise), I found out that it is much easier to use PAM & Kerberos for authentication.

cyrus -> saslauthd -> pam

/etc/pam.d/imap|pop|sieve|smtp|lmtp  contains:

account required        pam_krb5.so
auth    required        pam_krb5.so

And /etc/krb5.conf contains just:
[libdefaults]
       default_realm = REALM

[realms]
       REALM = {
               kdc = 192.168.x.y   # IP address of domain controller
       }

Check with kinit if you can log in, and that's it.

Of course this may not be enough if you want to allow only some groups to log in or check some LDAP attributes. I did it separately, so that login works for anyone who can log in, but mailboxes are created by a script that does ldapsearch with whatever complex condition may be desired (no autocreate of mailboxes).

Or use pam_ldap for "account" and pam_krb5 for "auth".

Or if groups are required for some reason, set up samba as a domain member, and use libnss_winbind to propagate them to the system.

--
Best regards
Vladislav Kurz
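As an added example (not from Vladislav's post), a small POSIX shell script that renders the minimal krb5.conf and PAM stack described above into a staging directory and sanity-checks them before they are copied to /etc; EXAMPLE.COM and 192.0.2.10 are placeholders, and the live check only wraps the kinit test the post recommends.

```shell
#!/bin/sh
# Added example: stage and verify the krb5.conf + pam_krb5 setup from the post.
# Realm and KDC values are placeholders, not taken from any real deployment.

render_krb5_conf() {  # $1 = realm, $2 = KDC address (the domain controller)
    printf '[libdefaults]\n\tdefault_realm = %s\n\n[realms]\n\t%s = {\n\t\tkdc = %s\n\t}\n' "$1" "$1" "$2"
}

render_pam_stack() {
    # saslauthd -a pam uses the service name cyrus passes (imap, pop, sieve, smtp, lmtp)
    printf 'account required        pam_krb5.so\nauth    required        pam_krb5.so\n'
}

# Succeeds when a PAM service file has an auth line using pam_krb5 and an
# account line using pam_krb5 or pam_ldap (the two variants the post describes)
check_pam_stack() {
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_krb5\.so' "$1" &&
    grep -Eq '^account[[:space:]]+required[[:space:]]+(pam_krb5|pam_ldap)\.so' "$1"
}

# Succeeds when default_realm also has a [realms] block that names a kdc
check_krb5_conf() {
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n1)
    [ -n "$realm" ] || return 1
    awk -v r="$realm" '
        /^[[:space:]]*\[realms\]/ { in_realms=1; next }
        /^[[:space:]]*\[/         { in_realms=0 }
        in_realms && $1 == r && $2 == "=" && $3 == "{" { in_block=1; next }
        in_block && $1 == "kdc" && $2 == "=" && $3 != "" { found=1 }
        in_block && /}/          { in_block=0 }
        END { exit found ? 0 : 1 }' "$1"
}

# Write krb5.conf and one PAM file per cyrus service into $1, then verify them
stage_configs() {  # $1 = staging dir, $2 = realm, $3 = KDC address
    mkdir -p "$1/pam.d"
    render_krb5_conf "$2" "$3" > "$1/krb5.conf"
    for svc in imap pop sieve smtp lmtp; do
        render_pam_stack > "$1/pam.d/$svc"
    done
    check_krb5_conf "$1/krb5.conf" && check_pam_stack "$1/pam.d/imap"
}

# Live check from the post: obtain a ticket for a principal and list it
live_check() {  # $1 = principal, e.g. alice@EXAMPLE.COM (placeholder)
    kinit "$1" && klist
}
```

Run `stage_configs /tmp/krb-stage EXAMPLE.COM 192.0.2.10` first; only once the checks pass and `live_check` gets a ticket should the files be moved into place.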

On 13. 03. 24 at 15:07, denis via Info wrote:
Hi Jwallis

I am facing the same issues as yours, although not exactly. I also believe that in the near future Microsoft will force us to use ldaps, so I am trying to get Cyrus-imap authentication with Windows 2022 AD over ldaps.

The only difference from you is that I don't need ptloader; I don't need groups information. I only need user authentication.

Currently I managed to set up in the lab a working cyrus-imap which authenticates through Windows 2022 AD over ldap (not secured, and I could see the password in plain text).

I imported the CA certificate and updated the local trusted stores.

Executed the following command:

ldapwhoami -ZZ -H ldap://dnsservername -D "CN=xxxxx,CN=Users,DC=xxxxxxx,DC=xxx" -W

and I got the proper reply, which indicates that the AD is accepting connections on the LDAPS port and the CA was properly imported.

I believe something is related to the configuration in the /etc/saslauthd.conf file.

Do you have a typical /etc/saslauthd.conf file which permits authentication over LDAPS please?


Thanks

Denis






------------------------------------------
Cyrus: Info
Permalink: https://cyrus.topicbox.com/groups/info/T9855023db56cbe6b-M09a6dbdcbe05b579fb65182f
Delivery options: https://cyrus.topicbox.com/groups/info/subscription