Re: [Marketing Mail] Re: LDAP authentication and authorization using Debian and Active Directory

Hi there
I've been copying users' mailboxes via IMAP from Office365 using Azure AD (now Microsoft Entra), and needed imapsync's XOAUTH2 code for that in order to obtain a Bearer token with the admin's cooperation.
In order to run your own Cyrus IMAP repo and authenticate against AD I think you're going to need something like https://github.com/moriyoshi/cyrus-sasl-xoauth2; I haven't tried it yet though. Maybe a self-hosted AD doesn't require OAUTH2, as opposed to Azure.
Best regards
Carlos


On Thu, Mar 14, 2024 at 10:12 AM Stéphane Gaubert <s.gaubert@xxxxxxxx> wrote:
Hi Denis,

I have a working configuration of Cyrus IMAP 3.4.6 that is relying on saslauthd in order to authenticate our users with our LDAP directory.

Our servers' OS is RHEL 8 but this should work with other Linux flavors. I do not use the pam mechanism with saslauthd but the ldap mechanism.

My saslauthd.conf file contains these four directives:
  - ldap_servers: ldaps://ldap.server.fqdn
  - ldap_search_base: the root DN of our LDAP directory; you may restrict your searches to the branch that contains your users' entries,
  - ldap_filter: the search filter that is used in order to find a user's entry. A simple example could be (uid=%U) where %U is replaced by the user portion of the login by saslauthd. You adapt your filter to your directory's schema and may need to use other tokens than %U. The tokens are documented in the file named LDAP_SASLAUTHD that comes with cyrus-sasl. For instance I am also using the %r token in order to also use the realm in my LDAP filter.
  - ldap_tls_cert_file: the path to a file that contains a bundle of CA certificates that can be used to check the LDAP server's certificate signature.

On our servers, saslauthd is run with those options :

-m /run/saslauthd -a ldap -c -t 300 -O /etc/saslauthd.conf

On RHEL, this is configured in /etc/sysconfig/saslauthd where I have set those 2 variables:

MECH=ldap
FLAGS="-c -t 300 -O /etc/saslauthd.conf"

You may have to adapt this configuration for your OS.

As for Cyrus IMAP I have set these 3 directives in order to authenticate from our LDAP directory with the PLAIN mechanism on a TLS encrypted connection:

sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
allowplaintext: no

I hope that this will help you.

Regards
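To make the ldap_filter token expansion described above concrete, here is an added Python model (not saslauthd's own code) of how a template such as (uid=%U) or (&(uid=%U)(o=%r)) is turned into a filter for a given login. The meanings of %u, %d, %s and %% are assumed from the LDAP_SASLAUTHD file; each substituted value is RFC 4515-escaped so that unusual characters in a login cannot change the structure of the filter sent to the directory.

```python
import re

# RFC 4515 escaping for values embedded in an LDAP search filter.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape a single value so it is matched literally inside a filter."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, login: str, realm: str = '', service: str = 'imap') -> str:
    """Expand saslauthd-style tokens in an ldap_filter template.

    Token meanings (assumed from the LDAP_SASLAUTHD documentation):
      %u  the whole login as sent by the client
      %U  user portion of the login (before '@'; whole login if no '@')
      %d  domain portion of the login (after '@'; empty if none)
      %r  realm, %s service name, %% a literal '%'
    This is an illustrative model, not the daemon's implementation.
    """
    user, _, domain = login.partition('@')
    tokens = {'u': login, 'U': user, 'd': domain, 'r': realm, 's': service}

    def repl(match: re.Match) -> str:
        tok = match.group(1)
        if tok == '%':
            return '%'
        if tok not in tokens:
            raise ValueError(f'unknown ldap_filter token %{tok}')
        return escape_filter_value(tokens[tok])

    return re.sub(r'%(.)', repl, template)
```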
