<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><br class=""></div>
<div class="">Using Linux, you can run authconfig with the varying options to enable sssd with the appropriate settings.</div>
<div class=""><br class=""></div>
<div class="">THIS IS ONLY AN EXAMPLE. YOU'LL WANT TO TAKE APPROPRIATE SECURITY MEASURES SUCH AS TLS, ETC., but you can test this way first.</div>
<div class=""><br class=""></div>
<div class="">i.e.:</div>
<div class="">authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldapauth --ldapserver=<a href="ldap://ldap.example.com:389" class="">ldap://ldap.example.com:389</a> --disableldaptls --ldapbasedn=dc=example,dc=com --enablerfc2307bis --enablemkhomedir --enablecachecreds --update</div>
<div class=""><br class=""></div>
<div class="">Or you can directly edit your sssd config, /etc/sssd/sssd.conf:</div>
<div class=""><br class=""></div>
<div class="">[sssd]<br class="">
domains = default, LDAP<br class="">
services = nss, pam, autofs<br class="">
config_file_version = 2<br class="">
<br class="">
[nss]<br class="">
filter_groups = root<br class="">
filter_users = root<br class="">
<br class="">
[pam]<br class="">
<br class="">
[domain/LDAP]<br class="">
#debug_level = 9<br class="">
ldap_tls_reqcert = never<br class="">
auth_provider = ldap<br class="">
id_provider = ldap<br class="">
chpass_provider = ldap<br class="">
ldap_schema = rfc2307bis<br class="">
ldap_uri = <a href="ldap://ldap.example.com" class="">ldap://ldap.example.com</a><br class="">
ldap_search_base = dc=example,dc=com<br class="">
cache_credentials = false<br class="">
enumerate = False<br class="">
<br class="">
Verify that PAM actually uses SSSD:</div>
<div class=""><br class=""></div>
<div class="">By enabling debug_level in the above file you can also look at the /var/log/sssd files for more details on where (if any) auth is failing.</div>
<div class=""><br class=""></div>
<div class="">[root@postoffice ~]# more /etc/pam.d/system-auth<br class="">
#%PAM-1.0<br class="">
# This file is auto-generated.<br class="">
# User changes will be destroyed the next time authconfig is run.<br class="">
auth required pam_env.so<br class="">
auth sufficient pam_fprintd.so<br class="">
auth [default=1 success=ok] pam_localuser.so<br class="">
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass<br class="">
auth requisite pam_succeed_if.so uid &gt;= 1000 quiet_success<br class="">
auth sufficient pam_sss.so forward_pass<br class="">
auth required pam_deny.so<br class="">
<br class="">
account required pam_unix.so broken_shadow<br class="">
account sufficient pam_localuser.so<br class="">
account sufficient pam_succeed_if.so uid &lt; 1000 quiet<br class="">
account [default=bad success=ok user_unknown=ignore] pam_sss.so<br class="">
account required pam_permit.so<br class="">
<br class="">
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=<br class="">
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok<br class="">
password sufficient pam_sss.so use_authtok<br class="">
password required pam_deny.so<br class="">
<br class="">
session optional pam_keyinit.so revoke<br class="">
session required pam_limits.so<br class="">
-session optional pam_systemd.so<br class="">
session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022<br class="">
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid<br class="">
session required pam_unix.so<br class="">
session optional pam_sss.so<br class="">
<br class=""></div>
<div class=""><br class=""></div>
<div class="">You should be set.</div>
<div class=""><br class=""></div>
<div class=""><br class=""></div>
<div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Sep 18, 2015, at 7:48 AM, Sunny &lt;<a href="mailto:ssn@ebi.ac.uk" class="">ssn@ebi.ac.uk</a>&gt; 
wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="content-type" content="text/html; charset=utf-8" class="">
<div text="#000000" bgcolor="#FFFFFF" class="">
Hi, <br class="">
<br class="">
I've inherited a cyrus mail server and I'm currently learning how
it's set up and would like some advice on changing from NIS to LDAP
authentication.<br class="">
<br class="">
At the moment, the imap server uses NIS to authenticate ssh
connections and I believe to also authenticate users to their
mailboxes.<br class="">
<br class="">
imapd.conf<br class="">
sasl_pwcheck_method: <b class="">saslauthd</b><br class="">
sasl_mech_list: PLAIN<br class="">
<br class="">
/etc/sysconfig/saslauthd <br class="">
MECH=<b class="">pam</b><br class="">
<br class="">
From the above output I believe that cyrus will use the pam service
to look up authentication information to authenticate a user's cyrus
mailbox.<br class="">
<br class="">
I want the imap server to use LDAP (via sssd) for ssh authentication
and authenticating users to their mailboxes.<br class="">
<br class="">
If I configure the mail server to use sssd (also stop NIS) and
update /etc/pam.d/system-auth with the required pam_sss.so entries,
does anyone know or have experience if this change will allow users
to authenticate to their mailboxes using LDAP?<br class="">
<br class="">
Regards<br class="">
<br class="">
<br class="">
</div>
----<br class="">Cyrus Home Page: <a href="http://www.cyrusimap.org/" class="">http://www.cyrusimap.org/</a><br class="">List Archives/Info: <a href="http://lists.andrew.cmu.edu/pipermail/info-cyrus/" class="">http://lists.andrew.cmu.edu/pipermail/info-cyrus/</a><br class="">To Unsubscribe:<br class=""><a href="https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus" class="">https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus</a></div></blockquote></div><br class=""></div></body></html>
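<div class=""><br class=""></div>
<div class="">Added example, not part of the original message and not code from sssd, authconfig or cyrus: a small Python script that checks the two things the reply above leaves to the reader. First, that every PAM management group in a system-auth style file actually reaches pam_sss.so before a pam_deny.so would have terminated the stack (the "verify that PAM actually uses SSSD" step). Second, that the sssd.conf LDAP domain is not still carrying the test-only settings from the example (an ldap:// URI with no ldap_id_use_start_tls, and ldap_tls_reqcert = never, which skips server certificate verification). The sample PAM stack and sssd.conf below are constructed inline from the configurations quoted in the reply.</div>

```python
"""Check that a pam.d service file hands authentication to pam_sss.so and that an
sssd.conf LDAP domain is not configured for cleartext or unverified LDAP.
Added example; not part of the original post or of the sssd/cyrus projects."""
import configparser
import re

# Constructed sample: the system-auth stack quoted in the reply.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_fprintd.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
"""

# Constructed sample: the test-only sssd.conf domain from the reply (no TLS, no cert check).
SAMPLE_SSSD_CONF = """\
[sssd]
domains = default, LDAP
services = nss, pam, autofs
config_file_version = 2

[domain/LDAP]
#debug_level = 9
ldap_tls_reqcert = never
auth_provider = ldap
id_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
cache_credentials = false
enumerate = False
"""

PAM_GROUPS = ("auth", "account", "password", "session")

# type, control (one word or a [bracketed] action list), module, optional args;
# a leading '-' marks a module whose absence should be silently ignored.
PAM_LINE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)


def parse_pam(text):
    """Parse a pam.d service file into (type, control, module, args) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        args = (m.group("args") or "").split()
        entries.append((m.group("type"), m.group("control"), m.group("module"), args))
    return entries


def groups_missing_sss(entries):
    """Management groups that never consult pam_sss.so, or consult it only after
    a pam_deny.so that would already have ended the stack."""
    first_sss, first_deny = {}, {}
    for i, (t, _control, module, _args) in enumerate(entries):
        if module == "pam_sss.so":
            first_sss.setdefault(t, i)
        elif module == "pam_deny.so":
            first_deny.setdefault(t, i)
    return [t for t in PAM_GROUPS
            if t not in first_sss or first_sss[t] > first_deny.get(t, float("inf"))]


def sssd_tls_findings(text):
    """Flag sssd.conf LDAP domains that look up identities in the clear or skip
    server certificate verification (the settings the reply marks as test-only)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        if d.get("ldap_uri", "").startswith("ldap://") and \
                d.get("ldap_id_use_start_tls", "false").lower() != "true":
            findings.append(f"{section}: ldap:// URI without ldap_id_use_start_tls")
        reqcert = d.get("ldap_tls_reqcert", "hard").lower()
        if reqcert in ("never", "allow"):
            findings.append(f"{section}: ldap_tls_reqcert = {reqcert} skips certificate verification")
    return findings


if __name__ == "__main__":
    missing = groups_missing_sss(parse_pam(SAMPLE_SYSTEM_AUTH))
    print("PAM groups not reaching pam_sss.so:", missing or "none")
    for finding in sssd_tls_findings(SAMPLE_SSSD_CONF):
        print("sssd.conf:", finding)
```

<div class="">To run it against a real host, read /etc/pam.d/system-auth and /etc/sssd/sssd.conf into the two functions instead of the inline samples. On the sample input every group reaches pam_sss.so, and the sssd.conf domain produces two findings, which is exactly the state the reply describes as fine for a first test but not for production.</div>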