Issues while integrating with Microsoft Active Directory

Dan White dwhite at
Sun May 2 14:12:55 EDT 2010

On 02/05/10 14:34 +0200, Michael Ströder wrote:
>Dan White wrote:
>> ldap_servers: ldap://
>> ldap_use_sasl: yes
>> ldap_mech: DIGEST-MD5
>> Assuming you can figure out how to do an LDAP sasl bind against Active
>> Directory, which I haven't been able to do with a non GSSAPI sasl mech.
>It's definitely possible to do LDAP SASL bind with DIGEST-MD5 with MS AD. But
>my own tests showed that for some reason you have to
>1. use the host name instead of an IP address and
>2. make sure that there are correct PTR RRs in DNS for your MS AD DC.

Yes, that works for me. If I use our internal DNS server, which resides on
the Active Directory host, then I can bind and authenticate.

Using either the hostname or the IP in the ldap_servers line works for me,
probably because we have both A and PTR records configured.

Dan White

More information about the Cyrus-sasl mailing list