Enabling cyrus-sasl for gssapi
Quanah Gibson-Mount
quanah at symas.com
Mon Dec 11 17:02:49 EST 2017
--On Monday, December 11, 2017 3:48 PM -0600 Dan White <dwhite at olp.net>
wrote:
> On 12/11/17 15:46 -0500, Mark Foley wrote:
>> I would like to enable saslauthd for GSSAPI for sendmail authentication.
>> I am running Samba4 4.4.16 on Slackware64 14.2. Samaba4 includes
>> Heimdal kerberos. The Dovecot mail server authenticates domain users
>> using the Thunderbird email client via GSSAPI, so that indicates to me
>> that it is doable. My current saslauthd has:
>
> Note that this does not enable SASL GSSAPI authentication, but rather
> Kerberos authentication underneath SASL PLAIN or LOGIN.
>
> Consult Sendmail documentation for enabling GSSAPI directly:
I would also note that if using a distribution provided SASL build, all
that may be necessary to allow SASL/GSSAPI to function is to install the
appropriate module. For example, on Debian/Ubuntu, you have a choice of
MIT backed Kerberos or Heimdal backed Kerberos:
libsasl2-modules-gssapi-heimdal
libsasl2-modules-gssapi-mit
I believe RedHat has something similar. I personally always chose Heimdal
as the Kerberos library on the client side to back SASL/GSSAPI due to
benchmarks I did, but that was 3 jobs and over a decade ago. ;)
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
More information about the Cyrus-sasl
mailing list