Cyradm saslauthd issue

David Faller d.faller at live.de
Sun Apr 12 07:29:01 EDT 2020


Dear all,

I have a question about my configuration:
we're using multiple domains and the users are stored on our Samba AD DC server.

In the past I wanted to prevent the issue that users can log in with their username and not with a FQDN mail address.

I had solved this issue by editing the /etc/default/saslauthd service file and adding '-r' to OPTIONS at the end:

#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="ldap"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
#
# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
# then your Postfix is running in a chroot.
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
# running in a chroot.
OPTIONS="-r -c -m /var/run/saslauthd"

My saslauthd.conf file here uses a different filter than the default one:

ldap_servers: ldap://XXXXX
ldap_search_base: dc=XXX,dc=dir
#ldap_filter: sAMAccountName=%U
ldap_filter: userPrincipalName=%u

#ldap_version: 3
ldap_auth_method: bind
ldap_bind_dn: cn=Administrator,cn=Users,dc=XXX,dc=dir
ldap_bind_pw: XXX
#ldap_scope: sub
ldap_debug: -1


Here I have a problem. This config works fine: all users can only sign in with their full e-mail address.

So max.murry@web.de can log in AND
Max.murry can't log in.

This is working fine,

but when I want to use cyradm I need to switch the filter in /etc/saslauthd.conf to sAMAccountName=%U.
If I don't do this I can't access the cyradm tool; perhaps someone could help here?
I think the problem here is the same: authentication is only allowed with a FQDN, but the Linux user cyrus has no domain ending.

Best Regards,
David Faller

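As an added illustration (not part of David's mail and not the saslauthd project's own code): a small Python re-implementation of how saslauthd's LDAP backend expands the %u/%U tokens of ldap_filter, with RFC 4515 escaping of the login name, applied to the three logins discussed above. The token meanings follow the LDAP_SASLAUTHD documentation as I remember it and the -r behaviour is modelled, so treat both as assumptions.

```python
import re

# Escape a login name for use inside an LDAP search filter (RFC 4515) so
# that '*', '(', ')', '\' or NUL in the supplied name cannot change the
# shape of the filter sent to the directory. saslauthd escapes the value
# itself before substitution; this is an illustrative re-implementation.
def ldap_escape(value: str) -> str:
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch
                   for ch in value)

def expand_filter(template: str, user: str, realm: str = '') -> str:
    """Expand the %-tokens of a saslauthd ldap_filter template.

    %u  the login name as saslauthd received it
    %U  the part of %u before '@' (the whole name if there is no '@')
    %d  the part of %u after '@', falling back to the realm
    %r  the realm
    %%  a literal '%'
    Token meanings are taken from the LDAP_SASLAUTHD documentation and
    are an assumption of this example, not verified against the source.
    """
    local, _, domain = user.partition('@')
    tokens = {
        'u': ldap_escape(user),
        'U': ldap_escape(local),
        'd': ldap_escape(domain or realm),
        'r': ldap_escape(realm),
        '%': '%',
    }
    return re.sub(r'%([uUdr%])', lambda m: tokens[m.group(1)], template)

def concat_realm(login: str, realm: str) -> str:
    """Model of saslauthd's -r option (assumption): pass login@realm
    instead of the bare login when a non-empty realm came with the request."""
    return f'{login}@{realm}' if realm else login

UPN_FILTER = 'userPrincipalName=%u'   # the filter from the mail
SAM_FILTER = 'sAMAccountName=%U'      # the commented-out alternative

def show_expansions(logins=('max.murry@web.de', 'Max.murry', 'cyrus')):
    """Return {login: (UPN filter, sAMAccountName filter)} per login.
    A bare 'Max.murry' or 'cyrus' under the UPN filter yields a value no
    AD userPrincipalName carries (UPNs always have an @suffix), which is
    why only the full address authenticates with that filter."""
    return {u: (expand_filter(UPN_FILTER, u), expand_filter(SAM_FILTER, u))
            for u in logins}

if __name__ == '__main__':
    for login, (upn, sam) in show_expansions().items():
        print(f'{login:20} {upn:40} {sam}')
```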
