Cyradm saslauthd issue

Dan White dwhite at olp.net
Mon Apr 13 09:38:07 EDT 2020


On 04/12/20 11:29 +0000, David Faller wrote:
>I have a question about my configuration,
>we’re using multiple domains and the users are stored on our samba ad dc server.
>
>In the past I wanted to prevent the issue that users can log in with their username and not with an FQDN mail address.
>
>I solved this issue by editing the /etc/default/saslauthd service file and adding '-r' to the options at the end:
>
># Settings for saslauthd daemon
>START=yes
>DESC="SASL Authentication Daemon"
>NAME="saslauthd"
>MECHANISMS="ldap"
>MECH_OPTIONS=""
>THREADS=5
>OPTIONS="-r -c -m /var/run/saslauthd"
>
>My saslauthd.config file here uses another filter than the default one:
>
>ldap_servers: ldap://XXXXX
>ldap_search_base: dc= XXX,dc=dir
>#ldap_filter: sAMAccountName=%U
>ldap_filter: userPrincipalName=%u
>
>#ldap_version: 3
>ldap_auth_method: bind
>ldap_bind_dn: cn=Administrator,cn=Users,dc=XXX,dc=dir
>ldap_bind_pw: XXX
>#ldap_scope: sub
>ldap_debug: -1
>
>Here I have a problem. This config works fine; all users can only sign in with their full e-mail address.
>
>So max.murry at web.de can login AND Max.murry can’t login.
>
>This is working fine,
>
>but when I want to use cyradm I need to switch the filter in /etc/saslauthd.conf to sAMAccountName=%U
>If I don’t do this I can’t access the cyradm tool. Perhaps someone could help here?
>I think the problem here is the same: authentication is only allowed with an FQDN, but the Linux user cyrus has no domain ending.

Hi David,

What error do you get when you attempt to log in as the cyrus user? Try
adding 'cyrus@<domain>' to your admins entry in imapd.conf. Depending on
your deployment, that may not be sufficient for administering all of your
domains. You may need a unique cyrus@<domain> account for each domain, with
each entry listed within an admins config line.

Since your problem is only with cyradm, consider running a second imapd
instance, using local sasldb authentication, to support cyradm, i.e.:

Within /etc/cyrus.conf:
   imap          cmd="imapd" listen="192.168.0.1:imap" prefork=0
   imaplocal     cmd="imapd" listen="127.0.0.1:imap" prefork=0

Then within /etc/imapd.conf, carve out a unique sasl pwcheck method for
imaplocal:

imaplocal_sasl_pwcheck_method: auxprop
imaplocal_sasl_auxprop_plugin: sasldb
#imaplocal_sasl_mech_list: PLAIN

Then you would maintain the cyrus user's password with saslpasswd2.

-- 
Dan White
Network Admin Lead
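
Added example, not part of the message above and not Cyrus project code: a Python check that resolves which sasl_pwcheck_method each cyrus.conf service ends up with under the service-prefixed override shown above, and flags a sasldb-backed (auxprop) service that listens on anything other than loopback. The SERVICES wrapper, the global `sasl_pwcheck_method: saslauthd` line and the loopback-only rule are assumptions of this example; the sample configs are constructed from the snippets in the thread.

```python
import re
import shlex

# Constructed sample configs modelled on the snippets quoted in the thread.
CYRUS_CONF = '''SERVICES {
   imap          cmd="imapd" listen="192.168.0.1:imap" prefork=0
   imaplocal     cmd="imapd" listen="127.0.0.1:imap" prefork=0
}'''
# The global sasl_pwcheck_method line is an assumption (not shown in the thread).
IMAPD_CONF = '''sasl_pwcheck_method: saslauthd
imaplocal_sasl_pwcheck_method: auxprop
imaplocal_sasl_auxprop_plugin: sasldb
#imaplocal_sasl_mech_list: PLAIN'''

def parse_services(text):
    """Return {service name: listen value} from cyrus.conf service lines."""
    services = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s+(.*\bcmd=.*)', line)
        if m:
            toks = shlex.split(m.group(2))  # strips the double quotes
            args = dict(t.split('=', 1) for t in toks if '=' in t)
            services[m.group(1)] = args.get('listen', '')
    return services

def parse_options(text):
    """Return {option: value} from imapd.conf, skipping comments and blanks."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith('#') and ':' in line:
            key, value = line.split(':', 1)
            opts[key.strip()] = value.strip()
    return opts

def audit(cyrus_conf, imapd_conf):
    """Effective pwcheck method per service; flag auxprop off loopback."""
    opts = parse_options(imapd_conf)
    report = {}
    for name, listen in parse_services(cyrus_conf).items():
        # A "<service>_" prefixed option overrides the global one.
        method = opts.get(name + '_sasl_pwcheck_method',
                          opts.get('sasl_pwcheck_method', ''))
        # No host part in listen= means the service binds every address.
        host = listen.rsplit(':', 1)[0] if ':' in listen else ''
        loopback = host in ('127.0.0.1', 'localhost', '[::1]')
        report[name] = {'pwcheck': method, 'listen': listen,
                        'exposed_local_auth': method == 'auxprop' and not loopback}
    return report

if __name__ == '__main__':
    print(audit(CYRUS_CONF, IMAPD_CONF))
```
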

