Authenticate Cyrus off active directory

Trey Tabner trey at
Thu Dec 4 16:08:25 EST 2003


There are Cyrus IMAP specific parts in this document that you can use
as a HOWTO.



Alain Williams <addw at> writes:

> On Thu, Dec 04, 2003 at 10:41:04AM -0600, Trey Tabner wrote:
>> Alain,
>> You can also set saslauthd.conf to authenticate against LDAP on the
>> AD server.  You can use the autocreate patch at
> Hmmm, I shall try that since I seem to be getting nowhere using kerberos.
> The trouble that I find is that the documentation seems to be aimed at developers
> & people that really understand the protocols and that there is very little
> in the way of diagnostics (or verbose mode) to trace what is happening.
> Very frustrating.
> kinit works when I type something like (for a user 'internet.test'):
> 	kinit internet.test at OURDOMAIN.AC.UK
> and then enter the password, I see the file /tmp/krbcc_500 being created
> with something that I can inspect with:
> 	klist -v
> (my user # is 500).
> If I change the server listed in /etc/krb5.conf ('kdc = server') it fails
> as expected. This all suggests that the basic kerberos config is OK.
> Running saslauthd in debug mode
> 	saslauthd -d -n0 -a kerberos5
> I see the request come in and it simply says 'no':
> saslauthd[9126] :main            : num_procs  : 0
> saslauthd[9126] :main            : mech_option: NULL
> saslauthd[9126] :main            : run_path   : /var/state/saslauthd
> saslauthd[9126] :main            : auth_mech  : kerberos5
> saslauthd[9126] :detach_tty      : master pid is: 0
> saslauthd[9126] :ipc_init        : listening on socket: /var/state/saslauthd/mux
> saslauthd[9126] :do_auth         : auth failure: [user=internet.test] [service=imap] [realm=] [mech=kerberos5] [reason=krb5_verify_user failed]
> saslauthd[9126] :server_exit     : pid file lock removed: /var/state/saslauthd/
> saslauthd[9126] :ipc_cleanup     : socket removed: /var/state/saslauthd/mux
> saslauthd[9126] :server_exit     : master exited: 0
> The above is in response to:
> 	telnet localhost imap
> 	. login internet.test foobar
> Quoting the username makes no difference:
> 	. login "internet.test" foobar
> I just get:
> 	. NO Login failed: authentication failure
> I have run saslauthd under strace, I can see it exchange a packet with the local domain controller,
> the packet is much longer (1430 bytes sent, 100 read) than the equivalent packet from
> kinit (404 bytes sent, 1380 read).
> I am running on SuSE Linux SLES 8, with the latest cyrus/sasl - this has heimdal gssapi.
> Where do I go from here ?
> * I can try ldap, but I can't see any documentation on how to configure sasl to do this.
>   I already use ldap in the MTA (exim) to validate that the user exists.
> * I can persist with kerberos5, but ... what ?
>> so the authenticated users will have mailboxes when logging in for
>> the first time.
> Autocreate seems to be the thing to do, thanks all -- first to get
> authentication going.
> Thanks for bearing with me.

More information about the Info-cyrus mailing list