Authenticate Cyrus off active directory
addw at phcomp.co.uk
Thu Dec 4 12:34:42 EST 2003
On Thu, Dec 04, 2003 at 10:41:04AM -0600, Trey Tabner wrote:
> You can also set saslauthd.conf to authenticate against LDAP on the
> AD server. You can use the autocreate patch at http://email.uoa.gr/
Hmmm, I shall try that since I seem to be getting nowhere using kerberos.
The trouble that I find is that the documentation seems to be aimed at developers
& people that really understand the protocols and that there is very little
in the way of diagnostics (or verbose mode) to trace what is happening.
kinit works when I type something like (for a user 'internet.test'):
kinit internet.test at OURDOMAIN.AC.UK
and then enter the password, I see the file /tmp/krbcc_500 being created
with something that I can inspect with:
(my user # is 500).
If I change the server listed in /etc/krb5.conf ('kdc = server') it fails
as expected. This all suggests that the basic kerberos config is OK.
Running saslauthd in debug mode
saslauthd -d -n0 -a kerberos5
I see the request come in and it simply says 'no':
saslauthd :main : num_procs : 0
saslauthd :main : mech_option: NULL
saslauthd :main : run_path : /var/state/saslauthd
saslauthd :main : auth_mech : kerberos5
saslauthd :detach_tty : master pid is: 0
saslauthd :ipc_init : listening on socket: /var/state/saslauthd/mux
saslauthd :do_auth : auth failure: [user=internet.test] [service=imap] [realm=] [mech=kerberos5] [reason=krb5_verify_user failed]
saslauthd :server_exit : pid file lock removed: /var/state/saslauthd/saslauthd.pid.lock
saslauthd :ipc_cleanup : socket removed: /var/state/saslauthd/mux
saslauthd :server_exit : master exited: 0
The above is in response to:
telnet localhost imap
. login internet.test foobar
Quoting the username makes no difference:
. login "internet.test" foobar
I just get:
. NO Login failed: authentication failure
I have run saslauthd under strace, I can see it exchange a packet with the local domain controller,
the packet is much longer (1430 bytes sent, 100 read) than the equivalent packet from
kinit (404 bytes sent, 1380 read).
I am running on SuSE Linux SLES 8, with the latest cyrus/sasl - this has heimdal gssapi.
Where do I go from here ?
* I can try ldap, but I can't see any documentation on how to configure sasl to do this.
I already use ldap in the MTA (exim) to validate that the user exists.
* I can persist with kerberos5, but ... what ?
> so the authenticated users will have mailboxes when logging in for
> the first time.
Autocreate seems to be the thing to do, thanks all -- first to get
Thanks for bearing with me.
FATHERS-4-JUSTICE - Campaigning for equal rights for parents and the
best interests of our children. See http://www.fathers-4-justice.org
More information about the Info-cyrus