Authenticate Cyrus off active directory
Alain Williams
addw at phcomp.co.uk
Thu Dec 4 12:34:42 EST 2003
On Thu, Dec 04, 2003 at 10:41:04AM -0600, Trey Tabner wrote:
> Alain,
>
> You can also set saslauthd.conf to authenticate against LDAP on the
> AD server. You can use the autocreate patch at http://email.uoa.gr/
Hmmm, I shall try that since I seem to be getting nowhere using kerberos.
The trouble that I find is that the documentation seems to be aimed at developers
& people that really understand the protocols and that there is very little
in the way of diagnostics (or verbose mode) to trace what is happening.
Very frustrating.
kinit works when I type something like (for a user 'internet.test'):

    kinit internet.test@OURDOMAIN.AC.UK

and then enter the password, I see the file /tmp/krbcc_500 being created
with something that I can inspect with:

    klist -v

(my user # is 500).
If I change the server listed in /etc/krb5.conf ('kdc = server') it fails
as expected. This all suggests that the basic kerberos config is OK.
Running saslauthd in debug mode

    saslauthd -d -n0 -a kerberos5

I see the request come in and it simply says 'no':

    saslauthd[9126] :main : num_procs : 0
    saslauthd[9126] :main : mech_option: NULL
    saslauthd[9126] :main : run_path : /var/state/saslauthd
    saslauthd[9126] :main : auth_mech : kerberos5
    saslauthd[9126] :detach_tty : master pid is: 0
    saslauthd[9126] :ipc_init : listening on socket: /var/state/saslauthd/mux
    saslauthd[9126] :do_auth : auth failure: [user=internet.test] [service=imap] [realm=] [mech=kerberos5] [reason=krb5_verify_user failed]
    saslauthd[9126] :server_exit : pid file lock removed: /var/state/saslauthd/saslauthd.pid.lock
    saslauthd[9126] :ipc_cleanup : socket removed: /var/state/saslauthd/mux
    saslauthd[9126] :server_exit : master exited: 0
The above is in response to:

    telnet localhost imap
    . login internet.test foobar

Quoting the username makes no difference:

    . login "internet.test" foobar

I just get:

    . NO Login failed: authentication failure
I have run saslauthd under strace, and I can see it exchange a packet with the local domain controller;
the packet is much longer (1430 bytes sent, 100 read) than the equivalent packet from
kinit (404 bytes sent, 1380 read).
I am running on SuSE Linux SLES 8, with the latest cyrus/sasl - this has heimdal gssapi.
Where do I go from here?
* I can try ldap, but I can't see any documentation on how to configure sasl to do this.
I already use ldap in the MTA (exim) to validate that the user exists.
* I can persist with kerberos5, but ... what ?
> so the authenticated users will have mailboxes when logging in for
> the first time.
Autocreate seems to be the thing to do, thanks all -- first to get
authentication going.
Thanks for bearing with me.
--
Alain Williams
#include <std_disclaimer.h>
FATHERS-4-JUSTICE - Campaigning for equal rights for parents and the
best interests of our children. See http://www.fathers-4-justice.org
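
An added example, not part of the original message and not code from the Cyrus SASL project: a small Python parser for the "do_auth : auth failure" lines that saslauthd prints in debug mode, in the format shown in the log above. It counts failures per mechanism and reason and lists users whose requests arrived with an empty realm field; the function names are hypothetical and the last sample line is constructed.

```python
import re
from collections import Counter

# Matches the do_auth failure line format shown in the post's debug output.
FAILURE_RE = re.compile(
    r"saslauthd\[(?P<pid>\d+)\]\s*:do_auth\s*:\s*auth failure:\s*(?P<fields>.*)$")
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")


def parse_failure(line):
    """Return a dict of the bracketed fields, or None if not a failure line."""
    m = FAILURE_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["pid"] = int(m.group("pid"))
    return rec


def summarize(lines):
    """Count failures per (mech, reason); collect users sent with no realm."""
    by_cause = Counter()
    empty_realm_users = set()
    for line in lines:
        rec = parse_failure(line)
        if rec is None:
            continue  # startup/shutdown chatter, not an auth decision
        by_cause[(rec.get("mech", "?"), rec.get("reason", "?"))] += 1
        if rec.get("realm", "") == "":
            empty_realm_users.add(rec.get("user", "?"))
    return by_cause, empty_realm_users


# Lines 1-2 are from the post, line 3 repeats line 2, line 4 is constructed.
SAMPLE = [
    "saslauthd[9126] :main : auth_mech : kerberos5",
    "saslauthd[9126] :do_auth : auth failure: [user=internet.test] [service=imap] [realm=] [mech=kerberos5] [reason=krb5_verify_user failed]",
    "saslauthd[9126] :do_auth : auth failure: [user=internet.test] [service=imap] [realm=] [mech=kerberos5] [reason=krb5_verify_user failed]",
    "saslauthd[9126] :do_auth : auth failure: [user=alice] [service=imap] [realm=EXAMPLE.TEST] [mech=kerberos5] [reason=krb5_verify_user failed]",
]

if __name__ == "__main__":
    causes, no_realm = summarize(SAMPLE)
    for (mech, reason), n in causes.most_common():
        print(f"{n:3d}  mech={mech}  reason={reason}")
    print("users with empty realm:", sorted(no_realm))
```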