Authenticate to IMAP server via Active Directory

Nikola Milutinovic Nikola.Milutinovic at ev.co.yu
Fri Mar 19 01:49:51 EST 2004


Wong, G. MR EECS wrote:

> We are trying to set up a Cyrus IMAP server (version 2.2.3) on a Redhat
> Enterprise LINUX AS 3.0 box. For ease of management we would like to
> authenticate users against a Microsoft Active Directory Domain controller,
> since all users who would use the IMAP server are already there.
> 
> We have attempted to use Cyrus saslauthd (version 2.1.17) with kerberos5
> to do this:
> 
> 1.  Cyrus sasl has been built with gssapi(kerberos5) support

OK.

> 2.  cyrus imap has been built --with-auth=krb5

This is for authorisation, not authentication, but it is OK.

> 3.  In /etc/imapd.conf sasl-pwcheck-method=saslauthd

Hmmm, relatively OK. One word of caution, though. This will relay all "SASL 
PLAIN" logins to the Kerberos realm. If you do not use IMAP over SSL/TLS, your 
users' username/password will travel unencrypted, thus defeating one of the main 
Kerberos ideas. Use this for a fall-back situation only.

It should be possible to use "SASL GSSAPI" authentication method instead.

> 4.  We followed the instructions in
>     http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
>     to interoperate with the AD KDC: We generated both the host and
>     service-instance (imap) keytab files and integrated them into the
>     /etc/krb5.keytab file on the LINUX host. Finally, we modified
>     /etc/krb5.conf according to the instructions. We tested kerberos with
>     kinit and it seems to be working.
> 
> 5.  We started saslauthd with:  saslauthd -n0 -a kerberos5
> 6.  Finally, we started imap with master -d

Try testing from the server. Do a "kinit" to one of your ADS users and then try 
"imtest" using the "GSSAPI" mechanism. Set up your e-mail clients to use GSSAPI; 
I think it is called "Secure Password Authentication" or something like that in 
MS Outlook and Outlook Express.

Nix.

---
Home Page: http://asg.web.cmu.edu/cyrus
Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
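
A small audit of the risk raised in the reply above (PLAIN logins relayed through saslauthd when IMAP is not run over SSL/TLS), added here as an example; it is not part of the original post or of Cyrus itself. It assumes the usual imapd.conf `key: value` option names (`sasl_pwcheck_method`, `sasl_mech_list`, `allowplaintext`, `tls_cert_file`, `tls_key_file`); the sample configurations, file paths and finding labels are constructed.

```python
import re

# Constructed sample imapd.conf contents (not taken from the thread).
SAMPLE_WEAK = """\
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
allowplaintext: yes
"""
SAMPLE_HARDENED = """\
sasl_pwcheck_method: saslauthd
sasl_mech_list: GSSAPI PLAIN
allowplaintext: no
tls_cert_file: /etc/ssl/imapd.pem
tls_key_file: /etc/ssl/imapd.key
"""
TRUE = {"yes", "1", "true", "on", "t"}

def parse_conf(text):
    """Return {option: value} from imapd.conf text, skipping comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*:\s*(.*)$", line)
        if m:
            opts[m.group(1).lower()] = m.group(2).strip()
    return opts

def audit(text):
    """List findings about password exposure for a saslauthd-backed setup."""
    o = parse_conf(text)
    findings = []
    mechs = o.get("sasl_mech_list", "").upper().split()
    # Assumption: an unset allowplaintext is treated as "yes", because the
    # default has differed between Cyrus releases.
    plaintext_ok = o.get("allowplaintext", "yes").lower() in TRUE
    has_tls = bool(o.get("tls_cert_file")) and bool(o.get("tls_key_file"))
    if o.get("sasl_pwcheck_method") == "saslauthd" and plaintext_ok:
        # Passwords can reach saslauthd over an unencrypted IMAP session.
        findings.append("cleartext-login-allowed-without-tls")
    if not has_tls:
        findings.append("no-tls-certificate-configured")
    if mechs and "GSSAPI" not in mechs:
        findings.append("gssapi-not-offered")
    return findings
```
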



