auth against LDAP

bnies at bluewin.ch
Fri Oct 29 04:59:37 EDT 2004


>I think there are other ways of doing it (e.g. not using PAM as an extra
>mechanism) but it's working well!

We once ran saslauthd 2.1.18 on Solaris 8 authenticating via PAM
against NIS+, which worked fine. When we moved the system to LDAP, saslauthd
crashed every few minutes. We now run saslauthd authenticating
directly with LDAP.

Compile options:

CPPFLAGS="-I/opt/adnmail/db/include -I/opt/adnmail/openssl/include -I/opt/adnmail/cyrus/include"
LDFLAGS="-R/opt/adnmail/db/lib -R/opt/adnmail/openssl/lib -R/opt/adnmail/cyrus/lib"
LDFLAGS="-L/opt/adnmail/db/lib -L/opt/adnmail/openssl/lib -L/opt/adnmail/cyrus/lib $LDFLAGS"


gtar -xvpzf cyrus-sasl-2.1.19.tar.gz
cd cyrus-sasl-2.1.19
./configure --prefix=/opt/adnmail/cyrus \
            --with-dbpath=/var/spool/adnmail/cyrus/etc/sasldb2 \
            --sysconfdir=/var/spool/adnmail/cyrus/etc \
            --with-dblib=berkeley \
            --with-bdb-libdir=/opt/adnmail/db/lib \
            --with-bdb-incdir=/opt/adnmail/db/include \
            --with-openssl=/opt/adnmail/openssl \
            --with-ldap=/opt/adnmail/openldap \
            --with-plugindir=/opt/adnmail/cyrus/lib/sasl2 \
            --with-saslauthd=/var/spool/adnmail/cyrus/imap/socket \
            --with-des=/opt/adnmail/openssl \
            --with-pam \
            --enable-anon \
            --enable-login \
            --enable-shared \
            --enable-static \
            --disable-gssapi \
            --disable-kerb5

Configuration in saslauthd.conf

ldap_servers: ldap://192.168.1.216/ ldap://192.168.5.216/ ldap://192.168.4.216/ ldap://192.168.6.216/
ldap_search_base: ou=people,dc=example,dc=com
ldap_bind_dn: cn=proxyagent,ou=special_users,dc=example,dc=com
ldap_password: secret
ldap_scope: one
ldap_uidattr: uid
ldap_filter_mode:  yes
ldap_filter: uid=%u

Authentication configuration in imapd.conf:

allowplaintext: yes
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN

saslauthd is started with:

saslauthd -a ldap -c -t 900 -O /path/to/saslauthd.conf

The disadvantage of using PAM is that the mail users get system accounts.

Regards,
Bernd

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
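An added example, not part of Bernd's post: a small checker that parses the saslauthd.conf LDAP settings shown above and reports the points a reviewer would raise about them (cleartext ldap:// without TLS, no peer verification, the proxy bind password kept inline). The option names ldap_start_tls and ldap_tls_check_peer are taken from saslauthd's LDAP_SASLAUTHD documentation; the sample configuration is the one from the post, re-typed here.

```python
# Added example (not from the original post): checker for saslauthd LDAP settings.
from typing import Dict, List

# Constructed sample: the saslauthd.conf from the post, re-typed.
SAMPLE_CONF = """\
ldap_servers: ldap://192.168.1.216/ ldap://192.168.5.216/ ldap://192.168.4.216/ ldap://192.168.6.216/
ldap_search_base: ou=people,dc=example,dc=com
ldap_bind_dn: cn=proxyagent,ou=special_users,dc=example,dc=com
ldap_password: secret
ldap_scope: one
ldap_uidattr: uid
ldap_filter_mode:  yes
ldap_filter: uid=%u
"""


def parse_saslauthd_conf(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines; blank lines and '#' comments are skipped.
    Only the first ':' separates key from value, so LDAP URIs survive intact."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf


def check_ldap_transport(conf: Dict[str, str]) -> List[str]:
    """Return findings about how saslauthd reaches the directory."""
    findings: List[str] = []
    servers = conf.get("ldap_servers", "").split()  # space-separated URI list
    start_tls = conf.get("ldap_start_tls", "no").lower() == "yes"
    for uri in servers:
        if uri.startswith("ldap://") and not start_tls:
            # Every user password saslauthd verifies, plus the proxy bind
            # password, crosses the network unencrypted on this connection.
            findings.append(f"{uri}: cleartext LDAP without ldap_start_tls")
    uses_tls = start_tls or any(u.startswith("ldaps://") for u in servers)
    if uses_tls and conf.get("ldap_tls_check_peer", "no").lower() != "yes":
        findings.append("TLS in use but ldap_tls_check_peer is not 'yes': "
                        "the directory server's certificate is not verified")
    if "ldap_password" in conf:
        findings.append("ldap_password is stored inline; the file must be "
                        "readable only by the user saslauthd runs as")
    return findings


if __name__ == "__main__":
    for finding in check_ldap_transport(parse_saslauthd_conf(SAMPLE_CONF)):
        print(finding)
```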