Active Directory

Paul Boven p.boven at chello.nl
Sun Oct 10 09:01:57 EDT 2004


Hi Fabiano, everyone,

Fabiano F. Vitale wrote:

> I'm not experienced in cyrus-sasl and I need to get a cyrus imap
> to authenticate against a windows 2000 active directory domain.
> I need an example of the ldap properties that must be configured
> in /etc/saslauth.conf.
>     Does anybody have a HOWTO for this?

Kerberos is a lot of overhead: for every user who logs in, you first 
have to get a ticket-granting-ticket (tgt), and then the ticket proper 
for getting to use the service you want.
Much simpler, im(ns)ho, is to authenticate using just LDAP. Active 
Directory is almost (but not entirely) compatible with the Ldapv3(bis) 
specification. The way to authenticate against your ADS would be to have 
the cyrus saslauthd login (bind) to the ADS on behalf of the user with 
the user's credentials. If the bind succeeds, the user is authenticated.

Assuming all your users are in the same active directory domain, this 
can all be done quite straightforwardly:

/etc/imapd.conf: (just the settings for talking to ADS)
# Use the cyrus saslauthd to handle authentication
sasl_pwcheck_method: saslauthd
# Allow plaintext-passwords (might want to turn this off for production)
allowplaintext: yes
# Create the inbox for a user on login or receiving an email
createonpost: 1
# You must specify autocreatequota for createonpost to work.
# As we don't use quota, set it to a negative value.
autocreatequota: -1
# Users won't have a homedir on the cyrus system, so store Sieve files
# somewhere else.
sieveusehomedir: false
sievedir: /var/spool/sieve

/usr/local/etc/saslauthd.conf:
# ldap_servers is a list of LDAP urls. Use this for failover
# Only use ldaps if you have SSL working with the ADS servers
ldap_servers: ldaps://ads1.domain.local ldaps://ads2.domain.local
# The auth-method can be either 'bind' or 'fastbind'. We use fastbind
# because we don't need to use ldapfilter to find the user-DN.
ldap_auth_method: fastbind
# For the 'bind' method, ldap_filter must specify a ldap_search that
# will return the DN of the user. For the 'fastbind' method, ldap_filter
# does not actually specify a filter, but the DN to use for binding.
# DOMAIN is the name of the ADS domain.
ldap_filter: DOMAIN\%u
# When using SSL for LDAP, don't also do SASL or ADS gets confused.
ldap_use_sasl: no
# Where to find the ADS cert (only needed for SSL)
ldap_tls_cacert_file: /usr/local/openssl/certs/ads.cer

Don't forget to start saslauthd together with cyrus: saslauthd -a ldap

This probably means you will have to build cyrus, cyrus-sasl and 
openldap yourself from sources for them to have all needed parts 
configured in (such as SSL). Bonus points for getting Kerberos to work, 
too (there is a nasty circular dependency when building cyrus-sasl to 
use openldap and kerberos).

Regards, Paul Boven.
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
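The following is an added example, not code from Paul's post or from cyrus-sasl. It models the check saslauthd's LDAP 'fastbind' method performs: expand the ldap_filter template (the post's DOMAIN\%u) into a bind identity and attempt a simple bind with the user's own password. Two guards a practitioner wants around that pattern are shown: a login name is only accepted if it cannot alter the expanded template, and an empty password is refused before it reaches the directory, because an LDAP bind with a name and no password is an "unauthenticated" bind (RFC 4513 section 5.1.2) that Active Directory and other servers may accept. The directory call is injected so the logic runs offline against a constructed fake; the ldap3-based binder, the ldaps:// host names and the account data are assumptions, not anything from the thread.

```python
"""Bind-as-user check in the style of saslauthd's LDAP 'fastbind' method.

Added example, not code from the mailing-list post or from cyrus-sasl.
The real directory call is injected so the logic can run offline; the
ldap3-based binder below is an assumption about how one would wire it up.
"""
import re
from typing import Callable

# Characters we allow in the login name. Anything else (backslash, '@', ',',
# '=', whitespace, ...) could change the meaning of the expanded template,
# e.g. turning DOMAIN\%u into a bind against another domain or another DN.
_SAFE_USER = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def expand_template(template: str, user: str, realm: str = "") -> str:
    """Expand saslauthd-style %u (user) and %r (realm) tokens."""
    return template.replace("%u", user).replace("%r", realm)


def check_password(user: str, password: str, template: str,
                   bind: Callable[[str, str], bool]) -> bool:
    """Return True only if the directory accepts a simple bind as `user`.

    `bind(identity, password)` must return True when the server accepts
    the credentials and False (or raise) otherwise.
    """
    if not _SAFE_USER.match(user):
        return False
    # An empty password is not a failed login on LDAP: a bind with a name and
    # no password is an 'unauthenticated' bind (RFC 4513 5.1.2), which AD and
    # other servers may accept. Reject it before it goes on the wire.
    if not password:
        return False
    identity = expand_template(template, user)
    try:
        return bool(bind(identity, password))
    except Exception:
        return False


def ldap3_bind(server_url: str) -> Callable[[str, str], bool]:
    """Build a real binder with the ldap3 library (assumed to be installed).

    Only ldaps:// URLs are accepted; over plain ldap:// the user's password
    would cross the network in the clear, the caveat the post raises.
    """
    if not server_url.startswith("ldaps://"):
        raise ValueError("refusing non-TLS LDAP URL: %s" % server_url)

    def bind(identity: str, password: str) -> bool:
        import ldap3  # imported lazily so the module loads without it
        conn = ldap3.Connection(ldap3.Server(server_url, use_ssl=True),
                                user=identity, password=password,
                                authentication=ldap3.SIMPLE)
        try:
            return conn.bind()
        finally:
            conn.unbind()
    return bind


# Constructed stand-in for a directory: one account, one password.
FAKE_DIRECTORY = {"DOMAIN\\jdoe": "correct horse"}


def fake_bind(identity: str, password: str) -> bool:
    """Constructed server: accepts the stored password, and, like a server
    that permits unauthenticated binds, also 'succeeds' on an empty one."""
    if password == "":
        return True
    return FAKE_DIRECTORY.get(identity) == password


if __name__ == "__main__":
    t = "DOMAIN\\%u"  # the post's fastbind template
    print(check_password("jdoe", "correct horse", t, fake_bind))  # True
    print(check_password("jdoe", "", t, fake_bind))               # False
    print(check_password("jdoe@evil.test", "x", t, fake_bind))    # False
```

Before wiring saslauthd up, the same bind can be tried by hand with `ldapwhoami -H ldaps://ads1.domain.local -x -D 'DOMAIN\jdoe' -W`, and the finished setup with `testsaslauthd -u jdoe -p '...' -s imap`; both should fail for a wrong password and, with the guard above in place, for an empty one.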
