cyrus mailbox authentication changing from NIS to LDAP
Shaheen Bakhtiar
shashaness at hotmail.com
Fri Sep 18 12:07:06 EDT 2015
using linux you can run autconfig with the varying options to enable sssd with the appropriate settings
THIS IS ONLY AN EXAMPLE YOU’LL WANT TO TAKE APPROPRIATE SECURITY MEASURES SUCH AS TLS ETC.. but you can test this way first.
IE:
authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldapauth --ldapserver=ldap://ldap.example.com:389 --disableldaptls --ldapbasedn=dc=example,dc=com --enablerfc2307bis --enablemkhomedir --enablecachecreds —update
Or you can directly adit your sssd config /etc/ssd/ssd.conf:
[sssd]
domains = default, LDAP
services = nss, pam, autofs
config_file_version = 2
[nss]
filter_groups = root
filter_users = root
[pam]
[domain/LDAP]
#debug_level = 9
ldap_tls_reqcert = never
auth_provider = ldap
id_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
cache_credentials = false
enumerate = False
Verify that PAM actually uses SSSD:
By enabling debug_level in the above file you can also look at /var/log/sssd files for more details on where (if any) auth is failing.
[root at postoffice ~]# more /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
You should be set.
> On Sep 18, 2015, at 7:48 AM, Sunny <ssn at ebi.ac.uk> wrote:
>
> Hi,
>
> I've inherited a cyrus mail server and I'm currently learning how it's setup and would like some advice changing from a NIS to LDAP authentication.
>
> At the moment, the imap server uses NIS to authenticate ssh connections and I believe to also authenticate users to their mailboxes
>
> imapd.conf
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN
>
> /etc/sysconfig/saslauthd
> MECH=pam
>
> From the above output I believe that cyrus will use the pam service to lookup authentication information to authenticate a users cyrus mailbox.
>
> I want the imap server to use LDAP (via sssd) for ssh authentication and authenticating users to their mailboxes.
>
> If I configure the mail server to use sssd (also stop NIS) and update /etc/pam.d/system-auth with the required pam_sss.so entries, does anyone know or have experience if this change will allow users to authenticate to their mailboxes using LDAP?
>
> Regards
>
>
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> To Unsubscribe:
> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20150918/8837fe4b/attachment.html
More information about the Info-cyrus
mailing list