using linux you can run autconfig with the varying options to enable sssd with the appropriate settings
THIS IS ONLY AN EXAMPLE YOU’LL WANT TO TAKE APPROPRIATE SECURITY MEASURES SUCH AS TLS ETC.. but you can test this way first. IE: authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldapauth --ldapserver=ldap://ldap.example.com:389 --disableldaptls --ldapbasedn=dc=example,dc=com --enablerfc2307bis --enablemkhomedir --enablecachecreds —update Or you can directly adit your sssd config /etc/ssd/ssd.conf: [sssd] domains = default, LDAP services = nss, pam, autofs config_file_version = 2 [nss] filter_groups = root filter_users = root [pam] [domain/LDAP] #debug_level = 9 ldap_tls_reqcert = never auth_provider = ldap id_provider = ldap chpass_provider = ldap ldap_schema = rfc2307bis ldap_uri = ldap://ldap.example.com ldap_search_base = dc=example,dc=com cache_credentials = false enumerate = False Verify that PAM actually uses SSSD: By enabling debug_level in the above file you can also look at /var/log/sssd files for more details on where (if any) auth is failing. [root@postoffice ~]# more /etc/pam.d/system-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_fprintd.so auth [default=1 success=ok] pam_localuser.so auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so You should be set. > On Sep 18, 2015, at 7:48 AM, Sunny <s...@ebi.ac.uk> wrote: > > Hi, > > I've inherited a cyrus mail server and I'm currently learning how it's setup > and would like some advice changing from a NIS to LDAP authentication. > > At the moment, the imap server uses NIS to authenticate ssh connections and I > believe to also authenticate users to their mailboxes > > imapd.conf > sasl_pwcheck_method: saslauthd > sasl_mech_list: PLAIN > > /etc/sysconfig/saslauthd > MECH=pam > > From the above output I believe that cyrus will use the pam service to lookup > authentication information to authenticate a users cyrus mailbox. > > I want the imap server to use LDAP (via sssd) for ssh authentication and > authenticating users to their mailboxes. > > If I configure the mail server to use sssd (also stop NIS) and update > /etc/pam.d/system-auth with the required pam_sss.so entries, does anyone know > or have experience if this change will allow users to authenticate to their > mailboxes using LDAP? > > Regards > > > ---- > Cyrus Home Page: http://www.cyrusimap.org/ > List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ > To Unsubscribe: > https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus