All,
I'm installing my first cyrus imap server that uses LDAP for
authentication. I understand the sasldb2/auxprop mechanism all right,
but am confused when it comes to saslauthd/PAM/LDAP. I'm want to use
PLAIN over TLS against an LDAP server. Seems like there's a LOT of ways
to do that (auxprop, sasl-ldap, and sasl-pam-ldap).
Hi,
I'm a little confused. I don't know about an auxprop ldap plugin, the two
ways I know are saslauthd-ldap and saslauthd-pam-ldap. IIRC you never
put a file into the sasl2 lib folder, only use imapd.conf to configure it.
For both methods I know, I think the following config is what you need in
imapd.conf:
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
There is no sasl_pwcheck_method pam or ldap with cyrus-imapd 2.1 and 2.2.
Then you have to configure saslauthd to either use its builtin ldap
support or use pam. The way to do this depends on how you installed
cyrus-sasl but it basically means you just start saslauthd with '-a ldap'
or '-a pam'.
saslauthd's ldap is configured with the file /etc/saslauthd.conf.
For pam, you have to configure the used services like
imap, lmtp, mupdate, news, pop and sieve.
Simon
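Added example, not Simon's or the Cyrus project's code: a small POSIX sh lint for the "sasl_pwcheck_method: saslauthd" plus "saslauthd -a ldap" setup described above, checking that a PLAIN password is protected on both hops it crosses (client to imapd, then saslauthd's LDAP bind). The config fragments are constructed samples; the keys follow imapd.conf(5) and saslauthd's LDAP_SASLAUTHD documentation, and the hostname and paths are placeholders.

```shell
# Added lint (not from the thread): the config fragments are constructed samples,
# hostnames/paths are placeholders; keys follow imapd.conf and LDAP_SASLAUTHD docs.
IMAPD_CONF='sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
allowplaintext: no
tls_cert_file: /etc/ssl/certs/imap.pem'
SASLAUTHD_CONF='ldap_servers: ldap://ldap.example.com/
ldap_search_base: ou=people,dc=example,dc=com
ldap_filter: (uid=%u)
ldap_auth_method: bind
ldap_start_tls: yes
ldap_tls_check_peer: yes'
# conf_get CONTENT KEY: print the value of "KEY: value" (first match, empty if absent)
conf_get() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# check_config IMAPD_CONF SASLAUTHD_CONF: return 0 if every hop the PLAIN
# password crosses is protected, 1 otherwise; each finding is printed.
check_config() {
    imapd=$1; sasl=$2; bad=0
    # Cyrus 2.1/2.2 only know saslauthd here; "pam" and "ldap" are not valid values
    m=$(conf_get "$imapd" sasl_pwcheck_method)
    [ "$m" = saslauthd ] || { echo "sasl_pwcheck_method must be saslauthd (got '$m')"; bad=1; }
    # PLAIN hands the password to the server, so it may only be offered inside TLS
    case " $(conf_get "$imapd" sasl_mech_list) " in
        *" PLAIN "*)
            case $(conf_get "$imapd" allowplaintext) in
                no|0|off|false) ;;
                *) echo "PLAIN offered but allowplaintext is not off"; bad=1 ;;
            esac
            [ -n "$(conf_get "$imapd" tls_cert_file)" ] ||
                { echo "PLAIN offered but no tls_cert_file, so TLS cannot start"; bad=1; } ;;
    esac
    # saslauthd re-sends the password as an LDAP simple bind: that hop needs TLS too
    srv=$(conf_get "$sasl" ldap_servers)
    case $srv in
        ldaps://*) ;;
        *) [ "$(conf_get "$sasl" ldap_start_tls)" = yes ] ||
               { echo "ldap_servers '$srv' without ldap_start_tls: yes"; bad=1; } ;;
    esac
    [ "$(conf_get "$sasl" ldap_tls_check_peer)" = yes ] ||
        { echo "ldap_tls_check_peer is not yes: LDAP server certificate unverified"; bad=1; }
    return $bad
}

if check_config "$IMAPD_CONF" "$SASLAUTHD_CONF"; then
    echo "config looks sound; confirm live with: testsaslauthd -u USER -p PASS -s imap"
fi
```

testsaslauthd ships with cyrus-sasl and talks to the running saslauthd socket, so it exercises the same path imapd will use.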
All the different ways confuse me, and I want to clarify my options.
Would someone please verify what I THINK is supposed to happen?
1.
--imapd.conf file has NO sasl parameters.
--imapd file in sasl2 folder has one parameter pwcheck_method:pam
This option does NOT run against the saslauthd daemon. IMAP knows to
use SASL, and checks for the sasl config file which says don't use SASL,
forward to PAM directly. I have my PAM imap file configured to use LDAP
(/etc/ldap.conf).
2.
--imapd.conf file has sasl_pwcheck_method:pam
This is the same as #1
3.
--imapd.conf file has no sasl parameter.
--imapd file in sasl2 folder has one parameter pwcheck_method:saslauthd
This option tells the imapd to forward the parameters to the saslauthd
daemon. When the sasl daemon is started, the desired login mechanism is
passed as a parameter (saslauthd -a pam). I have my PAM imap file
configured to use LDAP (/etc/ldap.conf).
4.
--imapd.conf file has sasl_pwcheck_method:saslauthd
Same as #3.
5.
--imapd.conf file has no sasl parameter.
--imapd file in sasl2 folder has one parameter pwcheck_method:ldap
This is similar to PAM process (#1) imap looks up imapd file and
determines it's pam and uses sasl to configure against pam. The
saslauthd.conf file stores the ldap config information.
6.
--imapd.conf file has sasl_pwcheck_method:ldap
Same as 5. The saslauthd.conf file stores the ldap config information.
7.
--imapd.conf file has no sasl parameter.
--imapd file in sasl2 folder has one parameter pwcheck_method:saslauthd
This option tells the imapd to forward the parameters to the saslauthd
daemon. When the sasl daemon is started, the desired login mechanism is
passed as a parameter (saslauthd -a ldap). The saslauthd daemon uses
the /saslauthd.conf file to store its ldap config information.
8.
--imapd.conf file has sasl_pwcheck_method:saslauthd
Same as #7.
Another question:
1. Does cyradm authenticate against the imapd.conf authentication
process, or do I have to use the sasldb2 database regardless? I'd like
to keep all authentication in LDAP, but one user in the sasldb2 database
wouldn't be too bad...
Thanks in advance for clarifying this for me. Hopefully this can help
others down the road as well!
Kevin Williams
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html