Alain,

There are Cyrus IMAP specific parts in this document that you can use as a HOWTO.

http://www.bynari.net/Resellers/docs/bynari_ad_integration.txt

Thanks,
Trey

Alain Williams <[EMAIL PROTECTED]> writes:

> On Thu, Dec 04, 2003 at 10:41:04AM -0600, Trey Tabner wrote:
>> Alain,
>>
>> You can also set saslauthd.conf to authenticate against LDAP on the
>> AD server. You can use the autocreate patch at http://email.uoa.gr/
> Hmmm, I shall try that since I seem to be getting nowhere using kerberos.
>
> The trouble that I find is that the documentation seems to be aimed at developers
> & people that really understand the protocols and that there is very little
> in the way of diagnostics (or verbose mode) to trace what is happening.
> Very frustrating.
>
> kinit works when I type something like (for a user 'internet.test'):
> kinit [EMAIL PROTECTED]
> and then enter the password, I see the file /tmp/krbcc_500 being created
> with something that I can inspect with:
> klist -v
> (my user # is 500).
>
> If I change the server listed in /etc/krb5.conf ('kdc = server') it fails
> as expected. This all suggests that the basic kerberos config is OK.
>
> Running saslauthd in debug mode
> saslauthd -d -n0 -a kerberos5
> I see the request come in and it simply says 'no':
>
> saslauthd[9126] :main : num_procs : 0
> saslauthd[9126] :main : mech_option: NULL
> saslauthd[9126] :main : run_path : /var/state/saslauthd
> saslauthd[9126] :main : auth_mech : kerberos5
> saslauthd[9126] :detach_tty : master pid is: 0
> saslauthd[9126] :ipc_init : listening on socket: /var/state/saslauthd/mux
> saslauthd[9126] :do_auth : auth failure: [user=internet.test] [service=imap]
> [realm=] [mech=kerberos5] [reason=krb5_verify_user failed]
> saslauthd[9126] :server_exit : pid file lock removed:
> /var/state/saslauthd/saslauthd.pid.lock
> saslauthd[9126] :ipc_cleanup : socket removed: /var/state/saslauthd/mux
> saslauthd[9126] :server_exit : master exited: 0
>
> The above is in response to:
> telnet localhost imap
> . login internet.test foobar
> Quoting the username makes no difference:
> . login "internet.test" foobar
>
> I just get:
> . NO Login failed: authentication failure
>
> I have run saslauthd under strace, I can see it exchange a packet with the local
> domain controller,
> the packet is much longer (1430 bytes sent, 100 read) than the equivalent packet from
> kinit (404 bytes sent, 1380 read).
>
> I am running on SuSE Linux SLES 8, with the latest cyrus/sasl - this has heimdal
> gssapi.
>
> Where do I go from here ?
>
> * I can try ldap, but I can't see any documentation on how to configure sasl to do
> this.
> I already use ldap in the MTA (exim) to validate that the user exists.
> * I can persist with kerberos5, but ... what ?
>
>> so the authenticated users will have mailboxes when logging in for
>> the first time.
> Autocreate seems to be the thing to do, thanks all -- first to get
> authentication going.
>
> Thanks for bearing with me.
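As an added example that is not part of this thread (nor of the saslauthd project): a small parser for `saslauthd -d` output of the kind quoted above, so that the `[user=...] [service=...] [realm=...] [mech=...] [reason=...]` fields of each `do_auth` result can be pulled out and failures counted per user, mechanism and reason instead of being read by eye. The sample lines are constructed from the quoted output; the `auth success` line format and the realm value are assumptions, not taken from the thread.

```python
import re
from collections import Counter

# Constructed sample modelled on the saslauthd -d output quoted in the thread.
# The "auth success" line and the EXAMPLE.COM realm are assumptions about the format.
SAMPLE_LOG = """\
saslauthd[9126] :main            : auth_mech   : kerberos5
saslauthd[9126] :ipc_init        : listening on socket: /var/state/saslauthd/mux
saslauthd[9126] :do_auth         : auth failure: [user=internet.test] [service=imap] [realm=] [mech=kerberos5] [reason=krb5_verify_user failed]
saslauthd[9126] :do_auth         : auth failure: [user=internet.test] [service=imap] [realm=] [mech=kerberos5] [reason=krb5_verify_user failed]
saslauthd[9126] :do_auth         : auth success: [user=internet.test] [service=imap] [realm=EXAMPLE.COM] [mech=kerberos5]
saslauthd[9126] :server_exit     : master exited: 0
"""

# One do_auth result line: pid, outcome, then a run of [key=value] fields.
RESULT_RE = re.compile(
    r"saslauthd\[(?P<pid>\d+)\]\s*:do_auth\s*:\s*auth (?P<outcome>failure|success):\s*(?P<fields>.*)$"
)
# A single bracketed field; the value may be empty, as in "[realm=]".
FIELD_RE = re.compile(r"\[(?P<key>\w+)=(?P<value>[^\]]*)\]")


def parse_auth_results(text):
    """Return one dict per do_auth result line; other debug lines are skipped."""
    events = []
    for line in text.splitlines():
        m = RESULT_RE.search(line)
        if not m:
            continue
        event = {"pid": int(m.group("pid")), "outcome": m.group("outcome")}
        # findall yields (key, value) tuples, which dict.update accepts directly
        event.update(FIELD_RE.findall(m.group("fields")))
        events.append(event)
    return events


def failure_summary(events):
    """Count failures by (user, service, mech, reason) so a repeated reason stands out."""
    counts = Counter()
    for e in events:
        if e["outcome"] == "failure":
            counts[(e.get("user"), e.get("service"), e.get("mech"), e.get("reason"))] += 1
    return counts


def missing_realm(events):
    """Results whose realm field is empty: the IMAP login supplied no realm, so the
    kerberos5 mechanism has to rely on the default realm configured in krb5.conf."""
    return [e for e in events if e.get("realm", "") == ""]


if __name__ == "__main__":
    results = parse_auth_results(SAMPLE_LOG)
    for key, n in failure_summary(results).items():
        user, service, mech, reason = key
        print(f"{n}x user={user} service={service} mech={mech} reason={reason}")
    print(f"{len(missing_realm(results))} result(s) carried an empty realm")
```

Running it on a real `saslauthd -d` capture (pipe the daemon's stderr into a file and pass its contents to `parse_auth_results`) gives a quick count of which users and mechanisms are failing and for what reason, which is the first thing to compare against a working `kinit` for the same principal.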