On 04/12/20 11:29 +0000, David Faller wrote:
I have a question about my configuration.
We're using multiple domains and the users are stored on our Samba AD DC server.
In the past I wanted to prevent the issue that users can log in with their username
and not with an FQDN mail address.
I had solved this issue by editing the /etc/default/saslauthd service file and
adding '-r' to the options at the end:
# Settings for saslauthd daemon
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="ldap"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-r -c -m /var/run/saslauthd"
My saslauthd.conf file here uses another filter than the default one:
ldap_servers: ldap://XXXXX
ldap_search_base: dc=XXX,dc=dir
#ldap_filter: sAMAccountName=%U
ldap_filter: userPrincipalName=%u
#ldap_version: 3
ldap_auth_method: bind
ldap_bind_dn: cn=Administrator,cn=Users,dc=XXX,dc=dir
ldap_bind_pw: XXX
#ldap_scope: sub
ldap_debug: -1
Here I have a problem. This config works fine: all users can only sign in with
their full e-mail address,
so max.mu...@web.de can log in AND Max.murry can't log in.
This is working fine,
but when I want to use cyradm I need to switch the filter in
/etc/saslauthd.conf to sAMAccountName=%U.
If I don't do this I can't access the cyradm tool; perhaps someone could help
here?
I think the problem is the same here: authentication is only allowed with an
FQDN, but the Linux user cyrus has no domain ending.
Hi David,
What error do you get when you attempt to log in as the cyrus user? Try
adding 'cyrus@<domain>' to your admins entry in imapd.conf. Depending on
your deployment, that may not be sufficient for administering all of your
domains. You may need a unique cyrus@<domain> account for each domain, with
each entry listed within an admins config line.
Since your problem is only with cyradm, consider running a second imapd
instance, using local sasldb authentication to support cyradm, i.e.:
Within /etc/cyrus.conf:
imap cmd="imapd" listen="192.168.0.1:imap" prefork=0
imaplocal cmd="imapd" listen="127.0.0.1:imap" prefork=0
Then within /etc/imapd.conf, carve out a unique sasl pwcheck method for
imaplocal:
imaplocal_sasl_pwcheck_method: auxprop
imaplocal_sasl_auxprop_plugin: sasldb
#imaplocal_sasl_mech_list: PLAIN
Then you would maintain the cyrus user's password with saslpasswd2.
--
Dan White
Network Admin Lead
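Added example, not from either message in this thread: a small POSIX sh script that expands the %u, %U and %d tokens of an ldap_filter the way the saslauthd LDAP backend does (%u is the login as saslauthd received it, %U the part before '@', %d the part after it) and prints an equivalent ldapsearch for a given login, so the difference between userPrincipalName=%u and sAMAccountName=%U can be checked for a name like cyrus without restarting saslauthd or touching the live config. The sample saslauthd.conf (example.com names, a bind account called saslauthd) is constructed for this example; realm handling (%r and the effect of the -r option) is not modelled, the login is taken as the string saslauthd would search with.

```shell
#!/bin/sh
# Added example (not from the thread): replay the LDAP search that saslauthd
# builds from its ldap_filter for a given login name.
# Token rules follow the saslauthd LDAP backend documentation (LDAP_SASLAUTHD):
#   %u = login name, %U = user part of the login (before '@'),
#   %d = domain part of the login (after '@'; empty when there is none).
# Other tokens (e.g. %r) are left as literal text; this script does not model
# realms or the -r option.

# expand_filter FILTER LOGIN -> prints FILTER with the tokens substituted
expand_filter() {
    filter=$1
    login=$2
    user=${login%%@*}
    case $login in
        *@*) domain=${login#*@} ;;
        *)   domain= ;;
    esac
    pct=%
    out=
    rest=$filter
    while :; do
        case $rest in
            *"$pct"*)
                head=${rest%%"$pct"*}
                out="$out$head"
                rest=${rest#*"$pct"} ;;
            *) break ;;
        esac
        # $rest now starts with the character after '%'
        case $rest in
            u*) out="$out$login";  rest=${rest#?} ;;
            U*) out="$out$user";   rest=${rest#?} ;;
            d*) out="$out$domain"; rest=${rest#?} ;;
            *)  out="$out$pct" ;;   # unknown token: keep the '%' literally
        esac
    done
    printf '%s\n' "$out$rest"
}

# conf_value FILE KEY -> value of the last active "key: value" line
# (lines starting with '#' are ignored, so a commented-out ldap_filter
# does not win over the live one)
conf_value() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        index($0, k ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); v = $0 }
        END { print v }' "$1"
}

# ldapsearch_cmd CONF LOGIN -> prints an ldapsearch equivalent to the lookup
# saslauthd would perform for LOGIN with the settings in CONF
ldapsearch_cmd() {
    conf=$1
    login=$2
    uri=$(conf_value "$conf" ldap_servers)
    base=$(conf_value "$conf" ldap_search_base)
    binddn=$(conf_value "$conf" ldap_bind_dn)
    filter=$(expand_filter "$(conf_value "$conf" ldap_filter)" "$login")
    # -W prompts for the bind password instead of placing it in argv,
    # where every local user could read it from the process list.
    printf "ldapsearch -x -H '%s' -D '%s' -W -b '%s' -s sub '%s' dn\n" \
        "$uri" "$binddn" "$base" "$filter"
}

# Constructed sample config with the same shape as the one in the thread
# (placeholder names; not a real directory).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample saslauthd.conf
ldap_servers: ldap://dc1.example.com
ldap_search_base: dc=example,dc=com
#ldap_filter: sAMAccountName=%U
ldap_filter: userPrincipalName=%u
ldap_auth_method: bind
ldap_bind_dn: cn=saslauthd,cn=Users,dc=example,dc=com
ldap_bind_pw: changeme
EOF

# Show what the live filter turns into for a full UPN, a bare name and cyrus.
for login in 'alice@example.com' alice cyrus; do
    printf '%-20s -> %s\n' "$login" \
        "$(expand_filter "$(conf_value "$SAMPLE_CONF" ldap_filter)" "$login")"
done
ldapsearch_cmd "$SAMPLE_CONF" cyrus
```

With userPrincipalName=%u a bare login such as cyrus becomes the search userPrincipalName=cyrus, which no AD account matches, while sAMAccountName=%U would search sAMAccountName=cyrus; the printed ldapsearch lets you confirm against the directory which of the two returns an entry before changing the daemon. The end-to-end check against the running daemon is testsaslauthd -u <user> -p <password> -f /var/run/saslauthd/mux, keeping in mind that a password given on the command line is visible in the process list. The thread's config binds as the domain Administrator; a dedicated read-only bind account, as in the sample, limits what a leaked ldap_bind_pw (which sits in plain text in /etc/saslauthd.conf) is worth.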