Hi Denis,

I have a working configuration of Cyrus IMAP 3.4.6 that relies on saslauthd 
in order to authenticate our users against our LDAP directory.

Our servers' OS is RHEL 8, but this should work with other Linux flavors. I do 
not use the pam mechanism with saslauthd but the ldap mechanism.

My saslauthd.conf file contains these four directives:
  - ldap_servers: ldaps://ldap.server.fqdn
  - ldap_search_base: the root DN of our LDAP directory; you may restrict 
your searches to the branch that contains your users' entries,
  - ldap_filter: the search filter that is used in order to find a 
user's entry. A simple example could be *(uid=%U)*, where %U is replaced by the 
user portion of the login by saslauthd. You adapt your filter to your 
directory's schema and may need to use other tokens than %U. The tokens are 
documented in the file named LDAP_SASLAUTHD that comes with cyrus-sasl. For 
instance, I am also using the %r token in order to also use the realm in my LDAP 
filter.
  - ldap_tls_cert_file: the path to a file that contains a bundle of CA 
certificates that can be used to check the LDAP server's certificate signature.

On our servers, saslauthd is run with these options:

> -m /run/saslauthd -a ldap -c -t 300 -O /etc/saslauthd.conf

On RHEL, this is configured in /etc/sysconfig/saslauthd, where I have set these 
2 variables:

> MECH=ldap
> FLAGS="-c -t 300 -O /etc/saslauthd.conf"

You may have to adapt this configuration for your OS.

As for Cyrus IMAP, I have set these 3 directives in order to authenticate from 
our LDAP directory with the PLAIN mechanism on a TLS-encrypted connection:

> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN
> allowplaintext: no

I hope that this will help you.

Regards
------------------------------------------
Cyrus: Info
Permalink: 
https://cyrus.topicbox.com/groups/info/T1c604a219c5fa805-M365f16cac28eae3a8309701f
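As an added example (not code from the poster or from the Cyrus project), the following script renders the saslauthd, sysconfig and imapd.conf settings described in the message above into a scratch directory and then lints them for the settings that decide whether credentials are actually protected: an ldaps:// server URI, server certificate verification, a filter that references the login name, and PLAIN confined to TLS sessions. The host name, base DN and CA bundle path are placeholders. The TLS directive names used here, `ldap_tls_check_peer` and `ldap_tls_cacert_file`, are the ones I know from the LDAP_SASLAUTHD file shipped with cyrus-sasl; the poster writes `ldap_tls_cert_file`, so check the LDAP_SASLAUTHD file of your installed version for the exact spelling and keep in mind that, as far as I know, `ldap_tls_check_peer: yes` is what makes libldap reject a certificate it cannot verify, independently of which CA bundle is configured.

```shell
#!/bin/sh
# Added example, not part of the original post: render the saslauthd/LDAP and
# Cyrus IMAP settings from the message into a scratch directory and lint them.
# Host, base DN and CA bundle path are placeholders, not the poster's values.

LDAP_URI="ldaps://ldap.example.org"          # placeholder; must be ldaps://
LDAP_BASE="ou=people,dc=example,dc=org"      # placeholder; branch holding the users
LDAP_FILTER='(&(uid=%U)(o=%r))'              # %U = user part, %r = realm (LDAP_SASLAUTHD)
CA_BUNDLE="/etc/pki/tls/certs/ca-bundle.crt" # placeholder CA bundle path

# write_configs DIR: write saslauthd.conf, the sysconfig fragment and the
# imapd.conf fragment into DIR so nothing on the host is touched.
write_configs() {
    dir=$1
    # Directive names as documented in LDAP_SASLAUTHD (assumption: verify against
    # the copy shipped with your cyrus-sasl). ldap_tls_check_peer is the switch
    # that makes an unverifiable server certificate fatal.
    cat > "$dir/saslauthd.conf" <<EOF
ldap_servers: $LDAP_URI
ldap_search_base: $LDAP_BASE
ldap_filter: $LDAP_FILTER
ldap_tls_check_peer: yes
ldap_tls_cacert_file: $CA_BUNDLE
EOF
    # /etc/sysconfig/saslauthd on RHEL: MECH picks the backend, FLAGS is appended
    # to the saslauthd command line (-c enables the cache, -t 300 its lifetime).
    cat > "$dir/sysconfig-saslauthd" <<'EOF'
MECH=ldap
FLAGS="-c -t 300 -O /etc/saslauthd.conf"
EOF
    # imapd.conf fragment: PLAIN only, and only once the session is encrypted.
    cat > "$dir/imapd.conf" <<'EOF'
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
allowplaintext: no
EOF
}

# getval FILE KEY: print the value of the first "KEY: value" line in FILE.
getval() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# check_saslauthd_conf FILE: succeed only if the LDAP side is TLS-protected,
# the server certificate is enforced, and the filter uses the login name.
check_saslauthd_conf() {
    f=$1
    case "$(getval "$f" ldap_servers)" in
        ldaps://*) ;;
        *) echo "$f: ldap_servers must be ldaps:// (ldap:// sends the bind in clear)" >&2; return 1 ;;
    esac
    [ "$(getval "$f" ldap_tls_check_peer)" = "yes" ] ||
        { echo "$f: ldap_tls_check_peer is not yes; server certificate not enforced" >&2; return 1; }
    [ -n "$(getval "$f" ldap_tls_cacert_file)" ] ||
        { echo "$f: ldap_tls_cacert_file is not set" >&2; return 1; }
    case "$(getval "$f" ldap_filter)" in
        *%U*|*%u*) ;;
        *) echo "$f: ldap_filter does not reference the login name (%U or %u)" >&2; return 1 ;;
    esac
    return 0
}

# check_imapd_conf FILE: succeed only if saslauthd is the password checker and
# PLAIN cannot be used before the connection is encrypted.
check_imapd_conf() {
    f=$1
    [ "$(getval "$f" sasl_pwcheck_method)" = "saslauthd" ] ||
        { echo "$f: sasl_pwcheck_method is not saslauthd" >&2; return 1; }
    [ "$(getval "$f" sasl_mech_list)" = "PLAIN" ] ||
        { echo "$f: sasl_mech_list is not PLAIN" >&2; return 1; }
    [ "$(getval "$f" allowplaintext)" = "no" ] ||
        { echo "$f: allowplaintext must be no, or PLAIN is accepted in clear" >&2; return 1; }
    return 0
}

# Stand-alone run: render into a scratch directory, lint, show, clean up.
tmp=$(mktemp -d)
write_configs "$tmp"
if check_saslauthd_conf "$tmp/saslauthd.conf" && check_imapd_conf "$tmp/imapd.conf"; then
    echo "rendered configuration passes the checks:"
    cat "$tmp/saslauthd.conf" "$tmp/sysconfig-saslauthd" "$tmp/imapd.conf"
fi
rm -rf "$tmp"
```

Once the rendered files are in place, the cache flags from the message (`-c -t 300`) mean a changed or revoked LDAP password can still be accepted for up to 300 seconds, which is the trade-off of `-t`; and the end-to-end path is best confirmed with `testsaslauthd -u <user> -r <realm> -p <password> -f /run/saslauthd/mux` against the running daemon rather than by reading the files.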