Hi there
I've been copying users' mailboxes via IMAP from Office365 using Azure AD
(now Microsoft Entra), and needed imapsync's XOAUTH2 code for that in
order to obtain a Bearer token with the admin's cooperation.
In order to run your own Cyrus IMAP repo and authenticate against AD I
think you're going to need something like
https://github.com/moriyoshi/cyrus-sasl-xoauth2, haven't tried it yet though.
Maybe a self-hosted AD doesn't require OAUTH2, as opposed to Azure.
Best regards
Carlos


On Thu, Mar 14, 2024 at 10:12 AM Stéphane Gaubert <[email protected]>
wrote:

> Hi Denis,
>
> I have a working configuration of Cyrus IMAP 3.4.6 that is relying on
> saslauthd in order to authenticate our users with our LDAP directory.
>
> Our servers' OS is RHEL 8 but this should work with other Linux flavors. I
> do not use the pam mechanism with saslauthd but the ldap mechanism.
>
> My saslauthd.conf file contains those four directives :
>   - ldap_servers: ldaps://ldap.server.fqdn
>   - ldap_search_base : the root DN of our LDAP directory ; you may
> restrict your searches to the branch that contains your users' entries,
>   - ldap_filter : the search filter that is used in order to find a
> user's entry. A simple example could be *(uid=%U)* where %U is replaced by
> the user portion of the login by saslauthd. You adapt your filter to your
> directory's schema and may need to use other tokens than %U. The tokens are
> documented in the file named LDAP_SASLAUTHD that comes with cyrus-sasl. For
> instance I am also using the %r token in order to also use the realm in my
> LDAP filter.
>   - ldap_tls_cert_file : the path to a file that contains a bundle of CA
> certificates that can be used to check the LDAP server's certificate
> signature.
>
> On our servers, saslauthd is run with those options :
>
> -m /run/saslauthd -a ldap -c -t 300 -O /etc/saslauthd.conf
>
>
> On RHEL, this is configured in /etc/sysconfig/saslauthd where I have set
> those 2 variables :
>
> MECH=ldap
> FLAGS="-c -t 300 -O /etc/saslauthd.conf"
>
>
> You may have to adapt this configuration for your OS.
>
> As for Cyrus IMAP I have set these 3 directives in order to authenticate
> from our LDAP directory with the PLAIN mechanism on a TLS encrypted
> connection :
>
> sasl_pwcheck_method : saslauthd
> sasl_mech_list: PLAIN
> allowplaintext: no
>
>
> I hope that this will help you.
>
> Regards
>

------------------------------------------
Cyrus: Info
Permalink: 
https://cyrus.topicbox.com/groups/info/T1c604a219c5fa805-Mf4c9a67d3bd6671578ad92f1
Delivery options: https://cyrus.topicbox.com/groups/info/subscription
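Rendered as files, the saslauthd-over-LDAP setup Stéphane describes looks like the following. This is an added example, not code from the thread or from the Cyrus project: the LDAP host, base DN, filter and CA-bundle path are placeholders, and the two directives beyond his four (ldap_tls_check_peer, ldap_tls_cacert_file) are taken from my reading of LDAP_SASLAUTHD, so check them against the copy shipped with your cyrus-sasl. The check functions encode the point of the setup: saslauthd can only serve mechanisms that hand it the cleartext password (PLAIN, LOGIN), so imapd.conf must refuse those mechanisms off TLS, and the LDAP side must itself use ldaps:// with peer verification, or the password is forwarded in the clear one hop later.

```shell
#!/bin/sh
# Added example (not from the list thread or the Cyrus project).
# Renders a saslauthd LDAP configuration plus the matching imapd.conf
# fragment, then checks the security-relevant invariants of both.
# All hostnames, DNs and paths below are assumed placeholder values.

write_saslauthd_conf() {
  # $1: output path. Directive names as documented in LDAP_SASLAUTHD.
  # %U is replaced by the user part of the login, %r by the realm.
  cat > "$1" <<'EOF'
ldap_servers: ldaps://ldap.example.org
ldap_search_base: ou=people,dc=example,dc=org
ldap_filter: (&(objectClass=inetOrgPerson)(uid=%U))
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/pki/tls/certs/ca-bundle.crt
EOF
}

write_imapd_conf() {
  # $1: output path. Only the three directives relevant to saslauthd auth.
  # allowplaintext: no means PLAIN is only accepted once TLS is up
  # (STARTTLS on 143, or the implicit-TLS port 993).
  cat > "$1" <<'EOF'
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
allowplaintext: no
EOF
}

conf_value() {
  # $1: file, $2: key. Prints the value of the first "key: value" line,
  # splitting on the first colon only so ldaps://host values survive.
  awk -v k="$2" '
    /^[ \t]*#/ { next }
    { i = index($0, ":"); if (i == 0) next
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == k) { print val; exit } }' "$1"
}

check_saslauthd_conf() {
  # The password saslauthd receives is re-sent to the directory as a bind,
  # so the directory hop must be TLS with a verified server certificate.
  f=$1
  case "$(conf_value "$f" ldap_servers)" in
    ldaps://*) ;;
    *) echo "ldap_servers is not ldaps://" >&2; return 1 ;;
  esac
  [ "$(conf_value "$f" ldap_tls_check_peer)" = yes ] ||
    { echo "ldap_tls_check_peer is not yes" >&2; return 1; }
  # %U is untrusted input that lands inside an LDAP filter: keep the
  # filter tied to an objectClass and the base to the users' branch.
  case "$(conf_value "$f" ldap_filter)" in
    *%U*|*%u*) ;;
    *) echo "ldap_filter does not use the user token" >&2; return 1 ;;
  esac
  return 0
}

check_imapd_conf() {
  f=$1
  [ "$(conf_value "$f" sasl_pwcheck_method)" = saslauthd ] ||
    { echo "sasl_pwcheck_method is not saslauthd" >&2; return 1; }
  mechs=$(conf_value "$f" sasl_mech_list)
  [ -n "$mechs" ] || { echo "sasl_mech_list missing" >&2; return 1; }
  # saslauthd needs the cleartext password, so only PLAIN/LOGIN can be
  # served by it; anything else here would silently fail to authenticate.
  for m in $mechs; do
    case $m in
      PLAIN|LOGIN) ;;
      *) echo "mechanism $m cannot be served by saslauthd" >&2; return 1 ;;
    esac
  done
  # Cleartext mechanisms must be refused until TLS is established.
  [ "$(conf_value "$f" allowplaintext)" = no ] ||
    { echo "allowplaintext must be no" >&2; return 1; }
  return 0
}

demo() {
  d=$(mktemp -d)
  write_saslauthd_conf "$d/saslauthd.conf"
  write_imapd_conf "$d/imapd.conf"
  check_saslauthd_conf "$d/saslauthd.conf" && check_imapd_conf "$d/imapd.conf" &&
    echo "rendered and checked configs in $d"
  # After deploying, exercise the saslauthd socket directly before touching
  # Cyrus (path matches the -m /run/saslauthd option):
  #   testsaslauthd -u alice -p 'her-password' -f /run/saslauthd/mux
}

demo
```

If the testsaslauthd step passes but IMAP logins fail, the usual cause is the second check above: a mechanism list that includes something saslauthd cannot serve, or a client trying PLAIN before STARTTLS and being refused by allowplaintext.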
