Kev-

I had a similar problem with my imapd, although not cyrus, but in the end it
turned out that I didn't have saslauthd running, and when it was, its pipe
wasn't in the right place. I also needed to tell Postfix, for smtpauth, about
it too, via the smtpd.conf. (...remember I'm on Debian so YMMV)

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
The easiest way to *line things up* was to tell saslauthd to listen
elsewhere with -m in my init script:
[snip...]
NAME=saslauthd
DAEMON="/usr/sbin/${NAME}"
DESC="SASL Authentication Daemon"
DEFAULTS=/etc/default/saslauthd
PWDIR=/var/run/saslauthd
PARAMS="-m /var/spool/postfix/var/run/saslauthd"
[...snip]

Does testsaslauthd work for you?
I hope this is what you were asking for. I'm un-caffeinated at the moment and I always regret sending mail in this state :)
Glad to see you're still at it, your resolve is impressive!
Hope this helps,
Tobias
Joshua Schmidlkofer wrote:
| Kevin Williams wrote:
|
|> All,
|>
|> I posted this to cyrus imap's list, but no response. The local list
|> seems to be much more helpful:)
|>
|> Anyway, I'm trying to understand the inner workings of cyrus sasl, in
|> order to authenticate against LDAP via pam (imap-->sasl-->pam-->ldap).
|>
|> I've got an error in my understanding since it won't work. Here's what
|> I THOUGHT my options were for configuring cyrus imap to authenticate
|> against LDAP:
|>
|> 1. --imapd.conf file has NO sasl parameters.
|>    --imapd file in sasl2 folder has one parameter pwcheck_method:pam
|>    This option does NOT run against the saslauthd daemon. IMAP knows to
|>    use SASL, and checks for the sasl config file which says don't use SASL,
|>    forward to PAM directly. I have my PAM imap file configured to use LDAP
|>    (/etc/ldap.conf).
|>
|> 2. --imapd.conf file has sasl_pwcheck_method:pam
|>    This is the same as #1
|>
|> 3. --imapd.conf file has no sasl parameter.
|>    --imapd file in sasl2 folder has one parameter pwcheck_method:saslauthd
|>    This option tells the imapd to forward the parameters to the saslauthd
|>    daemon. When the sasl daemon is started, the desired login mechanism is
|>    passed as a parameter (saslauthd -a pam). I have my PAM imap file
|>    configured to use LDAP (/etc/ldap.conf)
|>
|> 4. --imapd.conf file has sasl_pwcheck_method:saslauthd
|>    Same as #3.
|>
|> 5. --imapd.conf file has no sasl parameter.
|>    --imapd file in sasl2 folder has one parameter pwcheck_method:ldap
|>    This is similar to PAM process (#1): imap looks up imapd file and
|>    determines it's pam and uses sasl to configure against pam. The
|>    saslauthd.conf file stores the ldap config information.
|>
|> 6. --imapd.conf file has sasl_pwcheck_method:ldap
|>    Same as 5. The saslauthd.conf file stores the ldap config information.
|>
|> 7. --imapd.conf file has no sasl parameter.
|>    --imapd file in sasl2 folder has one parameter pwcheck_method:saslauthd
|>    This option tells the imapd to forward the parameters to the saslauthd
|>    daemon. When the sasl daemon is started, the desired login mechanism is
|>    passed as a parameter (saslauthd -a ldap). The saslauthd daemon uses
|>    the /saslauthd.conf file to store its ldap config information.
|>
|> 8. --imapd.conf file has sasl_pwcheck_method:saslauthd
|>    Same as #7.
|>
|> Thanks in advance for clarifying this for me.
|> Kevin Williams
|> _______________________________________________
|> PDXLUG mailing list
|> [EMAIL PROTECTED]
|> http://pdxlug.org/mailman/listinfo/pdxlug
|
| I want to disclose that I am really tired right now. The haze is
| killing my ability to read and follow your e-mail.
|
| What I can tell you is this:
|
| cyrus-sasl version 1 - this version has you set a million different
| pwcheck_methods, etc. In all apps using sasl v2 [anything recent], all
| apps are set to pwcheck_method of saslauthd.
|
| saslauthd must be running, and other apps must have access to its read
| pipe [housed in /var/run/saslauthd by default].
|
| Saslauthd, mostly configured on the command line, must have your
| appropriate authentication configuration.
|
| The Cyrus-SASL documentation sucks like something I can't say here.
|
| Here is a sample saslauthd.conf:
|
| # (c) 2002 Tassilo Erlewein <[EMAIL PROTECTED]>
| # (c) 2002 Martin Konold <[EMAIL PROTECTED]>
| # (c) 2002 Achim Frank <[EMAIL PROTECTED]>
|
| # this file is automatically written by the Kolab config backend
| # manual additions are lost unless made to the template in the Kolab
| # config directory
|
| ldap_servers: ldap://127.0.0.1:389
| #ldap_servers: <ldap://localhost/>
| # Specify URI(s) referring to LDAP server(s), e.g. ldaps://10.1.1.2:999/.
| # You can specify multiple servers separated by a space.
|
| #ldap_bind_dn: <none>
| # Specify DN (distinguished name) to bind to the LDAP directory. Do not
| # specify this parameter for the anonymous bind.
|
| #ldap_bind_pw: <none>
| # Specify the password for ldap_bind_dn. Do not specify this parameter
| # for the anonymous bind.
|
| ldap_version: 3
| #ldap_version: <3> <2|3>
| # Specify the LDAP protocol version to use.
|
| #ldap_timeout: <5>
| # Specify a number of seconds a search can take before timing out.
|
| #ldap_time_limit: <5>
| # Specify a number of seconds for a search request to complete.
|
| #ldap_deref: <none> <search|find|always|never>
| # Specify how alias dereferencing is handled during a search.
|
| #ldap_referrals: <no>
| # Specify whether or not the client should follow referrals.
|
| #ldap_restart: <yes>
| # Specify whether or not LDAP I/O operations are automatically restarted
| # if they abort prematurely.
|
| #ldap_cache_ttl: <0>
| # Non-zero enables client side caching. Cached results will expire after
| # the specified number of seconds, e.g. 30. Use this option with care.
| # OpenLDAP folks consider this feature experimental.
|
| #ldap_cache_mem: <0>
| # If client side caching is enabled, the value specifies the cache size
| # in bytes, e.g. 32768.
|
| #ldap_scope: <sub> <sub|one|base>
| # Search scope.
|
| ldap_search_base: dc=webmail,dc=valuecad,dc=com
| #ldap_search_base: <none>
| # Specify a starting point for the search, e.g. dc=foo,dc=com
|
| #ldap_auth_method: <bind> <bind|custom>
| # Specify an authentication method. The default 'bind' method uses the
| # LDAP simple bind facility to verify the password. The custom method
| # uses the userPassword attribute to verify the password. Currently, {CRYPT}
| # hash is supported.
|
| ldap_filter: (|(uid=%u)(mail=%u)(alias=%u))
| #ldap_filter: <uid=%u>
| # Specify a filter. Use the %u and %r tokens for the username and realm
| # substitution. The %u token has to be used at minimum for the filter to
| # be useful. If ldap_auth_method is 'bind', the filter will search for
| # the DN (distinguished name) attribute. Otherwise, the search will look
| # for the userPassword attribute.
|
| #ldap_debug: <0>
| # Specify a debugging level in the OpenLDAP libraries. See
| # ldap_set_option(3) for more (LDAP_OPT_DEBUG_LEVEL).
|
| #ldap_tls_check_peer: <no> <yes|no>
| # Require and verify server certificate. If this option is yes,
| # you must specify ldap_tls_cacert_file or ldap_tls_cacert_dir.
|
| #ldap_tls_cacert_file: <none>
| # File containing CA (Certificate Authority) certificate(s).
|
| #ldap_tls_cacert_dir: <none>
| # Path to directory with CA (Certificate Authority) certificates.
|
| #ldap_tls_ciphers: <DEFAULT>
| # List of SSL/TLS ciphers to allow. The format of the string is
| # described in ciphers(1).
|
| #ldap_tls_cert: <none>
| # File containing the client certificate.
|
| #ldap_tls_key: <none>
| # File containing the private client key.
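Added example for the two config files this thread passes around (saslauthd.conf with the LDAP backend, and the smtpd.conf that points Postfix at saslauthd), not code from the list, from Cyrus SASL or from Kolab. It parses the "key: value" format shown above and flags the settings that matter before you put the setup on a network: ldap:// to a non-loopback server with neither ldaps:// nor ldap_start_tls, TLS without ldap_tls_check_peer, check_peer without a CA to check against, a filter with no %u, a stored bind password, and PLAIN/LOGIN in mech_list. It also derives the -m directory from the Postfix chroot the way Tobias's init script does. The sample configs are constructed from the ones quoted in the thread; ldap_start_tls is taken from the LDAP_SASLAUTHD documentation rather than from the quoted sample, the CA file path is an assumption, and the severities are this example's own choices.

```python
"""Lint the 'key: value' files Cyrus SASL reads (saslauthd.conf, smtpd.conf).

Added example for the PDXLUG thread; not code from the list or from
Cyrus SASL. Option names follow the LDAP_SASLAUTHD documentation shipped
with cyrus-sasl; severities are this example's own choices.
"""
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_sasl_conf(text):
    """Parse 'key: value' lines. Lines starting with '#' are comments;
    the first ':' separates key from value so ldap://host:389 survives;
    a repeated key keeps the last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf


def _yes(conf, key):
    return conf.get(key, "no").lower() in ("yes", "true", "1")


def check_saslauthd_ldap(conf):
    """Return (severity, message) findings for an LDAP-backed saslauthd.conf."""
    findings = []
    servers = conf.get("ldap_servers", "").split()
    if not servers:
        findings.append(("error", "ldap_servers is not set"))
    start_tls = _yes(conf, "ldap_start_tls")        # option from the docs, not the quoted sample
    check_peer = _yes(conf, "ldap_tls_check_peer")
    for uri in servers:
        host = urlsplit(uri).hostname or ""
        encrypted = urlsplit(uri).scheme == "ldaps" or start_tls
        # The default auth method is a simple bind with the user's password,
        # so an unencrypted connection off-host leaks every login.
        if not encrypted and host not in LOOPBACK:
            findings.append(("error", f"{uri}: simple bind sends passwords in the clear to a "
                                      f"non-loopback host; use ldaps:// or ldap_start_tls: yes"))
        if encrypted and not check_peer:
            findings.append(("warn", f"{uri}: TLS without ldap_tls_check_peer: yes does not "
                                     f"verify the server certificate"))
    if check_peer and not (conf.get("ldap_tls_cacert_file") or conf.get("ldap_tls_cacert_dir")):
        findings.append(("error", "ldap_tls_check_peer: yes requires ldap_tls_cacert_file "
                                  "or ldap_tls_cacert_dir"))
    if "%u" not in conf.get("ldap_filter", "uid=%u"):   # documented default is uid=%u
        findings.append(("error", "ldap_filter must contain %u or it matches nothing useful"))
    if "ldap_bind_pw" in conf:
        findings.append(("info", "ldap_bind_pw is stored in clear; keep saslauthd.conf root-only"))
    return findings


def check_smtpd(conf):
    """Findings for the smtpd.conf Postfix hands to libsasl."""
    findings = []
    if conf.get("pwcheck_method") != "saslauthd":
        findings.append(("warn", "pwcheck_method is not saslauthd; nothing will reach the daemon"))
    clear = [m for m in conf.get("mech_list", "").upper().split() if m in ("PLAIN", "LOGIN")]
    if clear:
        findings.append(("warn", f"{' '.join(clear)} carry the password in the clear; "
                                 f"only offer them after STARTTLS (Postfix smtpd_tls_auth_only = yes)"))
    return findings


def saslauthd_mux_for_chroot(chroot, default_mux="/var/run/saslauthd"):
    """The -m directory a chrooted smtpd needs: the default mux dir
    appended to the chroot, i.e. /var/spool/postfix/var/run/saslauthd."""
    return chroot.rstrip("/") + default_mux


# Constructed samples, modelled on the configs quoted in the thread.
SAMPLE_SASLAUTHD_CONF = """\
ldap_servers: ldap://127.0.0.1:389
#ldap_bind_dn: <none>
ldap_version: 3
ldap_search_base: dc=webmail,dc=valuecad,dc=com
ldap_filter: (|(uid=%u)(mail=%u)(alias=%u))
"""
# Same file copied to a box whose directory lives elsewhere: plain ldap:// off-host.
SAMPLE_REMOTE_CONF = SAMPLE_SASLAUTHD_CONF.replace("ldap://127.0.0.1:389", "ldap://10.1.1.2:389")
# Hardened version of that: ldaps with peer verification (CA path is an assumption).
SAMPLE_HARDENED_CONF = SAMPLE_REMOTE_CONF.replace("ldap://10.1.1.2:389", "ldaps://10.1.1.2:636/") + \
    "ldap_tls_check_peer: yes\nldap_tls_cacert_file: /etc/ssl/certs/ca.pem\n"
SAMPLE_SMTPD_CONF = "pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN\n"

if __name__ == "__main__":
    for name, text, check in (("saslauthd.conf (thread)", SAMPLE_SASLAUTHD_CONF, check_saslauthd_ldap),
                              ("saslauthd.conf (remote)", SAMPLE_REMOTE_CONF, check_saslauthd_ldap),
                              ("saslauthd.conf (hardened)", SAMPLE_HARDENED_CONF, check_saslauthd_ldap),
                              ("smtpd.conf", SAMPLE_SMTPD_CONF, check_smtpd)):
        print(name, check(parse_sasl_conf(text)) or "clean")
    print("-m", saslauthd_mux_for_chroot("/var/spool/postfix"))
```

The thread's own saslauthd.conf comes out clean only because it talks to 127.0.0.1; move the directory to another host and the same file starts shipping every user's password in the clear, which is the case the linter is there to catch. The smtpd.conf finding is a reminder that "mech_list: PLAIN LOGIN" is fine only once Postfix refuses AUTH before STARTTLS.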
