Joshua and Tobias,

Once again, thanks for the advice.  One of my key misunderstandings was
that gentoo created a file called smtpd.conf under the sasl2 folder.  In
the file was pwcheck_method=pam.  I read up on this some, and I think
it's an error--it should have been saslauthd (might be a holdback to the
sasl v1 era).

I got it working via pam, but have decided it's easier to maintain 1
ldap config file than potentially multiple pam files (imap, pop, sieve,
etc).  I'll try that out tonight using the config file you (Josh) sent
as a template!

I *think* I understand how sasl works now:)  Woo hoo!

Thanks,

Kevin Williams

On Fri, 2004-08-06 at 20:01, Joshua Schmidlkofer wrote:
> Kevin Williams wrote:
> > All,
> > 
> > I posted this to cyrus imap's list, but no response.  The local list
> > seems to be much more helpful:)
> > 
> > Anyway, I'm trying to understand the inner workings of cyrus sasl, in
> > order to authenticate against LDAP via pam (imap-->sasl-->pam-->ldap).
> > 
> > I've got an error in my understanding since it won't work.  Here's what
> > I THOUGHT my options were for configuring cyrus imap to authenticate
> > against LDAP:
> > 
> > 
> > 1. 
> > --imapd.conf file has NO sasl parameters.
> > --imapd file in sasl2 folder has one parameter pwcheck_method:pam
> > 
> > This option does NOT run against the saslauthd daemon.  IMAP knows to
> > use SASL, and checks for the sasl config file which says don't use SASL,
> > forward to PAM directly.  I have my PAM imap file configured to use LDAP
> > (/etc/ldap.conf).
> > 
> > 2.  
> > --imapd.conf file has sasl_pwcheck_method:pam
> > This is the same as #1
> > 
> > 
> > 3.
> > --imapd.conf file has no sasl parameter.
> > --imapd file in sasl2 folder has one parameter pwcheck_method:saslauthd
> > 
> > This option tells the imapd to forward the parameters to the saslauthd
> > daemon.  When the sasl daemon is started, the desired login mechanism is
> > passed as a parameter (saslauthd -a pam).  I have my PAM imap file
> > configured to use LDAP (/etc/ldap.conf)
> > 
> > 4.
> > --imapd.conf file has sasl_pwcheck_method:saslauthd
> > 
> > Same as #3.
> > 
> > 
> > 5.
> > --imapd.conf file has no sasl parameter.
> > --imapd file in sasl2 folder has one parameter pwcheck_method:ldap
> > 
> > This is similar to the PAM process (#1): imap looks up the imapd file,
> > determines it's pam, and uses sasl to configure against pam.  The
> > saslauthd.conf file stores the ldap config information.
> > 
> > 6.
> > --imapd.conf file has sasl_pwcheck_method:ldap
> > 
> > Same as 5.  The saslauthd.conf file stores the ldap config information.
> > 
> > 
> > 7.
> > --imapd.conf file has no sasl parameter.
> > --imapd file in sasl2 folder has one parameter pwcheck_method:saslauthd
> > 
> > This option tells the imapd to forward the parameters to the saslauthd
> > daemon.  When the sasl daemon is started, the desired login mechanism is
> > passed as a parameter (saslauthd -a ldap).  The saslauthd daemon uses
> > the /saslauthd.conf file to store its ldap config information.
> > 
> > 8.
> > --imapd.conf file has sasl_pwcheck_method:saslauthd
> > 
> > Same as #7.
> > 
> > 
> > 
> > 
> > Thanks in advance for clarifying this for me.  
> > 
> > Kevin Williams
> > _______________________________________________
> > PDXLUG mailing list
> > [EMAIL PROTECTED]
> > http://pdxlug.org/mailman/listinfo/pdxlug
> > 
> 
> 
> 
> I want to disclose that I am really tired right now.  The haze is 
> killing my ability to read and follow your e-mail.
> 
> What I can tell you is this:
> 
> cyrus-sasl version 1 - this version has you set a million different 
> pwcheck_methods, etc.   In all apps using sasl v2 [anything recent], 
> the pwcheck_method is set to saslauthd.
> 
> 
> saslauthd must be running, and other apps must have access to its read 
> pipe.  [housed in /var/run/saslauthd by default]
> 
> Saslauthd, mostly configured on the command line, must have your 
> appropriate authentication configuration.
> 
> the Cyrus-SASL documentation sucks like something I can't say here
> 
> 
> Here is a sample saslauthd.conf:
> 
> # (c) 2002 Tassilo Erlewein <[EMAIL PROTECTED]>
> # (c) 2002 Martin Konold <[EMAIL PROTECTED]>
> # (c) 2002 Achim Frank <[EMAIL PROTECTED]>
> 
> # this file is automatically written by the Kolab config backend
> # manual additions are lost unless made to the template in the Kolab config directory
> 
> ldap_servers: ldap://127.0.0.1:389
> #ldap_servers: <ldap://localhost/>
> #        Specify URI(s) referring to LDAP server(s), e.g. ldaps://10.1.1.2:999/.
> #        You can specify multiple servers separated by a space.
> 
> #ldap_bind_dn: <none>
> #        Specify DN (distinguished name) to bind to the LDAP directory.  Do not
> #        specify this parameter for the anonymous bind.
> 
> #ldap_bind_pw: <none>
> #        Specify the password for ldap_bind_dn.  Do not specify this parameter
> #        for the anonymous bind.
> 
> ldap_version: 3
> #ldap_version: <3> <2|3>
> #        Specify the LDAP protocol version to use.
> 
> #ldap_timeout: <5>
> #        Specify a number of seconds a search can take before timing out.
> 
> #ldap_time_limit: <5>
> #        Specify a number of seconds for a search request to complete.
> 
> #ldap_deref: <none> <search|find|always|never>
> #        Specify how aliases dereferencing is handled during a search.
> 
> #ldap_referrals: <no>
> #        Specify whether or not the client should follow referrals.
> 
> #ldap_restart: <yes>
> #        Specify whether or not LDAP I/O operations are automatically restarted
> #        if they abort prematurely.
> 
> #ldap_cache_ttl: <0>
> #        Non zero enables client side caching.  Cached results will expire after
> #        the specified number of seconds, e.g. 30.  Use this option with care.
> #        OpenLDAP folks consider this feature experimental.
> 
> #ldap_cache_mem: <0>
> #        If client side caching is enabled, the value specifies the cache size
> #        in bytes, e.g. 32768.
> 
> #ldap_scope: <sub> <sub|one|base>
> #        Search scope.
> 
> ldap_search_base: dc=webmail,dc=valuecad,dc=com
> #ldap_search_base: <none>
> #        Specify a starting point for the search.  e.g. dc=foo,dc=com
> 
> #ldap_auth_method: <bind> <bind|custom>
> #        Specify an authentication method.  The default 'bind' method uses the
> #        LDAP simple bind facility to verify the password.  The custom method
> #        uses userPassword attribute to verify the password.  Currently, {CRYPT}
> #        hash is supported.
> 
> ldap_filter: (|(uid=%u)(mail=%u)(alias=%u))
> #ldap_filter: <uid=%u>
> #        Specify a filter.  Use the %u and %r tokens for the username and realm
> #        substitution.  The %u token has to be used at minimum for the filter to
> #        be useful.  If ldap_auth_method is 'bind', the filter will search for
> #        the DN (distinguished name) attribute.  Otherwise, the search will look
> #        for the userPassword attribute.
> 
> #ldap_debug: <0>
> #        Specify a debugging level in the OpenLDAP libraries.  See
> #        ldap_set_option(3) for more (LDAP_OPT_DEBUG_LEVEL).
> 
> #ldap_tls_check_peer: <no> <yes|no>
> #        Require and verify server certificate.  If this option is yes,
> #        you must specify ldap_tls_cacert_file or ldap_tls_cacert_dir.
> 
> #ldap_tls_cacert_file: <none>
> #        File containing CA (Certificate Authority) certificate(s).
> 
> #ldap_tls_cacert_dir: <none>
> #        Path to directory with CA (Certificate Authority) certificates.
> 
> #ldap_tls_ciphers: <DEFAULT>
> #        List of SSL/TLS ciphers to allow.  The format of the string is
> #        described in ciphers(1).
> 
> #ldap_tls_cert: <none>
> #        File containing the client certificate.
> 
> #ldap_tls_key: <none>
> #        File containing the private client key.
> 
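An added illustration, not code from this thread or from Cyrus SASL itself, of the hop Joshua describes: with pwcheck_method: saslauthd, imapd hands the login, password, service name and realm to the saslauthd daemon over its socket as four length-prefixed fields and gets back an OK or NO line.  The backend here is a constructed in-memory user table standing in for the LDAP bind that saslauthd -a ldap would perform, and the field-length cap is an assumed limit, not saslauthd's exact value.

```python
"""Constructed demo of the request/reply framing between a SASL client
(e.g. imapd via libsasl) and the saslauthd daemon, run offline over a
socketpair against a fake backend.  Not the project's own code."""
import socket
import struct

MAX_FIELD = 255  # assumed per-field cap; saslauthd rejects oversized fields

def encode_request(login, password, service, realm=""):
    """Each field is a 16-bit big-endian length followed by its bytes."""
    out = b""
    for field in (login, password, service, realm):
        data = field.encode()
        if len(data) > MAX_FIELD:
            raise ValueError("field too long for saslauthd request")
        out += struct.pack("!H", len(data)) + data
    return out

def decode_request(buf):
    """Parse the four fields back out; returns (login, password, service, realm)."""
    fields, pos = [], 0
    for _ in range(4):
        (n,) = struct.unpack_from("!H", buf, pos)
        pos += 2
        fields.append(buf[pos:pos + n].decode())
        pos += n
    return tuple(fields)

def encode_reply(ok, reason=""):
    """Reply is one length-prefixed string beginning with OK or NO."""
    text = ("OK" if ok else "NO") + (" " + reason if reason else "")
    return struct.pack("!H", len(text)) + text.encode()

def decode_reply(buf):
    (n,) = struct.unpack_from("!H", buf, 0)
    return buf[2:2 + n].decode()

CONSTRUCTED_USERS = {"kevin": "s3cret"}  # stands in for the LDAP bind check

def fake_saslauthd(conn):
    """Server side: verify the credentials for the requested service only."""
    login, password, service, realm = decode_request(conn.recv(4096))
    ok = CONSTRUCTED_USERS.get(login) == password and service == "imap"
    conn.sendall(encode_reply(ok, "" if ok else "authentication failed"))

def check_password(login, password, service="imap", realm=""):
    """Client side, the role libsasl plays for imapd; returns the reply text."""
    client, server = socket.socketpair()
    with client, server:
        client.sendall(encode_request(login, password, service, realm))
        fake_saslauthd(server)
        return decode_reply(client.recv(4096))
```

Against a live daemon the same exchange is what the testsaslauthd utility performs, which is the quickest way to confirm saslauthd and its LDAP configuration work before involving imapd at all.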