cyrus mailbox authentication changing from NIS to LDAP

2015-09-18 Thread Sunny

Hi,

I've inherited a cyrus mail server and I'm currently learning how it's 
set up, and would like some advice on changing from NIS to LDAP authentication.


At the moment, the imap server uses NIS to authenticate ssh connections 
and, I believe, also to authenticate users to their mailboxes.


imapd.conf
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN

/etc/sysconfig/saslauthd
MECH=pam

From the above output I believe that cyrus will use the pam service to 
look up authentication information to authenticate a user's cyrus mailbox.


I want the imap server to use LDAP (via sssd) for ssh authentication and 
authenticating users to their mailboxes.


If I configure the mail server to use sssd (also stop NIS) and update 
/etc/pam.d/system-auth with the required pam_sss.so entries, does anyone 
know or have experience if this change will allow users to authenticate 
to their mailboxes using LDAP?


Regards



Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus

Re: cyrus mailbox authentication changing from NIS to LDAP

2015-09-18 Thread Dan White
On 09/18/15 15:48 +0100, Sunny wrote:
>Hi,
>
>I've inherited a cyrus mail server and I'm currently learning how it's 
>set up, and would like some advice on changing from NIS to LDAP 
>authentication.
>
>At the moment, the imap server uses NIS to authenticate ssh 
>connections and, I believe, also to authenticate users to their 
>mailboxes.
>
>imapd.conf
>sasl_pwcheck_method: saslauthd
>sasl_mech_list: PLAIN
>
>/etc/sysconfig/saslauthd
>MECH=pam
>
>From the above output I believe that cyrus will use the pam service to 
>look up authentication information to authenticate a user's cyrus 
>mailbox.

Correct.

>I want the imap server to use LDAP (via sssd) for ssh authentication 
>and authenticating users to their mailboxes.
>
>If I configure the mail server to use sssd (also stop NIS) and update 
>/etc/pam.d/system-auth with the required pam_sss.so entries, does 
>anyone know or have experience if this change will allow users to 
>authenticate to their mailboxes using LDAP?

Do you have imap/pop/etc. specific pam configuration (e.g.
/etc/pam.d/imap)?

If not, then it's likely that will be all you need to do, with regards to cyrus
services.

As a test, you could create a dummy service pam configuration, such as
/etc/pam.d/willthiswork, with your ldap/sssd configuration, then run
testsaslauthd with '-s willthiswork ...'.

-- 
Dan White

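Dan's question about a service-specific /etc/pam.d/imap matters because saslauthd hands Cyrus logins to PAM under the service name it was given, and PAM resolves that name to a file (falling back to "other" when none exists). The checker below is an added example, not code from the thread or from Cyrus/SSSD: it flattens constructed stand-ins for /etc/pam.d files (system-auth, imap, a stale NIS-era pop, and other; all hypothetical contents), follows include/substack lines, and reports whether the auth and account stacks a service actually reaches contain pam_sss.so and still end in an explicit deny. It complements the testsaslauthd run rather than replacing it: the file can look right and the daemon can still fail for LDAP reasons.

```python
import re
from collections import defaultdict

# Constructed stand-in for /etc/pam.d: one authconfig-style system-auth plus
# three service files. "pop" is a stale NIS-era file that never got pam_sss.so.
PAM_D = {
    "system-auth": """\
#%PAM-1.0
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
""",
    "imap": "auth    include   system-auth\naccount include   system-auth\n",
    "pop": "auth    required  pam_unix.so\naccount required  pam_unix.so\n",
    # Linux-PAM falls back to "other" when no file exists for a service name.
    "other": "auth    required  pam_deny.so\naccount required  pam_deny.so\n",
}

# type, control (keyword or [bracketed action list]), module, remaining args;
# a leading "-" marks a module whose absence should not be logged as an error.
LINE_RE = re.compile(
    r"^(?P<optional>-?)(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$"
)


def parse_pam(name, files, _depth=0):
    """Flatten service `name` into {type: [(control, module, args)]}, following
    include/substack lines into the other entries of `files`."""
    if _depth > 8:
        raise ValueError(f"include loop while resolving {name}")
    stacks = defaultdict(list)
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        if m["control"] in ("include", "substack"):
            sub = parse_pam(m["module"], files, _depth + 1)
            stacks[m["type"]].extend(sub[m["type"]])
            continue
        stacks[m["type"]].append((m["control"], m["module"], m["args"].split()))
    return stacks


def check_service(service, files):
    """Report whether the auth and account stacks a service resolves to reach
    pam_sss.so, and whether the auth stack still terminates in an explicit deny."""
    name = service if service in files else "other"
    stacks = parse_pam(name, files)
    auth, account = stacks["auth"], stacks["account"]
    return {
        "resolved_file": name,
        "auth_uses_sss": any(mod == "pam_sss.so" for _, mod, _ in auth),
        "account_uses_sss": any(mod == "pam_sss.so" for _, mod, _ in account),
        "auth_ends_with_deny": bool(auth) and auth[-1][1] == "pam_deny.so",
    }


if __name__ == "__main__":
    for svc in ("imap", "pop", "willthiswork"):
        print(svc, check_service(svc, PAM_D))
```

On a real host, replace PAM_D with the contents of /etc/pam.d read from disk and pass the service name saslauthd is started with (imap by default for Cyrus). A "pop" result of no pam_sss.so in either stack is exactly the leftover file Dan is asking about; a made-up name resolving to "other" shows why his dummy /etc/pam.d/willthiswork file must actually exist before testsaslauthd can tell you anything.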


Re: cyrus mailbox authentication changing from NIS to LDAP

2015-09-18 Thread Shaheen Bakhtiar

using linux you can run authconfig with the varying options to enable sssd with 
the appropriate settings 

THIS IS ONLY AN EXAMPLE YOU’LL WANT TO TAKE APPROPRIATE SECURITY MEASURES SUCH 
AS TLS ETC.. but you can test this way first. 

i.e.:
authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap 
--enableldapauth --ldapserver=ldap://ldap.example.com:389 --disableldaptls 
--ldapbasedn=dc=example,dc=com --enablerfc2307bis --enablemkhomedir 
--enablecachecreds --update

Or you can directly edit your sssd config /etc/sssd/sssd.conf:

[sssd]
domains = default, LDAP
services = nss, pam, autofs
config_file_version = 2

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/LDAP]
#debug_level = 9
ldap_tls_reqcert = never
auth_provider = ldap
id_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
cache_credentials = false
enumerate = False

Verify that PAM actually uses SSSD:

By enabling debug_level in the above file you can also look at /var/log/sssd 
files for more details on where (if any) auth is failing.

[root@postoffice ~]# more /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so


You should be set.



> On Sep 18, 2015, at 7:48 AM, Sunny  wrote:
> 
> Hi, 
> 
> I've inherited a cyrus mail server and I'm currently learning how it's set up, 
> and would like some advice on changing from NIS to LDAP authentication.
> 
> At the moment, the imap server uses NIS to authenticate ssh connections and, I 
> believe, also to authenticate users to their mailboxes.
> 
> imapd.conf
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN
> 
> /etc/sysconfig/saslauthd 
> MECH=pam
> 
> From the above output I believe that cyrus will use the pam service to look up 
> authentication information to authenticate a user's cyrus mailbox.
> 
> I want the imap server to use LDAP (via sssd) for ssh authentication and 
> authenticating users to their mailboxes.
> 
> If I configure the mail server to use sssd (also stop NIS) and update 
> /etc/pam.d/system-auth with the required pam_sss.so entries, does anyone know 
> or have experience if this change will allow users to authenticate to their 
> mailboxes using LDAP?
> 
> Regards
> 
> 
> 


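Shaheen's sssd.conf is explicitly a test-only shape: ldap_tls_reqcert = never means the LDAP server's certificate is never validated, so anyone who can sit between the mail server and ldap.example.com can impersonate the directory and harvest the PLAIN passwords Cyrus forwards through saslauthd. The checker below is an added example, not code from the thread or from the SSSD project: it reads a constructed copy of the posted domain with configparser, flags the transport settings that undermine TLS, and is shown beside a hardened variant (ldaps://, ldap_tls_reqcert = demand, and an assumed CA bundle path) that passes clean. It also catches the "default" domain that the posted [sssd] section lists without a matching [domain/default] section.

```python
import configparser

# Constructed sssd.conf in the shape of the one posted above, weak settings kept.
WEAK_SSSD_CONF = """\
[sssd]
domains = default, LDAP
services = nss, pam, autofs
config_file_version = 2

[domain/LDAP]
ldap_tls_reqcert = never
auth_provider = ldap
id_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
cache_credentials = false
enumerate = False
"""

# The same domain with the settings a production deployment would use. The CA
# bundle path is an assumption; point it at whatever trust anchor signed the
# LDAP server certificate.
HARDENED_SSSD_CONF = """\
[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2

[domain/LDAP]
auth_provider = ldap
id_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldaps://ldap.example.com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_search_base = dc=example,dc=com
cache_credentials = false
enumerate = False
"""


def audit_sssd(text):
    """Return [(domain, finding)] for LDAP-backed domains whose transport
    settings would let someone on the network read or tamper with lookups and
    password binds, plus domains declared without a configuration section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    declared = cp.get("sssd", "domains", fallback="")
    for dom in (d.strip() for d in declared.split(",") if d.strip()):
        sect = f"domain/{dom}"
        if not cp.has_section(sect):
            findings.append((dom, f"listed in [sssd] domains but there is no [{sect}] section"))
            continue
        if cp.get(sect, "id_provider", fallback="") != "ldap":
            continue
        # sssd's default is "hard": the server certificate must validate.
        reqcert = cp.get(sect, "ldap_tls_reqcert", fallback="hard").lower()
        if reqcert in ("never", "allow"):
            findings.append((dom, f"ldap_tls_reqcert = {reqcert}: server certificate is not verified"))
        # Identity lookups over ldap:// are upgraded with START_TLS unless disabled.
        start_tls = cp.getboolean(sect, "ldap_id_use_start_tls", fallback=True)
        for uri in (u.strip() for u in cp.get(sect, "ldap_uri", fallback="").split(",")):
            if uri.startswith("ldap://") and not start_tls:
                findings.append((dom, f"{uri}: plaintext LDAP with START_TLS disabled"))
        # Auth binds always require TLS unless this escape hatch is set.
        if cp.getboolean(sect, "ldap_auth_disable_tls_never_use_in_production", fallback=False):
            findings.append((dom, "ldap_auth_disable_tls_never_use_in_production is set: password binds may go in the clear"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SSSD_CONF), ("hardened", HARDENED_SSSD_CONF)):
        print(label, audit_sssd(conf) or "no findings")
```

Run it against /etc/sssd/sssd.conf after the migration; an empty result means the directory traffic that carries mailbox passwords is both encrypted and bound to a verified server identity, which is the "appropriate security measures such as TLS" the post defers.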