using linux you can run autconfig with the varying options to enable sssd with
the appropriate settings
THIS IS ONLY AN EXAMPLE YOU’LL WANT TO TAKE APPROPRIATE SECURITY MEASURES SUCH
AS TLS ETC.. but you can test this way first.
IE:
authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap
--enableldapauth --ldapserver=ldap://ldap.example.com:389 --disableldaptls
--ldapbasedn=dc=example,dc=com --enablerfc2307bis --enablemkhomedir
--enablecachecreds —update
Or you can directly adit your sssd config /etc/ssd/ssd.conf:
[sssd]
domains = default, LDAP
services = nss, pam, autofs
config_file_version = 2
[nss]
filter_groups = root
filter_users = root
[pam]
[domain/LDAP]
#debug_level = 9
ldap_tls_reqcert = never
auth_provider = ldap
id_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
cache_credentials = false
enumerate = False
Verify that PAM actually uses SSSD:
By enabling debug_level in the above file you can also look at /var/log/sssd
files for more details on where (if any) auth is failing.
[root@postoffice ~]# more /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
authrequired pam_env.so
authsufficientpam_fprintd.so
auth[default=1 success=ok] pam_localuser.so
auth[success=done ignore=ignore default=die] pam_unix.so nullok
try_first_pass
authrequisite pam_succeed_if.so uid >= 1000 quiet_success
authsufficientpam_sss.so forward_pass
authrequired pam_deny.so
account required pam_unix.so broken_shadow
account sufficientpam_localuser.so
account sufficientpam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
passwordrequisite pam_pwquality.so try_first_pass local_users_only
retry=3 authtok_type=
passwordsufficientpam_unix.so sha512 shadow nullok try_first_pass
use_authtok
passwordsufficientpam_sss.so use_authtok
passwordrequired pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
use_uid
session required pam_unix.so
session optional pam_sss.so
You should be set.
> On Sep 18, 2015, at 7:48 AM, Sunny wrote:
>
> Hi,
>
> I've inherited a cyrus mail server and I'm currently learning how it's setup
> and would like some advice changing from a NIS to LDAP authentication.
>
> At the moment, the imap server uses NIS to authenticate ssh connections and I
> believe to also authenticate users to their mailboxes
>
> imapd.conf
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN
>
> /etc/sysconfig/saslauthd
> MECH=pam
>
> From the above output I believe that cyrus will use the pam service to lookup
> authentication information to authenticate a users cyrus mailbox.
>
> I want the imap server to use LDAP (via sssd) for ssh authentication and
> authenticating users to their mailboxes.
>
> If I configure the mail server to use sssd (also stop NIS) and update
> /etc/pam.d/system-auth with the required pam_sss.so entries, does anyone know
> or have experience if this change will allow users to authenticate to their
> mailboxes using LDAP?
>
> Regards
>
>
>
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> To Unsubscribe:
> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus