  • auth against active directory?

    Has anyone set up their cyrus-imap server to authenticate against a Windows
    Active Directory domain?
    Any tips on doing it?
    -Bill Kearney
    Cyrus Home Page: http://asg.web.cmu.edu/cyrus
    Cyrus Wiki/FAQ:
    List Archives/Info:
  • No.1

    Heh, 'easy enough' and LDAP rarely seem to be found together. Throw in SASL
    and it /really/ goes downhill.

    I figure it should be easy but given that I've never actually made a
    'generic' LDAP connection to an active directory I'm not entirely sure where
    to start. And given the potential for amount of time fiddling with sasl is
    known to absorb I'm doubly cautious.
    -Bill Kearney

    Message

    I do a lot of auth against our active directory for certain internal
    websites (using mod_ldap), but have had no need to do this for Cyrus
    yet. However, your domain controller is just an ldap server, for all
    intents and purposes. You can use saslauthd ldap auth, using your DC as
    the ldap server. The only thing I remember was that the filter was a
    little different, but you should be able to find that via google easy
    enough.

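A saslauthd LDAP configuration for the approach described in the message above (saslauthd's ldap mechanism with a domain controller as the LDAP server), as an added example that is not part of the original thread. The host name, DNs, CA path and password are constructed placeholders, and the filter is one common Active Directory form, not necessarily the one the poster used.

```conf
# /etc/saslauthd.conf, read by: saslauthd -a ldap -O /etc/saslauthd.conf
# Added example; every host name, DN, path and password is a placeholder.

# Domain controller as the LDAP server. saslauthd replays the user's
# password in a simple bind, so use ldaps:// and verify the DC's cert.
ldap_servers: ldaps://dc1.example.com/
ldap_version: 3
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/certs/example-ad-ca.pem

# Assumption: the domain refuses anonymous searches, so saslauthd first
# looks the user up with a dedicated low-privilege account.
ldap_bind_dn: CN=svc-cyrus,OU=Service Accounts,DC=example,DC=com
ldap_bind_pw: CHANGE-ME

ldap_search_base: DC=example,DC=com
ldap_scope: sub
# Searches from the domain root return referrals; do not chase them.
ldap_referrals: no

# The part that differs from a Unix directory (default filter: uid=%u):
# AD keeps the logon name in sAMAccountName. %U is the user part of the
# login with any realm stripped. The last clause skips disabled accounts
# (userAccountControl bit 2, matched with the LDAP bitwise-AND rule).
ldap_filter: (&(objectClass=user)(sAMAccountName=%U)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

# "bind" re-binds as the DN found by the search, using the password the
# IMAP client supplied, so the DC itself verifies the credential.
ldap_auth_method: bind

# Matching lines for /etc/imapd.conf on the Cyrus side:
#   sasl_pwcheck_method: saslauthd
#   sasl_mech_list: PLAIN
# saslauthd needs the plaintext password, so only plaintext mechanisms
# work; require TLS on the IMAP connection as well.
```

The file holds a bind password, so restrict it to the account saslauthd runs as. `testsaslauthd -u <user> -p <password>` exercises the lookup and bind before Cyrus is involved.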
  • No.2

    Sat, 3 Dec 2005, Bill Kearney wrote:

    > Heh, 'easy enough' and LDAP rarely seem to be found together. Throw in SASL
    > and it /really/ goes downhill.
    >
    > I figure it should be easy but given that I've never actually made a
    > 'generic' LDAP connection to an active directory I'm not entirely sure where
    > to start. And given the potential for amount of time fiddling with sasl is
    > known to absorb I'm doubly cautious.

    I use cyrus-imapd -> saslauthd -> pam_ldap -> iplanet directory server.

    At our site, we create unix accounts by creating ldap entries in the
    iplanet directory server, then we create matching, synchronized accounts
    in AD for Windows. To the end users, it appears as one account.

    I don't authenticate against AD for cyrus, but I'm fairly familiar with
    using LDAP to talk to AD. Do you have any specific questions? I know of
    no reason it wouldn't work using pam_ldap as above.

    Andy

  • No.3

    But since cyrus 2.2 has the ability to speak LDAP directly where's the need
    to use saslauthd any longer?

    Message
    > Heh, 'easy enough' and LDAP rarely seem to be found together. Throw in SASL
    > and it /really/ goes downhill.
    >
    > I figure it should be easy but given that I've never actually made a
    > 'generic' LDAP connection to an active directory I'm not entirely sure where
    > to start. And given the potential for amount of time fiddling with sasl is
    > known to absorb I'm doubly cautious.

    I use cyrus-imapd -> saslauthd -> pam_ldap -> iplanet directory server.

    At our site, we create unix accounts by creating ldap entries in the
    iplanet directory server, then we create matching, synchronized accounts
    in AD for Windows. To the end users, it appears as one account.

    I don't authenticate against AD for cyrus, but I'm fairly familiar with
    using LDAP to talk to AD. Do you have any specific questions? I know of
    no reason it wouldn't work using pam_ldap as above.

  • No.4

    Sat, 3 Dec 2005, Bill Kearney wrote:

    > But since cyrus 2.2 has the ability to speak LDAP directly where's the need
    > to use saslauthd any longer?

    In our case, we're still running 2.1.18. Also, we do not put system
    accounts in ldap, so our cyrus admin user comes from pam_unix. :)

    Andy

