We are trying to set up a Cyrus IMAP server (version 2.2.3) on a Redhat Enterprise LINUX AS 3.0 box. For ease of management we would like to authenticate users against a Microsoft Active Directory Domain controller since all users who would use the IMAP server are already there.
We have attempted to use Cyrus saslauthd (version 2.1.17) with kerberos5 to do this:
1. Cyrus sasl has been built with gssapi (kerberos5) support
OK.
2. cyrus imap has been built --with-auth=krb5
This is for authorisation, not authentication, but it is OK.
3. In /etc/imapd.conf sasl-pwcheck-method=saslauthd
Hmmm, relatively OK. One word of caution, though. This will relay all "SASL PLAIN" logins to the Kerberos realm. If you do not use IMAP over SSL/TLS, your users' username/password will travel unencrypted, thus defeating one of the main Kerberos ideas. Use this for a fall-back situation only.
It should be possible to use "SASL GSSAPI" authentication method instead.
4. We followed the instructions in http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp to interoperate with the AD KDC: We generated both the host and service-instance (imap) keytab files and integrated them into the /etc/krb5.keytab file on the LINUX host. Finally, we modified /etc/krb5.conf according to the instructions. We tested kerberos with kinit and it seems to be working.
5. We started saslauthd with: saslauthd -n0 -a kerberos5
6. Finally, we started imap with master -d
Try testing from the server. Do a "kinit" to one of your ADS users and then try "imtest" using the "GSSAPI" mechanism. Set up your e-mail clients to use GSSAPI; I think it is called "Secure Password Authentication" or something like that in MS Outlook and Outlook Express.
Nix.
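As an added example (not from this thread or the Cyrus project), here is an /etc/imapd.conf fragment that follows the advice above: GSSAPI is offered as the primary mechanism, and the saslauthd-backed PLAIN fall-back is only advertised once TLS is up. The certificate paths are placeholders; the keytab path is the one the original post describes.

```ini
# /etc/imapd.conf fragment (added example, not from the thread)

# --- Weak variant, as in step 3 above with nothing else changed:
# --- PLAIN is accepted on a cleartext session and saslauthd relays the
# --- username/password to the AD KDC, so it crosses the wire unencrypted.
# sasl_pwcheck_method: saslauthd
# allowplaintext: yes

# --- Hardened variant ---
# Offer GSSAPI first; keep PLAIN only as the fall-back for clients that
# cannot do Kerberos.
sasl_mech_list: GSSAPI PLAIN

# Keytab holding the imap/<host>@REALM key generated from AD
# (this is also the library default, shown here for clarity).
sasl_keytab: /etc/krb5.keytab

# PLAIN logins are still relayed to "saslauthd -a kerberos5" ...
sasl_pwcheck_method: saslauthd

# ... but plaintext mechanisms are not advertised until STARTTLS has
# been negotiated, so the fall-back never exposes a password in the clear.
allowplaintext: no

# TLS material so that STARTTLS is actually available (placeholder paths).
tls_cert_file: /etc/ssl/certs/imap.example.com.pem
tls_key_file: /etc/ssl/private/imap.example.com.key
```

With this in place, "imtest -m GSSAPI" after a kinit exercises the primary path, while "imtest -t '' -m PLAIN" confirms that PLAIN is only offered after the TLS handshake.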
--- Home Page: http://asg.web.cmu.edu/cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html