Installing/configuring Cyrus IMAP for OX
(Debian 3.1)
This document describes how to configure Cyrus IMAP to authenticate against openLDAP. Note that this setup is also useful when OX isn't involved.
Prereq
--> openLDAP is already configured and working.
Useful information can be found in /usr/share/doc/sasl2-bin/LDAP_SASLAUTHD.gz.
Another good link can be found in http://wiki.debian.org/?LDAPAuthentication
Packages to install
apt-get install cyrus21-imapd cyrus21-admin cyrus21-clients
apt-get install sasl2-bin
/etc/saslauthd.conf
Create the file, /etc/saslauthd.conf. Put the following in there, adapting to your situation:
ldap_servers: ldap://server.domain.com
ldap_bind_dn: cn=Manager,dc=domain,dc=com
ldap_password: 12345678
ldap_search_base: dc=domain,dc=com
# you don't need the following two lines if openLDAP isn't TLS enabled
ldap_start_tls: yes
ldap_tls_cacert_file: /etc/ldap/certs/cacert.pem
/etc/default/saslauthd
Edit the /etc/default/saslauthd, and change:
MECHANISMS="pam"
to
MECHANISMS="ldap"
and add
CONFIG_FILE="/etc/saslauthd.conf"
/etc/init.d/saslauthd file
Edit the /etc/init.d/saslauthd file, line 39, I changed:
PARAMS="${PARAMS} -a ${MECHANISMS}"
to
PARAMS="${PARAMS} -a ${MECHANISMS} -O ${CONFIG_FILE}"
If your saslauthd doesn't start, check the file /etc/default/saslauthd:
START=yes
should be in there and activated (not commented out).
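As an added example (not part of the original page), here is a small POSIX shell check for the saslauthd.conf built in the steps above: it verifies that the "key: value" entries the configuration needs are present, that the bind password is not sent to the LDAP server in clear (ldaps:// or ldap_start_tls: yes with a CA certificate), and that the file holding that password is not world-readable. The two sample configs are constructed here for demonstration.

```shell
#!/bin/sh
# Sanity-check a saslauthd LDAP config (added example, not from the wiki page).
# Prints each problem found; returns 0 if the config looks fine, 1 otherwise.

conf_value() {
    # print the value of key "$2" in file "$1" ("key: value" lines only)
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

check_saslauthd_conf() {
    f=$1
    rc=0
    servers=$(conf_value "$f" ldap_servers)
    base=$(conf_value "$f" ldap_search_base)
    tls=$(conf_value "$f" ldap_start_tls)
    cacert=$(conf_value "$f" ldap_tls_cacert_file)
    [ -n "$servers" ] || { echo "missing ldap_servers"; rc=1; }
    [ -n "$base" ] || { echo "missing ldap_search_base"; rc=1; }
    # the bind DN password travels to the LDAP server: without ldaps:// or STARTTLS it goes in clear
    case "$servers" in
        ldaps://*) ;;
        *) [ "$tls" = yes ] || { echo "plain ldap:// without ldap_start_tls: yes"; rc=1; } ;;
    esac
    [ "$tls" != yes ] || [ -n "$cacert" ] || { echo "ldap_start_tls: yes but no ldap_tls_cacert_file"; rc=1; }
    # the file contains ldap_password, so the "other" read bit must be off
    perms=$(stat -c %a "$f" 2>/dev/null)
    case "$perms" in
        *[4-7]) echo "$f is world-readable (mode $perms)"; rc=1 ;;
    esac
    return $rc
}

# constructed sample configs: one like the page's, one with the TLS lines dropped
tmp=$(mktemp -d)
cat > "$tmp/good.conf" <<'EOF'
ldap_servers: ldap://server.domain.com
ldap_bind_dn: cn=Manager,dc=domain,dc=com
ldap_password: 12345678
ldap_search_base: dc=domain,dc=com
ldap_start_tls: yes
ldap_tls_cacert_file: /etc/ldap/certs/cacert.pem
EOF
chmod 600 "$tmp/good.conf"
cat > "$tmp/bad.conf" <<'EOF'
ldap_servers: ldap://server.domain.com
ldap_password: 12345678
EOF
chmod 644 "$tmp/bad.conf"
check_saslauthd_conf "$tmp/good.conf" && echo "good.conf: OK"
```

Run it against your real file with `check_saslauthd_conf /etc/saslauthd.conf` after sourcing the script; the bad.conf sample reports the missing search base, the missing TLS setting and the open file mode.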
/etc/ldap.conf
My /etc/ldap.conf looks like this, but I don't know if it is needed here anyway:
BASE dc=domain,dc=com
HOST server.domain.com
# again, the following line is not needed if not using openLDAP with TLS enabled
TLS_CACERT /etc/ldap/certs/cacert.pem
/etc/imapd.conf
Make sure the following settings are in your /etc/imapd.conf:
allowplaintext: yes
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
admins: cyrus
Change the "admins" line to your needs and separate all the admins with spaces. Use the user id.
Cyrus in SASL group
Don't forget to check that the local cyrus user is indeed a member of the sasl group.
cat /etc/group |grep sasl
Testing
Test your connectivity with a known user in openLDAP (assuming you are root at the moment):
su - cyrus -c "testsaslauthd -u username -p password"
Create mailbox
If the test is working fine, create a mailbox:
cyradm --user=user imap.server.com cm user.uid
Replace imap.server.com with the address of your IMAP server and replace the uid in the "cm" command with the user id you want to create the mailbox for.
Troubleshooting
1) You can start your slapd in debug mode. It will run in the foreground:
slapd -d x
where 'x' is a log level (from 'man slapd.conf'). Pick the one you need:
loglevel <integer>
Specify the level at which debugging statements and operation
statistics should be syslogged (currently logged to the
syslogd(8) LOG_LOCAL4 facility). Log levels are additive, and
available levels are:
1 trace function calls
2 debug packet handling
4 heavy trace debugging
8 connection management
16 print out packets sent and received
32 search filter processing
64 configuration file processing
128 access control list processing
256 stats log connections/operations/results
512 stats log entries sent
1024 print communication with shell backends
2048 entry parsing
2) Look in your /var/log/auth.log. See what happens in there.
3) It's a good idea to put your ldap logs in a file. To do this, follow:
a-) Open your /etc/ldap/slapd.conf and add:
loglevel 4
b-) Open your /etc/syslog.conf and add:
local4.* /var/log/ldap.log
c-) Restart your daemons:
/etc/init.d/slapd restart
/etc/init.d/sysklogd restart
4) If you see an error "authentication failed" when you try to use the 'testsaslauthd' command, please re-check your file 'saslauthd.conf' and restart the saslauthd daemon!
Cyrus and Postfix
a-) Edit your master.cf and include this entry:
cyrus     unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m ${extension} ${user}
b-) Edit your main.cf with this line:
mailbox_transport=cyrus
c-) Restart your postfix daemon.
See more information about this setup in PostfixLdapSetupForOx.
Changelog
* 05/02/2006 -
- Changed the tip that saslauthd does not start to the debian way
- Creating the Mailbox and added the admins
* 02/08/2006 -
- testsaslauthd: made example using the cyrus user (instead of assumed root), which matters most.
- Added "Cyrus in SASL group"
- Reversed Changelog entry to have most recent changelog on top
* 12/09/2005 - Postfix integration by TiagoCruz
* 12/06/2005 - Increase Troubleshooting section by TiagoCruz
