Connecting Cyrus to LDAP

Implementing Cyrus on Redhat with an LDAP backend

Note: It is assumed that you already have an LDAP backend capable of authenticating via uid and userPassword attributes. This does not need to be on the same box as the cyrus imap server. It should have a valid "cyrus" user though.

Using RPMs downloaded from Simon Matter's Website:

  • Build from the source RPMs: rpmbuild -ba --target arch cyrus-imapd-2.x.x-x.src.rpm
  • Install ALL of the resulting RPMS.
  • Note: if you are happy without LDAP authentication, you may skip to the cyradm section below.
  • Edit /etc/imapd.conf - ensure sasl_pwcheck_method is set to saslauthd. That's right. EVEN though you will be using pam!
  • Edit /etc/sysconfig/saslauthd, and add the line MECH="pam"
  • Edit /etc/pam.d/imap (and pop if you wish to run that). It should only contain the following lines:
auth        sufficient   /lib/security/pam_ldap.so
account     sufficient   /lib/security/pam_ldap.so
  • Edit /etc/openldap/ldap.conf and add the following lines.
    Note: Please see below regarding whether to modify /etc/openldap/ldap.conf or /etc/ldap.conf
host                 your.ldap.server
base                 ou=Your-Account-Container,dc=your,dc=domain,dc=components
scope                sub
pam_login_attribute  uid
  • Ensure saslauthd and cyrus-imapd are set to start at boot time (chkconfig saslauthd on && chkconfig cyrus-imapd on).
  • Start both services (service saslauthd start && service cyrus-imapd start).
  • That's it - you can now create mailboxes, and auth to them using your LDAP accounts.

Implementing Cyrus 2.1 on Debian Woody with an LDAP backend

This is the same as above, but implemented under Debian Woody instead. Again, make sure there is a cyrus user with a password you can use to run cyradm.

Get the backported cyrus21 debs and dependencies from http://people.debian.org/hmh/ or the cyrus21 debs from sid/unstable.

  • Install cyrus21-{admin,clients,common,docs,imapd,pop3d}
  • Install libsasl2-modules libsasl2 sasl2-bin
  • Make sure /etc/sasldb2 is readable by group sasl. Pay attention to overrides (dpkg-statoverride)!
  • Make sure user cyrus belongs to group sasl (cyrus21-common's install tries to do this automatically for you).
  • Note: if you are happy without LDAP authentication, you may skip to the cyradm section below.
  • Edit /etc/cyrus.conf and check that the processes you want running are enabled
  • Edit /etc/imapd.conf - ensure sasl_pwcheck_method is set to saslauthd. Set the admin user to cyrus. I also suggest enabling plain text logins, and setting sasl_minimum_layer: 0
  • Edit /etc/defaults/saslauthd and ensure that START="yes" and MECHANISM="pam" are uncommented
  • Edit /etc/pam.d/imap (and pop if you wish to run that). It should only contain the following lines:
auth        sufficient   /lib/security/pam_ldap.so
account     sufficient   /lib/security/pam_ldap.so
  • Edit /etc/ldap.conf (SEE NOTE BELOW regarding /etc/openldap/ldap.conf vs. /etc/ldap.conf) and add the following lines:
host                 your.ldap.server
base                 ou=Your-Account-Container,dc=your,dc=domain,dc=components
scope                sub
pam_login_attribute  uid
  • Ensure saslauthd and cyrus-imapd are set to start at boot time (update-rc.d cyrus21 defaults && update-rc.d saslauthd defaults)
  • Start both services (/etc/init.d/saslauthd start && /etc/init.d/cyrus-imapd start).
  • That's it - you can now create mailboxes, and auth to them using your LDAP accounts.

Be warned: there is a nasty bug regarding Cyrus and SASL on Debian Woody that can cause a lot of problems. If you don't need it, you need to get the deb src, edit debian/rules and remove --with-cyrus-sasl, recompile, and reinstall. Note that this is a bug with cyrus and not LDAP/SASL.

Troubleshooting

Login failed: generic failure at /usr/lib/perl5/Cyrus/IMAP/Admin.pm line 118

Also found in syslog:

Oct 12 22:57:56 ''server'' perl: No worthy mechs found
Oct 12 22:57:57 ''server'' cyrus/imapd[''number'']: cannot connect to saslauthd server: Permission denied

You need to make sure that Cyrus can read /var/run/saslauthd/mux. The best way to do this (as done in Sarge and up) is to make a 'sasl' group on your system, make 'cyrus' a member of this group, and set /var/run/saslauthd/ group +x permissions (only needs +x in order to be able to get into the dir, the actual socket on /var/run/saslauthd/mux is world +rwx anyway). This way, if you have other apps that use SASL, you just need to make them members of the sasl group as well and they can also read the socket.

No worthy mechs found

Sep 20 14:44:35 ''server'' perl: No worthy mechs found
 Sep 20 14:44:37 ''server'' saslauthd[6341]: pam_ldap: ldap_search_s No such object
 Sep 20 14:44:37 ''server'' saslauthd[6341]: do_auth         : auth failure: [user=cyrus]
                 [service=imap] [realm=] [mech=pam] [reason=PAM auth error]

The LDAP client config file can be at either /etc/openldap/ldap.conf or /etc/ldap.conf. The additions listed above for /etc/openldap/ldap.conf should actually be added to /etc/ldap.conf. This was figured out by setting the loglevel on openldap to -1 and watching the conversation while doing a cyradm --user cyrus localhost.

In Debian, the file is /etc/pam_ldap.conf with content as in /etc/openldap/ldap.conf. You should configure it with dpkg-reconfigure libpam-ldap.

auth failure: [user=user] [service=imap] [realm=domain.co.nz] [mech=pam] [reason=PAM auth error]

Aug 24 15:01:49 vienne saslauthd[29787]: (pam_unix) check pass; user unknown
Aug 24 15:01:49 vienne saslauthd[29787]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 24 15:01:52 vienne saslauthd[29787]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Aug 24 15:01:52 vienne saslauthd[29787]: do_auth         : auth failure: [user=craig] [service=imap] [realm=domain.co.nz] [mech=pam] [reason=PAM auth error]

You're using a new saslauthd, which by default, will present the user without the @domain.co.nz in it. This might break your virtual hosting setup. The fix is add -r to your saslauthd command line, which on Debian you can do in /etc/default/saslauthd with PARAMS="-r".(Debian bug)

Note: see LDAPNotes for more information regarding LDAP under Debian.

cyradm: cannot connect to server

(cyrus2.2 on Debian 4.0 (Etch))

Following the walkthrough in /usr/share/doc/cyrus-imapd-2.2/README.Debian.simpleinstall.gz, I got to here and couldn't log in as admin to create users.

The problem was that I had only enabled imaps (ie over SSL) and not imap in /etc/cyrus.conf, and the cyradm tool appears to do configuration over plain imap. Enable imap in /etc/cyrus.conf, restart cyrus, and you should now be able to log in to localhost using cyradm.

Recovering from accidental deletion of mailspool dir

If you have (stupidly - I did this!) deleted the cyrus spool directory for a mailbox, you will find you are unable to easily remove the mailbox from the db - cyrus will always think it exists. While I have no reason to believe this will harm anything, it is not a pleasant state to leave things in. I fixed it like this:

  1. Copy an existing mailbox spool dir, being careful to preserve the permissions, and name it the same as the one you deleted.
  2. Su to the cyrus admin user (ie su cyrus)
  3. Run reconstruct -f nameofmailbox (eg /usr/lib/cyrus/bin/reconstruct -f user/mailbox@I.accidentally.trashed).
  4. Use the cyradm "sam" command to set the acls on the mailbox so the cyrus user has full rights to it
  5. NOW you can use dm to delete the mailbox.
  6. Don't do it again! ;)

Getting Sieve working with Cyrus2.1 on Debian Sarge

By Default Cyrus2.1 uses SASL2 based Authentication, which requires the installation of sasl2-bin, but doesn't install libsasl2-modules, which are required for sieve authentication. Websieve login will fail without libsasl2-modules.

Setting Cyrus to listen for LMTP deliver

Cyrus supports LMTP mail delivery - this is much more efficient than using a delivery program such as deliver, or using procmail. Edit /etc/cyrus.conf and enable a SERVICES entry similar to the following (it may already be enabled)

lmtp          cmd="lmtpd -a" listen="127.0.0.1:lmtp" prefork=0

This will listen for lmtp on the localhost IP. You may wish to use a unix domain socket instead:

lmtpunix      cmd="lmtpd -a" listen="/var/imap/socket/lmtp" prefork=0

You can now set your MTA to deliver to Cyrus via LMTP, by specifying the appropriate address. See LMTPNotes for more information, or EximNotes for connecting to Exim.

Delivering to Cyrus from procmail

If you happen to be using an MTA that doesn't support LMTP delivery, and you really have to use something like procmail to get the mail from the MTA into Cyrus, then you MUST use the deliver program packaged with Cyrus. Do not attempt to deliver directly into the Cyrus mailspool.