Applies to: Centrify DirectControl - All Versions
Question: How do I make an IMAP server authenticate AD users?
To make an IMAP server authenticate AD users, the IMAP application has to be PAM-enabled, and the appropriate IMAP entries have to be added to the PAM configuration files so that the IMAP server calls the Centrify PAM module to authenticate AD users.
If you look at the pam.conf file as modified by Centrify (at join time, Centrify modifies this file to support PAM authentication), it specifies "pam_centrifydc.so", which means the Centrify module is used to authenticate against AD.
Centrify /etc/pam.conf file (Solaris)
login auth sufficient pam_centrifydc.so unix_cred
login auth requisite pam_centrifydc.so deny
In the vendor's example, they use the "pam_unix.so" module, which authenticates users against the system's shadow password file. So replace the module name with ours and leave the rest the same. PAM lines are read from top to bottom, so these lines need to go at the top. Centrify highly recommends that customers back up their existing pam.conf files before making any changes. Changes to these files also require you to restart Centrify and the associated PAM-using service, in this case IMAP and POP3.
On Solaris it is a single file, /etc/pam.conf, while Linux has a separate file under /etc/pam.d for each PAM service, so the files will be /etc/pam.d/pop3 and /etc/pam.d/imap.
imap auth requisite pam_centrifydc.so
imap auth required pam_centrifydc.so
Note: Some IMAP servers do not support PAM, so check the IMAP server's documentation to see whether it does. For example, the "UW imap daemon" does not support PAM, whereas the "Dovecot imap/pop3 daemon" does.