need help with ldapdb plugin

• Previous message: Cyrus-announce: "Normal"
• Next in thread: Igor Brezac: "Re: need help with ldapdb plugin"
• Reply: Igor Brezac: "Re: need help with ldapdb plugin"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I'm trying to setup smtp auth with ldapdb plugin, but I'm quite lost
with LDAP details...

First, I build and installed the ldapdb plugin sucessfully:
katu3:/etc/postfix/sasl# ls /usr/lib/sasl2/libsasldb.*
/usr/lib/sasl2/libsasldb.a /usr/lib/sasl2/libsasldb.so.2@
/usr/lib/sasl2/libsasldb.la* /usr/lib/sasl2/libsasldb.so.2.0.18*
/usr/lib/sasl2/libsasldb.so@

Then, I created /etc/postfix/sasl/smtpd.conf with the following entries:
pwcheck_method: auxprop
auxprop_plugin: ldapdb
ldapdb_id: cn=admin,dc=zarb,dc=org
ldapdb_pw: *passwd*
ldapdb_mech: DIGEST-MD

The first two lines make sasl use the plugin, and seems to be OK (except
that I still have tons of messages "OTP unavailable because can't
read/write key database /etc/opiekeys: No such file or directory" in my
auth.log, how can I disable them ?)

The following three configure the plugin to bind to slapd as the admin.
 From OpenLDAP manual, I understand I could have used a less
privilegiated account, and then dropped privilege to user level, but
courier-imap authentication already use this kind of access, so it's OK
for me currently, and avoid to configure proxy authorisation. However,
It doesn't work:

Jun 15 23:12:57 katu3 slapd[5347]: conn=30 fd=37 ACCEPT from
IP=127.0.0.1:53435 (IP=0.0.0.0:389)
Jun 15 23:12:57 katu3 slapd[5353]: conn=30 op=0 BIND dn="" method=163
Jun 15 23:12:57 katu3 slapd[5356]: conn=30 op=1 BIND dn="" method=163
Jun 15 23:12:57 katu3 slapd[5356]: SASL [conn=30] Failure: Invalid syntax
Jun 15 23:12:57 katu3 slapd[5356]: SASL [conn=30] Failure: unable
canonify user and get auxprops
Jun 15 23:12:57 katu3 slapd[5356]: conn=30 op=1 RESULT tag=97 err=50
text=SASL(-14): authorization failure: unable canonify user and get auxprops
Jun 15 23:12:57 katu3 slapd[5362]: conn=30 op=2 UNBIND
Jun 15 23:12:57 katu3 slapd[5362]: conn=30 fd=37 closed

Last, and even if i'm still unable to check, I have to map authorisation
request using some sasl-regexp directive. As I want to use a specific
'clearPassword' attribute (already used by courier-imap), I guess I have
to use something as:
sasl-regexp
         uid=(.*),cn=digest-md5,cn=auth
ldap:///ou=users,dc=zarb,dc=org?userPassword?sub?(&(uid=$1)(objectClass=CourierMailAccount))

Any help appreciated.

-- 
A program generator creates programs that are more ``buggy'' than the 
program generator.
		-- The Last One's Law of Program Generators

• Previous message: Cyrus-announce: "Normal"
• Next in thread: Igor Brezac: "Re: need help with ldapdb plugin"
• Reply: Igor Brezac: "Re: need help with ldapdb plugin"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]