need help with ldapdb plugin

From: Guillaume Rousse (rousse at ccr dot jussieu dot fr)
Date: Tue Jun 15 2004 - 17:20:29 EDT

  • Next message: Guillaume Rousse: "secure autentication over insecure transport vs insecure autentication over secure transport"

    I'm trying to set up SMTP AUTH with the ldapdb plugin, but I'm quite lost
    with LDAP details...

    First, I built and installed the ldapdb plugin successfully:
    katu3:/etc/postfix/sasl# ls /usr/lib/sasl2/libsasldb.*
    /usr/lib/sasl2/libsasldb.a /usr/lib/sasl2/libsasldb.so.2@
    /usr/lib/sasl2/libsasldb.la* /usr/lib/sasl2/libsasldb.so.2.0.18*
    /usr/lib/sasl2/libsasldb.so@

    Then, I created /etc/postfix/sasl/smtpd.conf with the following entries:
    pwcheck_method: auxprop
    auxprop_plugin: ldapdb
    ldapdb_id: cn=admin,dc=zarb,dc=org
    ldapdb_pw: *passwd*
    ldapdb_mech: DIGEST-MD

    The first two lines make SASL use the plugin, and seem to be OK (except
    that I still have tons of messages "OTP unavailable because can't
    read/write key database /etc/opiekeys: No such file or directory" in my
    auth.log; how can I disable them?)

    The following three configure the plugin to bind to slapd as the admin.
    From the OpenLDAP manual, I understand I could have used a less
    privileged account, and then dropped privilege to user level, but
    courier-imap authentication already uses this kind of access, so it's OK
    for me currently, and avoids configuring proxy authorisation. However,
    it doesn't work:

    Jun 15 23:12:57 katu3 slapd[5347]: conn=30 fd=37 ACCEPT from
    IP=127.0.0.1:53435 (IP=0.0.0.0:389)
    Jun 15 23:12:57 katu3 slapd[5353]: conn=30 op=0 BIND dn="" method=163
    Jun 15 23:12:57 katu3 slapd[5356]: conn=30 op=1 BIND dn="" method=163
    Jun 15 23:12:57 katu3 slapd[5356]: SASL [conn=30] Failure: Invalid syntax
    Jun 15 23:12:57 katu3 slapd[5356]: SASL [conn=30] Failure: unable
    canonify user and get auxprops
    Jun 15 23:12:57 katu3 slapd[5356]: conn=30 op=1 RESULT tag=97 err=50
    text=SASL(-14): authorization failure: unable canonify user and get auxprops
    Jun 15 23:12:57 katu3 slapd[5362]: conn=30 op=2 UNBIND
    Jun 15 23:12:57 katu3 slapd[5362]: conn=30 fd=37 closed

    Last, and even if I'm still unable to check, I have to map authorisation
    requests using some sasl-regexp directive. As I want to use a specific
    'clearPassword' attribute (already used by courier-imap), I guess I have
    to use something like:
    sasl-regexp
             uid=(.*),cn=digest-md5,cn=auth
    ldap:///ou=users,dc=zarb,dc=org?userPassword?sub?(&(uid=$1)(objectClass=CourierMailAccount))

    Any help appreciated.

    -- 
    A program generator creates programs that are more ``buggy'' than the 
    program generator.
    		-- The Last One's Law of Program Generators
    
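The sasl-regexp mapping in the post turns a client-supplied SASL authorization identity ("uid=<user>,cn=digest-md5,cn=auth") into an LDAP URL in which $1 is substituted straight into the search filter. The following is an added example, not code from the post, from OpenLDAP or from Cyrus SASL: it models that substitution and then evaluates the resulting URL against a constructed toy directory, so the effect of the mapping can be seen offline. The directory entries, the minimal filter evaluator (AND of equality/substring assertions only) and the decision to apply RFC 4515 filter escaping to the substituted value are all assumptions of this example, not statements about how slapd itself processes authz regexps; the attrs part of the URL (userPassword) is parsed but not used here.

```python
import re

# The sasl-regexp from the post, as a Python regex plus the URL template it
# expands to (assumption: "match the authz-id, substitute $1 into the URL").
SASL_REGEXP = re.compile(r"^uid=(.*),cn=digest-md5,cn=auth$")
LDAP_URL_TEMPLATE = ("ldap:///ou=users,dc=zarb,dc=org?userPassword?sub?"
                     "(&(uid=$1)(objectClass=CourierMailAccount))")

# Constructed toy directory standing in for the zarb.org slapd (not real data).
DIRECTORY = [
    {"dn": "uid=guillaume,ou=users,dc=zarb,dc=org", "uid": "guillaume",
     "objectClass": ["inetOrgPerson", "CourierMailAccount"]},
    {"dn": "uid=bob,ou=users,dc=zarb,dc=org", "uid": "bob",
     "objectClass": ["inetOrgPerson", "CourierMailAccount"]},
    {"dn": "cn=admin,dc=zarb,dc=org", "cn": "admin",
     "objectClass": ["organizationalRole"]},
]


def escape_filter_value(value):
    """RFC 4515 escaping: characters that alter filter structure become \\XX."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape_filter_value(value):
    """Turn \\XX sequences back into the literal character they encode."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def map_authz_id(authz_id, escape=True):
    """Apply the sasl-regexp; return the LDAP URL, or None if it does not match."""
    m = SASL_REGEXP.match(authz_id)
    if not m:
        return None
    user = escape_filter_value(m.group(1)) if escape else m.group(1)
    return LDAP_URL_TEMPLATE.replace("$1", user)


def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into its four components."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are handled here")
    parts = (url[len("ldap:///"):].split("?") + ["", "", ""])[:4]
    base, attrs, scope, filt = parts
    return {"base": base, "attrs": attrs, "scope": scope or "base", "filter": filt}


def assertion_matches(pattern, value):
    """LDAP substring semantics: an unescaped '*' is a wildcard, \\XX is literal."""
    pieces = [re.escape(unescape_filter_value(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(pieces), value, re.IGNORECASE) is not None


def entry_matches(entry, filt):
    """Evaluate an AND filter of simple assertions, e.g. (&(uid=x)(objectClass=y))."""
    assertions = re.findall(r"\(([A-Za-z][\w-]*)=([^()]*)\)", filt)
    if not assertions:
        return False
    for attr, pattern in assertions:
        values = entry.get(attr, [])
        values = values if isinstance(values, list) else [values]
        if not any(assertion_matches(pattern, v) for v in values):
            return False
    return True


def resolve_authz_id(authz_id, escape=True):
    """Return the DNs selected by the mapped URL (a usable mapping yields exactly one)."""
    url = map_authz_id(authz_id, escape)
    if url is None:
        return []
    parts = parse_ldap_url(url)
    base = parts["base"].lower()
    hits = []
    for entry in DIRECTORY:
        dn = entry["dn"].lower()
        in_scope = dn == base or (parts["scope"] == "sub" and dn.endswith("," + base))
        if in_scope and entry_matches(entry, parts["filter"]):
            hits.append(entry["dn"])
    return hits


if __name__ == "__main__":
    print(map_authz_id("uid=guillaume,cn=digest-md5,cn=auth"))
    print(resolve_authz_id("uid=guillaume,cn=digest-md5,cn=auth"))
    # An authz-id of "*" without escaping selects every CourierMailAccount.
    print(resolve_authz_id("uid=*,cn=digest-md5,cn=auth", escape=False))
    print(resolve_authz_id("uid=*,cn=digest-md5,cn=auth"))
```

The two calls with "uid=*" show why the substituted value matters: unescaped, the mapping's filter becomes (uid=*) and selects both user entries, so the identity is ambiguous; escaped to (uid=\2a) it selects nothing. In either case a one-to-one mapping fails, which is the outcome to look for when an authz mapping of this shape misbehaves.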
