From: Igor Brezac (igor at ipass dot net)
Date: Tue Jun 15 2004 - 18:16:51 EDT
On Tue, 15 Jun 2004, Guillaume Rousse wrote:
> I'm trying to set up smtp auth with the ldapdb plugin, but I'm quite lost
> with the LDAP details...
>
> First, I built and installed the ldapdb plugin successfully:
> katu3:/etc/postfix/sasl# ls /usr/lib/sasl2/libsasldb.*
> /usr/lib/sasl2/libsasldb.a /usr/lib/sasl2/libsasldb.so.2@
> /usr/lib/sasl2/libsasldb.la* /usr/lib/sasl2/libsasldb.so.2.0.18*
> /usr/lib/sasl2/libsasldb.so@
>
> Then, I created /etc/postfix/sasl/smtpd.conf with the following entries:
> pwcheck_method: auxprop
> auxprop_plugin: ldapdb
> ldapdb_id: cn=admin,dc=zarb,dc=org
^^^^^^^^^^^^^^^^^^^^^^^
This needs to be a username, not a dn. (admin?)
> ldapdb_pw: *passwd*
> ldapdb_mech: DIGEST-MD
Try DIGEST-MD5
>
> The first two lines make sasl use the plugin, and seem to be OK (except
> that I still have tons of messages "OTP unavailable because can't
> read/write key database /etc/opiekeys: No such file or directory" in my
> auth.log; how can I disable them?)
>
> The following three configure the plugin to bind to slapd as the admin.
> From the OpenLDAP manual, I understand I could have used a less
> privileged account, and then dropped privilege to user level, but
> courier-imap authentication already uses this kind of access, so it's OK
> for me currently, and avoids having to configure proxy authorisation.
You cannot avoid proxy authorization setup.
> However, it doesn't work:
>
> Jun 15 23:12:57 katu3 slapd[5347]: conn=30 fd=37 ACCEPT from
> IP=127.0.0.1:53435 (IP=0.0.0.0:389)
> Jun 15 23:12:57 katu3 slapd[5353]: conn=30 op=0 BIND dn="" method=163
> Jun 15 23:12:57 katu3 slapd[5356]: conn=30 op=1 BIND dn="" method=163
> Jun 15 23:12:57 katu3 slapd[5356]: SASL [conn=30] Failure: Invalid syntax
> Jun 15 23:12:57 katu3 slapd[5356]: SASL [conn=30] Failure: unable
> canonify user and get auxprops
> Jun 15 23:12:57 katu3 slapd[5356]: conn=30 op=1 RESULT tag=97 err=50
> text=SASL(-14): authorization failure: unable canonify user and get auxprops
> Jun 15 23:12:57 katu3 slapd[5362]: conn=30 op=2 UNBIND
> Jun 15 23:12:57 katu3 slapd[5362]: conn=30 fd=37 closed
>
>
> Last, and even if I'm still unable to check, I have to map authorisation
> requests using some sasl-regexp directive. As I want to use a specific
> 'clearPassword' attribute (already used by courier-imap), I guess I have
> to use something like:
> sasl-regexp
> uid=(.*),cn=digest-md5,cn=auth
> ldap:///ou=users,dc=zarb,dc=org?userPassword?sub?(&(uid=$1)(objectClass=CourierMailAccount))
sasl-regexp is used to map authorization usernames to ldap dns.
Only userPassword and cmusaslsecretMECHNAME properties can be
used for storing secrets.
-- Igor
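What the reply asks for on both sides (a username for ldapdb_id, a proxy-authorization policy in slapd, and secrets kept in userPassword rather than clearPassword), shown as an added illustration rather than configuration from either poster. The directive and attribute names follow OpenLDAP 2.2 of that period (sasl-regexp, sasl-authz-policy, saslAuthzTo), the DNs are the ones from the thread, ldapdb_uri and the ACL line are assumptions, and the password is a placeholder.

```conf
# --- /etc/postfix/sasl/smtpd.conf (Cyrus SASL side) ---
pwcheck_method: auxprop
auxprop_plugin: ldapdb
# assumed: slapd on the local host, as in the quoted log
ldapdb_uri: ldap://127.0.0.1
# the SASL authentication id of the proxy user: a username, not a DN
ldapdb_id: admin
ldapdb_pw: PLACEHOLDER_PASSWORD
ldapdb_mech: DIGEST-MD5

# --- /etc/ldap/slapd.conf (OpenLDAP side) ---
# Map SASL identities "uid=<name>,cn=<mech>,cn=auth" to directory entries.
# The proxy user itself ("admin") is mapped the same way, so give it a rule
# that resolves to its own entry before the general user rule.
sasl-regexp
  uid=admin,cn=.*,cn=auth
  cn=admin,dc=zarb,dc=org
# <attrs> in the URL is left empty: the mapping only needs the DN, and the
# plugin reads userPassword (or cmusaslsecretDIGEST-MD5) from the mapped
# entry; clearPassword is not consulted.
sasl-regexp
  uid=(.*),cn=.*,cn=auth
  ldap:///ou=users,dc=zarb,dc=org??sub?(&(uid=$1)(objectClass=CourierMailAccount))
# Let the authenticating entry's saslAuthzTo decide whom it may act as.
sasl-authz-policy to
# assumed ACL: DIGEST-MD5 needs the cleartext secret, and after proxying
# the plugin reads it as the mapped user, so allow self read.
access to attrs=userPassword
  by self read
  by anonymous auth
  by * none

# --- LDIF granting the proxy user authorization (constructed) ---
# saslAuthzTo is matched against the *mapped* DN of the requested identity,
# so the pattern covers entries under ou=users, not the cn=auth form.
dn: cn=admin,dc=zarb,dc=org
changetype: modify
add: saslAuthzTo
saslAuthzTo: dn.regex:^uid=[^,]+,ou=users,dc=zarb,dc=org$
```

With this in place the slapd log should show the mapped user DN on the second BIND instead of `authorization failure`; if it still fails, the regexp or the saslAuthzTo pattern is the first thing to check.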