From: Igor Brezac (igor at ipass dot net)
Date: Wed Jun 16 2004 - 01:07:56 EDT
On Wed, 16 Jun 2004, Andreas Winkelmann wrote:
> On Wednesday, 16 June 2004 00:16, Igor Brezac wrote:
> > On Tue, 15 Jun 2004, Guillaume Rousse wrote:
>
> In addition to Igor's reply:
More stuff to add... ;-)
>
> > > I'm trying to setup smtp auth with ldapdb plugin, but I'm quite lost
> > > with LDAP details...
> > >
> > > First, I built and installed the ldapdb plugin successfully:
> > > katu3:/etc/postfix/sasl# ls /usr/lib/sasl2/libsasldb.*
> > > /usr/lib/sasl2/libsasldb.a /usr/lib/sasl2/libsasldb.so.2@
> > > /usr/lib/sasl2/libsasldb.la* /usr/lib/sasl2/libsasldb.so.2.0.18*
> > > /usr/lib/sasl2/libsasldb.so@
>
> This is sasldb, not ldapdb. Show a complete list of the plugin directory.
This is a good point!
Check out https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2406 if you want
a patch that integrates ldapdb and cyrus sasl.
>
> > > Then, I created /etc/postfix/sasl/smtpd.conf with the following entries:
> > > pwcheck_method: auxprop
> > > auxprop_plugin: ldapdb
> > > ldapdb_id: cn=admin,dc=zarb,dc=org
> > ^^^^^^^^^^^^^^^^^^^^^^^
> > This needs to be a username, not a dn. (admin?)
> >
> > > ldapdb_pw: *passwd*
> > > ldapdb_mech: DIGEST-MD
> >
> > Try DIGEST-MD5
> >
> > > The first two lines make sasl use the plugin, and seems to be OK (except
> > > that I still have tons of messages "OTP unavailable because can't
> > > read/write key database /etc/opiekeys: No such file or directory" in my
> > > auth.log, how can I disable them ?)
> > >
> > > The following three configure the plugin to bind to slapd as the admin.
> > > From the OpenLDAP manual, I understand I could have used a less
> > > privileged account, and then dropped privilege to user level, but
> > > courier-imap authentication already uses this kind of access, so it's OK
> > > for me currently, and avoids having to configure proxy authorisation.
> >
> > You cannot avoid proxy authorization setup.
> >
> > > However,
> > > It doesn't work:
> > >
> > > Jun 15 23:12:57 katu3 slapd[5347]: conn=30 fd=37 ACCEPT from IP=127.0.0.1:53435 (IP=0.0.0.0:389)
> > > Jun 15 23:12:57 katu3 slapd[5353]: conn=30 op=0 BIND dn="" method=163
> > > Jun 15 23:12:57 katu3 slapd[5356]: conn=30 op=1 BIND dn="" method=163
> > > Jun 15 23:12:57 katu3 slapd[5356]: SASL [conn=30] Failure: Invalid syntax
> > > Jun 15 23:12:57 katu3 slapd[5356]: SASL [conn=30] Failure: unable canonify user and get auxprops
> > > Jun 15 23:12:57 katu3 slapd[5356]: conn=30 op=1 RESULT tag=97 err=50 text=SASL(-14): authorization failure: unable canonify user and get auxprops
> > > Jun 15 23:12:57 katu3 slapd[5362]: conn=30 op=2 UNBIND
> > > Jun 15 23:12:57 katu3 slapd[5362]: conn=30 fd=37 closed
> > >
> > >
> > > Last, and even if i'm still unable to check, I have to map authorisation
> > > request using some sasl-regexp directive. As I want to use a specific
> > > 'clearPassword' attribute (already used by courier-imap), I guess I have
> > > to use something as:
> > > sasl-regexp
> > > uid=(.*),cn=digest-md5,cn=auth
>
> This will only catch digest-md5, but you are not using a mech_list option in
> smtpd.conf. If your client chooses plain or something else, this will fail.
> Best to use
>
> uid=(.*),cn=.*,cn=auth
Well, this is not what mech_list (in smtpd.conf) is used for. mech_list
is a list of mechanisms offered by smtpd (postfix) to smtp clients. At
the same time, postfix is an ldap sasl client that connects to the ldap
server using ldapdb_mech (digest-md5 in this case). So, this example
_may_ be OK for the openldap authorization.
>
> > > ldap:///ou=users,dc=zarb,dc=org?userPassword?sub?(&(uid=$1)(objectClass=CourierMailAccount))
> >
> > sasl-regexp is used to map authorization usernames to ldap dns.
> >
> > Only userPassword and cmusaslsecretMECHNAME properties can be
> > used for storing secrets.
>
> And userPassword must be the cleartext password.
>
>
-- Igor
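[Editor's note: a worked configuration for the setup discussed in this thread, added here as an illustration. It is not from any of the posts above and not from the Cyrus SASL or OpenLDAP projects. It pulls together the corrections made in the thread (ldapdb_id is a username, not a DN; the mechanism is spelled DIGEST-MD5; mech_list only controls what smtpd offers to SMTP clients; proxy authorization cannot be skipped; the sasl-regexp must not match only cn=digest-md5; userPassword must be cleartext). It assumes OpenLDAP 2.2-era directive names (sasl-regexp, sasl-authz-policy, saslAuthzTo; 2.3 and later spell them authz-regexp, authz-policy and authzTo), a proxy identity named saslproxy with entry cn=saslproxy,dc=zarb,dc=org, slapd on the local host, and the placeholder password "secret". The tree ou=users,dc=zarb,dc=org and the objectClass CourierMailAccount come from the thread. It also goes one step beyond Andreas's "uid=(.*),cn=.*,cn=auth": that pattern is greedy, so if slapd puts a realm component into the identity (uid=guillaume,cn=zarb.org,cn=digest-md5,cn=auth) $1 becomes "guillaume,cn=zarb.org" and the search filter never matches; the anchored pattern below captures only the uid and tolerates any number of intermediate cn= components.]

```conf
### /etc/postfix/sasl/smtpd.conf
### Cyrus SASL server-side config read by Postfix smtpd.
### Comments are kept on their own lines; the SASL config parser
### takes everything after "key:" as the value.
pwcheck_method: auxprop
auxprop_plugin: ldapdb

# Mechanisms smtpd offers to SMTP clients. This is all mech_list does;
# it has nothing to do with how ldapdb binds to slapd (see ldapdb_mech).
mech_list: PLAIN LOGIN DIGEST-MD5 CRAM-MD5

# How the ldapdb plugin itself binds to slapd.
# ldapdb_id is a SASL username, not a DN; slapd's sasl-regexp (rule 1
# below) maps it to the DN of the proxy entry.
# Assumed: slapd on the local host, proxy identity "saslproxy",
# placeholder password "secret".
ldapdb_uri: ldap://127.0.0.1
ldapdb_id: saslproxy
ldapdb_pw: secret
ldapdb_mech: DIGEST-MD5

### /etc/openldap/slapd.conf (OpenLDAP 2.2-era directive names)
### Rules are tried in order; the first match wins, so the proxy
### identity is mapped before the catch-all for mail users.

# 1. The proxy identity's own SASL bind -> its entry (assumed DN).
sasl-regexp
    "^uid=saslproxy(,cn=[^,]+)*,cn=auth$"
    "cn=saslproxy,dc=zarb,dc=org"

# 2. Mail users -> their entries under ou=users.
#    [^,]+ keeps $1 to the bare uid even when realm and mechanism
#    components are present; (,cn=[^,]+)* accepts any mechanism, so
#    PLAIN, LOGIN, CRAM-MD5 and DIGEST-MD5 binds all map the same way.
#    The attrs part of the URL is left empty: the search only locates
#    the DN, it does not fetch userPassword.
sasl-regexp
    "^uid=([^,]+)(,cn=[^,]+)*,cn=auth$"
    "ldap:///ou=users,dc=zarb,dc=org??sub?(&(uid=$1)(objectClass=CourierMailAccount))"

# 3. Enable proxy authorization, governed by the saslAuthzTo attribute
#    of the entry that authenticated (here: the proxy entry).
sasl-authz-policy to

### LDIF for the proxy entry (assumed). DIGEST-MD5 binds need a
### cleartext userPassword, as noted in the thread; the same holds for
### every CourierMailAccount entry that should be able to authenticate.
### saslAuthzTo says on whose behalf this entry may act.
dn: cn=saslproxy,dc=zarb,dc=org
objectClass: person
cn: saslproxy
sn: saslproxy
userPassword: secret
saslAuthzTo: ldap:///ou=users,dc=zarb,dc=org??sub?(objectClass=CourierMailAccount)
```

With this in place, the slapd log for a successful lookup should show the first BIND of conn=N ending with an authcid that maps via rule 1 and an authzid ("u:<user>") that maps via rule 2, instead of the "unable canonify user and get auxprops" failure quoted above. If rule 2 still fails to match, compare the exact identity string slapd logs against the regexp before touching anything else.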