From: Guillaume Rousse (rousse at ccr dot jussieu dot fr)
Date: Wed Jun 16 2004 - 08:03:00 EDT
Igor Brezac wrote:
> On Wed, 16 Jun 2004, Andreas Winkelmann wrote:
>
>
>>Am Mittwoch, 16. Juni 2004 00:16 schrieb Igor Brezac:
>>
>>>On Tue, 15 Jun 2004, Guillaume Rousse wrote:
>>
>>In addition to Igor's comments:
>
>
> More stuff to add... ;-)
>
>
>>>>I'm trying to set up SMTP auth with the ldapdb plugin, but I'm quite lost
>>>>with the LDAP details...
>>>>
>>>>First, I built and installed the ldapdb plugin successfully:
>>>>katu3:/etc/postfix/sasl# ls /usr/lib/sasl2/libsasldb.*
>>>>/usr/lib/sasl2/libsasldb.a /usr/lib/sasl2/libsasldb.so.2@
>>>>/usr/lib/sasl2/libsasldb.la* /usr/lib/sasl2/libsasldb.so.2.0.18*
>>>>/usr/lib/sasl2/libsasldb.so@
>>
>>This is sasldb not ldapdb. Show a complete List of the Plugin-Directory.
>
>
> This is a good point!
Oops...
Here is the correct list:
katu3:/home/users/guillomovitch# ls /usr/lib/sasl2/libldapdb.*
/usr/lib/sasl2/libldapdb.a /usr/lib/sasl2/libldapdb.so.2@
/usr/lib/sasl2/libldapdb.la* /usr/lib/sasl2/libldapdb.so.2.0.18*
/usr/lib/sasl2/libldapdb.so@
> Check out https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2406 if you want
> a patch that integrates ldapdb and cyrus sasl.
Great, it would make compilation easier.
>>>>Then, I created /etc/postfix/sasl/smtpd.conf with the following entries:
>>>>pwcheck_method: auxprop
>>>>auxprop_plugin: ldapdb
>>>>ldapdb_id: cn=admin,dc=zarb,dc=org
>>>
>>> ^^^^^^^^^^^^^^^^^^^^^^^
>>>This needs to be a username, not a dn. (admin?)
So I have to use either an already existing user (root), or create a new
one? And store its shell password in the smtpd.conf file?
>>>
>>>>ldapdb_pw: *passwd*
>>>>ldapdb_mech: DIGEST-MD
>>>
>>>Try DIGEST-MD5
Cut'n'paste error, the file is already correct.
>>>
>>>>The first two lines make SASL use the plugin, and seem to be OK (except
>>>>that I still have tons of messages "OTP unavailable because can't
>>>>read/write key database /etc/opiekeys: No such file or directory" in my
>>>>auth.log; how can I disable them?)
>>>>
>>>>The following three configure the plugin to bind to slapd as the admin.
>>>>From the OpenLDAP manual, I understand I could have used a less
>>>>privileged account and then dropped privileges to user level, but
>>>>courier-imap authentication already uses this kind of access, so it's OK
>>>>for me currently, and it avoids having to configure proxy authorisation.
>>>
>>>You cannot avoid proxy authorization setup.
OK.
>>>
>>>>However, it doesn't work:
>>>>
>>>>Jun 15 23:12:57 katu3 slapd[5347]: conn=30 fd=37 ACCEPT from
>>>>IP=127.0.0.1:53435 (IP=0.0.0.0:389)
>>>>Jun 15 23:12:57 katu3 slapd[5353]: conn=30 op=0 BIND dn="" method=163
>>>>Jun 15 23:12:57 katu3 slapd[5356]: conn=30 op=1 BIND dn="" method=163
>>>>Jun 15 23:12:57 katu3 slapd[5356]: SASL [conn=30] Failure: Invalid syntax
>>>>Jun 15 23:12:57 katu3 slapd[5356]: SASL [conn=30] Failure: unable
>>>>canonify user and get auxprops
>>>>Jun 15 23:12:57 katu3 slapd[5356]: conn=30 op=1 RESULT tag=97 err=50
>>>>text=SASL(-14): authorization failure: unable canonify user and get
>>>>auxprops
>>>>Jun 15 23:12:57 katu3 slapd[5362]: conn=30 op=2 UNBIND
>>>>Jun 15 23:12:57 katu3 slapd[5362]: conn=30 fd=37 closed
>>>>
>>>>
>>>>Last, and even if I'm still unable to check, I have to map authorisation
>>>>requests using some sasl-regexp directive. As I want to use a specific
>>>>'clearPassword' attribute (already used by courier-imap), I guess I have
>>>>to use something like:
>>>>sasl-regexp
>>>> uid=(.*),cn=digest-md5,cn=auth
>>
>>This will only catch digest-md5, but you are not using a mech_list option in
>>smtpd.conf. If your client chooses plain or something else, this will fail.
>>Best to use
>>
>> uid=(.*),cn=.*,cn=auth
>
>
> Well, this is not what mech_list (in smtpd.conf) is used for. mech_list
> is a list of mechanisms offered by smtpd (postfix) to SMTP clients. At
> the same time, postfix is an LDAP SASL client that connects to the LDAP
> server using ldapdb_mech (digest-md5 in this case). So, this example
> _may_ be OK for the openldap authorization.
I also added mech_list: DIGEST-MD5 to smtpd.conf to avoid the spurious
OTP-related messages in my logs.
-- 
After all is said and done, a lot more is said than done -- Murphy's Laws on Technology n°22
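As an added example (not code from this thread, nor from Cyrus SASL, Postfix or OpenLDAP), here is a small POSIX sh script that writes an smtpd.conf in the shape the replies above converge on, and lints an existing one for the problems raised in the thread: an ldapdb_id given as a DN instead of a username, a misspelled ldapdb_mech, a missing mech_list (the cause of the spurious OTP log entries), and a world-readable file holding the ldapdb_pw credential. The proxy account name saslproxy, the ldap://localhost URI, the suffix dc=example,dc=org and the slapd.conf lines shown in the comment are all assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: lint / generate a Cyrus SASL smtpd.conf that authenticates
# against slapd through the ldapdb auxprop plugin. Assumed names: the proxy
# account "saslproxy", ldap://localhost, and the suffix dc=example,dc=org.
#
# The matching slapd side (OpenLDAP 2.2-era directive names, as used in the
# thread) is also assumed and is still required, because ldapdb binds as the
# proxy user and then authorizes as the user who is logging in:
#   sasl-regexp uid=(.*),cn=.*,cn=auth ldap:///dc=example,dc=org??sub?(uid=$1)
#   sasl-authz-policy to
# and the proxy account's entry carries
#   saslAuthzTo: ldap:///dc=example,dc=org??sub?(objectClass=person)

# Print the value of a "key: value" line; empty output if the key is absent.
conf_get() {
    # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when the file passes every check, 1 otherwise; one finding per line.
check_smtpd_conf() {
    f=$1
    rc=0

    # ldapdb_id must be a SASL username that slapd maps with sasl-regexp,
    # not a DN such as cn=admin,dc=example,dc=org.
    id=$(conf_get "$f" ldapdb_id)
    case $id in
        "")  echo "ldapdb_id missing"; rc=1 ;;
        *=*) echo "ldapdb_id looks like a DN, use a username: $id"; rc=1 ;;
    esac

    # The mechanism name must be spelled exactly as the server offers it.
    mech=$(conf_get "$f" ldapdb_mech)
    [ "$mech" = "DIGEST-MD5" ] || {
        echo "ldapdb_mech should be DIGEST-MD5, got '$mech'"; rc=1; }

    # Without mech_list every installed mechanism (OTP, GSSAPI, ...) is
    # offered to SMTP clients and the unusable ones log errors on every try.
    [ -n "$(conf_get "$f" mech_list)" ] || { echo "mech_list missing"; rc=1; }

    # ldapdb_pw is a plaintext credential: the file must not be world-readable.
    [ -z "$(find "$f" -perm -004)" ] || { echo "$f is world-readable"; rc=1; }

    return $rc
}

# Write a configuration that passes the checks above to the path given in $1.
write_good_conf() {
    cat > "$1" <<'EOF'
pwcheck_method: auxprop
auxprop_plugin: ldapdb
ldapdb_uri: ldap://localhost
ldapdb_id: saslproxy
ldapdb_pw: CHANGE-ME
ldapdb_mech: DIGEST-MD5
mech_list: DIGEST-MD5
EOF
    chmod 640 "$1"
}

# Usage: sh lint_smtpd_conf.sh /etc/postfix/sasl/smtpd.conf
if [ -n "${1:-}" ]; then
    check_smtpd_conf "$1"
fi
```

The lint only covers what the thread discusses; it does not validate the slapd mapping, so a configuration that passes here can still fail with the "unable canonify user and get auxprops" error shown above if the sasl-regexp target or the proxy account's authorization entry is wrong.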