From: Tony Earnshaw (no email)
Date: Sun Jan 02 2005 - 09:52:31 EST
Mark Clarke:
> I am new to kerberos and postfix so I guess it might be a weird setup.
>
> It's just that I would like to secure the ldap server from non-authorised
> lookups etc and thought that the best way to do this would be to use
> kerberos.
As Magnus pointed out, Postfix supports simple binds, not SASL binds. SASL
is shorthand for a number of different ways of using strong authorization
("strong" means non-refutable - no-one can come along and say: "it wasn't
me").
This doesn't mean that postfix doesn't support authorized binds. You can
enable authorized binds by using a proxy user with rights to read
attributes hidden by your LDAP ACLs. However, in practice this would only
be necessary where you are looking up attributes that are hidden from
normal users. In practice, this is the exception to most rules: uid, mail,
objectClass and others never need to be hidden. Furthermore, wherever you
need to use the proxy user (only root has read access), you can't use
proxy_read_maps, which will cut down your performance appreciably.
> This also means that windows machines can authenticate against
> the kerberos/ldap server.
You don't have to cut this off, it will work.
> I have therefore disabled anonymous bind operations
As I wrote, you don't have to disable authorized binds for postfix.
However, by insisting on them unnecessarily, you are shooting yourself in
the foot.
> and required all
> users to be authenticated to query the server. As far as I am aware in
> kerberos each service has its own principal and keys so that they can
> authenticate themselves to other servers and users. It seems though that
> when doing lookups against ldap the postfix server does not use its
> kerberos credentials.
Magnus already told you that it can't. Furthermore, there would be little
point in augmenting this, IMHO. SASL binds for SMTP AUTH are another matter
and that is supported by the Cyrus SASL libraries. That is absolutely
necessary, IMHO.
> Is this correct? I would hate to have to go and undo all the kerberos
> setup I have put in place for authentication and securing ldap but if
> that's the only way then I guess that's what I will have to do.
No it's not necessary. You have to learn more about LDAP ;) And Postfix.
--Tonni
-- mail: http://www.billy.demon.nl
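As an added illustration (not part of Tony's or Mark's mail, and not Postfix or OpenLDAP project documentation), the two lookup styles contrasted above written out as configuration: an anonymous simple bind that relies on the LDAP ACLs leaving uid, mail and objectClass readable, and the proxy-user simple bind for the case where attributes really are hidden. The file names, the base DN, the proxy user's DN and the password placeholder are all assumptions.

```conf
# /etc/postfix/ldap-aliases.cf   (assumed file name; referenced from main.cf as
#   virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf)
#
# Variant 1: anonymous simple bind. Sufficient when the slapd ACLs (below)
# allow anonymous clients to read uid, mail and objectClass.
server_host      = ldap://ldap.example.com
version          = 3
bind             = no
search_base      = ou=people,dc=example,dc=com
query_filter     = (&(objectClass=inetOrgPerson)(mail=%s))
result_attribute = uid

# Variant 2: authenticated simple bind with a dedicated read-only proxy user.
# Only needed when Postfix must read attributes the ACLs hide from anonymous.
# A simple bind sends the password in clear unless the connection is
# protected, hence start_tls (or an ldaps:// server_host).
# bind      = yes
# bind_dn   = cn=postfix-proxy,ou=services,dc=example,dc=com
# bind_pw   = PLACEHOLDER_PROXY_PASSWORD      (assumed; set a real secret here)
# start_tls = yes

# slapd.conf (OpenLDAP) access rules that make variant 1 possible while still
# protecting passwords: userPassword is never readable (only usable for
# authentication), the attributes Postfix needs stay world-readable, and
# everything else requires an authenticated DN.
#
# access to attrs=userPassword
#         by self write
#         by anonymous auth
#         by * none
# access to attrs=uid,mail,objectClass
#         by * read
# access to *
#         by dn.exact="cn=postfix-proxy,ou=services,dc=example,dc=com" read
#         by users read
#         by * none
```

Either variant can be checked from the Postfix host with `postmap -q user@example.com ldap:/etc/postfix/ldap-aliases.cf`, which runs the same query the daemons would. If variant 2 is used, the table file carries a password and should be readable only by root and the postfix group (for example mode 0640), and the proxy user should be granted read access only, never write, so that a compromise of the mail host cannot be turned into changes in the directory.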