
Re: Postfix 2.0.16 CRAM/DIGEST-MD5 SMTP AUTH



Tony Earnshaw wrote:

O.k. Shortly: DIGEST-MD5 and CRAM-MD5 (the latter necessary for some
MUAs) work now - but not exactly as I'd like. Nevertheless, I can now
use the latest Postfix snapshots with Cyrus SASL 2.1.15 on RH 9 and thus
avoid the re-entrance problems of the 2.1.13 that I was experiencing.

Following up on my own post, just for the archives:

ldapwhoami and ldapsearch using PLAIN and DIGEST-MD5 work as they should now with the previously stated slapd.conf sasl regexps. As Igor pointed out, CRAM-MD5 does not give the required result. Unfortunate for clients like Mozilla 1.4 that insist on using it.

What I didn't realize was that I actually had to add an internal saslAuthzTo attribute to my proxy user's DIT entry using ldapmodify. After using this utility, the attribute can be altered or supplementary values added with a tool such as GQ 0.7.0b2.

After a great number of hints from others, I found Edward Rudd's Openldap Cyrus SASL imapd and generic smtpd "HOWTO" of 247-7-03 on the Cyrus SASL mailing list (on my hard disk :). The text is included below. His comments on smtpd.conf apply to the Openldap 2.1.x releases prior to 2.1.23.

--Tonni

_________________________________________________________________________

Saslauthd only supports the plain/login methods, not CRAM-MD5 or
DIGEST-MD5..
You have to use the auxprop plugin..
Attached is a patch for Cyrus-SASL 2.1.14 to add in the ldapdb auxprop
plugin.  Just add --with-ldapdb when you run ./configure.
You must use Openldap 2.1.x compiled with sasl2 to use this however. (I
am running 2.1.19 currently) Read the openldap documentation on setting
up sasl authentication and sasl authz users..

Configuration of sasl is as follows.
in the /etc/imapd.conf add this
-- imapd.conf
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_mech_list:  plain digest-md5 cram-md5
sasl_ldapdb_uri: ldap:///
sasl_ldapdb_id: auxprop
sasl_ldapdb_pw: auxprop
sasl_ldapdb_mech: DIGEST-MD5
---
configure your smtpd.conf in /usr/lib/sasl2 likewise but without the
sasl_ prefixes (for sendmail, though, it may be sendmail.conf; I use
postfix personally)

in your /etc/openldap/slapd.conf file put this in.
--- slapd.conf
sasl-authz-policy to
sasl-regexp
    uid=(.*),cn=digest-md5,cn=auth
    uid=$1,ou=people,o=mydomain,c=us
sasl-regexp
    uid=(.*),cn=(.*),cn=digest-md5,cn=auth
    uid=$1,ou=People,o=mydomain,c=us
---
the first command (sasl-authz-policy) tells openldap to allow proxy
authentication.
the sasl-regexp lines map the SASL DN to the real user DN in your
directory. (the first is a username w/o a realm, the second with a
realm)
you'll have to adjust them according to your directory configuration..
All passwords must be in CLEAR PLAIN TEXT form in the directory!!
(mentioned in the openldap admin guide)
for your auxprop user..
ie..uid=auxprop,ou=people,o=mydomain,c=us
do this..
run ldapmodify on this ldif file..
--- auxprop.ldif
# explicit modify/add so ldapmodify does not depend on its default changetype
dn: uid=auxprop,ou=people,o=mydomain,c=us
changetype: modify
add: saslAuthzTo
saslAuthzTo: uid=.*,ou=people,o=mydomain,c=us
---

Then...(yup there's more)
actually wait, that should be it..
there are several how-tos on the 'net that explain setting this mess
up..  I've to get around to writing one up...
Hope it didn't confuse you TOO much..


-- Tony Earnshaw

Once the camel's head has entered your tent,
it's very difficult to stop the rest of the
animal from following it

http://www.billy.demon.nl
Mail: billy-at-billy.demon.nl
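An added example (editor's code, not from this post or from Edward Rudd's HOWTO): a small Python model of how slapd applies the quoted sasl-regexp rules and the proxy user's saslAuthzTo value, run over three constructed SASL identities. It assumes matching is an unanchored, case-insensitive regex search where the first rule wins; TIGHT_REGEXPS is an editor-added comparison variant, not part of the HOWTO.

```python
import re

# sasl-regexp rules copied from the quoted slapd.conf, in file order;
# each pair is (match pattern, replacement using slapd's $N references).
PAGE_REGEXPS = [
    (r"uid=(.*),cn=digest-md5,cn=auth", "uid=$1,ou=people,o=mydomain,c=us"),
    (r"uid=(.*),cn=(.*),cn=digest-md5,cn=auth", "uid=$1,ou=People,o=mydomain,c=us"),
]
# Editor's comparison variant (assumption, not from the HOWTO): captures
# stop at the first comma, so the no-realm rule cannot swallow a realm.
TIGHT_REGEXPS = [
    (r"uid=([^,]*),cn=digest-md5,cn=auth", "uid=$1,ou=people,o=mydomain,c=us"),
    (r"uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth", "uid=$1,ou=People,o=mydomain,c=us"),
]
# saslAuthzTo value of the proxy user, from the quoted auxprop.ldif.
PROXY_AUTHZ_TO = [r"uid=.*,ou=people,o=mydomain,c=us"]
# Constructed sample SASL identities as slapd sees them after a bind.
SAMPLE_IDENTITIES = [
    "uid=tony,cn=digest-md5,cn=auth",              # user without a realm
    "uid=tony,cn=mydomain,cn=digest-md5,cn=auth",  # user with a realm
    "uid=tony,cn=cram-md5,cn=auth",                # mechanism no rule covers
]


def map_sasl_dn(sasl_dn, rules):
    """Rewrite a SASL auth DN as slapd's sasl-regexp does: rules are tried
    in order and the first match wins. Matching is modelled as an unanchored,
    case-insensitive regex search (assumption about slapd's regexec use)."""
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_dn, re.IGNORECASE)
        if m:
            # translate slapd's $1/$2 into Python's \1/\2 before expanding
            return m.expand(re.sub(r"\$(\d+)", r"\\\1", replacement))
    return sasl_dn  # nothing matched: the identity is used unmapped


def may_proxy(target_dn, authz_to=PROXY_AUTHZ_TO):
    """True when a saslAuthzTo rule of the proxy user admits target_dn."""
    return any(re.search(rule, target_dn, re.IGNORECASE) for rule in authz_to)


def check_mapping(rules):
    """For every sample identity: (mapped DN, may the auxprop user assume it?)."""
    result = {}
    for sasl in SAMPLE_IDENTITIES:
        dn = map_sasl_dn(sasl, rules)
        result[sasl] = (dn, may_proxy(dn))
    return result
```

With the HOWTO's rules the realm form maps to uid=tony,cn=mydomain,ou=people,o=mydomain,c=us because the first, greedy pattern also matches it, while the cram-md5 identity matches no rule at all; the tight variant maps the realm form to uid=tony,ou=People,o=mydomain,c=us.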