
Re: Postfix 2.0.16 CRAM/DIGEST-MD5 SMTP AUTH



On Mon, 13 Oct 2003, Tony Earnshaw wrote:

> Tony Earnshaw wrote:
>
> > O.k. Shortly: DIGEST-MD5 and CRAM-MD5 (the latter necessary for some
> > MUAs) work now - but not exactly as I'd like. Nevertheless, I can now
> > use the latest Postfix snapshots with Cyrus SASL 2.1.15 on RH 9 and thus
> > avoid the re-entrance problems of the 2.1.13 that I was experiencing.
>
> Following up on my own post, just for the archives:
>
> ldapwhoami and ldapsearch using PLAIN and DIGEST-MD5 work as they should
> now with previously stated slapd.conf sasl regexps. As Igor pointed out,
> the CRAM-MD5 does not give the required result. Unfortunate for clients
> like Mozilla 1.4 that insist on using it.

The ldapdb auxprop plugin has to use PLAIN and DIGEST-MD5; however, Mozilla
1.4 can use CRAM-MD5 or any other mech offered by the imap (?) server.

Mozilla ---CRAM-MD5---> imapd --> ldapdb ---DIGEST-MD5---> slapd

> What I didn't realize was, that I had actually to add an internal
> saslAuthzTo attribute to my proxy user's DIT entry using ldapmodify.
> After using this utility, the attribute can be altered or supplementary
> values added with a tool such as GQ 0.7.0b2.
>
> After a great number of hints from others, I found Edward Rudd's
> Openldap Cyrus SASL imapd and generic smtpd "HOWTO" of 247-7-03 on the
> Cyrus SASL mailing list (on my hard disk :). The text is included below.
> His comments on smtpd.conf apply to the Openldap 2.1.x releases prior to
> 2.1.23
>
> --Tonni
>
> _________________________________________________________________________
>
> Saslauthd only supports plain/login methods not CRAM-MD5 nor
> DIGEST-MD5..
> You have to use the auxprop plugin..
> Attached is a patch for Cyrus-SASL 2.1.14 to add in the ldapdb auxprop
> plugin.  Just add --with-ldapdb when you run ./configure.
> You must use Openldap 2.1.x compiled with sasl2 to use this however. (I
> am running 2.1.19 currently) Read the openldap documentation on setting
> up sasl authentication and sasl authz users..
>
> Configuration of sasl is as follows.
> in the /etc/imapd.conf add this
> -- imapd.conf
> sasl_pwcheck_method: auxprop
> sasl_auxprop_plugin: ldapdb
> sasl_mech_list:  plain digest-md5 cram-md5
> sasl_ldapdb_uri: ldap:///
> sasl_ldapdb_id: auxprop
> sasl_ldapdb_pw: auxprop
> sasl_ldapdb_mech: DIGEST-MD5
> ---
> configure your smtpd.conf in /usr/lib/sasl2 likewise but without the
> sasl_ prefixes (for sendmail, though it may be sendmail.conf I use
> postfix personally)
>
> in your /etc/openldap/slapd.conf file put this in.
> --- slapd.conf
> sasl-authz-policy to
> sasl-regexp
>      uid=(.*),cn=digest-md5,cn=auth
>      uid=$1,ou=people,o=mydomain,c=us
> sasl-regexp
>      uid=(.*),cn=(.*),cn=digest-md5,cn=auth
>      uid=$1,ou=People,o=mydomain,c=us
> ---
> the first command (sasl-authz-policy) tells openldap to allow proxy
> authentication.
> the sasl-regexp lines map the SASL DN to the real user DN in your
> directory. (the first is a username w/o a realm, the second with a
> realm)
> you'll have to adjust them according to your directory configuration..
> All passwords must be in CLEAR PLAIN TEXT form in the directory!!
> (mentioned in the openldap admin guide)
> for your auxprop user..
> ie..uid=auxprop,ou=people,o=mydomain,c=us
> do this..
> run ldapmodify on this ldif file..
> --- auxprop.ldif
> dn: uid=auxprop,ou=people,o=mydomain,c=us
> saslAuthzTo: uid=.*,ou=people,o=mydomain,c=us
> ---
>
> Then...(yup there's more)
> actually wait, that should be it..
> there are several how-tos on the 'net that explain setting this mess
> up..  I've to get around to writing one up...
> Hope it didn't confuse you TOO much..

-- 
Igor
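
As an added illustration (not part of the thread, and not OpenLDAP's or Edward Rudd's code), here is a small offline model of the two slapd.conf steps the quoted HOWTO sets up: the sasl-regexp mapping from the SASL authentication DN that slapd builds for a DIGEST-MD5 bind to a directory DN, and the saslAuthzTo check that "sasl-authz-policy to" enables for the auxprop proxy user. The patterns, replacement templates and the saslAuthzTo value are the ones quoted above; the user name "tonni", the realm "example.com" and the function names are constructed for the example. Running it shows one thing the prose does not: because the first quoted regexp uses a greedy (.*), it also matches a realm-qualified name and captures "tonni,cn=example.com" as $1, so the second regexp is never reached. A tightened variant using [^,]* (the editor's suggestion, not on the page) is included for comparison.

```python
import re

# Model of the quoted slapd.conf / auxprop.ldif configuration (added example).
# (1) sasl-regexp: slapd tries the entries in file order and uses the first
#     whose pattern matches the SASL DN uid=<user>[,cn=<realm>],cn=digest-md5,cn=auth.
# (2) sasl-authz-policy to: the proxy user may act as a target DN only if one of
#     its saslAuthzTo regexps matches that DN.
# Matching is unanchored (re.search), as a POSIX regexec() match is unless the
# pattern itself carries ^ and $.

# Patterns and templates copied from the quoted slapd.conf.
SASL_REGEXPS_FROM_HOWTO = [
    (r"uid=(.*),cn=digest-md5,cn=auth", "uid=$1,ou=people,o=mydomain,c=us"),
    (r"uid=(.*),cn=(.*),cn=digest-md5,cn=auth", "uid=$1,ou=People,o=mydomain,c=us"),
]

# Editor's tightened variant (assumption, not on the page): [^,]* stops the
# first pattern from swallowing ",cn=<realm>" into $1 when a realm is present.
SASL_REGEXPS_TIGHT = [
    (r"^uid=([^,]*),cn=digest-md5,cn=auth$", "uid=$1,ou=people,o=mydomain,c=us"),
    (r"^uid=([^,]*),cn=[^,]*,cn=digest-md5,cn=auth$", "uid=$1,ou=People,o=mydomain,c=us"),
]

# saslAuthzTo per proxy entry, copied from the quoted auxprop.ldif.
SASL_AUTHZ_TO = {
    "uid=auxprop,ou=people,o=mydomain,c=us": [r"uid=.*,ou=people,o=mydomain,c=us"],
}


def _expand(template, groups):
    """Substitute $1, $2, ... in a sasl-regexp replacement template."""
    return re.sub(r"\$(\d)", lambda m: groups[int(m.group(1)) - 1], template)


def map_sasl_dn(sasl_dn, regexps=SASL_REGEXPS_FROM_HOWTO):
    """Return the directory DN for a SASL DN, or None if no sasl-regexp matches."""
    for pattern, template in regexps:
        m = re.search(pattern, sasl_dn, re.IGNORECASE)
        if m:
            return _expand(template, m.groups())
    return None


def may_proxy(proxy_dn, target_dn, authz_to=SASL_AUTHZ_TO):
    """sasl-authz-policy to: may proxy_dn assume target_dn per its saslAuthzTo?"""
    return any(re.search(p, target_dn, re.IGNORECASE)
               for p in authz_to.get(proxy_dn, []))


def proxy_bind(authc_sasl_dn, authz_sasl_dn, regexps=SASL_REGEXPS_FROM_HOWTO):
    """Model the ldapdb bind: authenticate as the proxy, ask to act as the user.

    Returns (allowed, proxy_dn, target_dn) so a refused or odd result shows
    which DNs the regexps actually produced.
    """
    proxy_dn = map_sasl_dn(authc_sasl_dn, regexps)
    target_dn = map_sasl_dn(authz_sasl_dn, regexps)
    if proxy_dn is None or target_dn is None:
        return False, proxy_dn, target_dn
    return may_proxy(proxy_dn, target_dn), proxy_dn, target_dn


if __name__ == "__main__":
    # Constructed sample identities: the proxy binds without a realm; the end
    # user is tried both without and with a realm ("example.com").
    proxy = "uid=auxprop,cn=digest-md5,cn=auth"
    for user_dn in ("uid=tonni,cn=digest-md5,cn=auth",
                    "uid=tonni,cn=example.com,cn=digest-md5,cn=auth"):
        for name, rx in (("howto", SASL_REGEXPS_FROM_HOWTO),
                         ("tight", SASL_REGEXPS_TIGHT)):
            print(name, user_dn, "->", proxy_bind(proxy, user_dn, rx))
```

The realm case with the quoted patterns yields the target DN uid=tonni,cn=example.com,ou=people,o=mydomain,c=us, which the broad saslAuthzTo regexp still accepts even though no such entry exists; the tightened patterns map it to uid=tonni,ou=People,o=mydomain,c=us instead. Checking a mapping against the live server is what ldapwhoami, mentioned earlier in the thread, is for.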