Re: Problems Enabling Authentication using Cyrus SASL

[Dan White <dwhite@olp.net>]

On 19/11/10 10:31 -0400, Fernando Torrez wrote:
> Hi all
>
>    I got work  sasl authentication to access ldap server by correcting two things:
> 1.- inserting the proxyuser's userpassword in clear text  (userPassord=secret)
> 2.- fixing the proxyuser's authzTo atributte to
>     authzTo: ldap:///ou=people,dc=plainjoe,dc=org??sub?(objectClass=account)
>     (results at the end of this mail)
>
>    As far as it can be seen, there's no need for cyrus-sasl for these matter
>
>
>     but my final purpose is to enable Cyrus-sasl with openldap as
> backend to authenticate users for cyrus-imapd and postfix services.

ldapdb is one way to accomplish that.

See:

http://www.cyrusimap.org/docs/cyrus-sasl/2.1.23/options.php

for cyrus options and basic usage documentation.

> firewall:~ # ldapwhoami -U proxyuser -X u:test -Y digest-md5
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> SASL username: u:test
> SASL SSF: 128
> SASL data security layer installed.
> dn:uid=test,ou=people,dc=plainjoe,dc=org

If you've got a proxy user set up and authenticating, then you've done most
of the work.

In Postfix (/etc/postfix/sasl/smtpd.conf), you could do:

mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 EXTERNAL
pwcheck_method: auxprop
auxprop_plugin: ldapdb
ldapdb_uri: ldap://ldap.example.net
ldapdb_id: proxyuser
ldapdb_pw: <proxy user's secret>
ldapdb_mech: DIGEST-MD5

and in /etc/imapd.conf:

sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 EXTERNAL
sasl_pwcheck_method: auxprop 
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://ldap.example.net
sasl_ldapdb_id: proxyuser
sasl_ldapdb_pw: <proxy user's secret>
sasl_ldapdb_mech: DIGEST-MD5

--
Dan White