On Tuesday, 1 July 2003 22:05, Buchan Milne wrote:
> Martin Fahrendorf wrote:
...
>
> OK, I have now added the ldapdb plugin from openldap-2.1.22 to cyrus-sasl2:
>
> http://ranger.dnsalias.com/mandrake/cooker/cyrus-sasl2-2.1.13-2mdk.src.rpm
>
> But I am not sure if I have it configured right (in fact I suspect I
> don't). Not knowing too much about SASL myself, can you summarise what
> is needed?
>
> At present I have:
> -added a sasl-regexp to my slapd.conf on my ldap server
> -put the following in my /usr/lib/sasl2/smtpd.conf:
> pwcheck_method: ldapdb
> ldapdb_uri: ldapi://bgmilne.cae.co.za
> ldapdb_mech: EXTERNAL
The pwcheck_method must be auxprop and the auxprop_plugin: ldapdb (as stated by Luca). Attached you can see a mail from Howard Chu at the openldap mailing list on this topic.
...
>
> I bumped up the log level on my slapd, and get no queries coming through
> when postfix tries authenticating.
Yes, that's the missing auxprop entry in the pwcheck_method.
>
> I guess I should have started off with a working configuration before
> updating so many packages ... but maybe I will try that at home ...
>
> OK, I tried with "pwcheck_method: pam", and it doesn't work either ...
> time to go home ...
>
> BTW, I really think sasl has about the worst documentation of any of the
> server-side software ...
Yes, by far the worst documentation. The postfix guys recently discussed replacing the sasl stuff with something simple (a daemon like saslauthd but with all the functionality of sasl, so an auth program only needs to pass the auth handshake through to the daemon).
>
> Regards,
> Buchan
Martin
--
------------------------------------------------------------
H E L I X Gesellschaft für Software & Engineering mbH
------------------------------------------------------------
Hanauer Landstrasse 52 Telefon (069) 4789 35-30
D-60314 Frankfurt am Main Telefax (069) 4789 35-44
------------------------------------------------------------
http://www.helix-gmbh.net [EMAIL PROTECTED]
------------------------------------------------------------
By the way, if you upgrade to OpenLDAP 2.1.13 you can use SASL/EXTERNAL with
ldapi. This is much better than using SASL/PLAIN because you don't even need
to put a username or password into the config file:
ldapdb_uri: ldapi://
ldapdb_mech: EXTERNAL
This is the regexp mapping you need:
sasl-regexp uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth
ldap:///dc=komi,dc=mts,dc=ru??sub?(&(uidnumber=$1)(gidnumber=$2))
The SASL DN is "uidNumber=xx+gidNumber=yy,cn=peercred,cn=external,cn=auth"
and you have to escape the "+" because it is a regexp metacharacter.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
> -----Original Message-----
> From: Alex Deiter [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 26, 2003 7:12 AM
> To: [EMAIL PROTECTED]
> Subject: ldapdb auxprop SASL plugin
>
>
> Hello!
>
> Help me please with ldapdb auxprop SASL plugin.
>
> I am trying to realize such a circuit:
> service(smtp/imap/pop3) -> SASLv2 -> libldapdb -> LDAP
> directory (users with
> cleartext passwords)
>
> I compile openldap-2.1.12 + cyrus-sasl-2.1.12 + ldapdb.c on
> FreeBSD 4.7
> STABLE, and have set them up as follows:
>
> /usr/local/etc/openldap/slapd.conf:
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> pidfile /var/run/slapd.pid
> argsfile /var/run/slapd.args
> database bdb
> suffix "dc=komi,dc=mts,dc=ru"
> rootdn "cn=Manager,dc=komi,dc=mts,dc=ru"
> rootpw secret
> directory /var/db/openldap-data
> index objectClass eq
> loglevel 256
> saslAuthzTo: cn=.*,dc=komi,dc=mts,dc=ru
>
>
> /usr/local/lib/sasl2/sample.conf:
> ldapdb_uri: ldapi://
> ldapdb_id: root
> ldapdb_pw: secret
> ldapdb_mech: PLAIN
>
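As an added example (not code from any message in this thread, nor from Cyrus SASL or OpenLDAP), the following Python script checks the two points made above: that ldapdb has to be wired in as an auxprop plugin (pwcheck_method: auxprop plus auxprop_plugin: ldapdb) rather than named as the pwcheck method, and how the sasl-regexp from Howard's mail maps the peercred DN of an ldapi:// client to the LDAP search URL. The three config texts, the uid/gid numbers and the parser are constructed stand-ins; case-insensitive matching against the whole identity and one backslash being consumed by the slapd.conf tokenizer are assumptions noted in the comments.

```python
import re

# Constructed sample configs for the ldapdb auxprop plugin. BROKEN names
# ldapdb as the pwcheck method (the mistake in the thread); FIXED wires it
# in the way Cyrus SASL expects: auxprop as the method, ldapdb as the plugin.
BROKEN_SMTPD_CONF = """\
pwcheck_method: ldapdb
ldapdb_uri: ldapi://
ldapdb_mech: EXTERNAL
"""

FIXED_SMTPD_CONF = """\
pwcheck_method: auxprop
auxprop_plugin: ldapdb
ldapdb_uri: ldapi://
ldapdb_mech: EXTERNAL
"""

# Constructed: the PLAIN variant from the original question, which keeps a
# bind identity and password in the SASL config file.
PLAIN_SMTPD_CONF = """\
pwcheck_method: auxprop
auxprop_plugin: ldapdb
ldapdb_uri: ldapi://
ldapdb_id: root
ldapdb_pw: secret
ldapdb_mech: PLAIN
"""


def parse_sasl_conf(text):
    """Parse the 'key: value' lines of a Cyrus SASL application config file.

    Simplified stand-in for the library's own parser (assumption): blank
    lines and '#' comments are skipped, the first ':' separates key and value.
    """
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip()] = value.strip()
    return opts


def check_ldapdb_conf(text):
    """Return a list of findings about how ldapdb is wired into this config."""
    opts = parse_sasl_conf(text)
    findings = []
    if opts.get("pwcheck_method") != "auxprop":
        findings.append("pwcheck_method must be 'auxprop'; ldapdb is an auxprop "
                        "plugin, not a pwcheck method")
    if opts.get("auxprop_plugin") != "ldapdb":
        findings.append("missing 'auxprop_plugin: ldapdb'")
    if "ldapdb_uri" not in opts:
        findings.append("missing ldapdb_uri")
    if opts.get("ldapdb_mech") == "PLAIN" and "ldapdb_pw" in opts:
        findings.append("ldapdb_pw keeps a cleartext bind password in the config; "
                        "ldapi:// with ldapdb_mech: EXTERNAL needs no stored credential")
    return findings


# The sasl-regexp rule from Howard Chu's mail. In slapd.conf the '+' is
# written as '\\+' (assumption: the config tokenizer consumes one backslash,
# leaving '\+' for the regexp engine); below it is written as the engine
# sees it. The pattern is valid both as a POSIX extended regexp and in
# Python's re module.
SASL_REGEXP_MATCH = r"uidNumber=(.*)\+gidNumber=(.*),cn=peercred,cn=external,cn=auth"
SASL_REGEXP_REPLACE = "ldap:///dc=komi,dc=mts,dc=ru??sub?(&(uidnumber=$1)(gidnumber=$2))"


def peercred_sasl_dn(uid, gid):
    """The authentication DN slapd derives for an ldapi:// client from the
    kernel-supplied peer credentials (SASL/EXTERNAL over a Unix socket)."""
    return f"uidNumber={uid}+gidNumber={gid},cn=peercred,cn=external,cn=auth"


def map_sasl_dn(sasl_dn, match=SASL_REGEXP_MATCH, replace=SASL_REGEXP_REPLACE):
    """Apply one sasl-regexp rule: if the whole identity matches (assumed
    case-insensitive), substitute the captured groups for $1..$9 in the
    replacement and return it; otherwise return None."""
    m = re.fullmatch(match, sasl_dn, flags=re.IGNORECASE)
    if m is None:
        return None
    return re.sub(r"\$([1-9])", lambda g: m.group(int(g.group(1))), replace)


if __name__ == "__main__":
    for name, conf in [("broken", BROKEN_SMTPD_CONF), ("fixed", FIXED_SMTPD_CONF),
                       ("plain", PLAIN_SMTPD_CONF)]:
        print(name, check_ldapdb_conf(conf) or "ok")
    print(map_sasl_dn(peercred_sasl_dn(1000, 1000)))
```

Running it reports the missing auxprop wiring for the broken config, nothing for the fixed one, the stored cleartext password for the PLAIN variant, and the search URL slapd would issue for a client running as uid/gid 1000 over ldapi://.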