* Terry L. Inzauro <tinza...@ha-solutions.net>:
> What is the recommended and most scalable method for implementing SMTP Auth
> against OpenLDAP that currently manages all IMAP accounts?

Cyrus SASL ldapdb plugin:

   The ldapdb auxprop plugin provides access to credentials stored in an
   OpenLDAP LDAP server. It is the only plugin that implements proxy
   authorization.

   Proxy authorization in this context means: The ldapdb plugin must SASL
   authenticate with the OpenLDAP server. The server then decides if the
   ldapdb plugin should be authorized to read the authenticating user's
   password.

   Once the ldapdb plugin has gone through proxy authorization it may proceed
   and authenticate the submitted credentials.

   In a nutshell: Configuring ldapdb means authentication and authorization
   must be configured twice - once in the Postfix SMTP server smtpd to
   authenticate and authorize mail clients and once in the OpenLDAP slapd
   server to authenticate and authorize the ldapdb plugin.

   This example configures libsasl to use the ldapdb plugin and the plugin to
   connect to an OpenLDAP server:

     /etc/sasl2/smtpd.conf:
         pwcheck_method: auxprop
         auxprop_plugin: ldapdb
         mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5
         ldapdb_uri: ldap://localhost
         ldapdb_id: proxyuser
         ldapdb_pw: password
         ldapdb_mech: DIGEST-MD5

  Important

   Set appropriate permissions if smtpd.conf contains a password.

   auxprop_plugin

           Set ldapdb to enable the plugin

   ldapdb_uri

           Specify either ldapi:// for a UNIX domain socket, ldap:// for an
           unencrypted TCP socket or ldaps:// to use an encrypted TCP
           connection.

   ldapdb_id

           Sets the login name for the ldapdb plugin (proxy
           authorization)

   ldapdb_pw

           Sets the password (in cleartext) for the ldapdb plugin (proxy
           authorization)

   ldapdb_mech

           Specify the mechanism ldapdb should use, when it authenticates
           with the OpenLDAP slapd server.

  Note

           It must be a mechanism supported by the OpenLDAP slapd server.

   ldapdb_rc (optional)

           Specifies the path to a file containing individual configuration
           options for the ldapdb LDAP client (libldap). This allows to
           specify a TLS client certificate which in turn can be used to use
           the SASL EXTERNAL mechanism.

  Note

           This mechanism provides authentication over an encrypted transport
           layer, which is recommended if the plugin must connect to an
           OpenLDAP server on a remote machine.

   ldapdb_starttls (optional)

           Specify either "try" or "demand" for a TLS policy. If the option
           is "try" the plugin will attempt to establish a TLS encrypted
           connection and will fall back to an unencrypted connection if TLS
           fails. If it is "demand" and a TLS encrypted connection fails no
           subsequent attempts will be made and the connection fails
           completely.

   When the ldapdb plugin connects to the OpenLDAP server and successfully
   authenticates, the server must decide if the plugin user should be
   authorized to read other users' passwords.

   The following configuration gives an example of authorization
   configuration in the OpenLDAP slapd server:

     /etc/openldap/slapd.conf:
     authz-regexp
         uid=(.*),cn=.*,cn=auth
         ldap:///dc=example,dc=com??sub?cn=$1
     authz-policy to

   The "authz-regexp" option serves authentication of the ldapdb user. It
   maps its login name (SASL identity) to a DN in the LDAP directory tree
   where slapd can look up the password. The "authz-policy" option defines
   the authentication policy. In this case it grants authentication
   privileges "to" the ldapdb plugin.

   The last configuration step is to tell the OpenLDAP slapd server where
   ldapdb may search for usernames matching the one given by the mail client.
   An additional attribute added to the ldapdb user object (here: authzTo
   because the authz-policy is "to") configures the scope within the ldapdb
   login name "proxyuser" may search:

     dn: cn=proxyuser,dc=example,dc=com
     changetype: modify
     add: authzTo
     authzTo: dn.regex:uniqueIdentifier=(.*),ou=people,dc=example,dc=com

   Use the ldapmodify or ldapadd command to add the additional attribute.

HTH,

p...@rick

-- 
All technical answers asked privately will be automatically answered on
the list and archived for public access unless privacy is explicitly
required and justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
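To make the two halves of the proxy-authorization setup concrete, here is an added Python sketch (not part of Patrick's answer, nor code from Cyrus SASL or OpenLDAP) that models what slapd does with the smtpd.conf above: it builds the SASL identity DN, applies the authz-regexp mapping, and evaluates the authzTo value against a target user DN. The regex handling is an approximation of slapd's (which uses POSIX extended, case-insensitive matching), and the constants reuse the sample values from the message.

```python
import re
# Constructed sample: the smtpd.conf from the excerpt above (values from the page).
SMTPD_CONF = """\
pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5
ldapdb_uri: ldap://localhost
ldapdb_id: proxyuser
ldapdb_pw: password
ldapdb_mech: DIGEST-MD5
"""
# The slapd side from the excerpt: authz-regexp pattern/replacement and the authzTo value.
AUTHZ_REGEXP = (r"uid=(.*),cn=.*,cn=auth", "ldap:///dc=example,dc=com??sub?cn=$1")
AUTHZ_TO = "dn.regex:uniqueIdentifier=(.*),ou=people,dc=example,dc=com"

def parse_sasl_conf(text):
    """Cyrus SASL option files are 'key: value' lines; '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip()] = value.strip()
    return opts

def sasl_authz_dn(opts):
    """slapd represents a SASL-authenticated identity as uid=<id>,cn=<mech>,cn=auth."""
    return f"uid={opts['ldapdb_id']},cn={opts['ldapdb_mech']},cn=auth"

def apply_authz_regexp(sasl_dn, pattern, replacement):
    """Approximate slapd's authz-regexp: the pattern must match the whole SASL DN
    (case-insensitively) and $1..$9 in the replacement are filled from the groups."""
    m = re.fullmatch(pattern, sasl_dn, flags=re.IGNORECASE)
    if m is None:
        return None
    return re.sub(r"\$([1-9])", lambda g: m.group(int(g.group(1))), replacement)

def authz_to_allows(authz_to, target_dn):
    """Evaluate an authzTo value of the form dn.regex:<pattern> against a target DN."""
    kind, _, pattern = authz_to.partition(":")
    if kind != "dn.regex":
        raise ValueError("only dn.regex authzTo values are handled here")
    return re.fullmatch(pattern, target_dn, flags=re.IGNORECASE) is not None

def proxy_may_read(smtpd_conf, target_dn):
    """Return (search_url, allowed): the URL slapd maps the plugin's identity to,
    and whether authzTo lets that identity act on behalf of target_dn."""
    opts = parse_sasl_conf(smtpd_conf)
    url = apply_authz_regexp(sasl_authz_dn(opts), *AUTHZ_REGEXP)
    return url, url is not None and authz_to_allows(AUTHZ_TO, target_dn)
```

Running proxy_may_read against a DN outside ou=people shows why the authzTo regex, not the authz-regexp mapping, is what limits the proxy user's reach.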
