Hello,
I have finished installing qmail + vpopmail with openldap as the
backend. Everything runs fine.
Now I want to use the existing directory to authenticate the users of
other services (for example squid, egroupware...), and a problem has
come up: I cannot authenticate the users of those other services
using that directory. The main reason is that the way egroupware or
squid encrypts and authenticates differs from vpopmail's. But first I
have two questions about openldap:
1. How does openldap treat the userPassword attribute?
I am very confused about this. Some documents I read say that when
you use ldapadd to add a new user, openldap encrypts this attribute
(using SSHA or the password-hash option in slapd.conf), but when the
attribute is modified it follows exactly whatever the application on
top wants and does no encryption at all. What is actually the case?
The second question below is also related to this.
2. How do applications use openldap to authenticate their users?
I had simply assumed that LDAP is like a database for storing data,
so everything related to encryption or the storage format is decided
by the application (just as with mysql: I store things however I
like, and mysql's only job is to store them). In reality, however, it
is not like that: it seems that OpenLDAP itself supports the SASL
mechanism, allowing applications to use this mechanism of openldap to
authenticate the application's users, is that right? It seems that is
exactly why the trouble arises around the userPassword attribute. I
do not understand this either yet; could someone please explain this
point clearly for me.

Back to the problem above, here are the files I think are needed for
you to "diagnose" it:

----file: qmailUser.schema----
attributetype ( 1.3.6.1.4.1.8868.3.1.8
        NAME 'clearPassword'
        DESC 'qmail Clear Password for APOP'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128}
        SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.8868.3.1
        NAME 'qmailUser'
        DESC 'qmail local mail recipient'
        SUP ( top $ person $ organizationalPerson )
        MAY ( qmailGID $ qmailUID $ qmaildomain $
                mailQuota $ mailMessageStore $ clearPassword $
                uid $ name $ sn $ cn ) )
-----end-------------------------------

Because I followed the instructions in vpopmail's README.ldap, now
that I reread it, this schema looks odd to me: does it use the
clearPassword attribute to authenticate? If so, why does the
userPassword attribute also have a value, of the form
{MD5}$1$tDTuRfMn$PxWnpSsscl45YBH4Aa8Dz/ , and when I use
phpldapadmin to try changing the value of these attributes, for
example to the value 12345, this attribute gets the value
{MD5}gnzLDuqKcGxMNKFokfhOew== , and I can no longer log in. When I
view the clearPassword attribute in phpldapadmin, it reports it as a
binary value.

---------file slapd.conf----------------------
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.4 2000/08/26 17:06:18 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /home/ldap/etc/openldap/schema/core.schema
include         /home/ldap/etc/openldap/schema/cosine.schema
include         /home/ldap/etc/openldap/schema/inetorgperson.schema
include         /home/ldap/etc/openldap/schema/qmailUser.schema
include         /home/ldap/etc/openldap/schema/pureftpd.schema
include         /home/ldap/etc/openldap/schema/nis.schema
include         /home/ldap/etc/openldap/schema/misc.schema

#egroupware's schema files, added by Thaidn on 2004-11-27
include         /home/ldap/etc/openldap/schema/phpgwaccount.schema
include        /home/ldap/etc/openldap/schema/phpgwcontact.schema

# we need to turn schema checking off as a workaround to a problem
# with the qmailUser schema. The issue is that qmailUser objectclass
# is defined as top $ person $ organizationalPerson, but according
# to core.schema, a person MUST have a cn and sn. But these fields
# dont exist in the vpopmail implementation. We can either modify
# core.schema to make cn and sn MAY rather than MUST, or we can
# disable schemacheck
schemacheck off

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args
loglevel        768
database        bdb
suffix          "o=root"
rootdn          "cn=admin,o=root"
rootpw          xxxxxx
directory       /home/ldap/var/openldap-data
index           objectClass             pres,eq
index           cn,sn,uid               eq
index           qmailUID,qmailGID   eq

(there is also an ACL section, which I do not think is necessary)
-------------------end-------------------

I found an email on the squid-users list that mentions this problem,
at
http://www.squid-cache.org/mail-archive/squid-users/200401/0130.html.
In it the author mentions a workaround as follows:

----quote from squid-users-----
I've found a workaround for this, I disable vpopmail's MD5 password
encryption and use the standard crypt instead. Now both vpopmail and ldap
can read the password. 
---------end---------------------------

Does anyone know how to do the above? Where in vpopmail's source code
should I make the change to replace MD5 with crypt?
I also want to replace it because in the future this directory will
also be used to authenticate *nix users.
Thank you, and I hope to get some help.
Thái.
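
Added example (not part of the original message, and not vpopmail or OpenLDAP code): the two userPassword values quoted above share the `{MD5}` prefix but carry different payloads, an MD5-crypt string (`$1$salt$hash`) and the base64 of a raw MD5 digest, which is the format OpenLDAP's `{MD5}` scheme denotes. This Python sketch classifies such values and verifies the digest forms; the function names are hypothetical, and it goes beyond the post by also covering `{SMD5}`, `{SHA}` and `{SSHA}`.

```python
import base64
import hashlib
import hmac
import re

# Values quoted in the post above.
VPOPMAIL_VALUE = "{MD5}$1$tDTuRfMn$PxWnpSsscl45YBH4Aa8Dz/"
PHPLDAPADMIN_VALUE = "{MD5}gnzLDuqKcGxMNKFokfhOew=="

# OpenLDAP digest schemes: name -> (hashlib algorithm, digest length, salted)
SCHEMES = {"MD5": ("md5", 16, False), "SMD5": ("md5", 16, True),
           "SHA": ("sha1", 20, False), "SSHA": ("sha1", 20, True)}
# crypt(3) modular format, e.g. $1$salt$hash for MD5-crypt
CRYPT_RE = re.compile(r"^\$[0-9a-z]+\$[./A-Za-z0-9]*\$[./A-Za-z0-9]+$")

def classify(value):
    """Return (scheme prefix, payload kind) for one userPassword value."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}(.*)$", value)
    if not m:
        return ("CLEARTEXT", "plain")
    scheme, payload = m.group(1).upper(), m.group(2)
    if CRYPT_RE.match(payload):
        return (scheme, "crypt")
    if scheme not in SCHEMES:
        return (scheme, "other")
    _, dlen, salted = SCHEMES[scheme]
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return (scheme, "invalid")
    ok = len(raw) > dlen if salted else len(raw) == dlen
    return (scheme, "digest" if ok else "invalid")

def verify_digest(value, password):
    """Compare a password with a digest-scheme value; None if not a digest."""
    scheme, kind = classify(value)
    if kind != "digest":
        return None
    algo, dlen, _ = SCHEMES[scheme]
    raw = base64.b64decode(value.split("}", 1)[1])
    digest, salt = raw[:dlen], raw[dlen:]  # salt is empty for MD5 / SHA
    calc = hashlib.new(algo, password.encode() + salt).digest()
    return hmac.compare_digest(calc, digest)

def interoperable(value):
    """False when the prefix promises one format and the payload is another."""
    scheme, kind = classify(value)
    return kind != "invalid" and not (kind == "crypt" and scheme != "CRYPT")
```

A crypt(3) payload that an LDAP server should verify itself is stored under the `{CRYPT}` prefix, so `interoperable()` flags the first value and accepts the second.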

