2005-08-05 00:02:40

> >>I have an LDAP server and I wish to do saslauthd on my LDAP. Basically,
> >>this is my configuration.
> >>
> >>file: /etc/postfix/main.cf
> >>--------------------------------
> >>smtpd_sasl_auth_enable = yes
> >>smtpd_sasl_local_domain = $myhostname
> >
> >If you append the domainname as REALM, which you do by setting
> >smtpd_sasl_local_domain this way, you need to run at least saslauthd
> >2.1.19 with the "-r" switch.

>
> I am a bit confused. Please explain. I thought I had to add this since
> many of the resources on the internet keep mentioning it.
> Perhaps I should go for this???
> smtpd_sasl_local_domain=

Whether, and which value, you provide with smtpd_sasl_local_domain depends
on the format of your usernames:

SASL understands the concept of REALMs; you can define different
contexts for the same user and allow or restrict the use of certain
features. In combination with a username the REALM shows up as the
domain part, e.g. mail.example.com.

Postfix supports this concept with limitations: It will only allow you
to provide one, identical REALM to all usernames that are transmitted to
SASL.

Now, whether and what you send as REALM depends on the format of the
usernames in your "authentication backend", i.e. the source where you
store all usernames/passwords.

1. username (smtpd_sasl_local_domain = )
   If your authentication backend doesn't have REALMs attached to
   usernames, you configure Postfix not to append anything to the
   username. If, for example, you had a user "yohiu" in passwd/shadow
   and had smtpd_sasl_local_domain = shinyang.com.my, Postfix would
   always append shinyang.com.my to usernames that got sent.
   Authentication would fail because SASL would look for a user
   yohiu@shinyang.com.my in passwd, which does not exist.

2. username@domain (smtpd_sasl_local_domain = foo.bar.baz )
   If your authentication backend has stored usernames with a REALM, e.g.
   yohiu@shinyang.com.my as username in, let's say, an LDAP tree, then you
   have to configure Postfix to append the REALM (here: shinyang.com.my)
   to every username that is sent to SASL.

And now for something completely different: SASL

There are two ways to access an LDAP server as an authentication backend
through SASL: "saslauthd -m LDAP -O /path/to/saslauthd.conf" and ldapdb.

saslauthd
This gives you plaintext mechs (PLAIN, LOGIN) only. LDAP configuration
to access and query the right tree for the right attributes has to be
written to a separate saslauthd.conf. By default SASL will look for it
in /usr/local/etc/saslauthd.conf (you might want to look this up. I
haven't had a coffee yet...).

ldapdb
ldapdb is an auxprop plugin - you need to use it in combination with
pwcheck_method: auxprop. ldapdb gets you plaintext _and_ shared-secret
mechanisms (CRAM-MD5, DIGEST-MD5), and it requires configuration in
Postfix, SASL and OpenLDAP.
This plugin comes within the contrib tree of the OpenLDAP source and has
been contributed to the SASL sources. It has been scheduled to be part
of future SASL versions, but it's low priority. Writing no documentation
seems to be of higher priority ;)

I recommend you use saslauthd. If you use saslauthd you must be aware
that this daemon strips REALMs unless you configure it not to do so with
the command line option "-r". This option is available for
Cyrus-SASL 2.x newer than 2.1.19.

> >>smtpd_sasl_security_options = noanomymous
> >>broken_sasl_auth_clients = yes
> >>
> >>smtpd_recipient_restrictions = permit_sasl_authenticated,
> >>permit_mynetworks, reject_invalid_hostname
> >>
> >>file: /usr/lib/sasl2/smtpd.conf
> >>---------------------------------------
> >>pwcheck_method: saslauthd
> >Add:
> >
> >mech_list: PLAIN LOGIN
> i added this.
>
> >>file: /etc/pam.d/smtp.postfix
> >>--------------------------------------
> >>auth required pam_ldap.so
> >>account required pam_ldap.so
> >>session required pam_ldap.so
> >>
> >>file: /etc/saslauthd.conf (initially, i dont have this file in my Redhat
> >>AS 3, but, i created it)
> >>--------------------------------------------------------------------------------------------------
> >>ldap_server: ldap://192.168.1.1
> >>ldap_bind_dn: ou=**,cn=**,dc=**,dc=**
> >>ldap_bind_pw: 123
> >>ldap_filter: uid=%u,ou=**,cn=**,dc=**,dc=**
> >>ldap_auth_method: bind
> >>ldap_search_base: cn=**,dc=**,dc=**
> >>
> >>
> >>my problem is that, i cant get authenticated from the ldap. how
> >>should i do next? what should i troubleshoot? pls advise.....
> >>thanks.....
> >
> >Use testsaslauthd to test SASL in itself. Only when you can
> >authenticate successfully turn to Postfix.
> >
> I don't have testsaslauthd in my Red Hat Linux AS3. How should I get this out?
> These are my SASL packages. Are they compatible?
> [root@mail local]# rpm -qa | egrep 'sasl'
> cyrus-sasl-gssapi-2.1.15-3
> cyrus-sasl-md5-2.1.15-3
> cyrus-sasl-2.1.15-3
> cyrus-sasl-plain-2.1.15-3
> cyrus-sasl-devel-2.1.15-3

I don't know the RPMs for Red Hat Linux AS3. As an alternative you can
search the RPMs for "server" and "client". Those are two sample apps
that come with SASL. IIRC they are in cyrus-sasl-devel, but RH has
renamed them to cyrus-sasl2-server and cyrus-sasl2-client.

They need some configuration, which you should be able to find in the
SASL docs.

> Another question: where is my saslauthd.conf??? How come I can't find
> it? Have I missed anything? Please advise... thanks???

saslauthd.conf has to be created. It's not there by default.

p@rick

--
SMTP AUTH howto:
<
SMTP AUTH debug utility:
<
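As an added illustration (not part of the thread and not Cyrus SASL code), a POSIX shell script that applies two points from the reply to the poster's own package list: it checks whether a cyrus-sasl RPM is 2.1.19 or newer (the stated requirement for "saslauthd -r"), and it models, exactly as the reply describes it, which login Postfix sends for a given smtpd_sasl_local_domain and which identity saslauthd then looks up with and without "-r". The function names and the constructed package names are my assumptions.

```shell
#!/bin/sh
# Added example: realm handling and saslauthd version check, modelled
# on the reply in the thread above (constructed, not from Cyrus SASL).

# Extract "2.1.15" from an rpm name such as "cyrus-sasl-gssapi-2.1.15-3".
sasl_version() {
    printf '%s\n' "$1" | sed -n 's/^cyrus-sasl[a-z-]*-\([0-9][0-9.]*\)-.*/\1/p'
}

# Return 0 when the package version is 2.1.19 or newer (first saslauthd
# with "-r" according to the reply), 1 when older, 2 when unparseable.
supports_realm_switch() {
    ver=$(sasl_version "$1")
    if [ -z "$ver" ]; then return 2; fi
    major=$(printf '%s\n' "$ver" | cut -d. -f1)
    minor=$(printf '%s\n' "$ver" | cut -d. -f2)
    patch=$(printf '%s\n' "$ver" | cut -d. -f3)
    if [ "$major" -gt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -eq 1 ] && [ "${patch:-0}" -ge 19 ]; then
        return 0
    fi
    return 1
}

# What Postfix hands to SASL: the user, plus "@REALM" when
# smtpd_sasl_local_domain is set ($1 = user, $2 = local domain or empty).
postfix_login() {
    if [ -n "$2" ]; then printf '%s@%s\n' "$1" "$2"; else printf '%s\n' "$1"; fi
}

# What saslauthd looks up in its backend: the REALM is stripped unless the
# daemon runs with "-r" ($1 = login as sent by Postfix, $2 = "-r" or empty).
saslauthd_lookup() {
    if [ "$2" = "-r" ]; then printf '%s\n' "$1"; else printf '%s\n' "${1%%@*}"; fi
}

# Demo on constructed package names: the poster's 2.1.15 and a 2.1.19 build.
for pkg in cyrus-sasl-2.1.15-3 cyrus-sasl-2.1.19-1; do
    if supports_realm_switch "$pkg"; then
        echo "$pkg: saslauthd -r available"
    else
        echo "$pkg: too old for saslauthd -r"
    fi
done
login=$(postfix_login yohiu shinyang.com.my)
echo "Postfix sends $login; saslauthd looks up $(saslauthd_lookup "$login" "")" \
     "by default and $(saslauthd_lookup "$login" -r) with -r"
```

With the poster's cyrus-sasl 2.1.15 RPMs, the first loop iteration reports that "-r" is not available, so a backend that stores yohiu@shinyang.com.my can only be matched once saslauthd is upgraded.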
