|
Y’ello, First of all, make sure to read the LDAP Admin Guide at www.openldap.org! Then, make sure to double check with Turbo’s KRB + SASL +
OpenLDAP Howto at www.bayour.com. (Forget
about the KRB stuff there, he’s got some very good hints at testing the
security install etc.) As a general rule, you don’t want LDAP to be your password
database, instead you want LDAP to use SASL to connect to something more useful
like Kerberos or RADIUS or a combination or something else. This is simply
because LDAP is not meant to be a password database, but rather an information
store (as in: the telephone book in your country doesn’t list the PIN code for
the people’s bank cards...). If all else fails, you can always post the exact error you are
getting, increase debug levels all over the place, and make sure to cut and
paste the relevant log entries to the mailing list. A query akin your own query
will not necessarily give any useful hints to other people as to why things would
fail in your particular situation. Regards, Guus From: cyrus-sasl-bounces@xxxxxxxxxxxxxxxxxxxx
[mailto:cyrus-sasl-bounces@xxxxxxxxxxxxxxxxxxxx] On Behalf Of NguyenHuynh SASL
over LDAP I’m
trying to using SASL over LDAP for authentication but I don’t still work yet Details:
OS:
FreeBSD Packages:
cyrus-sasl-2.1.22
RFC 2222 SASL (Simple Authentication and Security Layer) cyrus-sasl-ldapdb-2.1.22
SASL LDAPDB auxprop plugin cyrus-sasl-saslauthd-2.1.22
SASL authentication server for cyrus-sasl2 postfix-current-2.5.20071006,4
A secure alternative to widely-used Sendmail Configure
SASL in main.cf for postfix: ……………….. smtpd_sasl_auth_enable
= yes smtpd_recipient_restrictions
= permit_sasl_authenticated, reject_unauth_destination, permit_mynetworks,
reject smtpd_sasl_authenticated_header
= yes ……………….. Configure
SASL for authentication: #vi
/usr/local/lib/sasl2/smtpd.conf pwcheck_method:
saslauthd auxprop_plugin:
ldap mech_list:
PLAIN LOGIN CRAM-MD5 DIGEST-MD5 Configure
LDAP server’s details for SASL-ldapdb: #vi
/usr/local/etc/saslauthd.conf ldap_servers:
ldap://192.168.1.70 ldap_search_base:
dc=yescall,dc=com,dc=vn ldap_bind_dn:
cn=admin,dc=yescall,dc=com,dc=vn ldap_password:
123 ldap_filter:
(&(objectClass=qmailUser)(mail=%u)(accountStatus=active)) the
details of one node in my LDAP dn:
cn=huynhnguyen,dc=yescall.com.vn,o=hosting,dc=yescall,dc=com,dc=vn accountStatus:
active cn:
huynhnguyen homeDirectory:
/vmail/hosting/yescall.com.vn/huynhnguyen mailMessageStore:
/vmail/hosting/yescall.com.vn/huynhnguyen/Maildir/ objectClass:
top objectClass:
person objectClass:
organizationalPerson objectClass:
inetOrgPerson objectClass:
qmailUser objectClass:
CourierMailAccount sn:
Nguyen Dac Huynh2 structuralObjectClass:
inetOrgPerson entryUUID:
f069f88e-1c17-102c-93d5-25c7f79a19b1 creatorsName:
cn=admin,dc=yescall,dc=com,dc=vn createTimestamp:
20071031161319Z mailHost:
mail.mikorn.com userPassword::
aWtvcm40MTI4NA== mail:
huynhnguyen@xxxxxxxxxxxxxx entryCSN:
20071205114520.832948Z#000000#000#000000 modifiersName:
cn=admin,dc=yescall,dc=com,dc=vn modifyTimestamp:
20071205114520Z Start
saslauthd: #saslauthd
-a ldap /usr/local/etc/saslauthd.conf I
always have authentication fails when using testsaslauth My
problems: -
Must I have a schema in LDAP for SASL only? -
Does it neccessary to change my node in LDAP to another structure which is
suitable with SASL -
How can I use ldap_filter better in this case? Could
anybody help me to solve this problem? I’m
a newbie in OpenSource. I’m
not good in English. Sorry if any problem Thank
you for your careness Thanks
& Best Regards, Nguyen Dac
Huynh System
Engineer Mirae
Ikorn Co., Ltd |
