On Jul 17, 2008, at 5:18 AM, George Forman wrote:
> George Forman wrote:
> > Based on my testing of saslauthd using ldap for authentication, the bind
> > and the fastbind configurations don't support my needs.
> > It appears in the bind method, an anonymous bind is first completed,
> > then an LDAP search is requested looking for the user's DN. Once the DN is
> > returned, a second simple bind request is sent using the user's DN, uid
> > and password.
> > I tried the fastbind but it seemed to try to bind using the password
> > specified in saslauthd.conf and then did an LDAP search. If I remove the
> > ldap_bind_pw, it does an anonymous bind which doesn't meet my requirements.
> >
> > I need to do a simple LDAP bind using the user's credentials and the
> > password provided.
>
> saslauthd cannot do an LDAP Simple Bind until it has mapped the user's name to
> an LDAP DN. So it always needs to do a search first, to perform this mapping.
>
> > Is creating a new plugin my best option?
>
> Is there a specific reason you need to use saslauthd? Does your LDAP server
> support SASL authentication? If so, try using the ldapdb auxprop instead.
>
>
Please excuse my ignorance, I'm just getting spun up on this project.
I have been asked to see if we can use postfix. We have a service with a
rudimentary ldap front end which just accepts a simple bind request and
converts it into an internal lookup.
I have been told the ldap front end does not support ldap search.

I expect that's not exactly true.
For LDAP you need to have a search base, a search scope, and a filter
(which may be NULL, or match anything). The search base is
effectively the specification for which database you are doing the
lookup in. Since data is hierarchical, the scope can say "one", or
"sub" according to whether you want to search the whole subtree or
not. If you happen to have the full DN, you can specify scope of
"base" to just get the single record directly.

To add to my problem, we have several email address domains, so for each
request the DN must be different. The rudimentary ldap front end requires
the DN to be something like uid=,ou=people,dc=,dc=,dc=. I must use the
email address's domain name to create the DN's dc= values

It sounds like you need to construct the search base according to the
email domain. I'm guessing these different domains are hosted on
different LDAP servers. I'm not sure if the configuration allows you
to vary those things on a per-authentication basis, and I'll punt to
the list, or the documentation for the rest of your answer.

before I send the simple bind request; therefore, I can't configure
the ldap_bind_dn because I can't express it like the ldap_filter
(i.e. ldap_filter: uid=%U,ou=people,dc=%9...dc=%1).
Is there a way I can create a custom ldap bind request without
having to modify the code?
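Added example, not part of the thread and not code from the cyrus-sasl project: a Python sketch of the per-domain DN construction the question is circling around. It assumes the saslauthd ldap_filter token set as documented in the LDAP_SASLAUTHD file (%u whole login, %U user part, %d domain, %1..%9 domain labels counted from the TLD, %% a literal percent), which is what would let a fixed-depth template such as uid=%U,ou=people,dc=%3,dc=%2,dc=%1 serve as the bind DN under the fastbind method. It adds the check a practitioner should not skip when a DN or filter is built from a login name: RFC 4514 escaping of values placed in a DN and RFC 4515 escaping of values placed in a search filter, so that a login such as alice,ou=admins cannot splice an extra RDN into the bind DN. bind_dn_for covers the case a %1..%9 template cannot: domains of differing depth, with one dc= RDN per label. TEMPLATE and every function name are this example's own.

```python
"""Per-domain LDAP bind DN construction in the style of saslauthd's
ldap_filter templates, with RFC 4514 / RFC 4515 escaping.

Added example; not code from the cyrus-sasl project. Token meanings
follow the LDAP_SASLAUTHD documentation as an assumption; TEMPLATE and
the function names are this example's own.
"""
import re

# What one would put in saslauthd.conf as ldap_filter for
# ldap_auth_method: fastbind when every hosted domain has exactly three
# labels (assumed; a fixed template cannot handle varying depth).
TEMPLATE = "uid=%U,ou=people,dc=%3,dc=%2,dc=%1"

# RFC 4514 section 2.4 requires escaping these inside an attribute value.
# '=' is not required but is permitted; escaping it is a cheap extra guard.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape a string for use as an RDN attribute value (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' would start a hex string
            out.append("\\#")
        elif ch == " " and i in (0, last):  # leading/trailing space is significant
            out.append("\\ ")
        elif ord(ch) < 0x20:                # control characters as hex pairs
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a string for use inside a search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\" or ord(ch) < 0x20 else ch
        for ch in value
    )


def expand_tokens(template: str, login: str, escape=escape_dn_value) -> str:
    """Expand saslauthd-style tokens in template for the given login.

    %u  the whole login      %U  part before '@'      %d  part after '@'
    %1..%9  domain labels counted from the TLD (%1 = TLD)   %%  literal '%'
    Every substituted value passes through `escape`; a token that reaches
    past the domain's depth expands to the empty string.
    """
    user, _, domain = login.partition("@")
    labels = domain.split(".")[::-1] if domain else []  # labels[0] is the TLD

    def repl(m):
        tok = m.group(1)
        if tok == "%":
            return "%"
        if tok == "u":
            return escape(login)
        if tok == "U":
            return escape(user)
        if tok == "d":
            return escape(domain)
        n = int(tok)
        return escape(labels[n - 1]) if n <= len(labels) else ""

    return re.sub(r"%([uUd%1-9])", repl, template)


def bind_dn_for(login: str, user_attr: str = "uid", ou: str = "people") -> str:
    """Build <user_attr>=<user>,ou=<ou>,dc=...,dc=... with one dc= RDN per
    domain label, so domains of different depth each get a correct DN."""
    user, at, domain = login.partition("@")
    labels = domain.split(".")
    if not user or not at or any(not lab for lab in labels):
        raise ValueError("login must be user@domain with non-empty labels")
    rdns = [f"{user_attr}={escape_dn_value(user)}", f"ou={escape_dn_value(ou)}"]
    rdns += [f"dc={escape_dn_value(lab)}" for lab in labels]
    return ",".join(rdns)


if __name__ == "__main__":
    print(expand_tokens(TEMPLATE, "alice@mail.example.com"))
    print(expand_tokens("(&(uid=%U)(mail=%u))", "bob*@example.com",
                        escape_filter_value))
    print(bind_dn_for("alice,ou=admins@example.com"))
    print(bind_dn_for("carol@a.b.c.example.org"))
```

The two escape functions are deliberately separate: a value that is safe in a DN is not automatically safe in a filter, and the bind method uses ldap_filter as a search filter while fastbind uses it as a DN, so the escaping must match which one the template is being expanded into.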