Patrick Ben Koetter wrote:
* David van Geest <davidv@xxxxxxxxxxxxx>:
Use saslauthd -> PAM -> pam:mysql -> MySQL(crypted passwords)
p@rick
Thanks Patrick! I'm attempting what you suggest using pam:mysql. My
/etc/pam.d/smtp.postfix looks like this:
saslauthd calls this? Usually it would be /etc/pam.d/smtp, because the service
name is "smtp".
Hmmmm yeah, that could be wrong. I haven't actually tried it out yet,
and it looks like every how-to except for the one I used has 'smtp'.
Thanks for the correction.
auth optional pam_mysql.so user=<mysql_username> passwd=<mysql_pw> host=host.domain db=<db_name> table=<user_table> usercolumn=<user_column> passwdcolumn=<user_pass_column> crypt=1
account required pam_mysql.so user=<mysql_username> passwd=<mysql_pw> host=host.domain db=<db_name> table=<user_table> usercolumn=<user_column> passwdcolumn=<user_pass_column> crypt=1
A follow-up question: how does this work when using a salt? The DB
admin wants to store the password hash and password salt in separate
columns in MySQL, so it seems like I would need to add another option in
the above lines to specify the salt column, so the salt value can be
used with crypt().
I personally haven't used "saslauthd -> PAM -> pam:mysql" before, so I can't
give you any first hand experience. Maybe someone else can share their
knowledge on this.
p@rick
Digging into this more, seems like using a salt isn't even possible. Looking at the pam_mysql options on this page (http://pam-mysql.sourceforge.net/Documentation/package-readme.php?seemore=y) I don't see any way to add a salt from the DB into the crypt() function. However, if somebody knows more about this, I'm all ears.
-David
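
Added example, not part of the thread and not pam_mysql code: a string produced by crypt(3) carries its salt inside the stored value, so a checker can tell from the password column alone whether a row is self-salted or would need a salt from elsewhere. The sketch assumes crypt=1 means the column holds crypt(3) output; the names parse_crypt and needs_separate_salt and all sample values are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional


class CryptFields(NamedTuple):
    scheme: str            # e.g. "sha512-crypt"
    salt: str              # salt embedded in the stored string
    digest: str            # encoded hash that follows the salt
    rounds: Optional[int]  # cost parameter, when the string carries one


_H64 = r"[./0-9A-Za-z]"   # alphabet used by crypt(3) encodings
_MODULAR = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}


def parse_crypt(stored: str) -> Optional[CryptFields]:
    """Split a crypt(3) string into its parts; None if it is not one."""
    # Traditional DES crypt: 2 salt chars followed by 11 hash chars.
    if re.fullmatch(_H64 + "{13}", stored):
        return CryptFields("des-crypt", stored[:2], stored[2:], None)
    # bcrypt: $2y$<cost>$<22-char salt><31-char hash>
    m = re.fullmatch(
        r"\$2[abxy]?\$(\d\d)\$(" + _H64 + r"{22})(" + _H64 + r"{31})", stored)
    if m:
        return CryptFields("bcrypt", m.group(2), m.group(3), int(m.group(1)))
    # Modular format: $id$[rounds=N$]salt$hash
    m = re.fullmatch(
        r"\$([156])\$(?:rounds=(\d+)\$)?([^$]{1,16})\$(" + _H64 + "+)", stored)
    if m:
        rounds = int(m.group(2)) if m.group(2) else None
        return CryptFields(_MODULAR[m.group(1)], m.group(3), m.group(4), rounds)
    return None


def needs_separate_salt(stored: str) -> bool:
    """True when the value is not self-describing, e.g. a bare hex digest."""
    return parse_crypt(stored) is None


# Constructed column values: correct shape only, not real password hashes.
SAMPLES = [
    "$6$rounds=5000$saltsalt$" + "A" * 86,   # sha512-crypt with explicit rounds
    "$2y$10$" + "s" * 22 + "h" * 31,         # bcrypt
    "ab" + "C" * 11,                         # traditional DES crypt
    "0123456789abcdef0123456789abcdef",      # bare hex digest, salt kept elsewhere
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(value[:24], "->", parse_crypt(value) or "needs a salt column")
```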