On 30/11/11 11:16 +0100, Christian Roessner wrote:
Hello,
I had some email contact with Patrick-Ben Koetter and we both tried to
figure out some SASL configuration. We came to a point, where he gave me
this mailing list address and told me, I could meet Dan White here.
To speak for myself: I have the following situation:
A running Postfix server with cyrus sasl (module ldapdb). The ldapdb
connects to my LDAP server, which has passwords in cleartext in the
userPassword attribute. This is a working setup, but sure you guess, I do
not really like cleartext passwords in the database.
Yet we could not find out, if it is possible to create LDAP schema
attrbutes like:
cmusaslsecretCRAM-MD5
cmusaslsecretDIGEST-MD5 and
cmusaslsecretNTLM
I am not sure. I have not ever used those attributes, and assumed that they
were used in cyrus sasl version 1.
The documentation states that for shared secret mechanisms, sasldb stores
passwords in plain text:
http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/sysadmin.php
and that should apply equally to ldapdb.
Is there some place for the saslpasswd2.conf configuration file? Could
someone please show me, how this file must look like for ldapdb? In this
case also interesting: Does it support SASL/EXTERNAL for certificate based
authentication/authorization to the LDAP-server?
You'll want to name it 'saslpasswd.conf', and place it in /usr/lib/sasl2,
or the directory that was specified at compile time, via the
'--with-configdir' configure option.
An example that performs SASL/EXTERNAL via UNIX socket peercred is:
auxprop_plugin: ldapdb
ldapdb_uri: ldapi:///
ldapdb_mech: EXTERNAL
To perform certificate based authentication, you'll need to additionally
specify 'ldapdb_starttls' and 'ldapdb_rc'. See:
http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/options.php
and the ldap.conf(5) manpage.
If this is easy to do, my final question goes like this:
Can I remove the userPassword attribute after adding the new attributes?
And is a mail client (Thunderbird, Outlook, ...) still be able to do _any_
kind of authentication (Postfix does allow PLAIN over TLS). If the client
would do NTLM, and there is no more cleartext password in the LDAP
database; how can SASL do its job? I do not fully understand, how both
sides can have CRAM-MD5 or NTLM i.e. and still check passwords? I guess my
understanding about SASL and the attributes seen above lacks some
information ;-)
Hope I could describe my/our problem clear enough and I really thank a lot
in advance for any kind of help on this topic.
Specifically for NTLM, you can proxy authentication to a Windows or Samba
server via the 'ntlm_server' option (or use ldapdb and its cleartext
password).
For DIGEST-MD5 and CRAM-MD5, you'll need to use a cleartext password within
userPassword.
ldapdb (and cleartext passwords) are not required to perform PLAIN or LOGIN
authentication. You could alternatively use saslauthd as your
pwcheck_method, and use it's ldap backend, which does not require passwords
to be stored in plaintext. See saslauthd/LDAP_SASLAUTHD within the cyrus
sasl source for documentation.
--
Dan White
