On 30/11/11 11:16 +0100, Christian Roessner wrote:
Hello, I had some email contact with Patrick-Ben Koetter and we both tried to figure out some SASL configuration. We came to a point where he gave me this mailing list address and told me I could meet Dan White here. To speak for myself: I have the following situation: A running Postfix server with cyrus sasl (module ldapdb). The ldapdb connects to my LDAP server, which has passwords in cleartext in the userPassword attribute. This is a working setup, but as you can surely guess, I do not really like cleartext passwords in the database. Yet we could not find out if it is possible to create LDAP schema attributes like: cmusaslsecretCRAM-MD5, cmusaslsecretDIGEST-MD5 and cmusaslsecretNTLM
I am not sure. I have not ever used those attributes, and assumed that they were used in cyrus sasl version 1. The documentation states that for shared secret mechanisms, sasldb stores passwords in plain text: http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/sysadmin.php and that should apply equally to ldapdb.
Is there some place for the saslpasswd2.conf configuration file? Could someone please show me how this file must look for ldapdb? Also interesting in this case: Does it support SASL/EXTERNAL for certificate based authentication/authorization to the LDAP server?
You'll want to name it 'saslpasswd.conf', and place it in /usr/lib/sasl2, or the directory that was specified at compile time, via the '--with-configdir' configure option. An example that performs SASL/EXTERNAL via UNIX socket peercred is:

    auxprop_plugin: ldapdb
    ldapdb_uri: ldapi:///
    ldapdb_mech: EXTERNAL

To perform certificate based authentication, you'll need to additionally specify 'ldapdb_starttls' and 'ldapdb_rc'. See: http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/options.php and the ldap.conf(5) manpage.
If this is easy to do, my final question goes like this: Can I remove the userPassword attribute after adding the new attributes? And would a mail client (Thunderbird, Outlook, ...) still be able to do _any_ kind of authentication (Postfix does allow PLAIN over TLS)? If the client does NTLM, and there is no more cleartext password in the LDAP database, how can SASL do its job? I do not fully understand how both sides can have CRAM-MD5 or NTLM, for example, and still check passwords? I guess my understanding of SASL and the attributes seen above lacks some information ;-) I hope I could describe my/our problem clearly enough, and I thank you a lot in advance for any kind of help on this topic.
Specifically for NTLM, you can proxy authentication to a Windows or Samba server via the 'ntlm_server' option (or use ldapdb and its cleartext password). For DIGEST-MD5 and CRAM-MD5, you'll need to use a cleartext password within userPassword. ldapdb (and cleartext passwords) are not required to perform PLAIN or LOGIN authentication. You could alternatively use saslauthd as your pwcheck_method, and use its ldap backend, which does not require passwords to be stored in plaintext. See saslauthd/LDAP_SASLAUTHD within the cyrus sasl source for documentation.

-- 
Dan White
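The distinction Dan draws above (PLAIN/LOGIN can be checked against a hashed userPassword, CRAM-MD5/DIGEST-MD5 cannot) is easy to see in code. The following is an added illustration written for this thread, not code from cyrus-sasl, OpenLDAP or either poster. It implements the server side of both checks with the standard library: an OpenLDAP-style {SSHA} hash verifies a cleartext password delivered over PLAIN, while CRAM-MD5 (RFC 2195) requires the server to recompute an HMAC keyed with the cleartext password itself, so a stored hash is useless for it. The user name and password are constructed sample values; the known-answer test in the usage note uses the example from RFC 2195.

```python
import base64
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed sample credentials (not from the thread).
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse battery staple"


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, candidate: str) -> bool:
    """Verify a cleartext candidate (what PLAIN/LOGIN deliver) against a {SSHA} value.

    This is what an LDAP bind does for you when saslauthd's ldap backend is used:
    the directory holds only the salted hash, yet PLAIN can still be checked.
    """
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(recomputed, digest)


def cram_md5_response(challenge: bytes, username: str, password: str) -> str:
    """Client side of CRAM-MD5 (RFC 2195): '<user> <hex HMAC-MD5(password, challenge)>'."""
    mac = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {mac}"


def verify_cram_md5(challenge: bytes, response: str,
                    secret_lookup: Callable[[str], Optional[str]]) -> bool:
    """Server side of CRAM-MD5.

    The server must recompute HMAC-MD5 keyed with the user's cleartext password;
    this is why ldapdb needs a cleartext userPassword for shared-secret mechanisms.
    """
    username, _, mac = response.partition(" ")
    secret = secret_lookup(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, mac)


def demo() -> dict:
    """Run both checks with only a hashed password on the server side."""
    stored_hash = make_ssha(SAMPLE_PASSWORD)
    challenge = b"<1234.1322647000@mail.example>"  # constructed challenge
    response = cram_md5_response(challenge, SAMPLE_USER, SAMPLE_PASSWORD)
    return {
        # PLAIN over TLS: hash in LDAP is enough.
        "plain_ok_with_hash": check_ssha(stored_hash, SAMPLE_PASSWORD),
        # CRAM-MD5 with the cleartext available: works.
        "cram_ok_with_cleartext": verify_cram_md5(
            challenge, response, lambda u: SAMPLE_PASSWORD if u == SAMPLE_USER else None),
        # CRAM-MD5 with only the hash available: the server cannot recompute the HMAC.
        "cram_ok_with_hash_only": verify_cram_md5(
            challenge, response, lambda u: stored_hash if u == SAMPLE_USER else None),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows PLAIN verifying against the {SSHA} value while CRAM-MD5 fails when the server has nothing but that hash, which is the trade-off in Dan's answer: keep userPassword hashed and restrict clients to PLAIN/LOGIN over TLS (via saslauthd), or keep it in cleartext (or a cmusaslsecret-style equivalent) to offer the challenge-response mechanisms.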