
Re: Problems Enabling Authentication using Cyrus SASL



On 19/11/10 10:31 -0400, Fernando Torrez wrote:




Hi all

   I got SASL authentication to work for accessing the LDAP server by correcting two things:
1.- inserting the proxyuser's userpassword in clear text  (userPassword=secret)
2.- fixing the proxyuser's authzTo attribute to
    authzTo: ldap:///ou=people,dc=plainjoe,dc=org??sub?(objectClass=account)
    (results at the end of this mail)

   As far as can be seen, there's no need for cyrus-sasl for this matter


    but my final purpose is to enable Cyrus-sasl with openldap as
backend to authenticate users for cyrus-imapd and postfix services.

ldapdb is one way to accomplish that.

See:

http://www.cyrusimap.org/docs/cyrus-sasl/2.1.23/options.php

for cyrus options and basic usage documentation.

firewall:~ # ldapwhoami -U proxyuser -X u:test -Y digest-md5
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: u:test
SASL SSF: 128
SASL data security layer installed.
dn:uid=test,ou=people,dc=plainjoe,dc=org

If you've got a proxy user set up and authenticating, then you've done most
of the work.

In Postfix (/etc/postfix/sasl/smtpd.conf), you could do:

mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 EXTERNAL
pwcheck_method: auxprop
auxprop_plugin: ldapdb
ldapdb_uri: ldap://ldap.example.net
ldapdb_id: proxyuser
ldapdb_pw: <proxy user's secret>
ldapdb_mech: DIGEST-MD5

and in /etc/imapd.conf:

sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 EXTERNAL
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://ldap.example.net
sasl_ldapdb_id: proxyuser
sasl_ldapdb_pw: <proxy user's secret>
sasl_ldapdb_mech: DIGEST-MD5

--
Dan White
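
A lint for the two configuration fragments in this message, added here as an example and not part of the original mail: it checks that imapd.conf carries the same ldapdb options as smtpd.conf under the `sasl_` prefix and flags an option that has been joined onto the previous line. It assumes both services are meant to share one proxy user; the function names and sample strings are constructed for illustration.

```python
import re

# Options the ldapdb setup in this message uses, in their smtpd.conf spelling.
REQUIRED = ("mech_list", "pwcheck_method", "auxprop_plugin",
            "ldapdb_uri", "ldapdb_id", "ldapdb_pw", "ldapdb_mech")
# A second "name: " inside a value means two options were joined on one line.
JOINED = re.compile(r"(?:^|\s)([a-z0-9_]+):\s")

def parse_options(text, prefix=""):
    """Parse 'key: value' lines; keep keys starting with prefix, prefix stripped."""
    options, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        key, sep, value = (part.strip() for part in raw.partition(":"))
        if not sep or key.startswith("#") or not key.startswith(prefix):
            continue  # blank line, comment, or a non-SASL imapd.conf option
        joined = JOINED.search(value)
        if joined and not key.endswith("_pw"):  # a secret may contain anything
            problems.append(f"line {lineno}: '{joined.group(1)}' is joined onto {key}")
        options[key[len(prefix):]] = value
    return options, problems

def lint(smtpd_text, imapd_text):
    """Check both files carry the same ldapdb options (imapd.conf with sasl_)."""
    smtpd, p1 = parse_options(smtpd_text)
    imapd, p2 = parse_options(imapd_text, prefix="sasl_")
    problems = [f"smtpd.conf {p}" for p in p1] + [f"imapd.conf {p}" for p in p2]
    for key in REQUIRED:
        if key not in smtpd:
            problems.append(f"smtpd.conf: {key} missing")
        if key not in imapd:
            problems.append(f"imapd.conf: sasl_{key} missing")
        elif key in smtpd and smtpd[key] != imapd[key]:
            problems.append(f"{key} differs between the two files")  # value not echoed
    return problems

# Constructed samples: the fragments from the message, secret left as a placeholder.
SMTPD = """mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 EXTERNAL
pwcheck_method: auxprop
auxprop_plugin: ldapdb
ldapdb_uri: ldap://ldap.example.net
ldapdb_id: proxyuser
ldapdb_pw: <proxy user's secret>
ldapdb_mech: DIGEST-MD5
"""
IMAPD_OK = "".join(f"sasl_{line}\n" for line in SMTPD.splitlines())
IMAPD_JOINED = IMAPD_OK.replace("auxprop\nsasl_auxprop", "auxprop sasl_auxprop")

if __name__ == "__main__":
    print("\n".join(lint(SMTPD, IMAPD_JOINED)))
```

Both files hold the proxy user's secret in clear text, so the same run is a natural place to also confirm they are readable only by the service accounts that need them.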