
Re: SMTP AUTH+ldap

2004-11-15 08:00:00  Author:  Source: Internet  Views: 0
Keywords: AUTH SMTP ldap Re

> >>I have an LDAP and I wish to do saslauthd on my LDAP. Basically,
> >>this is my configuration.
> >>
> >>file: /etc/postfix/main.cf
> >>--------------------------------
> >>smtpd_sasl_auth_enable = yes
> >>smtpd_sasl_local_domain = $myhostname

> >
> >If you append the domain name as REALM, which you do by setting
> >smtpd_sasl_local_domain this way, you need to run at least saslauthd
> >2.1.19 with the "-r" switch.

>
> I am a bit confused. Please explain. I thought I had to add this since
> many of the resources on the internet keep mentioning it.
> Perhaps I should go for this???
> smtpd_sasl_local_domain=

Whether, and which, value you provide with smtpd_sasl_local_domain depends on
the format of your usernames:

SASL understands the concept of REALMS; you can define different
contexts for the same user and allow or restrict the use of certain
features. In combination with a username the REALM shows up as the
domain part, e.g. mail.example.com.

Postfix supports this concept with limitations: it will only allow you
to provide one, identical REALM to all usernames that are transmitted to
SASL.

Now, if and what you send as REALM depends on the format of the
usernames in your "authentication backend", i.e. the source where you
store all usernames/passwords.

1. username (smtpd_sasl_local_domain = )

If your authentication backend doesn't have REALMS attached to
usernames, you configure Postfix not to append anything to the
username. If, for example, you had a user "yohiu" in passwd/shadow
and had smtpd_sasl_local_domain = shinyang.com.my, Postfix would
always append shinyang.com.my to usernames that got sent.
Authentication would fail because SASL would look for a user
yohiu@shinyang.com.my in passwd, which does not exist.

2. username@domain (smtpd_sasl_local_domain = foo.bar.baz )

If your authentication backend has stored usernames with a REALM, e.g.
yohiu@shinyang.com.my as username in, let's say, an LDAP tree, then you
have to configure Postfix to append the REALM (here: shinyang.com.my)
to every username that is sent to SASL.

And now for something completely different: SASL

There are two ways to access an LDAP server as an authentication backend
through SASL: "saslauthd -m LDAP -O /path/to/saslauthd.conf" and ldapdb.

saslauthd

This gives you plaintext mechs (PLAIN, LOGIN) only. LDAP configuration
to access and query the right tree for the right attributes has to be
written to a separate saslauthd.conf. By default SASL will look for it
in /usr/local/etc/saslauthd.conf (you might want to look this up. I
haven't had a coffee yet...).

ldapdb

ldapdb is an auxprop plugin - you need to use it in combination with
pwcheck_method: auxprop. ldapdb gets you plaintext _and_ shared-secret
mechanisms (CRAM-MD5, DIGEST-MD5) and it requires configuration in
Postfix, SASL and OpenLDAP.

This plugin comes within the contrib tree of the OpenLDAP source and has
been contributed to the SASL sources. It has been scheduled to be part
of future SASL versions, but it's low priority. Writing no documentation
seems to be of higher priority ;)

I recommend you use saslauthd. If you use saslauthd you must be aware
that this daemon strips REALMS unless you configure it not to do so with
the command line option "-r". This option is available for
Cyrus-SASL 2.x newer than 2.1.19.

> >>smtpd_sasl_security_options = noanonymous
> >>broken_sasl_auth_clients = yes
> >>
> >>smtpd_recipient_restrictions = permit_sasl_authenticated,
> >>permit_mynetworks, reject_invalid_hostname
> >>
> >>file: /usr/lib/sasl2/smtpd.conf
> >>---------------------------------------
> >>pwcheck_method: saslauthd
> >Add:
> >
> >mech_list: PLAIN LOGIN

> I added this.
>
> >>file: /etc/pam.d/smtp.postfix
> >>--------------------------------------
> >>auth required pam_ldap.so
> >>account required pam_ldap.so
> >>session required pam_ldap.so
> >>
> >>file: /etc/saslauthd.conf (initially, I didn't have this file in my Redhat
> >>AS 3, but I created it)
> >>--------------------------------------------------------------------------------------------------
> >>ldap_server: ldap://192.168.1.1
> >>ldap_bind_dn: ou=**,cn=**,dc=**,dc=**
> >>ldap_bind_pw: 123
> >>ldap_filter: uid=%u,ou=**,cn=**,dc=**,dc=**
> >>ldap_auth_method: bind
> >>ldap_search_base: cn=**,dc=**,dc=**
> >>
> >>
> >>My problem is that I can't get authenticated from the LDAP. What
> >>should I do next? What should I troubleshoot? Please advise.....
> >>thanks.....

> >
> >Use testsaslauthd to test SASL in itself. Only when you can
> >authenticate successfully turn to Postfix.
> >
> I don't have testsaslauthd in my Redhat Linux AS3. How should I get this out?
> These are my sasl packages. Are they compatible?
> [root@mail local]# rpm -qa | egrep 'sasl'
> cyrus-sasl-gssapi-2.1.15-3
> cyrus-sasl-md5-2.1.15-3
> cyrus-sasl-2.1.15-3
> cyrus-sasl-plain-2.1.15-3
> cyrus-sasl-devel-2.1.15-3

I don't know the RPMs for Redhat Linux AS3. As an alternative you can
search the RPMs for "server" and "client". Those are two sample apps
that come with SASL. IIRC they are in cyrus-sasl-devel, but RH has
renamed them to cyrus-sasl2-server and cyrus-sasl2-client.

They need some configuration, which you should be able to find in the
SASL docs.

> Another question: where is my saslauthd.conf??? How come I can't find
> it? Have I missed anything? Please advise...thanks???

saslauthd.conf has to be created. It's not there by default.

p@rick

--
SMTP AUTH howto:
SMTP AUTH debug utility:
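As an added illustration of the two REALM cases discussed in the reply above (this is not code from the thread, from Postfix or from Cyrus SASL): a small Python model in which two constructed in-memory sets stand in for passwd/shadow and an LDAP tree, and the realm handling follows the reply's description of smtpd_sasl_local_domain and of saslauthd's "-r" switch. The %u expansion mirrors the ldap_filter line from the quoted saslauthd.conf; the filter template and backends are assumptions made for the example.

```python
# Constructed example: models the path of a login name from Postfix through
# saslauthd to the authentication backend, as described in the thread.

# Constructed backends: passwd/shadow stores bare usernames (case 1), while
# the LDAP tree of case 2 stores user@realm as the uid.
PASSWD_BACKEND = frozenset({"yohiu"})
LDAP_BACKEND = frozenset({"yohiu@shinyang.com.my"})


def postfix_auth_identity(login: str, smtpd_sasl_local_domain: str) -> tuple[str, str]:
    """Postfix hands SASL the login name plus one realm for everybody:
    whatever smtpd_sasl_local_domain is set to (empty means 'no realm')."""
    return login, smtpd_sasl_local_domain.strip()


def saslauthd_lookup_name(user: str, realm: str, keep_realm: bool) -> str:
    """saslauthd strips the realm unless started with -r (2.1.19 or newer);
    with -r it looks the backend up for user@realm instead of user."""
    if keep_realm and realm:
        return f"{user}@{realm}"
    return user


def ldap_filter(template: str, user: str) -> str:
    """Expand the %u placeholder of a saslauthd.conf ldap_filter line."""
    return template.replace("%u", user)


def authenticates(login, local_domain, keep_realm, backend, filter_tmpl="(uid=%u)"):
    """Return (lookup_name, expanded_filter, success) for one configuration."""
    user, realm = postfix_auth_identity(login, local_domain)
    name = saslauthd_lookup_name(user, realm, keep_realm)
    return name, ldap_filter(filter_tmpl, name), name in backend


if __name__ == "__main__":
    # (label, smtpd_sasl_local_domain, saslauthd started with -r, backend)
    cases = [
        ("case 1: bare names, local_domain empty", "", True, PASSWD_BACKEND),
        ("case 1 broken: realm appended to a bare-name backend", "shinyang.com.my", True, PASSWD_BACKEND),
        ("case 2: user@realm in LDAP, realm appended, saslauthd -r", "shinyang.com.my", True, LDAP_BACKEND),
        ("case 2 broken: saslauthd without -r strips the realm", "shinyang.com.my", False, LDAP_BACKEND),
    ]
    for label, domain, keep, backend in cases:
        name, flt, ok = authenticates("yohiu", domain, keep, backend)
        print(f"{label}: lookup {name!r} via {flt} -> {'OK' if ok else 'FAIL'}")
```

The two "broken" rows are the failure modes the reply warns about: a realm appended for a backend that stores bare names, and a user@realm backend queried by a saslauthd that dropped the realm.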
