[Update] Version 1.2.1 now accesses any attribute requested by SASL, so the use of cmusaslsecret* is possible. In this version the parameter "gl_attribute" has been omitted.
Downloadlinks in this article have been corrected to get the 1.2.1 version.
NOOOOO! Don't talk about saslauthd(8). Customer wanted CRAM-MD5 and DIGEST-MD5 as authentication mechanism for his Postfix authenticated SMTP service. No, not just PLAIN. So saslauthd is out of the game.
Customer has a "mail password" in cleartext in his LDAP structure [Update: he is using cmusaslsecretCRAM-MD5 now] - especially for this kind of thing. Is it possible to use Postfix with that?
First - this is not a postfix issue. Customer had Postfix linked with cyrus sasl. Not a bad idea - but to use these LDAP entries you have to have an appropriate cyrus sasl auxprop. Why?
CRAM-MD5 and DIGEST-MD5 are shared secret algorithms. The server MUST know the cleartext password or the mechanisms' secrets in order to validate the answer sent by the client.
At the first look, I saw a "ldapdb" auxprop plugin which should just do that - and it failed because we did not have a SASL enabled OpenLDAP so ldapdb authentication failed. "*cmusaslsecretCRAM-MD5" (in the case of CRAM-MD5, replace it with DIGEST-MD5 when using DIGEST-MD5) and userPassword are requested from the sasl auxprop.
So here it goes - I had to write my own ldap auxprop. You may use it if you want. I will expain the way to write SASL auxprops in the next days to come, but for now - here is the source.
Use syslogd(8) to get debug messages (loglevel debug, facility auth).
Downloadlinks in this article have been corrected to get the 1.2.1 version.
NOOOOO! Don't talk about saslauthd(8). Customer wanted CRAM-MD5 and DIGEST-MD5 as authentication mechanism for his Postfix authenticated SMTP service. No, not just PLAIN. So saslauthd is out of the game.
Customer has a "mail password" in cleartext in his LDAP structure [Update: he is using cmusaslsecretCRAM-MD5 now] - especially for this kind of thing. Is it possible to use Postfix with that?
First - this is not a postfix issue. Customer had Postfix linked with cyrus sasl. Not a bad idea - but to use these LDAP entries you have to have an appropriate cyrus sasl auxprop. Why?
CRAM-MD5 and DIGEST-MD5 are shared secret algorithms. The server MUST know the cleartext password or the mechanisms' secrets in order to validate the answer sent by the client.
At the first look, I saw a "ldapdb" auxprop plugin which should just do that - and it failed because we did not have a SASL enabled OpenLDAP so ldapdb authentication failed. "*cmusaslsecretCRAM-MD5" (in the case of CRAM-MD5, replace it with DIGEST-MD5 when using DIGEST-MD5) and userPassword are requested from the sasl auxprop.
So here it goes - I had to write my own ldap auxprop. You may use it if you want. I will expain the way to write SASL auxprops in the next days to come, but for now - here is the source.
Use syslogd(8) to get debug messages (loglevel debug, facility auth).
My auxprop code needs cleartext passwords in your LDAP server in whatever attribute defined in your schema. It is freely configurable. WARNING! Passwords are sent between your LDAP server and your Server using Cyrus SASL when retrieving the value of "userPassword". Use an SSL link (and OpenSSL enabled OpenLDAP libraries).
To build this auxprop, you have to have:
Edit the shell script "compile":
The first two lines are configurable:
CYRUSSASLPATH is the complete path to your cyrus sasl build tree. You have to have configured this source tree with "./configure" already and don't forget to set openldap-options.
LDAPLIBS are the libraries needed to link OpenLDAP. Use "-lcrypto -ssl" if you have OpenSSL enabled OpenLDAP libraries. This is recommended as passwords are sent through the wire!
After you did that, just type "./compile" or "sh compile". It should produce an output similar to that:
Type "make install" to install the auxprop - it will put the plugin in your sasl2 plugins dir (you defined it by configuring your cyrus sasl source tree!).
To use this plugin with Postfix, go to your sasl2 plugin directory (where all the sasl2 modules are located, as libcrammd5.so, libdigestmd5.so, and our new ldap auxprop plugin, ...) and set up a file named "smtpd.conf":
That's it! Enable sasl in your Postfix main.cf and you will be able to authenticate with CRAM-MD5 and DIGEST-MD5.
Source tarball: giengerldap_auxprop-1.2.1.tar.gz
MD5 checksum: 238962e379a0290475ca1e2559b04dac
Use at your own risk!
Feel free to ask me whatever question you want and enjoy it.
To build this auxprop, you have to have:
- a complete cyrus sasl 2.1.22 source tree, already configured with all Makefiles present
- OpenLDAP libraries and include files with OpenSSL support
- OpenSSL
-rwxr-xr-x 1 root root 765 Jun 20 21:25 compile
-rw-r--r-- 1 root root 5523 Jun 20 20:15 giengerldap.c
-rw-r--r-- 1 root root 637 Jun 20 20:15 giengerldap_init.c
-rw-r--r-- 1 root root 1447 Jun 20 21:25 Makefile
-rw-r--r-- 1 root root 807 Jun 20 21:24 Makefile.tmplEdit the shell script "compile":
The first two lines are configurable:
CYRUSSASLPATH=/var/home/pascal/src/cyrus-sasl-2.1.22
LDAPLIBS="-llber -lldap -lcrypto -lssl"CYRUSSASLPATH is the complete path to your cyrus sasl build tree. You have to have configured this source tree with "./configure" already and don't forget to set openldap-options.
LDAPLIBS are the libraries needed to link OpenLDAP. Use "-lcrypto -ssl" if you have OpenSSL enabled OpenLDAP libraries. This is recommended as passwords are sent through the wire!
After you did that, just type "./compile" or "sh compile". It should produce an output similar to that:
# ./compile
/var/home/pascal/src/cyrus-sasl-2.1.22/libtool --mode=compile gcc -Wall -W -g -O2 -c -I/var/home/pascal/src/cyrus-sasl-2.1.22/include -I/var/home/pascal/src/cyrus-sasl-2.1.22/lib -I/var/home/pascal/src/cyrus-sasl-2.1.22/sasldb -I/var/home/pascal/src/cyrus-sasl-2.1.22/plugins/include
[... rest omitted ...]
/var/home/pascal/src/cyrus-sasl-2.1.22/libtool --mode=link gcc -module -export-dynamic -rpath /usr/local/bastion/lib/sasl2 -L/usr/local/bastion/lib -R/usr/local/bastion/lib -L/usr/local/bastion/lib -L/usr/local/lib -L/usr/sfw/lib -R/usr/local/bastion/lib -R/usr/local/lib -R/usr/sfw/lib -llber -lldap -lcrypto -lssl -version-info 2:22:0 \
giengerldap.lo giengerldap_init.lo /var/home/pascal/src/cyrus-sasl-2.1.22/plugins/plugin_common.lo -o libgiengerldap.la
mkdir .libs
(cd . && ln -s giengerldap.lo giengerldap.o)
(cd . && ln -s giengerldap_init.lo giengerldap_init.o)
/usr/ccs/bin/ld -G -h libgiengerldap.so.2 -o .libs/libgiengerldap.so.2.0.22 giengerldap.lo giengerldap_init.lo /var/home/pascal/src/cyrus-sasl-2.1.22/plugins/plugin_common.lo -L/usr/local/bastion/lib -L/usr/local/lib -L/usr/sfw/lib -llber -lldap -lcrypto -lssl -lc
(cd .libs && rm -f libgiengerldap.so.2 && ln -s libgiengerldap.so.2.0.22 libgiengerldap.so.2)
(cd .libs && rm -f libgiengerldap.so && ln -s libgiengerldap.so.2.0.22 libgiengerldap.so)
creating libgiengerldap.la
(cd .libs && rm -f libgiengerldap.la && ln -s ../libgiengerldap.la libgiengerldap.la)Type "make install" to install the auxprop - it will put the plugin in your sasl2 plugins dir (you defined it by configuring your cyrus sasl source tree!).
To use this plugin with Postfix, go to your sasl2 plugin directory (where all the sasl2 modules are located, as libcrammd5.so, libdigestmd5.so, and our new ldap auxprop plugin, ...) and set up a file named "smtpd.conf":
auxprop_plugin: giengerldap
gl_uri: ldaps://mycuteldapserver.mydomain
gl_basedn: o=myorganization,c=DE
gl_binddn: cn=smtpauth,o=myorganization,c=DE
gl_bindpw: mysuperpassword
gl_search: (|(uid=%s)(mail=%s@southbrain.com))- gl_uri: The LDAP URI to your ldap server
- gl_basedn: The base DN used for your search request
- gl_binddn: The LDAP user you use to bind to the directory
- gl_bindpw: the password for binding the user
- gl_search: The RFC LDAP filter to select the approriate dn to get the password needed. %s will re replaced by the user name, %r by the user-supplied realm, %h by the serverFQDN of the server using SASL auth.
That's it! Enable sasl in your Postfix main.cf and you will be able to authenticate with CRAM-MD5 and DIGEST-MD5.
Source tarball: giengerldap_auxprop-1.2.1.tar.gz
MD5 checksum: 238962e379a0290475ca1e2559b04dac
Use at your own risk!
Feel free to ask me whatever question you want and enjoy it.
Thank you for the plugin!
The one thing that is missing for me is %r (realm) support in gl_search (like in saslauthd config). Is it possible to add this? Or just please give me a hint on how to obtain realm in giengerldap_auxprop_lookup() and I will do the rest.
Thank you.
I have included your suggestion. It is in 1.2.1.
%s will be replaced by the username, %r by the realm the user supplied and %h by the server name.