From: Julien Vehent on 24 May 2010 13:30

Final solution provided by the Openldap mailing list:

> Just change your authz-regexp line to
>
> authz-regexp "^uid=([^,]+).*,cn=[^,]*,cn=auth$"
>     "ldap:///dc=linuxwall,dc=info??sub?(|(uid=$1)(mail=$1))"

And the authentication works.

I think it's worth a line in the sasl howto to explain that postfix will use the email value to authenticate the user, and therefore the authz-regex should take it into account...

Julien
From: Victor Duchovni on 24 May 2010 14:04

On Mon, May 24, 2010 at 07:30:56PM +0200, Julien Vehent wrote:

> Final solution provided by the Openldap mailing list:
>
> > Just change your authz-regexp line to
> >
> > authz-regexp "^uid=([^,]+).*,cn=[^,]*,cn=auth$"
> >     "ldap:///dc=linuxwall,dc=info??sub?(|(uid=$1)(mail=$1))"
>
> And the authentication works.
> I think it's worth a line in the sasl howto to explain that postfix will
> use the email value to authenticate the user, and therefore the authz-regex
> should take it into account...

This looks wrong. As Patrick points out, you are likely confusing authentication realms (user@realm principals) with email addresses. DON'T. Rather, configure Postfix with an empty or other correct setting of the realm that will work correctly without matching user@realm against email addresses.

--
    Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
From: Victor Duchovni on 24 May 2010 16:43

On Mon, May 24, 2010 at 09:18:44PM +0200, Julien Vehent wrote:

> === case 2: authentication succeeds ===================================
>
> Same authz-regex in slapd, same smtpclient command, I just removed the
> smtpd_sasl_local_domain value:
>
> ----
> # postconf | grep "smtpd_sasl"
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_exceptions_networks =
> smtpd_sasl_local_domain =
> smtpd_sasl_path = smtpd
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
> smtpd_sasl_type = cyrus
> ----
>
> Authentication works:
>

This is the correct configuration for you. Your SASL<->LDAP integration requires "realm-less" security principals.

Now change any passwords used during testing, and especially those where the SASL raw debug data was posted to this list. After that, you're all set.

--
    Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
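Added example, not part of the thread and not Postfix or OpenLDAP code: a small Python model of the slapd authz-regexp mapping the two replies argue about. It takes the regexp and URL template exactly as Julien posted them, builds the SASL identity DN in OpenLDAP's documented form (uid=<user>[,cn=<realm>],cn=<mech>,cn=auth), rewrites it into the search URL, and evaluates the resulting filter against a constructed two-entry directory. The case where a realm-qualified login such as jdoe@linuxwall.info lands in the uid component is an assumption modelled on Viktor's description of a user@realm principal being matched against mail; the directory entries, the sample logins and the minimal filter evaluator are all constructed for this illustration.

```python
import re

# authz-regexp pair exactly as posted in the thread (slapd.conf syntax).
AUTHZ_REGEXP = r"^uid=([^,]+).*,cn=[^,]*,cn=auth$"
AUTHZ_URL = "ldap:///dc=linuxwall,dc=info??sub?(|(uid=$1)(mail=$1))"

# Constructed sample directory (assumption, not from the thread).
# asmith's mail attribute deliberately differs from uid@domain.
DIRECTORY = [
    {"dn": "uid=jdoe,ou=people,dc=linuxwall,dc=info",
     "uid": "jdoe", "mail": "jdoe@linuxwall.info"},
    {"dn": "uid=asmith,ou=people,dc=linuxwall,dc=info",
     "uid": "asmith", "mail": "alice@linuxwall.info"},
]


def sasl_authz_dn(username, mech="plain", realm=""):
    """DN slapd derives for a SASL identity: uid=<user>[,cn=<realm>],cn=<mech>,cn=auth.
    The cn=<realm> component is present only when a realm was supplied."""
    parts = [f"uid={username}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech}", "cn=auth"]
    return ",".join(parts)


def apply_authz_regexp(dn, regexp=AUTHZ_REGEXP, url=AUTHZ_URL):
    """Rewrite the SASL DN into the search URL the way authz-regexp does.
    Returns None when the regexp does not match (slapd then leaves the DN unmapped)."""
    m = re.match(regexp, dn)
    if not m:
        return None
    # slapd uses $1..$9 for captured groups; substitute them literally.
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), url)


def _split_components(s):
    """Split "(a=1)(b=2)" into its top-level parenthesised components."""
    out, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                out.append(s[start:i + 1])
    return out


def eval_filter(filt, entry):
    """Minimal RFC 4515 evaluator: equality assertions plus the | and & connectives.
    Toy implementation for this example, not a real LDAP client."""
    filt = filt.strip()
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError(f"bad filter: {filt}")
    body = filt[1:-1]
    if body and body[0] in "|&":
        results = [eval_filter(sub, entry) for sub in _split_components(body[1:])]
        return any(results) if body[0] == "|" else all(results)
    attr, _, value = body.partition("=")
    return entry.get(attr) == value


def resolve(username, realm=""):
    """Map a SASL login to the directory entries slapd would find; list of DNs."""
    url = apply_authz_regexp(sasl_authz_dn(username, realm=realm))
    if url is None:
        return []
    # ldap:///<base>?<attrs>?<scope>?<filter>
    base, _attrs, _scope, filt = url[len("ldap:///"):].split("?", 3)
    return [e["dn"] for e in DIRECTORY
            if e["dn"].endswith(base) and eval_filter(filt, e)]


if __name__ == "__main__":
    # Realm-less principal (smtpd_sasl_local_domain empty): found via uid.
    print("jdoe                ->", resolve("jdoe"))
    # Realm folded into the login name: found only because mail happens to equal uid@domain.
    print("jdoe@linuxwall.info ->", resolve("jdoe@linuxwall.info"))
    # Same shape of login for a user whose mail is not uid@domain: nothing matches.
    print("asmith@linuxwall.info ->", resolve("asmith@linuxwall.info"))
```

The third call is the point of Viktor's objection: the (mail=$1) clause makes the realm-qualified login work for jdoe by coincidence and fails for asmith, whereas the realm-less principals in Julien's "case 2" configuration resolve through uid for both. The authz-regexp posted in the thread is kept unchanged here; the fix is on the Postfix side (an empty smtpd_sasl_local_domain), which in this model means calling resolve() with the bare username.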