Cyrus-sasl Digest, Vol 29, Issue 6

NguyenHuynh huynhnguyen at mikorn.com
Tue Dec 11 02:19:59 EST 2007 

Thanks for your help
	Perhaps, you misunderstood my idea.
		I don't want to use LDAP over SASL authentication
	I want to use Postfix over SASL authentication
		And SASL get password database from LDAP ( LDAP's
information in the previous message)

Thanks  

-----Original Message-----
From: cyrus-sasl-bounces at lists.andrew.cmu.edu
[mailto:cyrus-sasl-bounces at lists.andrew.cmu.edu] On Behalf Of
cyrus-sasl-request at lists.andrew.cmu.edu
Sent: Tuesday, December 11, 2007 1:57 PM
To: cyrus-sasl at lists.andrew.cmu.edu
Subject: Cyrus-sasl Digest, Vol 29, Issue 6

Send Cyrus-sasl mailing list submissions to
	cyrus-sasl at lists.andrew.cmu.edu

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.andrew.cmu.edu/mailman/listinfo/cyrus-sasl
or, via email, send a message with subject or body 'help' to
	cyrus-sasl-request at lists.andrew.cmu.edu

You can reach the person managing the list at
	cyrus-sasl-owner at lists.andrew.cmu.edu

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Cyrus-sasl digest..."


Today's Topics:

   1. SASL over LDAP don't work (NguyenHuynh)
   2. RE: SASL over LDAP don't work (Guus Leeuw jr.)


----------------------------------------------------------------------

Message: 1
Date: Tue, 11 Dec 2007 11:23:53 +0700
From: "NguyenHuynh" <huynhnguyen at mikorn.com>
Subject: SASL over LDAP don't work
To: <cyrus-sasl at lists.andrew.cmu.edu>
Message-ID: <20071211042353.53A63B170F at h1.yescall.com>
Content-Type: text/plain; charset="us-ascii"

SASL over LDAP 
 
I'm trying to using SASL over LDAP for authentication but I don't still work
yet
 
Details: 
OS: FreeBSD
Packages: 
cyrus-sasl-2.1.22   RFC 2222 SASL (Simple Authentication and Security Layer)
cyrus-sasl-ldapdb-2.1.22 SASL LDAPDB auxprop plugin
cyrus-sasl-saslauthd-2.1.22 SASL authentication server for cyrus-sasl2
postfix-current-2.5.20071006,4 A secure alternative to widely-used Sendmail
 
Configure SASL in  main.cf for postfix:
........
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
reject_unauth_destination,     permit_mynetworks, reject
smtpd_sasl_authenticated_header = yes
........
 
Configure SASL for authentication: 
#vi /usr/local/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
auxprop_plugin: ldap
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
 
Configure LDAP server's details for SASL-ldapdb:      
#vi /usr/local/etc/saslauthd.conf
ldap_servers: ldap://192.168.1.70
ldap_search_base:       dc=yescall,dc=com,dc=vn
ldap_bind_dn:   cn=admin,dc=yescall,dc=com,dc=vn
ldap_password:  123
ldap_filter:    (&(objectClass=qmailUser)(mail=%u)(accountStatus=active))
 
the details of one node in my LDAP
dn: cn=huynhnguyen,dc=yescall.com.vn,o=hosting,dc=yescall,dc=com,dc=vn
accountStatus: active
cn: huynhnguyen
homeDirectory: /vmail/hosting/yescall.com.vn/huynhnguyen
mailMessageStore: /vmail/hosting/yescall.com.vn/huynhnguyen/Maildir/
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: qmailUser
objectClass: CourierMailAccount
sn: Nguyen Dac Huynh2
structuralObjectClass: inetOrgPerson
entryUUID: f069f88e-1c17-102c-93d5-25c7f79a19b1
creatorsName: cn=admin,dc=yescall,dc=com,dc=vn
createTimestamp: 20071031161319Z
mailHost: mail.mikorn.com
userPassword:: aWtvcm40MTI4NA==
mail: huynhnguyen at yescall.com.vn
entryCSN: 20071205114520.832948Z#000000#000#000000
modifiersName: cn=admin,dc=yescall,dc=com,dc=vn
modifyTimestamp: 20071205114520Z
 
Start saslauthd:
#saslauthd -a ldap /usr/local/etc/saslauthd.conf
 
I always have authentication fails when using testsaslauth
 
My problems: 
- Must I have a schema in LDAP for SASL only?
- Does it neccessary to change my node in LDAP to another structure which is
suitable with SASL
- How can I use ldap_filter better in this case? 
 
Could anybody help me to solve this problem?
I'm a newbie in OpenSource.
I'm not good in English. Sorry if  any problem
Thank you for your careness
 
 
Thanks & Best Regards,
Nguyen Dac Huynh
System Engineer
Mirae Ikorn Co., Ltd
 
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
https://lists.andrew.cmu.edu/mailman/private/cyrus-sasl/attachments/20071211
/dd34142a/attachment-0001.html 

------------------------------

Message: 2
Date: Tue, 11 Dec 2007 06:56:45 -0000
From: "Guus Leeuw jr." <guus.leeuw at guusleeuwit.com>
Subject: RE: SASL over LDAP don't work
To: "'NguyenHuynh'" <huynhnguyen at mikorn.com>,
	<cyrus-sasl at lists.andrew.cmu.edu>
Message-ID: <00d201c83bc2$feeae400$fcc0ac00$@leeuw at guusleeuwit.com>
Content-Type: text/plain; charset="us-ascii"

Y'ello,

 

First of all, make sure to read the LDAP Admin Guide at www.openldap.org!

Then, make sure to double check with Turbo's KRB + SASL + OpenLDAP Howto at
www.bayour.com. (Forget about the KRB stuff there, he's got some very good
hints at testing the security install etc.)

 

As a general rule, you don't want LDAP to be your password database, instead
you want LDAP to use SASL to connect to something more useful like Kerberos
or RADIUS or a combination or something else. This is simply because LDAP is
not meant to be a password database, but rather an information store (as in:
the telephone book in your country doesn't list the PIN code for the
people's bank cards...).

 

If all else fails, you can always post the exact error you are getting,
increase debug levels all over the place, and make sure to cut and paste the
relevant log entries to the mailing list. A query akin your own query will
not necessarily give any useful hints to other people as to why things would
fail in your particular situation.

 

Regards,

Guus

 

From: cyrus-sasl-bounces at lists.andrew.cmu.edu
[mailto:cyrus-sasl-bounces at lists.andrew.cmu.edu] On Behalf Of NguyenHuynh
Sent: 11 December 2007 04:24
To: cyrus-sasl at lists.andrew.cmu.edu
Subject: SASL over LDAP don't work

 

SASL over LDAP 

 

I'm trying to using SASL over LDAP for authentication but I don't still work
yet

 

Details: 

OS: FreeBSD

Packages: 

cyrus-sasl-2.1.22   RFC 2222 SASL (Simple Authentication and Security Layer)

cyrus-sasl-ldapdb-2.1.22 SASL LDAPDB auxprop plugin

cyrus-sasl-saslauthd-2.1.22 SASL authentication server for cyrus-sasl2

postfix-current-2.5.20071006,4 A secure alternative to widely-used Sendmail

 

Configure SASL in  main.cf for postfix:

........

smtpd_sasl_auth_enable = yes

smtpd_recipient_restrictions = permit_sasl_authenticated,
reject_unauth_destination,     permit_mynetworks, reject

smtpd_sasl_authenticated_header = yes

........

 

Configure SASL for authentication: 

#vi /usr/local/lib/sasl2/smtpd.conf

pwcheck_method: saslauthd

auxprop_plugin: ldap

mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

 

Configure LDAP server's details for SASL-ldapdb:           

#vi /usr/local/etc/saslauthd.conf

ldap_servers: ldap://192.168.1.70

ldap_search_base:       dc=yescall,dc=com,dc=vn

ldap_bind_dn:   cn=admin,dc=yescall,dc=com,dc=vn

ldap_password:  123

ldap_filter:    (&(objectClass=qmailUser)(mail=%u)(accountStatus=active))

 

the details of one node in my LDAP

dn: cn=huynhnguyen,dc=yescall.com.vn,o=hosting,dc=yescall,dc=com,dc=vn

accountStatus: active

cn: huynhnguyen

homeDirectory: /vmail/hosting/yescall.com.vn/huynhnguyen

mailMessageStore: /vmail/hosting/yescall.com.vn/huynhnguyen/Maildir/

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: inetOrgPerson

objectClass: qmailUser

objectClass: CourierMailAccount

sn: Nguyen Dac Huynh2

structuralObjectClass: inetOrgPerson

entryUUID: f069f88e-1c17-102c-93d5-25c7f79a19b1

creatorsName: cn=admin,dc=yescall,dc=com,dc=vn

createTimestamp: 20071031161319Z

mailHost: mail.mikorn.com

userPassword:: aWtvcm40MTI4NA==

mail: huynhnguyen at yescall.com.vn

entryCSN: 20071205114520.832948Z#000000#000#000000

modifiersName: cn=admin,dc=yescall,dc=com,dc=vn

modifyTimestamp: 20071205114520Z

 

Start saslauthd:

#saslauthd -a ldap /usr/local/etc/saslauthd.conf

 

I always have authentication fails when using testsaslauth

 

My problems: 

- Must I have a schema in LDAP for SASL only?

- Does it neccessary to change my node in LDAP to another structure which is
suitable with SASL

- How can I use ldap_filter better in this case? 

 

Could anybody help me to solve this problem?

I'm a newbie in OpenSource.

I'm not good in English. Sorry if  any problem

Thank you for your careness

 

 

Thanks & Best Regards,

Nguyen Dac Huynh

System Engineer

Mirae Ikorn Co., Ltd

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
https://lists.andrew.cmu.edu/mailman/private/cyrus-sasl/attachments/20071211
/952d21f1/attachment.html 

------------------------------

_______________________________________________
Cyrus-sasl mailing list
Cyrus-sasl at lists.andrew.cmu.edu
https://lists.andrew.cmu.edu/mailman/listinfo/cyrus-sasl


End of Cyrus-sasl Digest, Vol 29, Issue 6
*****************************************

More information about the Cyrus-sasl mailing list