authentication question (passwords stored in /etc/shadow) => sasl (conversion)

Igor Brezac igor at ipass.net
Fri Mar 21 13:58:39 EST 2003


On Fri, 21 Mar 2003, Jeremy Rumpf wrote:

> On Friday 21 March 2003 10:20 am, Markus Welsch wrote:
> > > This may be a long shot, passwords in /etc/shadow (depending on your
> > > system), may be unix crypt or md5 hashes. Perhaps you could setup ldap,
> > > and transplant the password hashes into the userPassword attribute. I've
> > > never tried it personally, but it may be worth a shot.
> >
> > MD5 hashes are used if I'm not wrong here!
>
> Aaah, then setup a simple ldap schema, something like:
>
>   dn: uid=john.doe@doeworld.com,ou=mail,dc=somecompany,dc=com
>   sn: Doe
>   givenName: John
>   userPassword: {MD5}xxxxxxxxxxxxDZgg==
>   description: mail user account
>   uid: john.doe@doeworld.com
>   cn: john.doe
>   mail: john.doe@doeworld.com
>
> Construct the entries, and pop in the login value into the uid. Cut and paste
> in the md5 hash prepending an {md5}. From there, setup cyrus to use
> saslauthd. The saslauthd config file for ldap resolution may be like:
>
>   ldap_servers: ldap://ldap1.somecompany.com/
>   ldap_bind_dn: cn=someadminuser,dc=somecompany,dc=com
>   ldap_bind_pw: xxxxxxx
>   ldap_timeout: 20
>   ldap_scope: one
>   ldap_search_base: ou=mail,dc=somecompany,dc=com
>   ldap_auth_method: bind
>   ldap_filter: (uid=%u)
>   ldap_ssl: no

Does not exist.  Use ldap_servers: ldaps://some.ldap.server/

>   ldap_start_tls: no

It is not available yet.  It will be available soon.  You can use the
example from above for the transport protection.

If you use schema from the example above, you can do something like this.

ldap_servers: ldap://ldap1.somecompany.com/
ldap_filter: uid=%u,ou=mail,dc=somecompany,dc=com
ldap_auth_method: fastbind

This is much much faster.  ldap_auth_method: custom is very fast as well,
but you need to get the latest CVS version of saslauthd.

> The only question I don't know, is how cyrus 2.2.x handles mailbox names with
> a domain (virtual domain support) and specifically how that relates to
> username/password resolution in saslauthd. I haven't had any direct
> experience yet with the two.

Saslauthd does not do anything special.  So if a (virtual) user logs in as
user@example.com, the following tokens will be available to the ldap_filter,
ldap_search_base and ldap_group_dn parameters:

%u - user@example.com
%U - user
%d - example.com
%1 - com
%2 - example

Now you can play with ldap_filter any way you see fit.  I am not sure which
version of saslauthd you use, but I strongly recommend that you get the latest
CVS version of saslauthd.  There is one important bug fix when the custom
auth_method is used and a fair amount of enhancements.

For more check
http://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/saslauthd/LDAP_SASLAUTHD?rev=1.5&content-type=text/x-cvsweb-markup

Somehow the latest version of LDAP_SASLAUTHD got reverted back to a fairly old
version.  I'll send the fix.

Hope this helps.

-- 
Igor
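As an added example, not from the thread and not from Cyrus or OpenLDAP, here is a script that performs the transplant Jeremy and Igor discuss: it reads /etc/shadow records, leaves out locked, passwordless and system accounts, and emits one LDIF entry per user in the ou=mail layout shown above. The hash is stored as {CRYPT}<shadow hash>, on the assumption that slapd is built with a crypt(3) that understands the schemes present; this is because the $1$ strings in shadow are MD5-crypt output, whereas OpenLDAP's {MD5} scheme denotes the base64 of a raw MD5 digest. The sample shadow lines (placeholder salts and digests of the right shape, not hashes of any real password), the domain doeworld.com and the base ou=mail,dc=somecompany,dc=com are constructed for the example.

```python
"""Transplant /etc/shadow password hashes into LDIF for the ou=mail tree used in
the thread. Example code written for this page; not from Cyrus, OpenLDAP or any of
the posters. Assumes the LDAP server verifies {CRYPT} userPassword values with a
crypt(3) that supports the hash formats present in the shadow file."""
import base64
import re

# Constructed sample shadow file: placeholder salts/digests with the right shape,
# not hashes of any real password. The second field is the password hash.
SHADOW_SAMPLE = """\
root:$1$Xq8dK2Lm$aZ9bQ3mE7tR1yU5iO0pLsK:12100:0:99999:7:::
john.doe:$1$Ab12Cd34$f9Gh8Ij7Kl6Mn5Op4Qr3St:12100:0:99999:7:::
jane:$6$Zt5Yu7Io$Vw2Xy1Za0Bc9De8Fg7Hi6Jk5Lm4No3Pq2Rs1Tu0Vw9Xy8Za7Bc6De5Fg4Hi3Jk2Lm1No0Pq9Rs8Tu7Vw6Xy5Za4Bc3:12100:0:99999:7:::
olduser:Zx/1Qy2Lm3Nop:12100:0:99999:7:::
locked:!$1$Xq8dK2Lm$aZ9bQ3mE7tR1yU5iO0pLsK:12100:0:99999:7:::
nologin:*:12100:0:99999:7:::
nopass::12100:0:99999:7:::
"""

_CRYPT_RE = re.compile(r'^\$(1|5|6|2[aby])\$')      # modular crypt prefixes
_DES_RE = re.compile(r'^[./0-9A-Za-z]{13}$')        # traditional DES crypt
_SCHEMES = {'1': 'md5crypt', '5': 'sha256crypt', '6': 'sha512crypt'}
TRANSPLANTABLE = {'md5crypt', 'sha256crypt', 'sha512crypt', 'descrypt', 'bcrypt'}

def classify_hash(h):
    """Name the crypt(3) scheme of a shadow hash field, or the reason it must not be copied."""
    if h == '':
        # No password at all. An LDAP simple bind with an empty password is an
        # anonymous bind, so such an entry would let anyone "authenticate".
        return 'empty'
    if h.startswith(('!', '*')):
        return 'locked'      # passwd -l, nologin, or a '*' placeholder
    m = _CRYPT_RE.match(h)
    if m:
        return _SCHEMES.get(m.group(1), 'bcrypt')
    if _DES_RE.match(h):
        return 'descrypt'
    return 'unknown'

def parse_shadow(text):
    """Yield (name, hash) per record; the ageing fields are not needed here."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) < 2:
            raise ValueError(f"shadow line {lineno}: expected name:hash:...")
        yield fields[0], fields[1]

def dn_escape(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)

def ldif_line(attr, value):
    """'attr: value', or 'attr:: base64' when the value is not an LDIF SAFE-STRING (RFC 2849)."""
    unsafe = (not value.isascii() or value.startswith((' ', ':', '<'))
              or any(c in value for c in '\x00\r\n'))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"

def shadow_to_ldif(text, domain, base_dn, skip=('root',)):
    """Return (ldif, skipped); skipped maps each omitted account to the reason."""
    entries, skipped = [], {}
    for name, h in parse_shadow(text):
        scheme = classify_hash(h)
        if name in skip:
            skipped[name] = 'system account'
            continue
        if scheme not in TRANSPLANTABLE:
            skipped[name] = scheme
            continue
        login = f"{name}@{domain}"
        # cn/sn fall back to the login name: shadow carries no real-name field.
        lines = [
            ldif_line('dn', f"uid={dn_escape(login)},{base_dn}"),
            ldif_line('objectClass', 'inetOrgPerson'),
            ldif_line('uid', login),
            ldif_line('cn', name),
            ldif_line('sn', name),
            ldif_line('mail', login),
            ldif_line('description', f'mail user account (hash scheme: {scheme})'),
            ldif_line('userPassword', '{CRYPT}' + h),
        ]
        entries.append('\n'.join(lines))
    return '\n\n'.join(entries) + ('\n' if entries else ''), skipped

if __name__ == '__main__':
    ldif, skipped = shadow_to_ldif(SHADOW_SAMPLE, 'doeworld.com', 'ou=mail,dc=somecompany,dc=com')
    print(ldif)
    for name, why in skipped.items():
        print(f"# skipped {name}: {why}")
```

Feed the output to ldapadd as the admin user; the skipped list is worth reviewing by hand before loading, since a locked or passwordless Unix account that gains a bindable LDAP entry is a new login path rather than a migrated one.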
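The token list above (%u, %U, %d, %1, %2), as an added example written for this page and not saslauthd's own code: it expands the tokens into ldap_filter and ldap_search_base and shows the search that the bind method would issue and the DN that fastbind would bind as. The example applies RFC 4515 escaping to values substituted into a filter and RFC 4514 escaping to values substituted into a DN, so that a login containing '*', ')' or ',' cannot rewrite the filter or the DN; whether a given saslauthd version escapes these itself is not stated on this page, so check the version you run. The configurations and logins used are constructed, and only the two methods described on the page are modelled.

```python
"""Expand saslauthd-style tokens for a virtual-domain login and show the LDAP
request each auth method would issue. Example code written for this page; it is
not saslauthd's implementation and models only the bind and fastbind methods."""
import re

def token_values(login):
    """Token values for 'user@example.com' as listed in the reply above:
    %u whole login, %U local part, %d domain, %1 rightmost domain label, %2 the
    next one, and so on. A login without '@' has an empty %d and no %n tokens."""
    user, _sep, domain = login.partition('@')
    values = {'u': login, 'U': user, 'd': domain}
    labels = domain.split('.') if domain else []
    for n, label in enumerate(reversed(labels), 1):   # %1 = 'com', %2 = 'example'
        values[str(n)] = label
    return values

def ldap_filter_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter (the example's own)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def dn_escape(value):
    """RFC 4514 escaping for a value placed inside a DN (the example's own)."""
    value = re.sub(r'([,+"\\<>;])', r'\\\1', value)
    if value.startswith((' ', '#')):
        value = '\\' + value
    if value.endswith(' '):
        value = value[:-1] + '\\ '
    return value

_TOKEN = re.compile(r'%([uUd]|[1-9])')

def expand(template, login, escape):
    """Substitute tokens in a template; 'escape' is applied to every substituted value."""
    values = token_values(login)
    def repl(m):
        key = m.group(1)
        if key not in values:
            raise ValueError(f"%{key} has no value for login {login!r}")
        return escape(values[key])
    return _TOKEN.sub(repl, template)

def ldap_request(config, login):
    """What the configured method sends for a login.
    bind:     ('search', base_dn, filter), then a bind as the entry found.
    fastbind: ('bind', dn) where ldap_filter is used as a DN template."""
    method = config.get('ldap_auth_method', 'bind')
    if method == 'fastbind':
        return ('bind', expand(config['ldap_filter'], login, dn_escape))
    if method == 'bind':
        base = expand(config['ldap_search_base'], login, dn_escape)
        flt = expand(config['ldap_filter'], login, ldap_filter_escape)
        return ('search', base, flt)
    raise ValueError(f"ldap_auth_method {method!r} is not modelled here")

if __name__ == '__main__':
    # Constructed configurations in the style of the saslauthd.conf shown above.
    search_cfg = {'ldap_auth_method': 'bind',
                  'ldap_search_base': 'ou=mail,dc=%2,dc=%1', 'ldap_filter': '(uid=%u)'}
    fast_cfg = {'ldap_auth_method': 'fastbind',
                'ldap_filter': 'uid=%u,ou=mail,dc=somecompany,dc=com'}
    for login in ('user@example.com', 'john.doe@doeworld.com'):
        print(login, '->', ldap_request(search_cfg, login), ldap_request(fast_cfg, login))
    # A hostile login: unescaped substitution turns one filter into two.
    hostile = '*)(uid=*'
    print('unescaped:', expand('(uid=%u)', hostile, lambda v: v))
    print('escaped:  ', expand('(uid=%u)', hostile, ldap_filter_escape))
```

With the base template ou=mail,dc=%2,dc=%1 a login whose domain has only one label (user@com) has no %2 and raises rather than silently producing a wrong base; a real deployment should decide explicitly what happens to such logins instead of letting the search run against a partially expanded DN.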




More information about the Info-cyrus mailing list