Hasse Hagen Johansen | 1 Jul 14:04 2011

Re: Authenticate

>>>>> "Friedrich" == Friedrich Locke <friedrich.locke <at> gmail.com> writes:

    Friedrich> By reading life with qmail, session "4.5 Filling the
    Friedrich> Directory" the attribute userPassword is:

    Friedrich> userPassword: {MD5}X03MO1qnZdYdgyfeuILPmQ==

    Friedrich> I would not like this approach, because the user
    Friedrich> specified by the entry already has a password in
    Friedrich> kerberos.  Is there a means by which I could tell: "Hey,
    Friedrich> look up the password at xxxx.yyy.zzzz"?

And now also to the list ;-)

You can use {sasl}username in the userPassword to get it to ask the
sasl service for authentication.

You have to configure sasl on the ldap server to ask the correct server
for an answer.

Best Regards
Hasse Hagen Johansen
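
An added example, not part of any post in this thread: a Python audit of userPassword values in an LDIF export, sorted by storage scheme, covering the {MD5} and {SASL} forms discussed above. The DNs, the user names and the cleartext entry are constructed for the example; whether qmail-ldap binds to the server or compares the attribute itself is left open by the thread and is not assumed here.

```python
import base64
import hashlib
import re

# Constructed sample export. The {MD5} value and the {SASL}user@REALM form come
# from the thread; the DNs, "bob" and "secret" are made up for the example.
_B64 = base64.b64encode(b"{SASL}bob@MY.DOMAIN").decode()
SAMPLE_LDIF = (
    "dn: uid=alice,dc=example,dc=org\n"
    "userPassword: {MD5}X03MO1qnZdYdgyfeuILPmQ==\n\n"
    "dn: uid=bob,dc=example,dc=org\n"
    f"userPassword:: {_B64}\n\n"
    "dn: uid=carol,dc=example,dc=org\n"
    "userPassword: secret\n"
)
UNSALTED = {"MD5", "SHA"}    # digest of the password only
SALTED = {"SMD5", "SSHA"}    # digest of password + per-entry salt

def iter_passwords(ldif):
    """Yield (dn, value) pairs; handles folded lines and base64 '::' values."""
    dn = None
    for line in ldif.replace("\n ", "").splitlines():
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
        m = re.match(r"userPassword(::?)\s*(.*)", line, re.I)
        if m:
            value = m.group(2)
            if m.group(1) == "::":
                value = base64.b64decode(value).decode("utf-8", "replace")
            yield dn, value

def classify(value):
    m = re.match(r"\{([^}]+)\}(.*)", value, re.S)
    if not m:
        return "cleartext", None
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme == "SASL":
        # No hash is stored; only a bind to slapd can verify the password.
        return "pass-through", rest
    if scheme in UNSALTED:
        return "unsalted-hash", rest
    return ("salted-hash" if scheme in SALTED else "other"), rest

def ldap_md5(password):
    """Build an OpenLDAP-style {MD5} value: base64 of the raw MD5 digest."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()

def audit(ldif):
    return [(dn, *classify(v)) for dn, v in iter_passwords(ldif)]
```

An unsalted {MD5} value is the same for every entry that shares a password, which is one reason to prefer the pass-through form when the credential already lives in Kerberos.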

Friedrich Locke | 1 Jul 14:56 2011

Re: Authenticate

I got this working for ldap server.

I can log into the openldap server using GSSAPI (-Y flag) and simple
bind (userPassword: {SASL}xxx@MY.DOMAIN) and it works ok by both
methods.
But for {SASL}xyz to work I had to write "pwcheck_method: saslauthd" into
/usr/local/lib/sasl2/slapd.conf.

Is it necessary to create configuration files for qmail (pop3, smtp,
...) inside /usr/local/lib/sasl2/ for each of the qmail services? Or is what
I have done for slapd enough?

Thanks once more

Fried.

On Fri, Jul 1, 2011 at 9:04 AM, Hasse Hagen Johansen <hhj <at> musikcheck.dk> wrote:
>>>>>> "Friedrich" == Friedrich Locke <friedrich.locke <at> gmail.com> writes:
>
>    Friedrich> By reading life with qmail, session "4.5 Filling the
>    Friedrich> Directory" the attribute userPassword is:
>
>    Friedrich> userPassword: {MD5}X03MO1qnZdYdgyfeuILPmQ==
>
>    Friedrich> I would not like this approach, because the user
>    Friedrich> specified by the entry already has a password in
>    Friedrich> kerberos.  Is there a means by which I could tell: "Hey,
>    Friedrich> look up the password at xxxx.yyy.zzzz"?
>
> And now also to the list ;-)

Hasse Hagen Johansen | 1 Jul 15:12 2011

Re: Authenticate

>>>>> "Friedrich" == Friedrich Locke <friedrich.locke <at> gmail.com> writes:

    Friedrich> I got this working for ldap server.  I can log into the
    Friedrich> openldap server using GSSAPI (-Y flag) and simple bind
    Friedrich> (userPassword: {SASL}xxx@MY.DOMAIN) and it works ok by
    Friedrich> both methods.  But for {SASL}xyz to work i had to write
    Friedrich> "pwcheck_method: saslauthd" into
    Friedrich> /usr/local/lib/sasl2/slapd.conf.

    Friedrich> Is it necessary to create configuration files for qmail
    Friedrich> (pop3,smtp, ...) inside /usr/local/lib/sasl2/ for each of
    Friedrich> qmail services ? Or what i have done for slapd is enough?

No. The qmail-ldap daemons will look up the information in the ldap
server. The ldap server will then, as a SASL client, ask the server which
the SASL configuration is telling it to. So you have to configure the ldap
server as a SASL client to the server which you will ask over SASL
(which can also be itself).

Best Regards
Hasse Hagen Johansen

Hasse Hagen Johansen | 1 Jul 15:15 2011

Re: Authenticate

>>>>> "Friedrich" == Friedrich Locke <friedrich.locke <at> gmail.com> writes:

    Friedrich> I got this working for ldap server.  I can log into the
    Friedrich> openldap server using GSSAPI (-Y flag) and simple bind
    Friedrich> (userPassword: {SASL}xxx@MY.DOMAIN) and it works ok by
    Friedrich> both methods.  But for {SASL}xyz to work i had to write
    Friedrich> "pwcheck_method: saslauthd" into
    Friedrich> /usr/local/lib/sasl2/slapd.conf.

    Friedrich> Is it necessary to create configuration files for qmail
    Friedrich> (pop3,smtp, ...) inside /usr/local/lib/sasl2/ for each of
    Friedrich> qmail services ? Or what i have done for slapd is enough?

I think I understand what you mean now. You are asking if the qmail
daemons are able to follow the {SASL}xyz syntax? I actually don't know that
because I haven't used such an ldap setup with qmail-ldap :(

Best Regards
Hasse Hagen Johansen

Friedrich Locke | 1 Jul 20:13 2011

Re: Authenticate

Ok, see below:

On Fri, Jul 1, 2011 at 10:15 AM, Hasse Hagen Johansen <hhj <at> musikcheck.dk> wrote:
>>>>>> "Friedrich" == Friedrich Locke <friedrich.locke <at> gmail.com> writes:
>
>    Friedrich> I got this working for ldap server.  I can log into the
>    Friedrich> openldap server using GSSAPI (-Y flag) and simple bind
>    Friedrich> (userPassword: {SASL}xxx@MY.DOMAIN) and it works ok by
>    Friedrich> both methods.  But for {SASL}xyz to work i had to write
>    Friedrich> "pwcheck_method: saslauthd" into
>    Friedrich> /usr/local/lib/sasl2/slapd.conf.
>
>    Friedrich> Is it necessary to create configuration files for qmail
>    Friedrich> (pop3,smtp, ...) inside /usr/local/lib/sasl2/ for each of
>    Friedrich> qmail services ? Or what i have done for slapd is enough?
>
> I think I understand what you mean now. You are asking if the qmail
> daemons are able to follow the {SASL}xyz syntax? I actually don't know that
> because I haven't used such an ldap setup with qmail-ldap :(

What about a try?

> Best Regards
> Hasse Hagen Johansen
>
>

thanks


Hasse Hagen Johansen | 1 Jul 20:38 2011

Re: Authenticate


On Jul 1, 2011, at 8:13 PM, Friedrich Locke wrote:

> Ok, see below:
>
> On Fri, Jul 1, 2011 at 10:15 AM, Hasse Hagen Johansen <hhj <at> musikcheck.dk> wrote:
>> "Friedrich" == Friedrich Locke <friedrich.locke <at> gmail.com> writes:
>>
>>    Friedrich> I got this working for ldap server.  I can log into the
>>    Friedrich> openldap server using GSSAPI (-Y flag) and simple bind
>>    Friedrich> (userPassword: {SASL}xxx@MY.DOMAIN) and it works ok by
>>    Friedrich> both methods.  But for {SASL}xyz to work i had to write
>>    Friedrich> "pwcheck_method: saslauthd" into
>>    Friedrich> /usr/local/lib/sasl2/slapd.conf.
>>
>>    Friedrich> Is it necessary to create configuration files for qmail
>>    Friedrich> (pop3,smtp, ...) inside /usr/local/lib/sasl2/ for each of
>>    Friedrich> qmail services ? Or what i have done for slapd is enough?
>>
>> I think I understand what you mean now. You are asking if the qmail
>> daemons are able to follow the {SASL}xyz syntax? I actually don't know that
>> because I haven't used such an ldap setup with qmail-ldap :(
>
> What about a try?

Sorry. I cannot help you with that. It is many years since I had a qmail-ldap setup. I think it should work if qmail-ldap is accessing the ldap directory in a standard way. Anyway, you will need the ldap server configured as a SASL client to the SASL server you would authenticate against. At work we use that kind of setup to check passwords against an Active Directory. That is, we sync the users to the ldap server but without the password and then check the password via SASL.

Friedrich Locke | 6 Jul 16:35 2011

authentication

Dear list members,

I have set up openldap, kerberos, sasl in order to auth in my systems.
My users' userPassword is:

{SASL}user@krb_realm

I wonder if qmail-ldap will work 100% with this authentication style?

Thanks in advance.

Friedrich Locke | 6 Jul 18:31 2011

SASL Bind

Hi,

I wonder if qmail-ldap can do SASL binds, i.e., when a user's
userPassword attribute is {SASL}user@realm?

Thanks in advance.

Friedrich.

Friedrich Locke | 11 Jul 16:34 2011

ldap

I am deploying qmail ldap and wonder if there is a special patch for
qmail-ldap necessary to run mailing lists.

Thanks in advance.

Gennady G. Marchenko | 11 Jul 18:00 2011

Re: ldap

In qmail-ldap you don't need any special patch to support ldap-enabled
mailing lists.

Gennady.

11.07.2011 18:34, Friedrich Locke writes:
> I am deploying qmail ldap and wonder if there is a special patch for
> qmail-ldap necessary to run mailing lists.
>
> Thanks in advance.

