saslauthd: support several authentication methods

Sat Dec 12 21:33:47 UTC 2009

Hi Dan!

Thanks for the reply. The idea of using sasldb is really interesting, as 
I don't need to run saslauthd anymore. But the configuration is 
absolutely crazy. First of all I do not understand, why sasldb needs 
sasl_ldapdb_id and sasl_ldapdb_pw to complete authorization. Does it use 
2-stage binding (first with supplied user/password pair and then using 
the pair from service?). There is no way to specify the search filter, 
as saslauthd configuration allows. Pity!

Debian package maintaners were cleaver enough not to include 
README.ldapdb into the distro, so I cannot really see what are the 
options and sample configurations. As I see from internet:

- I can use
sasl_ldapdb_uri: ldap://127.0.0.1/
and provide id/ps pair. Should id be a complete DN? What mechanizms are 
then applicable, if LDAP stores password as SHA1 (no plain passwords)?

- I can use
sasl_ldapdb_uri: ldapi://
sasl_ldapdb_mech: EXTERNAL
but then I need to put cyrus account into LDAP and also create a mapping 
for DNs like this:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

Why such a complication? Why it cannot be done as simple as in 
saslauthd? Can you share your configuration? I have found this message:

http://www.mail-archive.com/cyrus-sasl@lists.andrew.cmu.edu/msg00105.html

which can be used as a guide... Or maybe you have something more fresh?

Thanks in advance!

Dan White wrote on 10.12.2009 20:51:
> Dmitry,
>
> In theory, the following configuration in your postfix smtpd.conf will do
> what you want:
>
> pwcheck_method: saslauthd auxprop
> auxprop_plugin: sasldb
>
> Alternatively, you could drop saslauthd, and do something like:
>
> pwcheck_method: auxprop
> auxprop_plugin: ldapdb sasldb
>
> But that would require some ldapdb setup.
>
> I'm doing something similar to the first scenario on a production server at
> the moment (except that I have auxprop listed before saslauthd).

-- 
With best regards,
Dmitry