SASL

A very convenient way of configuring the Simple Authentication and Security Layer (SASL) is to use the Pluggable Authentication Modules (PAM), since PAM can use different authentication sources such as LDAP or /etc/passwd - thus SASL is everything but simple ;-)


To configure SASL on SUSE you have to modify several configuration files:


You should have the following additional packages installed:


/etc/sysconfig/saslauthd:

## Path:           System/Security/SASL
## Type:           list(getpwent,kerberos5,pam,rimap,shadow,ldap)
## Default:        pam
## ServiceRestart: saslauthd
#
# Authentication mechanism to use by saslauthd.
# See man 8 saslauthd for available mechanisms.
#
SASLAUTHD_AUTHMECH=pam


/etc/saslauthd.conf:

ldap_servers: ldap://127.0.0.1
ldap_version: 3
ldap_timeout: 10
ldap_time_limit: 10
ldap_cache_ttl: 30
ldap_cache_mem: 32768
ldap_scope: sub
ldap_search_base: ou=people,dc=example,dc=com
ldap_filter_mode: yes
ldap_filter: uid=%u
ldap_use_sasl: no
ldap_bind_dn: cn=ldapadmin,dc=example,dc=com
ldap_password: your-secret-ldap_admin-password


Modify your files /etc/pam.d/imap, /etc/pam.d/pop, /etc/pam.d/sieve and /etc/pam.d/smtp from:

#%PAM-1.0

auth     include        common-auth
account  include        common-account
password include        common-password
session  include        common-session

to:

#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
account sufficient pam_ldap.so
account required pam_unix.so


/usr/lib/sasl2/smtpd.conf (SUSE <10.1) / /etc/sasl2/smtpd.conf (SUSE 10.2):

pwcheck_method: saslauthd
mech_list: plain login cram-md5 digest-md5
loglevel: 7


/usr/lib/sasl2/slapd.conf (SUSE <10.1) / /etc/sasl2/slapd.conf (SUSE 10.2):

mech_list: plain login cram-md5 digest-md5


Then restart saslauthd and cyrus:

rcsaslauthd restart
rccyrus restart


Watch the output in /var/log/messages carefully for any errors!
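
Two checks worth running on the /etc/saslauthd.conf shown above before going further, as an added example that is not part of the original page: the file carries ldap_password, so it must not be readable by anyone but root, and ldap_servers must not send the bind credentials (and every user password) over clear-text LDAP to a remote host. The script assumes Linux "ls -l" output and the "key: value" layout from above; the demo config it writes is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): two sanity checks on a
# saslauthd.conf laid out like the one above. Assumes a Linux "ls -l"
# format; the sample config below is constructed for the demo.

# Print the value of key $2 from file $1 (empty if the key is absent).
saslauthd_get() {
    awk -v k="$2" '$1 == (k ":") { print $2; exit }' "$1"
}

# 0 if $1 is unreadable by group and others. The file carries
# ldap_password, the bind DN's secret, so any other read bit is a finding.
saslauthd_conf_private() {
    [ -f "$1" ] || return 2
    perms=$(ls -l "$1" | cut -c5-10)            # group+other rwx columns
    case "$perms" in
        ------) return 0 ;;
        *) echo "WARN: $1 is readable by others (mode ...$perms)" >&2; return 1 ;;
    esac
}

# 0 if the LDAP transport protects credentials: loopback, ldaps://, a
# Unix socket, or ldap:// with ldap_start_tls: yes. Plain ldap:// to a
# remote host sends the bind password and every user password in clear.
saslauthd_ldap_transport_ok() {
    srv=$(saslauthd_get "$1" ldap_servers)
    tls=$(saslauthd_get "$1" ldap_start_tls)
    ok=1
    case "$srv" in
        ldaps://*|ldapi://*|ldap://127.0.0.1*|ldap://localhost*) ok=0 ;;
        ldap://*) [ "$tls" = yes ] && ok=0 ;;
    esac
    [ "$ok" -eq 0 ] || echo "WARN: ldap_servers=$srv is clear-text LDAP to a remote host" >&2
    return "$ok"
}

# Demo: a constructed copy of the config from this page, left at the
# mode 644 that a freshly created file usually gets.
demo=$(mktemp -d)
cat >"$demo/saslauthd.conf" <<'EOF'
ldap_servers: ldap://127.0.0.1
ldap_search_base: ou=people,dc=example,dc=com
ldap_bind_dn: cn=ldapadmin,dc=example,dc=com
ldap_password: your-secret-ldap_admin-password
EOF
chmod 644 "$demo/saslauthd.conf"
saslauthd_conf_private "$demo/saslauthd.conf" || echo "fix: chmod 600 $demo/saslauthd.conf"
saslauthd_ldap_transport_ok "$demo/saslauthd.conf" && echo "ldap transport: ok (loopback)"
rm -rf "$demo"
```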

Testing

Grep the /etc/passwd file for the user „cyrus“:

grep cyrus /etc/passwd
cyrus:x:96:12:User for cyrus-imapd:/usr/lib/cyrus:/bin/bash


Set a password e.g. „tester“ for user „cyrus“:

station7:/ # passwd cyrus
Changing password for cyrus.
New Password:
Reenter New Password:
Password changed.


Now test whether SASL is working:

station7:/ # testsaslauthd -u cyrus -p tester
0: OK "Success."


So SASL is working with UNIX authentication via /etc/passwd.
Now check a user that exists only in LDAP, e.g. user „haasc“ with password „tester1“:

station7:/ # testsaslauthd -u haasc -p tester1
0: OK "Success."



Now test whether cyradm can log in properly:

station7:/ # cyradm -u cyrus station7.example.com
IMAP Password:
  station7.example.com>


SASLfinger

saslfinger is a bash utility script that helps you debug your SMTP AUTH setup. It gathers various information about Cyrus SASL and Postfix from your system and sends it to stdout.
It was written by Patrick Ben Koetter.

Usage:
You must run saslfinger with one of the following options:
-c If you run saslfinger with the option -c it will collect data required for client-side SMTP AUTH. Client-side SMTP AUTH is when the Postfix smtp daemon uses SMTP AUTH to authenticate itself with a remote mail server that offers SMTP AUTH.
saslfinger will try to telnet to all hosts listed in smtp_sasl_password_maps, if it is permitted to read smtp_sasl_password_maps.
The telnet test verifies that your host is able to reach the remote servers and shows which AUTH mechanisms they offer - in some cases this is required to debug client-side SMTP AUTH.
Important: By default smtp_sasl_password_maps must be readable only by root, since these maps contain the usernames and passwords used to authenticate. If you run saslfinger as root, access will be no problem, but saslfinger will fail if you lack the permissions to access smtp_sasl_password_maps.
If you want to run the telnet test but don't want to run saslfinger as root, change the permissions of smtp_sasl_password_maps so that the user running saslfinger may access smtp_sasl_password_maps while you debug.
*note: You don't need to worry about saslfinger doing anything with the username or password stored next to the remote hosts in your smtp_sasl_password_maps; saslfinger completely ignores this information!

-h If you run saslfinger with the option -h it will print a little help message that tells you about the options you can use.
-s If you run saslfinger with the option -s it will collect data required for server-side SMTP AUTH. Server-side SMTP AUTH is when the Postfix smtpd daemon offers SMTP AUTH to mail clients.
Download at http://postfix.state-of-mind.de/patrick.koetter/saslfinger/saslfinger-1.0.2.tar.gz