
qmail and sasl


Friedrich Locke

Jul 6, 2011, 2:58:43 PM
Hi folks,

I am faced with the task to deploy a single sign on authentication
engine. For now we have openldap, kerberos working 100%.
I know qmail supports ldap.
My users' userPassword attributes are currently set to {SASL}xx...@my.domain.
I wonder if qmail (even with ldap support) supports the SASL
authentication "method".
If not, is anybody aware of someone's patch that implements it?

Thanks in advance.

Best regards,

Friedrich.

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-...@muc.de

Erwin Hoffmann

Jul 6, 2011, 4:12:45 PM
Hi Friedrich

(oh we share the same name ..),

On Wed, 6 Jul 2011 15:58:43 -0300
Friedrich Locke <friedri...@gmail.com> wrote:

> Hi folks,
>
> I am faced with the task to deploy a single sign on authentication
> engine. For now we have openldap, kerberos working 100%.

Ok.

> I know qmail supports ldap.

With Andree Oppermann's patch.

> My users' userPassword attributes are currently set to {SASL}xx...@my.domain.
> I wonder if qmail (even with ldap support) supports the SASL
> authentication "method".

What do you want to achieve?

SASL is a library (and I doubt - except for Inter7 - anyone is willing to marry it with qmail) -- and a framework.
However, SASL allows different authentication schemes, which may include the 'PAM' method (as 'external SASL' method).

> If not, is anybody aware of someone's patch that implements it?

Tell us about your plans, what is your problem.


regards.
--eh.

>
> Thanks in advance.
>
> Best regards,
>
> Friedrich.
>


--
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: 7E4034BE

Erwin Hoffmann

Jul 6, 2011, 4:54:42 PM
Hi Friedrich,


On Wed, 6 Jul 2011 17:36:54 -0300
Friedrich Locke <friedri...@gmail.com> wrote:

> >> If not, is anybody aware of someone's patch that implements it?
> >
> > Tell us about your plans, what is your problem.
>
> My plan is to make qmail authenticate users whose entries'
> userPassword is set to be forwarded to SASL.

Thus your 'User DB' is either in the LDAP or Kerberos Realm?
(Check for my SMTP Authentication tutorial).

With LDAP authentication, this should be possible; either for simple or strong bind.
This is the typical case, even if Kerberos is used else.

In fact, check for the following:

a) qmail-smtpd uses (by means of the PAM) an extensible authentication scheme.
b) You need a particular PAM to connect to the LDAP DB, binding, and exiting on success with RC=0.
c) Address mangling (Kerberos realm, DN etc.) should not be too difficult (the target domain can be used as a hint).
d) A good starting point is my qmail-ldap PAM (in PERL) for user validation (not authentication).

regards.
--eh.
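
A sketch of the kind of module points a) to c) describe, added here as an example and not taken from the thread or from Erwin Hoffmann's Perl PAM. It assumes the checkpassword interface (login, password and timestamp NUL-separated on file descriptor 3), the python-ldap package, a placeholder server name, and a hypothetical `uid=...,ou=people,dc=...` directory layout derived from the mail domain.

```python
import os
import sys
LDAP_URI = "ldaps://ldap.example.org"  # assumption: placeholder server name

def parse_fd3(blob):
    """Split the checkpassword record: login NUL password NUL timestamp NUL."""
    parts = blob.split(b"\0")
    if len(parts) < 3 or not parts[0]:
        raise ValueError("malformed checkpassword input")
    return parts[0].decode("utf-8"), parts[1].decode("utf-8")

def escape_rdn(value):
    """Escape RFC 4514 special characters so a login cannot reshape the DN."""
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    return "\\" + out if out.startswith("#") else out

def login_to_dn(login, default_domain="example.org"):
    """Map user@my.domain to uid=user,ou=people,dc=my,dc=domain (assumed layout)."""
    local, _, domain = login.partition("@")
    if not local or login != login.strip():
        raise ValueError("unusable login")
    labels = (domain or default_domain).split(".")
    dcs = ",".join("dc=" + escape_rdn(l) for l in labels if l)
    return "uid=%s,ou=people,%s" % (escape_rdn(local), dcs)

def ldap_bind(dn, password):
    """Simple bind with python-ldap (imported lazily; assumed to be installed)."""
    import ldap
    try:
        ldap.initialize(LDAP_URI).simple_bind_s(dn, password)
        return True
    except ldap.INVALID_CREDENTIALS:
        return False

def authenticate(blob, bind=ldap_bind):
    """Return the exit code: 0 accept, 1 reject, 2 misuse, 111 temporary error."""
    try:
        login, password = parse_fd3(blob)
        dn = login_to_dn(login)
    except ValueError:
        return 2
    if not password:
        return 1  # a DN with an empty password is an unauthenticated bind
    try:
        return 0 if bind(dn, password) else 1
    except Exception:
        return 111  # directory unreachable: fail closed, client may retry

if __name__ == "__main__":
    sys.exit(authenticate(os.fdopen(3, "rb").read(512)))
```

The empty-password check matters because many directory servers report success for a simple bind that carries a DN and no password, which would otherwise accept any known login.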
