Re: [Cooker] Postfix auth using saslauthd - pam
[EMAIL PROTECTED] writes: I think changing to sasl2 in postfix was a bit premature, since the dependencies are quite complex ... this is AFAIK how it works: Openldap, postfix, cyrus, should be compiled against the same libsasl. Openldap, sasl should be compiled against the same version of db4, and they Buildrequire each other. Since postfix will segfault if two different sasl versions are used together when using ldap, maybe sasl1 should be simply removed from cooker, what do you think warly? That way, it will prevent from bad bugreports of segfaults, and force people to rebuild faster :). Is there anything that should still badly need sasl1 in the 9.2? -- Guillaume Cottenceau - http://people.mandrakesoft.com/~gc/
Re: [Cooker] Postfix auth using saslauthd - pam
Guillaume Cottenceau [EMAIL PROTECTED] writes: [EMAIL PROTECTED] writes: I think changing to sasl2 in postfix was a bit premature, since the dependencies are quite complex ... this is AFAIK how it works: Openldap, postfix, cyrus, should be compiled against the same libsasl. Openldap, sasl should be compiled against the same version of db4, and they Buildrequire each other. Since postfix will segfault if two different sasl versions are used together when using ldap, maybe sasl1 should be simply removed from cooker, what do you think warly? That way, it will prevent from bad bugreports of segfaults, and force people to rebuild faster :). Is there anything that should still badly need sasl1 in the 9.2? AFAIK we tried but failed for 9.1 cos of some Florin packages, Florin, can you confirm? -- Warly
Re: [Cooker] Postfix auth using saslauthd - pam
Warly [EMAIL PROTECTED] writes: Guillaume Cottenceau [EMAIL PROTECTED] writes: [EMAIL PROTECTED] writes: I think changing to sasl2 in postfix was a bit premature, since the dependencies are quite complex ... this is AFAIK how it works: Openldap, postfix, cyrus, should be compiled against the same libsasl. Openldap, sasl should be compiled against the same version of db4, and they Buildrequire each other. Since postfix will segfault if two different sasl versions are used together when using ldap, maybe sasl1 should be simply removed from cooker, what do you think warly? That way, it will prevent from bad bugreports of segfaults, and force people to rebuild faster :). Is there anything that should still badly need sasl1 in the 9.2? AFAIK we tried but failed for 9.1 cos of some Florin packages, Florin, can you confirm? openldap still depends on libsasl1 ... we will eventually upgrade openldap, make sure that everything works ... and maybe move sasl1 in the contribs or get rid of it ... -- Florin http://www.mandrakesoft.com http://people.mandrakesoft.com/~florin/
Re: [Cooker] Postfix auth using saslauthd - pam
Martin Fahrendorf [EMAIL PROTECTED] writes: do you know why postfix in cooker still uses sasl v1? anyway i just took the sources for sasl v1 and rebuild saslauthd for sasl1 (changing the socket path) and it works like charm with postfix. regards, L. because ldap uses sasl v1 and postfix is bind to ldap and it is not good to use sasl v1 libs and sasl v2 libs in one application. Argh :(. Should I revert 2.0.12-2mdk change then? (pardon my lack of knowledge in postfix field..) I think changing to sasl2 in postfix was a bit premature, since the dependencies are quite complex ... this is AFAIK how it works: Openldap, postfix, cyrus, should be compiled against the same libsasl. Openldap, sasl should be compiled against the same version of db4, and they Buildrequire each other. Openldap-2.1 requires db4-4.1 (I couldn't get it to build without bdb, and bdb requires db4-4.1) Any package that links directly to both sasl and openldap *must* be rebuilt, and rpm will also tell you that any package the requires libldap2 will need to be rebuilt (as dependencies will include libsasl7 instead of libsasl2). So, the way this should be done is: 1)get db4-4.1 into main 2)Rebuild sasl2 against db4-4.1 3)Rebuild openldap-2.1 against sasl2 4)Rebuild sasl2 against openldap-2.1 (I think there are some bits of sasl2 that require ldap) 5)Rebuild postfix against libldap2-2.1 and sasl2 6)Rebuild all other apps dependant on libldap2 and sasl (samba,samba3,kdebase,pam_ldap,nss_ldap,directory_administrator,gq, etc etc) Packages involved in this that are ready (those with packages please add to the list): http://ranger.dnsalias.com/mandrake/cooker/db4-4.1.25-1mdk.src.rpm http://ranger.dnsalias.com/mandrake/cooker/openldap.spec (2.1.19, Oden has a 2.1.20 package, but there is still some work to be done on ensuring an existing directory will work after upgrade). I have Oden's openldap-2.1.20, and will see if I can get some pre/post combo to migrate data correctly from 2.0.x to 2.1.x (or just figure out how to turn off schema checking). Maybe we should agree when we want to do the switch, and get all the packages ready? Can we aim for Friday 20 June? BTW, there is a problem with the naming of the sasl2 packages IMHO. The library name is libsasl2 (ie use -lsasl2 for LDFLAGS), the major version is 2, so the lib packages should be libsasl2_2 instead of libsasl2. This makes understanding which package (libsasl2 vs libsasl7) much easier ... Regards, Buchan
Re: [Cooker] Postfix auth using saslauthd - pam
On Thu, Jun 12, 2003 at 11:34:04PM +0200, Luca Olivetti wrote: Postfix in 9.1 uses sasl v1, so it cannot use saslauthd. It can use pwcheck but I doubt pwcheck can use ldap. Since sasl v1 can use pam directly you can try to put in /etc/sasl/smtpd.conf (before 9.1 it would have been /usr/lib/sasl/smtpd.conf) the line do you know why postfix in cooker still uses sasl v1? anyway i just took the sources for sasl v1 and rebuild saslauthd for sasl1 (changing the socket path) and it works like charm with postfix. regards, L. -- Luca Berra -- [EMAIL PROTECTED] Communication Media Services S.r.l. /\ \ / ASCII RIBBON CAMPAIGN XAGAINST HTML MAIL / \
Re: [Cooker] Postfix auth using saslauthd - pam
Am Freitag, 13. Juni 2003 09:08 schrieb Luca Berra: On Thu, Jun 12, 2003 at 11:34:04PM +0200, Luca Olivetti wrote: Postfix in 9.1 uses sasl v1, so it cannot use saslauthd. It can use pwcheck but I doubt pwcheck can use ldap. Since sasl v1 can use pam directly you can try to put in /etc/sasl/smtpd.conf (before 9.1 it would have been /usr/lib/sasl/smtpd.conf) the line do you know why postfix in cooker still uses sasl v1? anyway i just took the sources for sasl v1 and rebuild saslauthd for sasl1 (changing the socket path) and it works like charm with postfix. regards, L. because ldap uses sasl v1 and postfix is bind to ldap and it is not good to use sasl v1 libs and sasl v2 libs in one application. Martin -- H E L I X Gesellschaft für Software Engineering mbH Hanauer Landstrasse 52 Telefon (069) 4789 35-30 D-60314 Frankfurt am Main Telefax (069) 4789 35-44 http://www.helix-gmbh.net[EMAIL PROTECTED] pgp0.pgp Description: signature
Re: [Cooker] Postfix auth using saslauthd - pam
Martin Fahrendorf [EMAIL PROTECTED] writes: do you know why postfix in cooker still uses sasl v1? anyway i just took the sources for sasl v1 and rebuild saslauthd for sasl1 (changing the socket path) and it works like charm with postfix. regards, L. because ldap uses sasl v1 and postfix is bind to ldap and it is not good to use sasl v1 libs and sasl v2 libs in one application. Argh :(. Should I revert 2.0.12-2mdk change then? (pardon my lack of knowledge in postfix field..) -- Guillaume Cottenceau - http://people.mandrakesoft.com/~gc/
Re: [Cooker] Postfix auth using saslauthd - pam
Guillaume Cottenceau wrote: do you know why postfix in cooker still uses sasl v1? anyway i just took the sources for sasl v1 and rebuild saslauthd for sasl1 (changing the socket path) and it works like charm with postfix. regards, L. because ldap uses sasl v1 and postfix is bind to ldap and it is not good to use sasl v1 libs and sasl v2 libs in one application. Argh :(. Should I revert 2.0.12-2mdk change then? (pardon my lack of knowledge in postfix field..) If postfix 2.0.12-2mdk built with sasl2, that is the way it should be. Eventually all apps should be built against sasl2, and sasl1 phased-out. I would be happy to take a look at the postfix package, but am not running a cooker environment. I'm mostly 9.1 based, with a few cooker additions, and others that haven't made it in the cooker yet (Openldap 2.1.20 db41 that Oden Buchan have been working on). There was a question about (current) openldap requiring db41: From the openldap admin guide... Berkeley DB http://www.sleepycat.com/ is available from Sleepycat Software http://www.sleepycat.com/'s download page http://www.sleepycat.com/download.html. There are several versions available. At the time of this writing, the latest release, version 4.1, is recommended. This package is required if you wish to use the BDB database backend. OpenLDAP's /slapd/(8) LDBM backend supports a variety of data base managers including Berkeley DB http://www.sleepycat.com/ and GDBM http://www.gnu.org/software/gdbm/. GDBM http://www.gnu.org/software/gdbm/ is available from FSF http://www.fsf.org/'s download site ftp://ftp.gnu.org/pub/gnu/gdbm/. Thanks, S
Re: [Cooker] Postfix auth using saslauthd - pam
Luca Berra wrote: On Thu, Jun 12, 2003 at 11:34:04PM +0200, Luca Olivetti wrote: Postfix in 9.1 uses sasl v1, so it cannot use saslauthd. It can use pwcheck but I doubt pwcheck can use ldap. Since sasl v1 can use pam directly you can try to put in /etc/sasl/smtpd.conf (before 9.1 it would have been /usr/lib/sasl/smtpd.conf) the line do you know why postfix in cooker still uses sasl v1? anyway i just took the sources for sasl v1 and rebuild saslauthd for sasl1 (changing the socket path) and it works like charm with postfix. While this approach may work, I believe it to be counter productive. (We should be building apps against sasl2, not rebuilding apps already built with sasl2, for sasl1.) Cheers! S
[Cooker] Postfix auth using saslauthd - pam
I was just wondering if anyone has gotten postfix to work this way under mdk 9.1. I am getting error: postfix/smtpd[2693]: fatal: no SASL authentication mechanisms I am successfully authenticating imap (cyrus), ssh, login against an ldap backend using saslauthd pam (just can't get Postfix going). I spent most of the day reading FAQ's, searching mailing lists, and editing master.cf main.cf MANY times; but nothing seems to work. SASL: libsasl2-2.1.12-1mdk cyrus-sasl-2.1.12-1mdk libsasl2-plug-plain-2.1.12-1mdk libsasl2-devel-2.1.12-1mdk libsasl7-1.5.28-5mdk Postfix: postfix-2.0.6-1mdk Thanks, Scott .
Re: [Cooker] Postfix auth using saslauthd - pam
En/na magic ha escrit: I was just wondering if anyone has gotten postfix to work this way under mdk 9.1. I am getting error: postfix/smtpd[2693]: fatal: no SASL authentication mechanisms I am successfully authenticating imap (cyrus), ssh, login against an ldap backend using saslauthd pam (just can't get Postfix going). I Postfix in 9.1 uses sasl v1, so it cannot use saslauthd. It can use pwcheck but I doubt pwcheck can use ldap. Since sasl v1 can use pam directly you can try to put in /etc/sasl/smtpd.conf (before 9.1 it would have been /usr/lib/sasl/smtpd.conf) the line pwcheck_method:pam but that's going to work only if postfix has enough privileges to access the required files (for example, it wouldn't work if it had to access /etc/shadow). Configure /etc/pam.d/smtp to use ldap and it should work. It does for me (under 8.2) with pam_smb. Oh, under 9.1 postfix is chrooted, so it's possible that the correct sasl configuration file is /var/spool/postfix/etc/sasl/smtpd.conf instead. Bye -- Que les importa a las viudas, a los huérfanos, a los desvalidos si las masacres se hacen en nombre del totalitarismo o en el sagrado nombre de la libertad y la democracia. Mahatma Gandhi (1869 - 1948) pgp0.pgp Description: PGP signature
Re: [Cooker] Postfix auth using saslauthd - pam
Am Donnerstag, 12. Juni 2003 23:34 schrieb Luca Olivetti: En/na magic ha escrit: I was just wondering if anyone has gotten postfix to work this way under mdk 9.1. I am getting error: postfix/smtpd[2693]: fatal: no SASL authentication mechanisms I am successfully authenticating imap (cyrus), ssh, login against an ldap backend using saslauthd pam (just can't get Postfix going). I Postfix in 9.1 uses sasl v1, so it cannot use saslauthd. It can use pwcheck but I doubt pwcheck can use ldap. Since sasl v1 can use pam directly you can try to put in /etc/sasl/smtpd.conf (before 9.1 it would have been /usr/lib/sasl/smtpd.conf) the line pwcheck_method:pam but that's going to work only if postfix has enough privileges to access the required files (for example, it wouldn't work if it had to access /etc/shadow). Configure /etc/pam.d/smtp to use ldap and it should work. It does for me (under 8.2) with pam_smb. Oh, under 9.1 postfix is chrooted, so it's possible that the correct sasl configuration file is /var/spool/postfix/etc/sasl/smtpd.conf instead. Bye And beware, if you want to use pam with the shadow password, you have to copy /etc/shadow in your chroot (to /var/spool/postfix/etc/shadow). And again, the nss stuff seems to be a little bit broken in the chroot environment of postfix. So if you use nss_ldap you possibly have to copy the nss lib files manualy to /var/spool/postfix. So the best for testing is to disable the chroot stuff in postfix. If you don't run a mailserver on the internet you don't need chroot. The smtpd.conf file needs no copying to /var/spool/postfix. This file usualy is loaded before changing into the chroot dir. Oh, and if you need (or want) to authenticate against ldap, I can give you a patch for sasl v1 with ldap and running ssl enabled. BTW: you nee a sasl v1 mechanism to authenticate (all the libsasl7-plug-* rpms). without these you can not authenticate (the missing authentication mechanism error massage is from missing installed plugs). Martin -- H E L I X Gesellschaft für Software Engineering mbH Hanauer Landstrasse 52 Telefon (069) 4789 35-30 D-60314 Frankfurt am Main Telefax (069) 4789 35-44 http://www.helix-gmbh.net[EMAIL PROTECTED] pgp0.pgp Description: signature