Re: Virtual domains, SASL, PAM, LDAP

2001-04-13 Thread John C. Amodeo

Thanks to all for your help.

I finally downloaded the correct patch, and applied it to sasl.

Everything is working like a charm - 8 cyrus servers running on 1 machine, all
using the -C config option with 8 different config files, all configs pointing
to a different basedn in the ldap tree.  It doesn't get any better than this...

My next hurdle to overcome is whether to use sendmail or postfix, and which
mailer will require the least hassle to support multiple domains...I will save
this for another time.

-John

"Scot W. Hetzel" wrote:

> From: "John C. Amodeo" <[EMAIL PROTECTED]>
> > One other question to add to my previous e-mail.  Are you supposed to use
> > the "Cyrus LDAP auth patch" or the "Cyrus SASL 1.5.24 LDAP auth and mysql patch"?
> >
> Use the LDAP + MySQL patch.
>
> > If you have to use the "Cyrus SASL 1.5.24 LDAP auth and mysql patch" do
> > you have a modified version minus the mysql stuff, or is it simple enough to remove?
> >
>
> I created the LDAP + MySQL auth patch found on www.surf.org.uk to use
> compile time options [LDAP (--with-ldap), MySQL (--with-mysql)].
>
> Just compile Cyrus-SASL with "--with-ldap=/path/to/ldap --without-mysql" to
> exclude the MySQL support from being compiled into the SASL library.
>
> Scot W. Hetzel

Re: Virtual domains, SASL, PAM, LDAP

2001-04-13 Thread Scot W. Hetzel

From: "John C. Amodeo" <[EMAIL PROTECTED]>
> One other question to add to my previous e-mail.  Are you supposed to use
> the "Cyrus LDAP auth patch" or the "Cyrus SASL 1.5.24 LDAP auth and mysql patch"?
>
Use the LDAP + MySQL patch.

> If you have to use the "Cyrus SASL 1.5.24 LDAP auth and mysql patch" do
> you have a modified version minus the mysql stuff, or is it simple enough to remove?
>

I created the LDAP + MySQL auth patch found on www.surf.org.uk to use
compile time options [LDAP (--with-ldap), MySQL (--with-mysql)].

Just compile Cyrus-SASL with "--with-ldap=/path/to/ldap --without-mysql" to
exclude the MySQL support from being compiled into the SASL library.

Scot W. Hetzel

Re: Virtual domains, SASL, PAM, LDAP

2001-04-12 Thread John C. Amodeo

Sorry,

One other question to add to my previous e-mail.  Are you supposed to use the "Cyrus
LDAP auth patch" or the "Cyrus SASL 1.5.24 LDAP auth and mysql patch"?

If you have to use the "Cyrus SASL 1.5.24 LDAP auth and mysql patch" do you have a
modified version minus the mysql stuff, or is it simple enough to remove?

Thanks,
-John

"Kevin M. Myer" wrote:

> On Thu, 12 Apr 2001, John C. Amodeo wrote:
>
> > A quick question...
> >
> > We downloaded the patches from Openldap.org, but looking at the source, there are no
> > provisions to pass ldap_server or ldap_basedn.  Am I missing something here?  The
> > code in the pwcheck_ldap.c suggests that you need to hard-code the ldap information
> > in, then compile.
> >
> > We are using the latest CVS, with the -C config option, and patches found at
> > http://www.surf.org.uk/patches/index.html
> >
> > Is this the correct patch to use?  Does anyone have any advice on how to get this
> > going?  The e-mail below suggests it is pretty effortless, but all attempts we have
> > made have failed.
> >
> > Thanks,
> > -John
>
> I have it running here, although I backed out the mysql stuff from the
> surf patches.
>
> In your /etc/imapd.conf, replace
> sasl_pwcheck_method: PAM
>
> with
> sasl_pwcheck_method: ldap
>
> and add:
>
> sasl_ldap_server: 
> sasl_ldap_basedn: 
>
> Then create a separate /etc/otherimapd.conf in which you have different
> sasl_ldap_server and sasl_ldap_basedn configs.
>
> Then in /etc/cyrus.conf, for each IP address you want to listen to,
> create the following entries (replacing  with the IP address,
> although you needn't necessarily name your config files with IP
> addresses - just use something meaningful, like maybe the hostname):
>
> imap- cmd="imapd -C /etc/imap.conf"
> listen=":imap" prefork=0
>
> pop3- cmd="pop3 -C /etc/imap.conf"
> listen=":pop3" prefork=0
>
> I tested this with sendmail 11.2 and found that I also had to create
> separate lmtp sockets for each address I wanted to receive mail for - I
> simply generated two sendmail.cf files that only bound sendmail to a
> particular IP address and I hard coded the lmtp socket into the
> sendmail.mc file I used to generate the .cf file.
>
> I have this working here - two IP addresses on the same box, with one imap
> and pop3 process listening on each.
>
> Both IP addresses use SASL for authentication and I can use multiple LDAP
> servers and multiple basedns very nicely.  Mail is stored in separate
> spools for each IP address and I can have identical uids for multiple
> addresses (i.e. [EMAIL PROTECTED] and
> [EMAIL PROTECTED] both work but are separate mail boxes).
>
> Thanks much to Michael Clark for pointing out the sasl_ldap patches.  That
> definitely allows me to use Cyrus the way I want to (although I'd much
> prefer to specify multiple trees/servers in the pam_ldap config so that
> _all_ services can take advantage of this, not just cyrus and sendmail).
> Very cool.
>
> The only problem I've run into is that I probably should generate a new
> directory for sendmail's config files and databases for each instance of
> sendmail I've run but I should easily be able to create a template
> sendmail.mc and modify that for each instance.
>
> Kevin
>
> --
> Kevin M. Myer
> Systems Administrator
> Lancaster-Lebanon Intermediate Unit 13
> (717)-560-6140

Re: Virtual domains, SASL, PAM, LDAP

2001-04-12 Thread Kevin M. Myer

On Thu, 12 Apr 2001, John C. Amodeo wrote:

> A quick question...
>
> We downloaded the patches from Openldap.org, but looking at the source, there are no
> provisions to pass ldap_server or ldap_basedn.  Am I missing something here?  The
> code in the pwcheck_ldap.c suggests that you need to hard-code the ldap information
> in, then compile.
>
> We are using the latest CVS, with the -C config option, and patches found at
> http://www.surf.org.uk/patches/index.html
>
> Is this the correct patch to use?  Does anyone have any advice on how to get this
> going?  The e-mail below suggests it is pretty effortless, but all attempts we have
> made have failed.
>
> Thanks,
> -John

I have it running here, although I backed out the mysql stuff from the
surf patches.

In your /etc/imapd.conf, replace
sasl_pwcheck_method: PAM

with
sasl_pwcheck_method: ldap

and add:

sasl_ldap_server: 
sasl_ldap_basedn: 

Then create a separate /etc/otherimapd.conf in which you have different
sasl_ldap_server and sasl_ldap_basedn configs.

Then in /etc/cyrus.conf, for each IP address you want to listen to,
create the following entries (replacing  with the IP address,
although you needn't necessarily name your config files with IP
addresses - just use something meaningful, like maybe the hostname):

imap- cmd="imapd -C /etc/imap.conf"
listen=":imap" prefork=0

pop3- cmd="pop3 -C /etc/imap.conf"
listen=":pop3" prefork=0

I tested this with sendmail 11.2 and found that I also had to create
separate lmtp sockets for each address I wanted to receive mail for - I
simply generated two sendmail.cf files that only bound sendmail to a
particular IP address and I hard coded the lmtp socket into the
sendmail.mc file I used to generate the .cf file.

I have this working here - two IP addresses on the same box, with one imap
and pop3 process listening on each.

Both IP addresses use SASL for authentication and I can use multiple LDAP
servers and multiple basedns very nicely.  Mail is stored in separate
spools for each IP address and I can have identical uids for multiple
addresses (i.e. [EMAIL PROTECTED] and
[EMAIL PROTECTED] both work but are separate mail boxes).

Thanks much to Michael Clark for pointing out the sasl_ldap patches.  That
definitely allows me to use Cyrus the way I want to (although I'd much
prefer to specify multiple trees/servers in the pam_ldap config so that
_all_ services can take advantage of this, not just cyrus and sendmail).
Very cool.

The only problem I've run into is that I probably should generate a new
directory for sendmail's config files and databases for each instance of
sendmail I've run but I should easily be able to create a template
sendmail.mc and modify that for each instance.

Kevin

-- 
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717)-560-6140

Re: Virtual domains, SASL, PAM, LDAP

2001-04-12 Thread John C. Amodeo

A quick question...

We downloaded the patches from Openldap.org, but looking at the source, there are no
provisions to pass ldap_server or ldap_basedn.  Am I missing something here?  The
code in the pwcheck_ldap.c suggests that you need to hard-code the ldap information
in, then compile.

We are using the latest CVS, with the -C config option, and patches found at
http://www.surf.org.uk/patches/index.html

Is this the correct patch to use?  Does anyone have any advice on how to get this
going?  The e-mail below suggests it is pretty effortless, but all attempts we have
made have failed.

Thanks,
-John

> you could always use the sasl_ldap patches and assuming each of your imapd's has
> a separate imapd.conf (the link is somewhere in the openldap.org faq-o-matic)
>
> in the imapd.conf for someplace.com
>
> sasl_pwcheck_method: ldap
> sasl_ldap_server: ldap.ofs.edu.sg
> sasl_ldap_basedn: ou=people,dc=someplace,dc=com
>
> in the imapd.conf for someotherplace.com
>
> sasl_pwcheck_method: ldap
> sasl_ldap_server: ldap.ofs.edu.sg
> sasl_ldap_basedn: ou=people,dc=someotherplace,dc=com
>
> etc, etc.
>
> I have this working successfully with cyrus-imapd 2.0.12

RE: Virtual domains, SASL, PAM, LDAP

2001-04-05 Thread Michael Clark

> But with Cyrus, I need to somehow pass information up the stack pertaining
> to the IP address the request came from.  In turn, with a pam_ldap module
> that is IP-address aware, I can switch directory trees based on IP-address
> and I think my problem will be solved.
>
> In other words, say I have two imap sockets listening: 172.0.0.1:143 and
> 172.0.0.2:143, both for different domains.  A request comes in on
> 172.20.0.1.  SASL would grab the IP address of the local end of the
> connection and pass that to PAM, along with the user id and password.
> Then, the pam_ldap module would first check its config file to see what
> LDAP tree to use for that IP address, then do it search and return.
> Currently, the config file for pam_ldap is /etc/ldap.conf and it has
> directives like:

you could always use the sasl_ldap patches and assuming each of your imapd's has
a separate imapd.conf (the link is somewhere in the openldap.org faq-o-matic)

in the imapd.conf for someplace.com

sasl_pwcheck_method: ldap
sasl_ldap_server: ldap.ofs.edu.sg
sasl_ldap_basedn: ou=people,dc=someplace,dc=com

in the imapd.conf for someotherplace.com

sasl_pwcheck_method: ldap
sasl_ldap_server: ldap.ofs.edu.sg
sasl_ldap_basedn: ou=people,dc=someotherplace,dc=com

etc, etc.

I have this working successfully with cyrus-imapd 2.0.12
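An added consistency check, not posted by anyone in this thread, that ties Kevin's per-address cyrus.conf entries (one `-C` config per listening IP) to Michael's per-domain imapd.conf files: it parses both and flags an instance that was never switched from PAM to `sasl_pwcheck_method: ldap`, one with no `sasl_ldap_basedn`, or two addresses that authenticate against the same basedn (so one domain's users could log in to the other's listener). All hostnames, addresses and file paths in the sample are constructed.

```python
import re
import shlex

# Matches Kevin's two-line entries (cmd= on one line, listen= on the next) as well.
SERVICE_RE = re.compile(r'(\S+)\s+cmd="([^"]*)"\s+listen="([^"]*)"')

def parse_cyrus_services(text):
    """Yield (service_name, imapd_conf_path, listen_ip) for each cyrus.conf entry."""
    for name, cmd, listen in SERVICE_RE.findall(text):
        argv = shlex.split(cmd)
        # -C names the per-instance config; without it imapd reads /etc/imapd.conf
        conf = argv[argv.index("-C") + 1] if "-C" in argv else "/etc/imapd.conf"
        yield name, conf, listen.rsplit(":", 1)[0]

def parse_imapd_conf(text):
    """Parse the 'key: value' lines of an imapd.conf, skipping # comment lines."""
    lines = (l for l in text.splitlines() if ":" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in (l.partition(":") for l in lines)}

def audit(cyrus_conf, imapd_confs):
    """Return findings; an empty list means every listening address has its own tree."""
    findings, ips_by_basedn = [], {}
    for name, conf, ip in parse_cyrus_services(cyrus_conf):
        opts = parse_imapd_conf(imapd_confs.get(conf, ""))
        if opts.get("sasl_pwcheck_method", "").lower() != "ldap":
            findings.append(f"{name}: {conf} lacks sasl_pwcheck_method: ldap, so the host-wide PAM tree applies")
        elif not opts.get("sasl_ldap_basedn"):
            findings.append(f"{name}: {conf} sets no sasl_ldap_basedn")
        else:
            ips_by_basedn.setdefault(opts["sasl_ldap_basedn"].lower(), set()).add(ip)
    for basedn, ips in ips_by_basedn.items():
        if len(ips) > 1:  # two addresses, one tree: each domain's users can log into the other
            findings.append(f"{basedn}: shared by addresses {sorted(ips)}")
    return findings

# Constructed sample in Kevin's cyrus.conf layout (names, IPs and paths are made up):
# the second imapd.conf copy-pasted the first one's basedn, the third is still on PAM.
CYRUS_CONF = """
imap-someplace cmd="imapd -C /etc/imapd-someplace.conf"
listen="172.0.0.1:imap" prefork=0
imap-someotherplace cmd="imapd -C /etc/imapd-someotherplace.conf"
listen="172.0.0.2:imap" prefork=0
imap-legacy cmd="imapd -C /etc/imapd-legacy.conf"
listen="172.0.0.3:imap" prefork=0
"""
IMAPD_CONFS = {
    "/etc/imapd-someplace.conf": "sasl_pwcheck_method: ldap\nsasl_ldap_basedn: ou=people,dc=someplace,dc=com\n",
    "/etc/imapd-someotherplace.conf": "sasl_pwcheck_method: ldap\nsasl_ldap_basedn: ou=people,dc=someplace,dc=com\n",
    "/etc/imapd-legacy.conf": "sasl_pwcheck_method: PAM\n",
}
```

Run `audit(CYRUS_CONF, IMAPD_CONFS)` to get the two findings for the sample; feed it the real `/etc/cyrus.conf` text and a dict of the `-C` files' contents to check a live box.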