Sentinare    

Getting Postfix+Cyrus-sasl2 to use LDAP for the authentication mechanism

by Chris Paul
  1. Install & configure postfix-2.0.13p0.tls0.8.14-pcre-sasl2-ldap-tls.tgz
  2. Install & configure openldap-server-2.0.27.tgz. Must include the "misc.schema"
  3. Modify the CONFIGURE_ARGS & CFLAGS parameters in /usr/ports/security/cyrus-sasl2/Makefile:
    CONFIGURE_ARGS+=        --with-saslauthd="/var/sasl2" \
                            --with-staticsasl \
                            --with-dblib=ndbm \
                            --without-bdb-libdir \
                            --without-bdb-incdir \
                            --enable-login \
                            --with-ldap \
                            --disable-sample
    CFLAGS+=                -I/usr/local/include
  4. Remove these two lines from the file: /usr/ports/security/cyrus-sasl2/pkg/PFRAG.shared:
    lib/sasl2/libgssapiv2.so.2.13
    lib/sasl2/libanonymous.so.2.13
  5. Remove these lines from the file: /usr/ports/security/cyrus-sasl2/pkg/PLIST:
    lib/sasl2/libanonymous.a
    lib/sasl2/libanonymous.la
    lib/sasl2/libgssapiv2.a
    lib/sasl2/libgssapiv2.la
  6. Make the package:
    $ make
    $ make install
  7. Create a file: /etc/saslauthd.conf with the following contents:
    ldap_servers: ldap://ldap.sentinare.net/
    ldap_auth_method: custom
    ldap_bind_dn: cn=Manager,dc=sentinare,dc=net
    ldap_bind_pw: test123
    ldap_search_base: ou=People,dc=sentinare,dc=net
  8. Create a file:  /usr/local/lib/sasl2/smtpd.conf:
    pwcheck_method: saslauthd
    mech_list: plain login
  9. Configure your users in LDAP with uid and userPassword attributes.
  10. Start saslauthd:
    # /usr/local/sbin/saslauthd -a ldap -O /etc/saslauthd.conf
  11. Create the socket link:
    # ln -f /var/sasl2/mux /var/spool/postfix/var/sasl2/mux
  12. Settings needed in /etc/postfix/main.cf:
    smtpd_recipient_restrictions = permit_sasl_authenticated
    smtpd_sasl_auth_enable = yes 
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain =
    broken_sasl_auth_clients = yes
    smtpd_sender_login_maps = hash:/etc/postfix/smtpd_sender_login_maps
  13. Edit the /etc/postfix/smtpd_sender_login_maps file (one line per address/user pair):
    chris.paul@sentinare.net        cpaul
    cp@teamrci.net  cpaul
  14. Make sender map database:
    # postmap /etc/postfix/smtpd_sender_login_maps
    (NOTE: It is possible to move this map to LDAP as well. There was a recent thread on the Postfix users list detailing how.)
  15. Refresh Postfix:
    # postfix reload
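The following is an added worked example, not part of the original write-up, that models the two pieces of the setup above which decide who may send as whom: the login name a PLAIN/LOGIN client presents (step 8), which is what saslauthd checks against the LDAP uid/userPassword entries of step 9 and what smtpd records as the SASL login name, and the smtpd_sender_login_maps table of step 13, which Postfix enforces through its reject_sender_login_mismatch restriction. The map contents (the two lines from step 13 plus one constructed shared entry), the AUTH PLAIN response and the password in it are constructed samples; the function names are this example's own.

```python
"""
Added example (not from the original page): how the SASL login name from an
AUTH PLAIN exchange is matched against smtpd_sender_login_maps, using the
ownership rule documented for Postfix's reject_sender_login_mismatch.
"""
import base64

# Constructed sample of /etc/postfix/smtpd_sender_login_maps: the two lines
# from step 13 plus one shared address owned by two logins (Postfix accepts a
# comma- or space-separated list of owners on the right-hand side).
SENDER_LOGIN_MAP_TEXT = """\
chris.paul@sentinare.net        cpaul
cp@teamrci.net  cpaul
# constructed extra entry: either login may send as postmaster
postmaster@sentinare.net        cpaul, helpdesk
"""

# Constructed AUTH PLAIN initial response: base64(authzid NUL authcid NUL passwd)
# with an empty authzid, the login cpaul and a made-up password.
SAMPLE_PLAIN_RESPONSE = base64.b64encode(b"\0cpaul\0sample-pass").decode("ascii")


def parse_sender_login_map(text):
    """Parse postmap-style 'address  owner[, owner...]' lines.

    Returns {address: {owner, ...}}.  Blank lines and '#' comments are
    skipped; addresses are lower-cased because Postfix address lookups are
    case-insensitive.
    """
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'address owner', got {line!r}")
        address, owners = parts
        table[address.lower()] = set(owners.replace(",", " ").split())
    return table


SENDER_LOGIN_TABLE = parse_sender_login_map(SENDER_LOGIN_MAP_TEXT)


def parse_auth_plain(initial_response_b64):
    """Decode an RFC 4616 PLAIN response into (authzid, authcid, password).

    The client sends the three fields NUL-separated and base64-encoded.
    base64 is an encoding, not protection, which is why a PLAIN/LOGIN
    mech_list belongs behind TLS.  The authcid is the name saslauthd
    verifies against LDAP and the name smtpd later compares with the map.
    """
    raw = base64.b64decode(initial_response_b64, validate=True)
    fields = raw.split(b"\0")
    if len(fields) != 3:
        raise ValueError("malformed PLAIN response: expected 3 NUL-separated fields")
    authzid, authcid, password = (f.decode("utf-8") for f in fields)
    if not authcid or not password:
        raise ValueError("PLAIN response with empty authcid or password")
    return authzid, authcid, password


def sender_login_mismatch(table, sasl_login, mail_from):
    """True when reject_sender_login_mismatch would reject the transaction.

    Rule as documented for that Postfix restriction: reject if the MAIL FROM
    address has an owner in the map but the client is not logged in as that
    owner, or if the client is logged in but does not own the address.
    sasl_login is None for an unauthenticated client.  The null sender (<>)
    is not modelled in this example.
    """
    owners = table.get(mail_from.lower())
    if owners is not None:
        return sasl_login is None or sasl_login not in owners
    return sasl_login is not None


def check_mail_from(table, plain_response_b64, mail_from):
    """Tie the two steps together: extract the login from the PLAIN response
    (saslauthd/LDAP would verify the password), then apply the ownership
    check.  Returns 'accept' or 'reject'."""
    _authzid, login, _password = parse_auth_plain(plain_response_b64)
    return "reject" if sender_login_mismatch(table, login, mail_from) else "accept"


if __name__ == "__main__":
    for sender in ("chris.paul@sentinare.net", "cp@teamrci.net",
                   "Postmaster@Sentinare.net", "someone@example.org"):
        verdict = check_mail_from(SENDER_LOGIN_TABLE, SAMPLE_PLAIN_RESPONSE, sender)
        print(f"{sender:28} -> {verdict}")
```

Two things the example makes visible that the step list does not: the map from step 13 has no effect until reject_sender_login_mismatch is listed in one of the smtpd restriction lists, and an smtpd_recipient_restrictions list consisting only of permit_sasl_authenticated (step 12) never rejects anything by itself; reject_unauth_destination, normally placed after permit_mynetworks and permit_sasl_authenticated, is the restriction that refuses relaying to non-local destinations. Because PLAIN and LOGIN carry the password as base64 rather than under any protection, the mech_list in step 8 is only safe when the SMTP session is wrapped in TLS.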