saslauthd methods ldap and pam missing #132

Open
Tipsmark opened this issue Jul 25, 2023 · 4 comments

@Tipsmark

hi - is it possible to add ldap and pam auth methods for saslauthd?

```
saslauthd 2.1.28
authentication mechanisms: sasldb getpwent kerberos5 rimap shadow httpform
```

see: https://linux.die.net/man/8/saslauthd

@bokysan
Owner

bokysan commented Oct 27, 2023

Most likely, yes.

Can you explain your use case a bit more, so I know how to test? Or even share a pull request?

@thielj

thielj commented Apr 17, 2024

For the Debian image, saslauthd already comes with support for PAM and LDAP.

For PAM (the default), it would pass the plaintext password for further verification. For LDAP, it can retrieve hashed passwords to verify plaintext logins. The Postfix SASL_README was probably updated 20+ years ago. See saslauthd LDAP setup and options instead.

Note that saslauthd expects LDAP options in /etc/saslauthd.conf and maybe some extra considerations for a chroot jail.

To verify:

```
# cat /etc/debian_version
12.5
# saslauthd -v
saslauthd 2.1.28
authentication mechanisms: sasldb getpwent kerberos5 pam rimap shadow ldap
# grep ^MECHANISMS= /etc/default/saslauthd
MECHANISMS="pam"
# cat /etc/saslauthd.conf
cat: /etc/saslauthd.conf: No such file or directory
```

There is also a separate ldapdb.c auxprop plugin (libsasl2-modules-ldap, 75kB).

You could also add the sql.c auxprop plugin to verify plaintext passwords against MySQL/MariaDB, PostgreSQL and SQLite (libsasl2-modules-sql, 1602kB).

See also https://www.cyrusimap.org/sasl/sasl/options.html#sasl-library


For Alpine, the most sensible approach would be building saslauthd from scratch. Although, my guess is, someone wanting to use LDAP (or SQL) for authentication is probably not fussed about the few extra bytes of the Debian image.


For setting up a simple test, have a look at https://github.com/glauth/glauth
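
The verification steps in the comment above can be scripted as a preflight check; this is an added example, not code from the thread or from the project. The function names and return codes are assumptions of this example, and the two sample listings are the `saslauthd -v` outputs quoted in this thread.

```shell
#!/bin/sh
# Added example. Function names and return codes are this example's own.
# Both sample outputs are the `saslauthd -v` listings quoted in this thread.
ISSUE_V='saslauthd 2.1.28
authentication mechanisms: sasldb getpwent kerberos5 rimap shadow httpform'
DEBIAN_V='saslauthd 2.1.28
authentication mechanisms: sasldb getpwent kerberos5 pam rimap shadow ldap'

# mech_compiled_in VERSION_OUTPUT MECH
# Succeeds only if MECH is a whole word on the "authentication mechanisms:" line.
mech_compiled_in() {
    [ -n "$2" ] || return 1
    printf '%s\n' "$1" |
        sed -n 's/^authentication mechanisms://p' |
        tr -s ' ' '\n' |
        grep -qxF -- "$2"
}

# configured_mech DEFAULTS_TEXT
# Prints the value of the last uncommented MECHANISMS= line, quotes stripped.
configured_mech() {
    printf '%s\n' "$1" |
        sed -n 's/^MECHANISMS="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' |
        tail -n 1
}

# preflight VERSION_OUTPUT DEFAULTS_TEXT CONF_PATH
# 0 = usable, 1 = mechanism not compiled in, 2 = ldap selected but
# CONF_PATH unreadable, 3 = no MECHANISMS= setting found.
preflight() {
    mech=$(configured_mech "$2")
    [ -n "$mech" ] || return 3
    mech_compiled_in "$1" "$mech" || return 1
    if [ "$mech" = ldap ] && [ ! -r "$3" ]; then
        return 2
    fi
    return 0
}

# Demo on the quoted outputs with MECHANISMS="ldap" (a constructed setting).
# On a real host pass "$(saslauthd -v 2>&1)" and "$(cat /etc/default/saslauthd)".
for v in "$ISSUE_V" "$DEBIAN_V"; do
    preflight "$v" 'MECHANISMS="ldap"' /etc/saslauthd.conf &&
        echo "preflight ok" || echo "preflight failed, code $?"
done
```

Running the check at container start makes a build without the requested mechanism, or an `ldap` setting without a readable `/etc/saslauthd.conf`, fail loudly instead of surfacing later as rejected SMTP logins.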

@bokysan
Owner

bokysan commented Apr 17, 2024

@thielj Thank you so much for this explanation.

Frankly I'm torn if adding this to alpine image would even be worth the effort. If you're authenticating against a third-party system, that sounds like a big stretch over what this project was initially designed to do.

I might be willing to consider a pull request if it doesn't increase build time of the Alpine image considerably.

@thielj

thielj commented Apr 17, 2024

I stopped maintaining a full postfix with LDAP support 15+ years ago - and I don't plan to go back. You might want to add the two plugins to the Debian image though. It wouldn't make a big difference in size.
