[Network Administration] : OpenLDAP and SASL Passthrough

I needed to get the SASL passthrough working since I have some things that need to bind to the LDAP server. Specifically, I need to be able to authenticate to my Synology NAS with my LDAP account. Till now, I’ve just used NFS permissions to mount the shares to the system (mainly using the automounter getting the information from the LDAP server). If I need to allow clients to bind to the LDAP server as authentication, then I’ll need to have access to the password. I store my passwords in the Kerberos KDC, but I can have LDAP pass the authentication through to a SASL backend instead of storing the passwords locally in the directory.
Continue reading “[Network Administration] : OpenLDAP and SASL Passthrough”

Advertisements

[Network Administration] : Postfix and LDAP recipients

Given that I’ve already put my addresses into the LDAP directory, I’m going to use that to pull my recipients for local delivery. There is information on the Postfix website, here and here.

Appropriate section of /etc/postfix/main.cf

# DELIVERY CONFIGURATION
#
# all main to the domain is slated for local delivery
mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost
# Set aliases to the postfix configuration directory
alias_maps = hash:${config_directory}/aliases
alias_database = hash:${config_directory}/aliases
# Local recipients are stored in ldap
# Alias maps also needs to be added here to accept mail for aliases locally
local_recipient_maps = ldap:${config_directory}/ldap-recipients.cf $alias_maps

The file ldap-recipients.cf file has the information to connect to the LDAP server.

server_host = <SERVER>
search_base = ou=users,dc=example,dc=com
version = 3
query_filter = mail=%s
result_attribute = uid
start_tls = yes
tls_require_cert = yes
tls_ca_cert_file = <CA certificate chain>

We require the verification of the LDAP certificate, so we need to specify the certificate chain.

[Network Administration] : Kerberized IMAP

To go with the Kerberized Postfix that I’ve put in place, I also added Kerberized IMAP to it as well. This will allow me to authenticate the IMAP server with my Kerberos tickets. This works similarly. I’m using Carnegie Mellon’s Cyrus IMAP server (although CMU has migrated all of it’s accounts over to Google since). The Cyrus server supports GSSAPI natively, and other mechanisms through their SASL implementation. Using GSSAPI, I can now connect from my mail client and access my IMAP mailbox using my already granted ticket.
Continue reading “[Network Administration] : Kerberized IMAP”

[Network Administration] : Kerberized Postfix

I updated my mail server and connected this into the kerberized system that was put in place earlier. Previously I had my mail accounts defined in a MYSQL database, which worked alright, but was really more of a hassle since any password changes needed to be done both in the system, and in the mysql database which was used by postfix. Either I had a single password, and needed to update both databases if it was changed, or I had to let them diverge. I’ll need an authentication mechanism so that I can submit mail from the mail client (MUA) for delivery. This time, I connected postfix, which I use as my MTA, to the Kerberos server to do the authentication. Postfix supports SASL mechanisms for authentication and can use it for both GSSAPI and PLAIN authentication against the Kerberos system. The postfix website has a whole page describing use of SASL with Postfix. I used Cyrus SASL from Carnegie Mellon University to do the authentication.
Continue reading “[Network Administration] : Kerberized Postfix”