[Network Administration] : OpenLDAP and SASL Passthrough

I needed to get the SASL passthrough working since I have some things that need to bind to the LDAP server. Specifically, I need to be able to authenticate to my Synology NAS with my LDAP account. Till now, I’ve just used NFS permissions to mount the shares to the system (mainly using the automounter getting the information from the LDAP server). If I need to allow clients to bind to the LDAP server as authentication, then I’ll need to have access to the password. I store my passwords in the Kerberos KDC, but I can have LDAP pass the authentication through to a SASL backend instead of storing the passwords locally in the directory.
Continue reading “[Network Administration] : OpenLDAP and SASL Passthrough”


[Network Administration] : Kerberized IMAP

To go with the Kerberized Postfix that I’ve put in place, I also added Kerberized IMAP to it as well. This will allow me to authenticate the IMAP server with my Kerberos tickets. This works similarly. I’m using Carnegie Mellon’s Cyrus IMAP server (although CMU has migrated all of it’s accounts over to Google since). The Cyrus server supports GSSAPI natively, and other mechanisms through their SASL implementation. Using GSSAPI, I can now connect from my mail client and access my IMAP mailbox using my already granted ticket.
Continue reading “[Network Administration] : Kerberized IMAP”

[Network Administration] : Kerberized Postfix

I updated my mail server and connected this into the kerberized system that was put in place earlier. Previously I had my mail accounts defined in a MYSQL database, which worked alright, but was really more of a hassle since any password changes needed to be done both in the system, and in the mysql database which was used by postfix. Either I had a single password, and needed to update both databases if it was changed, or I had to let them diverge. I’ll need an authentication mechanism so that I can submit mail from the mail client (MUA) for delivery. This time, I connected postfix, which I use as my MTA, to the Kerberos server to do the authentication. Postfix supports SASL mechanisms for authentication and can use it for both GSSAPI and PLAIN authentication against the Kerberos system. The postfix website has a whole page describing use of SASL with Postfix. I used Cyrus SASL from Carnegie Mellon University to do the authentication.
Continue reading “[Network Administration] : Kerberized Postfix”