Alternative SASL LDAP auxprop for cleartext passwords in configurable attribute
===============================================================================

Version 1.2.1:
  You may use these replacements in the LDAP search string now:
    %s: username
    %r: user supplied realm
    %h: Server hostname requesting SASL auth.

Version 1.2:
  gl_attribute removed
  Retrieve all attributes asked, including binary ones

Version 1.1:
  Bugfix: syslog dumped core if config file not defined, added NULL checks.

Version 1.0, initial version

WARNING. When using userPassword (and not cmusaslsecret*), make sure you
connect via SSL/TLS to your LDAP server, as passwords are sent over the wire.

To build this auxprop, you have to have:

 * a complete cyrus sasl 2.1.22 source tree, already configured with all
   Makefiles present
 * OpenLDAP libraries and include files with OpenSSL support
 * OpenSSL

Unpack the source distribution and you will see these files:

-rwxr-xr-x 1 root root  765 Jun 20 21:25 compile
-rw-r--r-- 1 root root 5523 Jun 20 20:15 giengerldap.c
-rw-r--r-- 1 root root  637 Jun 20 20:15 giengerldap_init.c
-rw-r--r-- 1 root root 1447 Jun 20 21:25 Makefile
-rw-r--r-- 1 root root  807 Jun 20 21:24 Makefile.tmpl

Edit the shell script "compile". The first two lines are configurable:

  CYRUSSASLPATH=/var/home/pascal/src/cyrus-sasl-2.1.22
  LDAPLIBS="-llber -lldap -lcrypto -lssl"

CYRUSSASLPATH is the complete path to your cyrus sasl build tree. You have to
have configured this source tree with "./configure" already, and don't forget
to set the openldap options.

LDAPLIBS are the libraries needed to link OpenLDAP. Use "-lcrypto -lssl" if
you have OpenSSL-enabled OpenLDAP libraries. This is recommended, as
passwords are sent over the wire!

After you did that, just type "./compile" or "sh compile". It should produce
output similar to this:

# ./compile
/var/home/pascal/src/cyrus-sasl-2.1.22/libtool --mode=compile gcc -Wall -W -g -O2 -c -I/var/home/pascal/src/cyrus-sasl-2.1.22/include -I/var/home/pascal/src/cyrus-sasl-2.1.22/lib -I/var/home/pascal/src/cyrus-sasl-2.1.22/sasldb -I/var/home/pascal/src/cyrus-sasl-2.1.22/plugins/include [... rest omitted ...]
/var/home/pascal/src/cyrus-sasl-2.1.22/libtool --mode=link gcc -module -export-dynamic -rpath /usr/local/bastion/lib/sasl2 -L/usr/local/bastion/lib -R/usr/local/bastion/lib -L/usr/local/bastion/lib -L/usr/local/lib -L/usr/sfw/lib -R/usr/local/bastion/lib -R/usr/local/lib -R/usr/sfw/lib -llber -lldap -lcrypto -lssl -version-info 2:22:0 \
  giengerldap.lo giengerldap_init.lo /var/home/pascal/src/cyrus-sasl-2.1.22/plugins/plugin_common.lo -o libgiengerldap.la
mkdir .libs
(cd . && ln -s giengerldap.lo giengerldap.o)
(cd . && ln -s giengerldap_init.lo giengerldap_init.o)
/usr/ccs/bin/ld -G -h libgiengerldap.so.2 -o .libs/libgiengerldap.so.2.0.22 giengerldap.lo giengerldap_init.lo /var/home/pascal/src/cyrus-sasl-2.1.22/plugins/plugin_common.lo -L/usr/local/bastion/lib -L/usr/local/lib -L/usr/sfw/lib -llber -lldap -lcrypto -lssl -lc
(cd .libs && rm -f libgiengerldap.so.2 && ln -s libgiengerldap.so.2.0.22 libgiengerldap.so.2)
(cd .libs && rm -f libgiengerldap.so && ln -s libgiengerldap.so.2.0.22 libgiengerldap.so)
creating libgiengerldap.la
(cd .libs && rm -f libgiengerldap.la && ln -s ../libgiengerldap.la libgiengerldap.la)

Type "make install" to install the auxprop. It will put the plugin in your
sasl2 plugins dir (you defined it when configuring your cyrus sasl source
tree!).

Example:
--------

To use this plugin with Postfix, go to your sasl2 plugin directory (where all
the sasl2 modules are located, such as libcrammd5.so, libdigestmd5.so, and our
new ldap auxprop plugin, ...) and set up a file named "smtpd.conf":

  auxprop_plugin: giengerldap
  gl_uri: ldaps://mycuteldapserver.mydomain
  gl_basedn: o=myorganization,c=DE
  gl_binddn: cn=smtpauth,o=myorganization,c=DE
  gl_bindpw: mysuperpassword
  gl_search: (|(uid=%s)(mail=%s@southbrain.com))

 * gl_uri: The LDAP URI of your ldap server
 * gl_basedn: The base DN used for your search request
 * gl_binddn: The LDAP user you use to bind to the directory
 * gl_bindpw: The password for binding that user
 * gl_search: The RFC LDAP filter to select the appropriate DN from which the
   password is read. Jokers:
     %s: username
     %r: user supplied realm
     %h: Server FQDN (hostname) requesting SASL auth.

Feel free to write your comments to: pascal@southbrain.com
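The jokers in gl_search are substituted into the filter before the directory is searched. As an added example (not the plugin's own code; `expand_gl_search` and `filter_escape` are hypothetical names), here is that expansion with every substituted value escaped as RFC 4515 requires, the check a defender wants so that a username or realm containing filter metacharacters is matched literally and cannot change which entry the search returns.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the plugin's own code: expand the gl_search jokers
 * (%s username, %r user-supplied realm, %h server hostname) and escape each
 * substituted value per RFC 4515 so '*', '(', ')' and '\' are matched
 * literally instead of changing the filter's structure. */
static int filter_escape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;                          /* bytes written so far */
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            if (n + 3 >= outlen) return -1;
            snprintf(out + n, outlen - n, "\\%02x", (unsigned)c);  /* '*' -> \2a */
            n += 3;
        } else {
            if (n + 1 >= outlen) return -1;
            out[n++] = (char)c;
        }
    }
    out[n] = '\0';
    return (int)n;                         /* -1 above means `out` was too small */
}
/* Expand `tmpl` into `out`; a NULL realm or host counts as an empty string.
 * Returns 0 on success, -1 on an unknown joker or when `out` is too small. */
int expand_gl_search(const char *tmpl, const char *user, const char *realm,
                     const char *host, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0) return -1;
    for (const char *p = tmpl; *p; p++) {
        const char *val; int w;
        if (*p != '%') {                   /* literal filter text is copied as-is */
            if (n + 1 >= outlen) return -1;
            out[n++] = *p;
            continue;
        }
        switch (*++p) {                    /* the character after the '%' */
        case 's': val = user;  break;
        case 'r': val = realm; break;
        case 'h': val = host;  break;
        default:  return -1;               /* unknown joker, or '%' ends the template */
        }
        if ((w = filter_escape(val ? val : "", out + n, outlen - n)) < 0) return -1;
        n += (size_t)w;
    }
    out[n] = '\0';
    return 0;
}
```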