290875: Postfix ldap_table authenticate to LDAP using GSSAPI or EXTERNAL

  • Eric McCorkle
    Jan 21, 2013
      Hello,

      I am trying to set up an LDAP-based alias table, and I want postfix to
      authenticate to LDAP using a Kerberos service principal, or at least
      using the EXTERNAL method (SSL certificate authentication).

      The ldap-aliases.cf file looks like this (domains and realms changed):

      server_host = ldap://ldap.example.com/
      search_base = ou=people,dc=metricspace,dc=net
      version = 3
      bind = sasl
      sasl_mechs = EXTERNAL
      sasl_realm = EXAMPLE.COM
      scope = sub
      query_filter = mail=%s
      result_attribute = maildrop
      start_tls = yes
      tls_ca_cert_file = /etc/ssl/certs/ca-cert.pem
      tls_cert = /etc/ssl/certs/host-cert.pem
      tls_key = /etc/ssl/private/host-key.pem
      tls_require_cert = yes

      master.cf looks like this:

      smtp inet n - n - - smtpd
      smtps inet n - n - - smtpd
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      pickup fifo n - n 60 1 pickup
      cleanup unix n - n - 0 cleanup
      qmgr fifo n - n 300 1 qmgr
      tlsmgr unix - - n 1000? 1 tlsmgr
      rewrite unix - - n - - trivial-rewrite
      bounce unix - - n - 0 bounce
      defer unix - - n - 0 bounce
      trace unix - - n - 0 bounce
      verify unix - - n - 1 verify
      flush unix n - n 1000? 0 flush
      proxymap unix - - n - - proxymap
      proxywrite unix - - n - 1 proxymap
      smtp unix - - n - - smtp
      relay unix - - n - - smtp
      showq unix n - n - - showq
      error unix - - n - - error
      retry unix - - n - - error
      discard unix - - n - - discard
      local unix - n n - - local
      virtual unix - n n - - virtual
      lmtp unix - - n - - lmtp
      anvil unix - - n - 1 anvil
      scache unix - - n - 1 scache


      Interestingly, postalias works fine with this setup, but when I start
      postfix, it complains as follows:

      postfix/local[82350]: warning: dict_ldap_set_tls_options: Unable to allocate new TLS context -1: Can't contact LDAP server
      postfix/postmap[44248]: fatal: table ldap:/usr/local/etc/postfix/ldap/ldap-aliases.cf: query error: Bad file descriptor

      Interestingly, postalias run from the command line seems to work just
      fine. More interestingly, using an ldap-based local_recipients_maps
      seems to work just fine, but alias_maps fails as described.


      The keys and the keytables are both accessible by the postfix user.
      This leads me to believe that it's either something subtle wrong with
      the file permissions, or there's a bug in postfix.

      There is a new feature in MIT Kerberos which allows a client key table
      to be set (via the KRB5_CLIENT_KTNAME environment variable), which will
      be used to automatically update and refresh the credentials cache. When
      I set this to point to a key table and update ldap-aliases.cf to use
      GSSAPI, postalias works, and the credentials cache gets updated, but the
      postfix daemon fails in the same way.


      My version is 2.4.9, installed as a FreeBSD port, and I am using OpenSSL
      (i.e. *not* GnuTLS).


      Thanks,
      Eric
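The post above boils down to two questions a practitioner would want to answer before suspecting a Postfix bug: is the ldap_table configuration internally consistent for a SASL EXTERNAL or GSSAPI bind, and can the unprivileged daemon user actually open the key, certificate, CA file and keytab once every parent directory's permissions are taken into account. The helper below is an added example written for this thread; it is not Postfix code and not something the poster ran. It never contacts an LDAP server: it parses the same `key = value` format Postfix uses for the .cf file, applies a few consistency rules drawn from ldap_table(5), and does a mode-bit walk of the file paths for a given uid and group list. The sample configuration is constructed from the settings posted above, with example hosts and paths; `env`, when passed to `check_sasl_table`, is assumed to be the environment the daemon really runs with, which for Postfix is only what main.cf's `import_environment` lets master(8) pass through, not whatever a shell exported before `postalias` was run.

```python
"""Checks for a Postfix ldap_table .cf that binds with bind = sasl (EXTERNAL or GSSAPI).
Hypothetical helper written for this thread, not Postfix code; it never contacts LDAP."""
import os
import stat
from typing import Dict, Iterable, List, Optional

# Constructed sample built from the settings posted above (hosts and paths are examples).
SAMPLE_CF = """\
server_host = ldap://ldap.example.com/
version = 3
bind = sasl
sasl_mechs = EXTERNAL
start_tls = yes
tls_ca_cert_file = /etc/ssl/certs/ca-cert.pem
tls_cert = /etc/ssl/certs/host-cert.pem
tls_key = /etc/ssl/private/host-key.pem
tls_require_cert = yes
"""


def parse_ldap_cf(text: str) -> Dict[str, str]:
    """Parse Postfix 'key = value' lines; blank lines and '#' comments are skipped."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"not a key = value line: {raw!r}")
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def check_sasl_table(cfg: Dict[str, str], env: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the problems found in a bind = sasl table; an empty list means consistent.
    env, if given, must be the daemon's real environment: master(8) passes through only
    the variables listed in import_environment, not whatever a shell exported."""
    problems: List[str] = []
    if cfg.get("bind", "").lower() != "sasl":
        return ["bind is not 'sasl'; nothing to check"]
    if cfg.get("version", "2") != "3":  # ldap_table(5) default is 2; SASL needs LDAPv3
        problems.append("SASL binds need LDAPv3: set version = 3")
    mechs = {m.upper() for m in cfg.get("sasl_mechs", "").split()}  # space-separated list
    if not mechs:
        problems.append("bind = sasl but sasl_mechs is empty")
    host = cfg.get("server_host", "")
    over_tls = cfg.get("start_tls", "no").lower() == "yes" or host.startswith("ldaps://")
    if "EXTERNAL" in mechs and not host.startswith("ldapi://"):
        if not over_tls:
            problems.append("EXTERNAL needs a TLS session: set start_tls = yes or use ldaps://")
        problems += [f"EXTERNAL over TLS needs a client certificate: {k} is unset"
                     for k in ("tls_cert", "tls_key") if not cfg.get(k)]
    if cfg.get("tls_require_cert", "no").lower() == "yes" and not (
            cfg.get("tls_ca_cert_file") or cfg.get("tls_ca_cert_dir")):
        problems.append("tls_require_cert = yes but no tls_ca_cert_file or tls_ca_cert_dir")
    if "GSSAPI" in mechs and env is not None and not (
            env.get("KRB5_CLIENT_KTNAME") or env.get("KRB5CCNAME")):
        problems.append("GSSAPI but neither KRB5_CLIENT_KTNAME nor KRB5CCNAME reaches the daemon")
    return problems


def _bit(st: os.stat_result, uid: int, gids: List[int], usr: int, grp: int, oth: int) -> bool:
    # Owner, then group, then other: the selection the kernel makes for a non-root uid.
    if st.st_uid == uid:
        return bool(st.st_mode & usr)
    if st.st_gid in gids:
        return bool(st.st_mode & grp)
    return bool(st.st_mode & oth)


def can_read_as(path: str, uid: int, gids: Iterable[int]) -> bool:
    """True if uid (member of gids) can open path for reading, judged by mode bits alone.
    Every ancestor directory needs the search (x) bit and the file the read bit; ACLs and
    the root override are ignored, since the case that matters is an unprivileged daemon."""
    gids, path = list(gids), os.path.abspath(path)
    d = os.path.dirname(path)
    while True:
        if not _bit(os.stat(d), uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False
        if d == os.path.dirname(d):  # filesystem root reached
            break
        d = os.path.dirname(d)
    return _bit(os.stat(path), uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def check_file_access(cfg: Dict[str, str], uid: int, gids: Iterable[int],
                      keytab: Optional[str] = None) -> List[str]:
    """List the table's TLS files (and an optional client keytab) that uid cannot read."""
    gids = list(gids)
    paths = {k: cfg[k] for k in ("tls_ca_cert_file", "tls_cert", "tls_key") if cfg.get(k)}
    if keytab:
        paths["KRB5_CLIENT_KTNAME"] = keytab
    problems: List[str] = []
    for name, path in paths.items():
        try:
            if not can_read_as(path, uid, gids):
                problems.append(f"{name}: {path} is not readable by uid {uid}")
        except FileNotFoundError:
            problems.append(f"{name}: {path} does not exist")
    return problems
```

Run `check_sasl_table(parse_ldap_cf(open(cf).read()))` against the real file and `check_file_access(cfg, uid, gids, keytab=...)` with the uid and supplementary groups of the postfix account (from `pwd` and `grp`, or `id postfix`), not the uid of the shell you are testing from: `postalias` on the command line opens the files as whoever runs it, whereas local(8) opens them as the unprivileged daemon user, so a difference between the two is exactly the kind of result that separates a permissions problem from a Postfix problem. The directory walk matters more than the file mode itself: a key that is group-readable by postfix but sits in a directory without the search bit for that user shows as "accessible" in `ls -l` on the file and still fails to open.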