Loading ...
Sorry, an error occurred while loading the content.

290877Re: Postfix ldap_table authenticate to LDAP using GSSAPI or EXTERNAL

Expand Messages
  • Viktor Dukhovni
    Jan 22, 2013
      On Mon, Jan 21, 2013 at 09:05:33PM -0500, Eric McCorkle wrote:

      > I am trying to set up an LDAP-based alias table, and I want postfix to
      > authenticate to LDAP using a Kerberos service principal, or at least
      > using the EXTERNAL method (SSL certificate authentication).

      I would recommend GSSAPI (Kerberos) if that's an option, over
      EXTERNAL, key management is easier.

      To use GSSAPI, arrange for a cron job that runs once an hour or so,
      and executes

      $ kinit -k -t FILE:/some/keytab -c FILE:/some/cred-cache principal

      as Wietse points out: make sure the cred-cache is readable by the
      "postfix" user ($mail_owner). Then make sure that the KRB5CCNAME
      environment variable is set to point at the above credential cache
      in the Postfix delivery agent, by setting:

      import_environment =
      ... default value ...
      KRB5CCNAME=FILE:/some/cred-cache

      Unfortunately, Postfix does not yet support a "+= syntax" in main.cf.

      --
      Viktor.
    • Show all 8 messages in this topic