integration with samba AD DC for user authentication - SASL Authentication? #121
Comments
Hi Mauro,
OpenLDAP here, maybe this might help.
    ldap_default_servers = ldap.example.com::389

    ldap_login:
      driver = plaintext
      public_name = LOGIN
      server_prompts = Username:: : Password::
      server_condition = ${if and {{ \
        !eq{}{$auth1} }{ \
        ldapauth{user="uid=${quote_ldap_dn:$auth1},ou=Users,dc=example,dc=com" \
        pass=${quote:$auth2} \
        ldap://ldap.example.com} }} }
      server_set_id = uid=$auth1
Regards,
Alan
On 21/05/2021 13:50, Mauro Mozzarelli wrote:
Has anyone managed to configure dbmail to authenticate users through
samba AD DC, either kerberos or LDAP? This is because I can have users
authenticated via SASL integration with samba AD for postfix/SMTP
(sending emails), but the password must be manually synchronised for
IMAP access.
It would be a lot better if we could authenticate users via samba AD too.
|
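The two guards in the `server_condition` above (the empty-username test and `quote_ldap_dn`), sketched in C as an added example; it is not code from Exim or dbmail. `dn_escape` and `build_bind_dn` are hypothetical names, the base DN is the one from the config above, and the empty-password check is an addition based on RFC 4513.

```c
#include <stdio.h>
#include <string.h>

/* Escape one attribute value for use inside a DN (RFC 4514, section 2.4).
 * Returns the escaped length, or -1 if it does not fit in out. */
static int dn_escape(const char *in, char *out, size_t outlen)
{
    size_t n = strlen(in), o = 0;
    if (outlen == 0)
        return -1;
    for (size_t i = 0; i < n; i++) {
        char c = in[i];
        int esc = strchr("\"+,;<>\\", c) != NULL      /* special anywhere */
               || (i == 0 && (c == ' ' || c == '#'))  /* leading space or '#' */
               || (i == n - 1 && c == ' ');           /* trailing space */
        if (o + (esc ? 2 : 1) >= outlen)
            return -1;
        if (esc)
            out[o++] = '\\';
        out[o++] = c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Build "uid=<escaped user>,<base>" for a simple bind. Returns 0 on success,
 * -1 when the login must be refused without contacting the directory. */
int build_bind_dn(const char *user, const char *pass, const char *base,
                  char *out, size_t outlen)
{
    char esc[256];
    /* Empty user: invalid DN component. Empty password: RFC 4513 section 5.1.2
     * calls that an unauthenticated bind, which must not count as a login. */
    if (!user || !pass || !base || *user == '\0' || *pass == '\0')
        return -1;
    if (dn_escape(user, esc, sizeof esc) < 0)
        return -1;
    int w = snprintf(out, outlen, "uid=%s,%s", esc, base);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

int main(void)
{
    char dn[128];
    /* Constructed input: a username that contains DN metacharacters. */
    if (build_bind_dn("x,ou=Admins", "secret", "ou=Users,dc=example,dc=com",
                      dn, sizeof dn) == 0)
        printf("%s\n", dn);
    return 0;
}
```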
Thanks Alan, I followed that example for openLDAP, but it does not work with Samba AD. |
Salve,
It would be a fun task to include sasl, I took a look over GNU SASL Library
( https://www.gnu.org/software/gsasl/ ). Due to its licensing and low
footprint I believe it would be possible to add it as a feature.
What do you think? Do you have something else in mind?
Have a nice day
On Sat, 22 May 2021 13:12:48 +0300, Mauro Mozzarelli ***@***.***> wrote:
Thanks Alan, I followed that example for openLDAP, but it does not work
with Samba AD.
We would need dbmail to support SASL authentication, like postfix does.
--
Cosmin Cioranu
|
Hi,
Fun and useful perhaps, but I wouldn't underestimate the amount of work
involved, it's straightforward but non-trivial.
I've written an article on implementing subversion with ldap and
svnserve, and can confirm it's reliable once set up.
https://p-o.co.uk/tech-articles/howto-svn-and-ldap-with-svnserve-sasl/
I would advise anyone interested in implementing sasl to review the code
in exim and perhaps something like https://subversion.apache.org/ where
it's implemented as both client and server. One of the benefits of open
source is sharing code.
I note that exim says it implements rfc2222 but that has been superseded
by rfc4422.
Alas I don't have a Samba AD server to test. As the OP asked about
kerberos, there would probably be a need for documentation on the link
between dbmail and kerberos identities as dbmail only uses ldap for
authentication, there is also no link between ldap and email aliases.
As you say a useful and fun project for someone interested in C and
authentication. I estimate it'll be about a week's work for Samba AD,
kerberos would likely be longer though I have little experience in that
domain. Wonder if there's any sponsorship.
Alan
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_cyrussasl_authenticator.html
https://datatracker.ietf.org/doc/html/rfc4422
https://datatracker.ietf.org/doc/html/rfc2222
https://www.cyrusimap.org/sasl/sasl/components.html
https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml
|
I think it would be great if SASL authentication could be added to dbmail. It will deliver a fully integrated Single Sign On solution with Samba/Microsoft AD. I use Postfix as MTA which already supports SASL. All users would benefit greatly if also dbmail supported it. I would not aim to a full Samba 4 / Kerberos solution however since this can require lots of work. |
Has anyone managed to configure dbmail to authenticate users through samba AD DC, either kerberos or LDAP? This is because I can have users authenticated via SASL integration with samba AD for postfix/SMTP (sending emails), but the password must be manually synchronised for IMAP access.
It would be a lot better if we could authenticate dbmail users via samba AD too.