author    Guilhem Moulin <guilhem.moulin@fripost.org>  2012-05-10 10:03:47 +0200
committer Guilhem Moulin <guilhem.moulin@fripost.org>  2012-05-10 16:34:10 +0200
commit    2e41eb3c10282d87eab6b3a2f9fa9d16ed3b480a (patch)
tree      c56c9532804cfa6454bbe5e2f426bef891f14db3
parent    25866f7509da2b024ba2f50d4b44c895c3974fc7 (diff)
Note on Postfix and SASL EXTERNAL binds on UNIX sockets.
-rw-r--r--  fripost-docs.org  | 94
1 files changed, 59 insertions, 35 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index f3fecc3..7c58c19 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -773,7 +773,7 @@ and add with `ldapadd -Y EXTERNAL -H ldapi:/// -f <file.ldif>'.
The default indexes below are not enough for our purpose, since we will heavily
be looking for e.g., the `uid' attribute.
- :: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
+ :: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
[...]
olcDbIndex: objectClass eq
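Review bot: dropping `-Q` and `-LLL` from the `ldapsearch` line changes what is printed, not what is queried: without `-Q` the client emits the SASL/EXTERNAL status lines and without `-LLL` the output carries the LDIF version header and comments, so the `[...]` excerpt that follows no longer matches the command's exact output. Either keep `-LLL` on the search commands or say in the text that the excerpt is trimmed.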
@@ -813,10 +813,10 @@ be looking for e.g., the `uid' attribute.
add: olcDbIndex
olcDbIndex: owner eq
-ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/indexes.ldif
+ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/indexes.ldif
- :: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
+ :: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
[...]
olcDbIndex: entryUUID eq
olcDbIndex: objectClass pres,eq
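Review bot: the `-Y EXTERNAL -H ldapi:///` form of `ldapmodify` only succeeds when run as a uid that the `cn=config` ACL grants write access to (root by default), and that prerequisite is not stated anywhere near these commands; one sentence such as "run as root" before the first `ldapmodify` would save a confusing "Insufficient access" for anyone following the notes.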
@@ -844,7 +844,7 @@ We are using the so-called "Sets" to let the users manage their domain themselve
See section 8.5 "Sets - Granting rights based on relationships" in LDAP's manual
http://www.openldap.org/doc/admin24/access-control.html for details.
- :: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
+ :: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
[...]
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=fripost,dc=org" write by * none
olcAccess: {1}to dn.base="" by * read
@@ -900,10 +900,10 @@ http://www.openldap.org/doc/admin24/access-control.html for details.
by dn.exact="cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org" read
by * search
-ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/acl.ldif
+ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/acl.ldif
- :: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
+ :: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
[...]
olcAccess: {0}to dn.one="ou=services,o=mailHosting,dc=fripost,dc=org" attrs=userPassword by self read by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by anonymous auth
olcAccess: {1}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=userPassword by self write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by anonymous auth
@@ -941,11 +941,11 @@ a new ACL with writable [ou=virtual,...]/children, and [dc=...,ou=virtual,...]/e
objectClass: organizationalUnit
description: E-mail services
-ldapadd -cxWD cn=admin,dc=fripost,dc=org -f /etc/ldap/fripost/base.ldif
+ldapadd -xWD cn=admin,dc=fripost,dc=org -f /etc/ldap/fripost/base.ldif
To delete a leaf (`-r' to delete the whole sub-tree):
- ldapdelete -r -D cn=admin,dc=fripost,dc=org 'dc=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=org' -W
+ ldapdelete -r -xWD cn=admin,dc=fripost,dc=org 'dc=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=org'
**** Populate the tree
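Review bot: removing `-c` from `ldapadd` is a behaviour change that deserves a word in the text: `-c` is continuous mode (keep adding after a failed entry), so `base.ldif` now stops at the first error instead of leaving a partially created tree with later entries silently skipped. That is the safer default for the base structure, but it should be said. The `ldapdelete` change is correct: without `-x` the client attempts a SASL bind rather than a simple bind as `cn=admin`, so the old line would not have authenticated the way the surrounding text implies.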
@@ -997,7 +997,7 @@ To delete a leaf (`-r' to delete the whole sub-tree):
mailLocalAddress: user-alias
isActive: TRUE
-ldapadd -cxWD cn=admin,dc=fripost,dc=org -f /tmp/populate.ldif
+ldapadd -xWD cn=admin,dc=fripost,dc=org -f /tmp/populate.ldif
Note: This should obviously be wrapped in a script; `ldapadd' reads the standard
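Review bot: same `-c` remark as for `base.ldif`, with a sharper consequence here: `populate.ldif` holds many entries, so a single entry that already exists now aborts the whole import. If re-running the populate step on an existing tree is expected (the note below suggests wrapping it in a script), that is precisely the case where `-c` was useful, and the script should either keep `-c` or filter out existing entries first.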
@@ -1012,7 +1012,7 @@ the rights of user@fripost.org on the domain example.org, we can run:
We can also check ACLs with concrete examples:
-ldapwhoami -xD "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -W
+ldapwhoami -xWD "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org"
should return the whole dn:
@@ -1025,26 +1025,26 @@ should return the whole dn:
`slpacat' (run as root) dumps everything in the tree, including the (hashed)
passwords. So should
- ldapsearch -xLLL -D "cn=admin,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' -W
+ ldapsearch -xWD "cn=admin,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org'
and
- ldapsearch -xLLL -D "cn=admin1,ou=managers,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' -W
+ ldapsearch -xWD "cn=admin1,ou=managers,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org'
***** Anonymous user
-`ldapsearch -xLLL -b "ou=virtual,o=mailHosting,dc=fripost,dc=org"' should exit
+`ldapsearch -x -b "ou=virtual,o=mailHosting,dc=fripost,dc=org"' should exit
with return status 0, but shouldn't print anything.
***** Services
-ldapsearch -xLLL -D "cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' -W
+ldapsearch -xWD "cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org'
should not disclose the passwords.
***** Self
-ldapsearch -xLLL -D "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' -W
+ldapsearch -xWD "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org'
should return all the information for this very user, but not e.g., the password of the other users.
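Review bot: the context line at the top of this hunk reads `slpacat`; it should be `slapcat`, worth fixing while the paragraph is being edited. Dropping `-LLL` is harmless for these ACL checks, since the text only states what each identity should or should not see, not what the output looks like.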
@@ -1063,7 +1063,7 @@ The user should be able to change his/her password, and aliases in his/her own d
add: mailLocalAddress
mailLocalAddress: user-alias2@example.org
-ldapmodify -D "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -W -f /tmp/usermod.ldif
+ldapmodify -xWD "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -f /tmp/usermod.ldif
[Note: Still that should be wrapped up in a script, and there is no need to write on
disk since the data is read from the standard input.]
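Review bot: adding `-x` here is a genuine fix, not just a reordering of flags: the previous `ldapmodify -D ... -W` without `-x` attempted a SASL bind and did not perform a simple bind as the user, so the self-service test described above could not have exercised the `by self write` ACL as intended.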
@@ -1094,15 +1094,6 @@ Documentation: http://www.openldap.org/doc/admin22/syncrepl.html
Cf. installation of the master LDAP server.
(We also need to install fripost's schema and indexes.)
-The slave may only listen on the UNIX socket; To specify that, in
-`/etc/default/slapd', change `SLAPD_SERVICES' to
-
-SLAPD_SERVICES="ldapi:///"
-
-[TODO: *Ideally*, Postfix's should perform the LDAP lookups on a UNIX socket. However,
-while it `postmap -q' worked fine, Postfix itself couldn't query the LDAP server.
-A quick fix was to query the network instead: SLAPD_SERVICES="ldapi:///127.0.0.1:389/".]
-
In the rest of this section, we assume there is a tunnel from the master
LDAP server to the slave (i.e., ldap://127.0.0.1:3890 on the slaves actually
speaks to the master).
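Review bot: with the `SLAPD_SERVICES` paragraph removed, this subsection no longer says where the slave listens at all; the remaining sentence about the tunnel on `ldap://127.0.0.1:3890` describes the replication link to the master, not the listener Postfix uses. A one-line pointer to the Postfix section, where the ldapi socket inside the chroot is now documented, would keep the slave installation steps complete on their own.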
@@ -1121,7 +1112,7 @@ We first need to load the module `syncprov.la'.
add: olcModuleLoad
olcModuleLoad: syncprov.la
-ldapmodify -QY EXTERNAL -H ldapi:/// -f modules.ldif
+ldapmodify -Y EXTERNAL -H ldapi:/// -f modules.ldif
The master can now define itself as the provider.
@@ -1155,7 +1146,7 @@ ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
binddn="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org"
credentials="xxxxxx"
-ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/syncrepl.ldif
+ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/syncrepl.ldif
(Since we in our case we have several slaves, we may want to increment the
rid.)
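Review bot: the context line `(Since we in our case we have several slaves` has a doubled "we". More importantly, `syncrepl.ldif` carries the plaintext `credentials=` for the `cn=SMTP` service account, so the text should state that `/etc/ldap/fripost/syncrepl.ldif` must be readable by root only (and removed or kept out of version control) once it has been applied.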
@@ -1241,8 +1232,41 @@ http://wiki.dovecot.org/LDA/Postfix
http://www.tehinterweb.co.uk/roundcube/#pisieverules
+On the MX's, the slave (a partial replicate of the main LDAP server server)
+may only listen on a UNIX socket in Postfix's chroot jail; To specify that,
+in `/etc/default/slapd', change `SLAPD_SERVICES' to
+
+SLAPD_SERVICES="ldapi://%2Fvar%2Fspool%2Fpostfix%2Fvar%2Frun%2Fldapi/????x-mod=0777"
+
+Note that in the configuration files below, the `server_host' is relative
+to Postfix's jail, hence one should drop the prefix "%2Fvar%2Fspool%2Fpostfix".
+On the other hand, to test the files with `postmap' one has to put back
+the prefix.
+
+
+TODO: Postfix 2.7 does not support SASL binds. Hence one cannot SASL bind on
+the socket with the EXTERNAL mechanism, which leads to a flood of warnings
+"connection_read(XX): no connection!" in the syslog. One can also reproduce the
+flood with
+ ldapsearch -H 'ldapi://%2Fvar%2Fspool%2Fpostfix%2Fvar%2Frun%2Fldapi/' -x -WD 'cn=guilhem,ou=managers,o=mailHosting,dc=fripost,dc=org' -b 'o=mailHosting,dc=fripost.org,dc=org'
+instead of
+ ldapsearch -H 'ldapi://%2Fvar%2Fspool%2Fpostfix%2Fvar%2Frun%2Fldapi/' -Y EXTERNAL -WD 'cn=guilhem,ou=managers,o=mailHosting,dc=fripost,dc=org' -b 'o=mailHosting,dc=fripost.org,dc=org'
+(The first one performs a simple bind and does not unbind properly, while
+the second one is safe and performs a SASL bind with the EXTERNAL mechanism.)
+
+TODO: With Postfix 2.8, one could do [Not tested]
+ bind = sasl
+ sasl_mechs = EXTERNAL
+
+See also
+ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=643970
+ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660223
+ http://www.openldap.org/lists/openldap-software/200811/msg00078.html
+
+
:: /etc/postfix/ldap/ldap_virtual_mailbox_domains.cf
+ #server_host = ldapi://%2Fvar%2Frun%2Fldapi/
server_host = ldap://127.0.0.1:389/
version = 3
search_base = dc=%s,ou=virtual,o=mailHosting,dc=fripost,dc=org
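Review bot: `x-mod=0777` on the ldapi socket makes it connectable by every local process on the MX, not just Postfix; since slapd creates the socket as its own user, a narrower mode such as `0770` with the postfix user added to the socket's group would limit who can even open it, and if 0777 is kept the text should say explicitly that the slave's ACLs (anonymous gets `auth` only) are what protects the directory content. Two smaller things in the same hunk: the EXTERNAL example `ldapsearch ... -Y EXTERNAL -WD 'cn=guilhem,...'` should drop `-WD`, because a SASL EXTERNAL bind takes its identity from the peer credentials and `-W` only prompts for a password that is never used; and both reproducer lines use `-b 'o=mailHosting,dc=fripost.org,dc=org'`, which does not match the `dc=fripost,dc=org` suffix used everywhere else in the document. For the untested Postfix 2.8 `bind = sasl` / `sasl_mechs = EXTERNAL` idea, note that the identity the slave then sees is the peercred DN of the postfix uid (`...,cn=peercred,cn=external,cn=auth`), so the ACLs written for `cn=SMTP,ou=services,...` would need an `olcAuthzRegexp` mapping or an additional ACL clause before Postfix could read anything.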
@@ -1261,8 +1285,10 @@ Test it:
:: /etc/postfix/ldap/ldap_virtual_mailbox_maps.cf
+ #server_host = ldapi://%2Fvar%2Frun%2Fldapi/
server_host = ldap://127.0.0.1:389/
version = 3
+ version = 3
search_base = uid=%u,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = base
bind = yes
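Review bot: the added `+ version = 3` duplicates the `version = 3` already present on the line above it in `ldap_virtual_mailbox_maps.cf`; this looks like an accidental paste and should be dropped so the file matches the other two `.cf` files in this commit.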
@@ -1278,6 +1304,7 @@ Test it:
:: /etc/postfix/ldap/ldap_virtual_alias_maps.cf
+ #server_host = ldapi://%2Fvar%2Frun%2Fldapi/
server_host = ldap://127.0.0.1:389/
version = 3
search_base = dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
@@ -1292,9 +1319,6 @@ Test it:
postmap -q user-alias@fripost.org ldap:/etc/postfix/ldap/ldap_virtual_alias_maps.cf
postmap -q user@example.org ldap:/etc/postfix/ldap/ldap_virtual_alias_maps.cf
-
-(The main LDAP server is partly replicated on a UNIX socket on the MX's.)
-
**** Test delivery
sudo mkdir -p /home/mail/virtual/fripost.org/
@@ -1464,7 +1488,7 @@ this machine actually speaks to the master).
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -O /etc/saslauthd.conf"
[...]
-(Note: The socket has to be readable by postfix.)
+(Note: The socket has to be in Postfix's chroot jail.)
:: /etc/saslauthd.conf
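Review bot: the new note replaces one requirement with another, but both hold: the `mux` socket must live inside Postfix's chroot (hence `-m /var/spool/postfix/var/run/saslauthd`) and it must also be accessible to the `postfix` user, which on a stock install means the socket directory's group permissions and the postfix user's group membership. Keeping the "readable by postfix" sentence alongside the chroot sentence avoids a permission-denied surprise that the chroot alone does not explain.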
@@ -1482,11 +1506,11 @@ before binding to the user (unlike Dovecot). Hence it needs to have read access
on the user's entry (except his/her password, of course).
After restarting saslauthd (`/etc/init.d/saslauthd restart'), we can test the
-authentication: `testsaslauthd -u user@fripost.org -p password'. (The password
-cannot be prompted, so you may want to create a dummy user.)
+authentication:
+
+ testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u user@fripost.org -p password
-[Note: for `testsaslauthd' to work, you have to set OPTIONS="-c -m /var/run/saslauthd"
-in `/etc/default/saslauthd'.]
+(The password cannot be prompted, so you may want to create a dummy user.)
**** Configure Postfix
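Review bot: `-f /var/spool/postfix/var/run/saslauthd/mux` correctly tracks the `-m` path set in `OPTIONS` above, so removing the old note about switching `OPTIONS` to `/var/run/saslauthd` is right. Since `-p password` is passed on the command line, it is visible in `ps` output and shell history for the duration of the test; the "create a dummy user" advice is the mitigation, and the note would be stronger if it said that this is the reason.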