Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4342A8E3.8060105@tls.msk.ru>
Date: Tue, 04 Oct 2005 20:08:03 +0400
From: Michael Tokarev <mjt@....msk.ru>
To:  owl-users@...ts.openwall.com
Subject: Re: ldap / pam / tcb / popa3d / maildir

Stanislav wrote:
> Dear Openwall User, 
> 
> i am trying to setting up a mail server with owl stable as base
> system. First my experiences, 
> 
> - postfix setup with Maildir support works fine.
> 
> - recompile glibc to include nscd and attach an init script.

Why do you need nscd?

> So far, all went OK. My users are all on a directory server. For 
> that i build openldap and nss/pam stuff for ldap.

Are you sure you want your users to be system accounts?
I mean, instead of tweaking system-wide settings (nsswitch.conf
etc) and enabling ldap there, you can use ldap for email only,
tweaking postfix and pop3 configs.  Mind you, almost every
network-aware user storage (ldap, sql, etc) is inherently
insecure - it's very difficult to set it up properly so that
security level will be acceptable.

Ofcourse, if you will not use system accounts, you may have some
troubles enabling such features like maildir quotas (which are
implemented using filesystem quotas when your mail users are
system users as well).

> - postfix works now fine with that ldap users. (i recompiled
>  for alias queries to ldap, not necessary for ldap users)
> 
>  $ getent passwd/groups 
> 
> shows me that what i want to see.
> 
> Now my interferences:
> 
> Doing an 'su' to a ldap user works of course for root but showing:

Should you users have shell access to the box?

>  Account management:- Insufficient credentials 
>  to access authentication data
> 
> My primary focus is popa3d and not suing. For that i didn't 
> try to customize pam.d/su for ldap users (cause i also think its 
> to entangled with tcb) but i compiled popa3d with Maildir support
> and 
> 
> #define AUTH_SHADOW                   1
> #define AUTH_PAM_USERPASS             0
> #define USE_LIBPAM_USERPASS           0
> #undef MAIL_SPOOL_PATH
> #define HOME_MAILBOX_NAME             "Maildir"
> 
> for local users this works but not for my ldap users.
> 
> syslog: "Oct  4 14:19:39 reserved6 popa3d[.]: 
>          Authentication failed for ldapuser"
> 
> My nsswitch looks like: 
> 
>  passwd: files ldap
>  shadow: tcb ldap
>  group:  files ldap
> 
> I tried a couple different configuration of pop3ad 
> but no one works. I have no more ideas. What do you say ?

Yes.
At least, don't use nsswitch for auth. Use pam.

And, don't use system accounts for your mail users.
Postfix's virtual(8) delivery agent together with
virtual_mailbox_maps out of ldap (with single uid
or single uid per mail address), plus something
similar for popd using pam.  May work.  YMMV.

/mjt

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.