On 18/07/10 21:08 +0600, OSHIM wrote:

Hi,

I need a help from you guys.

Anyone know how to customize Squid, Dansguardian, Postfix, Samba to use OpenLDAP and let OpenLDAP authenticate the username/password with MS-AD?

When performing SASL binds against OpenLDAP, you can configure
/usr/lib/sasl2/slapd.conf with:

pwcheck_method: saslauthd
mech_list: plain login

and configure /etc/saslauthd.conf with:

ldap_servers: ldap://192.0.2.1/ ldap_use_sasl: yes ldap_mech: DIGEST-MD5
and consequently you would configure your /etc/postfix/sasl/smtpd.conf
with:

pwcheck_method: saslauthd
mech_list: plain login

Configuring identical contents for /etc/saslauthd.conf on your Postfix
server would authenticate directly to the MS-AD server. If you really do
wish to authenticate to the OpenLDAP server and have it re-authenticate to
AD, configure your /etc/saslauthd.conf with:

ldap_servers: ldap://192.0.2.2/
ldap_use_sasl: yes
ldap_mech: PLAIN

Where 192.0.2.2 is the address of your slapd server. You would also want to
configure an SSL/TLS protection layer to protect the transmission of your
passwords to the slapd server.

See Chapter 15 (Using SASL) of the OpenLDAP administrator's guide for
authz-regexp configuration that should be necessary to complete this
approach. Also, see saslauthd/LDAP_SASLAUTHD within the cyrus sasl source
tree for saslauthd.conf documentation. For trouble shooting, see
'testsaslauthd', 'smtptest', and 'saslfinger'. The first two are
distributed with cyrus sasl, and the last is distributed by Patrick
Koetter.

I'm not familiar with configuring Squid, Dansguardian, and Samba in a
scenario like this, but I would imagine doing what you want (proxying
authentication via slapd) is going to get exponentially complex. It may
make more sense to have those applications authenticate directly to the AD
server.

--
Dan White