Date: Tue, 4 Oct 2005 18:54:39 +0200
From: Stanislav <owl@...e.org>
To: owl-users@...ts.openwall.com, owl@...e.org,
 popa3d-users@...ts.openwall.com
Subject: Re: [owl-users] ldap / pam / tcb / popa3d / maildir

On Tue, 04 Oct 2005 20:08:03 +0400
Michael Tokarev <mjt@....msk.ru> wrote:
 
> > - recompile glibc to include nscd and attach an init script.
> 
> Why do you need nscd?

Hello Michael,

For caching - just in case the directory service isn't up.
To keep a small time window where mail services still work.
Well, it's my intention. Extensive tests will follow.

> 
> > So far, all went OK. My users are all on a directory server. For 
> > that i build openldap and nss/pam stuff for ldap.
> 
> Are you sure you want your users to be system accounts?
> I mean, instead of tweaking system-wide settings (nsswitch.conf
> etc) and enabling ldap there, you can use ldap for email only,
> tweaking postfix and pop3 configs.  Mind you, almost every
> network-aware user storage (ldap, sql, etc) is inherently
> insecure - it's very difficult to set it up properly so that
> security level will be acceptable.

Don't misunderstand me, I'm aware of that. There exist a lot of
ways for mail setups, especially in conjunction with ldap services.
Indeed, I agree with you.

> > My primary focus is popa3d and not su-ing. For that I didn't 
> > try to customize pam.d/su for ldap users (because I also think it's 
> > too entangled with tcb) but I compiled popa3d with Maildir support
> > and 
> > 
> > #define AUTH_SHADOW                   1
> > #define AUTH_PAM_USERPASS             0
> > #define USE_LIBPAM_USERPASS           0
> > #undef MAIL_SPOOL_PATH
> > #define HOME_MAILBOX_NAME             "Maildir"
> > 
...
> > I tried a couple of different configurations of popa3d 
> > but none of them works. I have no more ideas. What do you say?
> 
> Yes.
> At least, don't use nsswitch for auth. Use pam.

That's the point. popa3d compiled with AUTH_PAM and pam.d/popa3d
like this 

auth       required     /lib/security/pam_ldap.so
account    required     /lib/security/pam_ldap.so
password   required     /lib/security/pam_deny.so
session    required     /lib/security/pam_deny.so

doesn't want to work. Maybe someone on the popa3d list
has some experience?

> 
> And, don't use system accounts for your mail users.
> Postfix's virtual(8) delivery agent together with
> virtual_mailbox_maps out of ldap (with single uid
> or single uid per mail address), plus something
> similar for popd using pam.  May work.  YMMV.

Many thanks for your suggestions.

Stanislav
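As an added example (not part of this thread, and not popa3d's or pam_ldap's own code), here is a small Python checker that parses a pam.d stack like the one Stanislav shows above and flags two things worth seeing before deploying it: management groups built only from pam_deny.so, which can never succeed, and groups whose only modules are network-backed (pam_ldap.so), which fail outright whenever the directory is unreachable. The sample stack is the one from the message; the bracketed-control and @include handling follows standard PAM syntax rather than anything in the mail.

```python
import re

# Constructed sample input: the pam.d/popa3d stack shown in the message above.
POPA3D_STACK = """\
auth       required     /lib/security/pam_ldap.so
account    required     /lib/security/pam_ldap.so
password   required     /lib/security/pam_deny.so
session    required     /lib/security/pam_deny.so
"""

# group, control (plain keyword or [bracketed] form), module path, optional args
_PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_stack(text):
    """Return (group, control, module, args) tuples; comments, blanks and @include lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = _PAM_LINE.match(line)
        if not m:
            raise ValueError(f"malformed PAM line: {raw!r}")
        group, control, module, args = m.groups()
        entries.append((group, control, module.rsplit("/", 1)[-1], args))
    return entries

def _modules_by_group(entries):
    groups = {}
    for group, _control, module, _args in entries:
        groups.setdefault(group, []).append(module)
    return groups

def groups_that_always_fail(entries):
    """Groups built solely from pam_deny.so fail on every call, whatever the control
    flag, so a service that invokes such a group (e.g. session) can never complete it."""
    return sorted(g for g, mods in _modules_by_group(entries).items()
                  if all(m == "pam_deny.so" for m in mods))

def groups_without_local_fallback(entries, network_modules=("pam_ldap.so",)):
    """Groups whose only modules are network-backed fail as soon as the directory is
    unreachable. nscd caches NSS lookups, not pam_ldap's own LDAP binds, so it does not
    cover this case; a pam_unix.so (or tcb) entry beside pam_ldap would give local users a path."""
    return sorted(g for g, mods in _modules_by_group(entries).items()
                  if all(m in network_modules for m in mods))

if __name__ == "__main__":
    parsed = parse_pam_stack(POPA3D_STACK)
    print("always fail:", groups_that_always_fail(parsed))          # ['password', 'session']
    print("no local fallback:", groups_without_local_fallback(parsed))  # ['account', 'auth']
```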
