Date: Tue, 4 Oct 2005 18:54:39 +0200 From: Stanislav <owl@...e.org> To: owl-users@...ts.openwall.com, owl@...e.org, popa3d-users@...ts.openwall.com Subject: Re: [owl-users] ldap / pam / tcb / popa3d / maildir On Tue, 04 Oct 2005 20:08:03 +0400 Michael Tokarev <mjt@....msk.ru> wrote: > > - recompile glibc to include nscd and attach an init script. > > Why do you need nscd? Hello Michael, for cacheing - just in case the directory service isn't up. To keep a small time window where mail services still work. Well, its my intention. Extensive tests will follow. > > > So far, all went OK. My users are all on a directory server. For > > that i build openldap and nss/pam stuff for ldap. > > Are you sure you want your users to be system accounts? > I mean, instead of tweaking system-wide settings (nsswitch.conf > etc) and enabling ldap there, you can use ldap for email only, > tweaking postfix and pop3 configs. Mind you, almost every > network-aware user storage (ldap, sql, etc) is inherently > insecure - it's very difficult to set it up properly so that > security level will be acceptable. Don't misunderstand me, i'm aware of that. They exists a lot of ways for mailsetups. Especially in conjunction with ldap services. Indeed i agree with you. > > My primary focus is popa3d and not suing. For that i didn't > > try to customize pam.d/su for ldap users (cause i also think its > > to entangled with tcb) but i compiled popa3d with Maildir support > > and > > > > #define AUTH_SHADOW 1 > > #define AUTH_PAM_USERPASS 0 > > #define USE_LIBPAM_USERPASS 0 > > #undef MAIL_SPOOL_PATH > > #define HOME_MAILBOX_NAME "Maildir" > > ... > > I tried a couple different configuration of pop3ad > > but no one works. I have no more ideas. What do you say ? > > Yes. > At least, don't use nsswitch for auth. Use pam. Thats the point. popa3d compiled with AUTH_PAM and pam.d/popa3d like this auth required /lib/security/pam_ldap.so account required /lib/security/pam_ldap.so password required /lib/security/pam_deny.so session required /lib/security/pam_deny.so don't want to work. Maybe some one in popa3d list had some experiences ? > > And, don't use system accounts for your mail users. > Postfix's virtual(8) delivery agent together with > virtual_mailbox_maps out of ldap (with single uid > or single uid per mail address), plus something > similar for popd using pam. May work. YMMV. Many thanks for your suggestions. Stanislav
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.