
gildorn

macrumors member
Original poster
Jan 30, 2017
Resurrecting this old thread to see if anyone has experience using Open Directory via LDAP. I'd love any tips about the below.


I've made a lot of progress in getting my MacPorts mail server (postfix + dovecot + etc.) up and running. I have it working with PAM, but I can't get CRAM-MD5 auth that way. I have a number of users on my mail server already that have enforced CRAM-MD5 via their config profile, and I don't know all my users' passwords to generate the CRAM-MD5 database. Ideally I'd be able to upgrade the mail server without giving them all new config profiles... so.

Supposedly LDAP auth with access to userPassword allows dovecot to just do CRAM-MD5 calculations from the crypt data available.

I got Open Directory server up and running its own Local Network Directory, which is accessible via LDAP, and I can query it via a special dovecot user I set up. But `userPassword` only exists for my directory administrator, not for any other users. I can do other Mac/Open Directory things with these users, including logging in, just fine.

I thought the issue was just getting /etc/openldap/slapd.conf ACLs set up correctly. But any changes to those ACLs don’t actually seem to impact my LDAP queries, strangely. All the documentation I find online seems to indicate that they should, even for Open Directory-LDAP.

But the ACLs don't seem to be the issue anyway. I'm beginning to suspect that Open Directory never serves `userPassword` for its users and is, behind the scenes, doing sneakier things by auth'ing against Kerberos automatically, without ever disclosing the `userPassword` crypt via LDAP.

I... just want to replace this server inline without having to reconfigure everyone who uses it. So I want CRAM-MD5. If there are other ways I can get there from here, I’m all ears.
And by the way, sssandess, thank you so much for all the work on this. It really helped me get started. It’s definitely a lot of work to get it right.

Another bit of feedback: a lot of your config files seem to be set up for auth'ing against Comcast to relay mail out, which was a red herring for my use case in a number of places. I ended up comparing most of my config files against my original Server ones rather than the MacPorts-provided ones.
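Editor's note on the mechanism behind the post above, as an added example that is not code from the original thread, from MacPorts, or from dovecot. CRAM-MD5 (RFC 2195) is a challenge-response scheme: the client answers the server's challenge with HMAC-MD5 keyed by the password. The verifier therefore has to hold the password in a form from which that HMAC can be finished: either the plaintext, or the two MD5 states obtained after absorbing key^ipad and key^opad (dovecot's `{CRAM-MD5}` password scheme stores exactly those two states). A one-way crypt or SSHA hash, which is what `userPassword` normally carries, cannot be turned back into either form, which is why a directory that only exposes hashed `userPassword` values cannot feed CRAM-MD5. The script below walks through the RFC 2195 example exchange (user `tim`, password `tanstaaftanstaaf`), precomputes the two contexts, and verifies the response without ever seeing the plaintext; the hand-rolled MD5 exists only because `hashlib` cannot resume from a saved state. The on-disk layout of the stored contexts (inner state, outer state, little-endian words, hex) is this example's own choice, not a claim about dovecot's exact format.

```python
import base64
import hashlib
import hmac
import math
import struct

# --- minimal MD5 whose internal state can be saved and resumed -------------
# hashlib.md5 cannot export/import its state, and resuming from a stored
# state is exactly what a CRAM-MD5 verifier without the plaintext needs.
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
MD5_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & 0xFFFFFFFF


def md5_compress(state, block):
    """One MD5 compression of a 64-byte block; returns the new (a, b, c, d)."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & 0xFFFFFFFF
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & 0xFFFFFFFF
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d)))


def md5_resume(state, consumed, data):
    """Continue MD5 from `state` (which already absorbed `consumed` bytes)
    over `data`, apply the MD5 padding and return the 16-byte digest."""
    full = len(data) // 64 * 64
    for i in range(0, full, 64):
        state = md5_compress(state, data[i:i + 64])
    tail = data[full:]
    total_bits = (consumed + len(data)) * 8
    pad = tail + b"\x80" + b"\x00" * ((55 - len(tail)) % 64) + struct.pack("<Q", total_bits)
    for i in range(0, len(pad), 64):
        state = md5_compress(state, pad[i:i + 64])
    return struct.pack("<4I", *state)


def md5(data):
    return md5_resume(MD5_INIT, 0, data)


def md5_matches_hashlib(data):
    """Sanity check of the hand-rolled MD5 against the standard library."""
    return md5(data) == hashlib.md5(data).digest()


# --- CRAM-MD5 (RFC 2195): response = HMAC-MD5(password, challenge) ----------
def cram_md5_client(user, password, challenge_b64):
    """What the mail client sends back: base64("user <hex hmac>")."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_store(password):
    """Precompute the two HMAC-MD5 contexts: the MD5 state after absorbing
    key^ipad and after key^opad. This is the only non-plaintext form a
    CRAM-MD5 verifier can work from; a crypt/SSHA hash is useless for it.
    Layout (inner state, outer state, little-endian words, hex) is this
    example's own convention, an assumption, not dovecot's documented format."""
    if len(password) > 64:  # HMAC rule: long keys are hashed first
        password = hashlib.md5(password).digest()
    key = password.ljust(64, b"\x00")
    inner = md5_compress(MD5_INIT, bytes(b ^ 0x36 for b in key))
    outer = md5_compress(MD5_INIT, bytes(b ^ 0x5C for b in key))
    return struct.pack("<4I", *inner).hex() + struct.pack("<4I", *outer).hex()


def cram_md5_verify(stored, challenge_b64, response_b64):
    """Server side: finish the HMAC from the stored contexts, never touching
    the password. Returns the authenticated user name or None."""
    raw = bytes.fromhex(stored)
    inner = struct.unpack("<4I", raw[:16])
    outer = struct.unpack("<4I", raw[16:])
    try:
        user, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except ValueError:
        return None
    challenge = base64.b64decode(challenge_b64)
    inner_digest = md5_resume(inner, 64, challenge)  # one 64-byte key block already absorbed
    expected = md5_resume(outer, 64, inner_digest).hex()
    return user if hmac.compare_digest(expected, digest) else None


def rfc2195_exchange():
    """The worked example from RFC 2195 (constructed exchange, values from the RFC)."""
    chal = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode()
    resp = cram_md5_client("tim", b"tanstaaftanstaaf", chal)
    stored = cram_md5_store(b"tanstaaftanstaaf")
    digest = base64.b64decode(resp).decode().split(" ", 1)[1]
    return {"challenge": chal, "response": resp, "digest": digest,
            "stored": stored, "verified": cram_md5_verify(stored, chal, resp)}


if __name__ == "__main__":
    ex = rfc2195_exchange()
    print("S: + " + ex["challenge"])
    print("C: " + ex["response"])
    print("stored contexts:", ex["stored"])
    print("authenticated as:", ex["verified"])
```

Two practical consequences follow from the code: whatever backend dovecot reads (passwd-file, SQL, LDAP), the field it gets must be the plaintext or a `{CRAM-MD5}`-style pair of contexts, and the only way to produce either for an existing user is to capture the plaintext once (for example, on the user's next successful login against a backend that does see it) and write the contexts out then.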