question about migration user from ldap to mysql


question about migration user from ldap to mysql

natan
Hi
I have all users in openldap. In openldap I have password crypt+base64

after decoding base64 :
{CRYPT}$1$AvMW4io/$DDq..................

In postfix auth via saslauthd:

cat /etc/saslauthd.conf
....
ldap_auth_method: custom
ldap_filter:
(&(objectClass=qMailUser)(|(mail=%u%R)(mailAlternateAddress=%u%R)))
....

cat /etc/sasl2/smtpd.conf
....
pwcheck_method: saslauthd
saslauthd_path: /run/saslauthd/mux
mech_list: plain login
log_level: 1
...

all works fine

I must migrate all from openldap to mysql 1:1 and I have a question:

What "type auth" must I use in mysqldb if I use this same record in
"password"?

I am thinking:
|user           | password                       |
|[hidden email] | {CRYPT}$1$AvMW4io/$DDq  ....   |

maybe:
|user           | password                       |
|[hidden email] | $1$AvMW4io/$DDq  ....          |

or other?

I cannot change passwords - I must move all from openldap to mysql

--


Re: question about migration user from ldap to mysql

John Fawcett
On 12/10/2020 13:02, natan wrote:

> Hi
> I have all users in openldap. In openldap I have password crypt+base64
>
> after decoding base64 :
> {CRYPT}$1$AvMW4io/$DDq..................
>
> In postfix auth via saslauthd:
>
> cat /etc/saslauthd.conf
> ....
> ldap_auth_method: custom
> ldap_filter:
> (&(objectClass=qMailUser)(|(mail=%u%R)(mailAlternateAddress=%u%R)))
> ....
>
> cat /etc/sasl2/smtpd.conf
> ....
> pwcheck_method: saslauthd
> saslauthd_path: /run/saslauthd/mux
> mech_list: plain login
> log_level: 1
> ...
>
> all works fine
>
> I must migrate all from openldap to mysql 1:1 and I have a question:
>
> What "type auth" must I use in mysqldb if I use this same record in
> "password"?
>
> I am thinking:
> |user           | password                       |
> |[hidden email] | {CRYPT}$1$AvMW4io/$DDq  ....   |
>
> maybe:
> |user           | password                       |
> |[hidden email] | $1$AvMW4io/$DDq  ....          |
>
> or other?
>
> I cannot change passwords - I must move all from openldap to mysql
>
> --
>
Natan

If you want to continue using saslauthd you will need further
configuration to point it at mysql (for example pam_mysql), which has
its own set of configuration parameters for indicating the password
format. I can't tell you whether in that case you need to prefix the
passwords with the encryption type, but I guess not since there's a
parameter for selecting it.

You could also evaluate replacing saslauthd, which is an extra daemon
that needs to be running, and using the auxprop sasl method with the sql
plugin. In this case you'll need to put the encryption mechanism prefix,
for example {MD5-CRYPT}$1$AvMW4io/$DDq if those are indeed MD5 crypts as
I suspect.

John
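
The two candidate column values discussed in this thread, as an added example that is not part of any poster's message: it reads base64 userPassword values from an LDIF export and rewrites `{CRYPT}$1$...` either as the bare crypt string or with a scheme-named prefix such as `{MD5-CRYPT}`. The scheme names follow Dovecot's naming (an assumption about the target), the sample entries are constructed, and which form the SQL-backed verifier expects depends on its own configuration.

```python
import base64
import re

# Dovecot-style scheme names keyed by the modular-crypt id in "$id$salt$hash" (assumed target naming).
CRYPT_IDS = {"1": "MD5-CRYPT", "5": "SHA256-CRYPT", "6": "SHA512-CRYPT",
             "2a": "BLF-CRYPT", "2b": "BLF-CRYPT", "2y": "BLF-CRYPT"}

def parse_ldif(text):
    """Yield (mail, userPassword) per entry, decoding base64 'attr:: value' lines."""
    text = text.replace("\n ", "")  # undo LDIF line folding of long values
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            m = re.match(r"(\w+)(::?) ?(.*)", line)
            if m:
                name, sep, value = m.groups()
                entry[name] = base64.b64decode(value).decode() if sep == "::" else value
        yield entry.get("mail"), entry.get("userPassword")

def convert(stored, style="prefixed"):
    """Turn '{CRYPT}$1$...' into '$1$...' (bare) or '{MD5-CRYPT}$1$...' (prefixed)."""
    m = re.fullmatch(r"(?i:\{CRYPT\})(\$([0-9a-z]+)\$.+)", stored or "")
    if not m or m.group(2) not in CRYPT_IDS:
        raise ValueError("not a recognised {CRYPT} value")
    crypt_str, crypt_id = m.groups()
    return crypt_str if style == "bare" else "{%s}%s" % (CRYPT_IDS[crypt_id], crypt_str)

def migrate(ldif_text, style="prefixed"):
    """Return (rows for the SQL table, mails skipped because the hash is not crypt)."""
    rows, skipped = [], []
    for mail, stored in parse_ldif(ldif_text):
        try:
            rows.append((mail, convert(stored, style)))
        except ValueError:
            skipped.append(mail)  # e.g. {SSHA}: needs a different scheme, never guess
    return rows, skipped

def _entry(mail, stored):
    """Build one constructed LDIF entry with a base64 userPassword."""
    b64 = base64.b64encode(stored.encode()).decode()
    return "dn: mail=%s,ou=people,dc=example,dc=org\nmail: %s\nuserPassword:: %s" % (mail, mail, b64)

# Constructed sample data: placeholder salts and hash bodies, not real credentials.
SAMPLE = "\n\n".join([
    _entry("alice@example.org", "{CRYPT}$1$saltsalt$" + "A" * 22),
    _entry("bob@example.org", "{SSHA}" + "B" * 32),
])

if __name__ == "__main__":
    for style in ("bare", "prefixed"):
        print(style, migrate(SAMPLE, style))
```

Entries whose hash is not a crypt value are reported rather than converted, so they can be reviewed before the old directory is switched off.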



Re: question about migration user from ldap to mysql

natan
Hi
Thanks for the reply John - maybe it is better to change saslauthd to dovecot-auth?



Sent from my Mi MIX 2
John Fawcett <[hidden email]> wrote on 12 Oct 2020 17:41:




Re: question about migration user from ldap to mysql

John Fawcett
On 12/10/2020 18:07, natan wrote:
> Hi
> Thanks for the reply John - maybe it is better to change saslauthd to
> dovecot-auth?
>
>
For authenticating against dovecot you can use saslauthd to
authenticate against an imap server - can't say much about that as I've
never used it. Or you can have postfix authenticate against dovecot via
dovecot sasl. That has some advantages in reducing the amount of library
code brought in through cyrus sasl, so long as you don't have to use
cyrus sasl anyway for smtp client authentication to remote servers.

John