Installation and Configuration
SUSE Linux Installation
eDirectory Installation (for stand-alone configuration)
Configuring saslauthd to Use LDAP Authentication
Configuring postfix to Use saslauthd
Testing saslauthd and postfix
Configuring IDM to Use your postfix MTA Service
As an IDM administrator deploying Novell Identity Manager, there are many times when you’ll want to have an e-mail server available for things such as events from IDM driver policies, password change notifications, or workflow events from the IDM user application. In many cases, however, whether the issue is political or technical, a company’s IS&T department may not allow access to the Enterprise mail server(s) by an outside entity.
Ideally, a secure mail relay should be available on the IDM server to allow authorized IDM UserApplication users to send e-mail when required. This AppNote describes how to install and configure the postfix smtpd mta agent as a secure e-mail relay with cyrus-sasl-saslauthd, using ldap authentication against eDirectory for smtp_auth.
This AppNote assumes a working knowledge of eDirectory and IDM. It also assumes that you have an existing IDM deployment that will be using the postfix mta service. If you want to configure a stand-alone postfix configuration that will not be doing ldap authentication against your IDM Identity Vault, you will have to install eDirectory on the system separately.
Install SLES 10 SP1 x86. For software pattern installation, be sure that cyrus-sasl, cyrus-sasl-saslauthd, and postfix are selected within the ‘Server Base System’ install pattern.
1. Download the eDirectory 8.8.2 iso from download.novell.com
2. su to root (‘su’ in console, enter root password)
3. Mount the eDirectory installation .iso as /media/cdrom (‘mount -t iso9660 -o loop eDir_882.iso /media/cdrom’)
4. cd into /media/cdrom (this may also be ‘/media/cdrom/eDirectory/setup’, depending on the eDirectory version) (‘cd /media/cdrom’)
5. Run ‘./nds-install’. Select options 1 and 2 for full eDirectory installation.
eDirectory installation is now complete. You can now configure your eDirectory tree using the eDirectory ndsconfig utility.
1. Set your system PATH for the nds binaries/libraries by issuing this command in the console:
Note that the command starts with “dot-space”.
2. Configure your eDirectory tree from the command line using ndsconfig. For example:
ndsconfig new -t MYTREE -a cn=admin.o=novell -n o=novell -S myserver -i -e -D /var/opt/novell/instance0 -d /var/opt/novell/instance0/data/dib -w password --config-file /var/opt/novell/nds0.conf
The ‘-i’ option ignores the duplicate tree lookup, and ‘-e’ enables clear-text LDAP passwords. If you want to keep the default secure LDAPS connection setting, omit the ‘-e’ switch and use either SSL or TLS to connect via LDAP.
You may also just use ‘ndsconfig new -i’ and enter options from the command line when prompted. The ‘-i’ option will skip the duplicate tree name lookup, which will fail if slp is not running. You may omit this option if you start the slpuasa service with ‘/etc/init.d/slpuasa start’.
3. Once eDirectory configuration is complete, you can verify that ndsd is up and running with ‘ndsstat’.
First, you need to set up saslauthd to authenticate against the LDAP server.
1. Open the runlevel editor (‘yast2 runlevel’).
2. Enable postfix and saslauthd so that they start at boot (the default will start them in runlevels 3 and 5).
3. Back up the /etc/sysconfig/saslauthd file:
cp /etc/sysconfig/saslauthd /etc/sysconfig/saslauthd.bak
4. Edit the file (vi /etc/sysconfig/saslauthd).
5. Change the ‘mechanisms’ line to read ‘SASLAUTHD_AUTHMECH=ldap’.
6. Add the following entry: ‘CONFIG_FILE="/etc/saslauthd.conf"’
7. Write the changes and quit.
8. Edit the /etc/saslauthd.conf file (vi /etc/saslauthd.conf).
Unlike other, less secure LDAP servers, eDirectory requires TLS by default. No problem.
9. Add this entry: ‘ldap_servers: ldaps://your.ldap.server:636/’
This entry is the LDAP server that you want saslauthd to do LDAP authentication against. This could be your IDM Identity Vault or another stand-alone LDAP server. Clear text will also work with ‘ldap://your.ldap.server/’ (port number optional).
10. Add this entry: ‘ldap_search_base: dc=example,dc=com’
This is the LDAP context where the users should exist for the LDAP bind operation. An example might be ‘o=novell’ or ‘ou=users,o=novell’. Omit this entry if you would like saslauthd to search the entire tree from the root.
11. Restart saslauthd (/etc/init.d/saslauthd restart).
12. Verify that saslauthd is using LDAP by running ‘ps -ef | grep saslauthd’. You should see entries that look like ‘/usr/sbin/saslauthd -a ldap’.
To enable postfix to use saslauthd,
1. Edit the /etc/postfix/main.cf file.
2. Change the ‘smtpd_sasl_auth_enable’ line to read ‘smtpd_sasl_auth_enable = yes’
3. Change the line ‘smtpd_recipient_restrictions=’ to include ‘permit_sasl_authenticated’
With the default settings it would look like this:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
4. Add the following lines:
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
5. Save changes to postfix main.cf
6. Restart postfix (/etc/init.d/postfix restart).
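To apply the saslauthd and postfix settings from the two sections above in one reviewable pass, here is an added shell script that is not part of the AppNote; it takes the file paths as parameters so you can run it against copies of the files before touching /etc, and the keys, values and SLES 10 file layout are the ones the sections above use.

```shell
#!/bin/sh
# Added example, not from the AppNote: apply the saslauthd and postfix settings
# from the sections above to config files passed as parameters, so the change
# can be reviewed on copies before the real files under /etc are edited.

# set_kv FILE KEY VALUE SEP: rewrite an existing "KEY=..." / "KEY: ..." line or
# append one. SEP is "=" for sysconfig, ": " for saslauthd.conf, " = " for main.cf.
set_kv() {
    file=$1 key=$2 value=$3 sep=$4
    if grep -q "^${key}[[:space:]]*[=:]" "$file"; then
        awk -v k="$key" -v v="$value" -v s="$sep" \
            '$0 ~ ("^" k "[[:space:]]*[=:]") { print k s v; next } { print }' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s%s%s\n' "$key" "$sep" "$value" >> "$file"
    fi
}

# The /etc/sysconfig/saslauthd and /etc/saslauthd.conf entries from the saslauthd section.
# $1 sysconfig file  $2 saslauthd.conf  $3 LDAP URI  $4 search base
configure_saslauthd() {
    set_kv "$1" SASLAUTHD_AUTHMECH ldap "="
    set_kv "$1" CONFIG_FILE "\"$2\"" "="
    set_kv "$2" ldap_servers "$3" ": "        # an ldaps:// URI keeps the bind off the wire in clear
    set_kv "$2" ldap_search_base "$4" ": "
}

# The main.cf changes from the postfix section. $1 is main.cf. permit_sasl_authenticated
# is inserted at the front of an existing restriction list (any position before the
# reject_* entries is equivalent); the AppNote's default line is written if none exists.
configure_postfix() {
    set_kv "$1" smtpd_sasl_auth_enable yes " = "
    if grep -q '^smtpd_recipient_restrictions' "$1"; then
        grep -q '^smtpd_recipient_restrictions.*permit_sasl_authenticated' "$1" || {
            sed 's/^\(smtpd_recipient_restrictions[^=]*=[[:space:]]*\)/\1permit_sasl_authenticated, /' \
                "$1" > "$1.tmp" && mv "$1.tmp" "$1"; }
    else
        set_kv "$1" smtpd_recipient_restrictions \
            "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination" " = "
    fi
    set_kv "$1" smtpd_sasl_security_options noanonymous " = "
    set_kv "$1" smtpd_sasl_local_domain "" " = "
    set_kv "$1" broken_sasl_auth_clients yes " = "
}
```

Running it a second time changes nothing, so it is safe to re-run after a manual edit; restart saslauthd and postfix afterwards as the sections above describe.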
1. To test saslauthd, use testsaslauthd:
testsaslauthd -u username -p password
If it’s working, you should see a message similar to this:
1.0: OK "Success."
2. To verify that postfix is expecting SMTP AUTH, confirm that postfix is running and has authentication enabled by telnetting to port 25 on the mail server (telnet mail.example.edu 25).
You should see something like this:
Trying 10.0.0.17...
Connected to mail.
Escape character is '^]'.
220 mail.example.edu ESMTP Postfix
3. Once the connection is made, type ‘ehlo localhost’. You will see something similar to this:
250-mail.example.edu
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
The ‘AUTH’ lines contain ‘LOGIN’, which shows that postfix is offering SMTP AUTH and will require a login before relaying mail for clients that are not in mynetworks. This will also be the authentication type if you are using a mail client.
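As an added check that is not part of the AppNote, the following script reads an EHLO response of the kind shown above, extracts the advertised AUTH mechanisms, and points out when LOGIN or PLAIN are offered without STARTTLS; the sample response is constructed from the output above, and the nc usage line assumes a reachable mail host.

```shell
#!/bin/sh
# Added example, not from the AppNote: inspect an EHLO response like the one in
# the ‘ehlo localhost’ step above. The response is read from stdin, so it can
# come from a saved telnet transcript or a live session piped through nc.

# auth_mechs: print the mechanism list from the "250-AUTH ..." line. The
# "250-AUTH=..." variant is the duplicate that broken_sasl_auth_clients adds for
# older clients, so it is deliberately not matched.
auth_mechs() {
    tr -d '\r' | sed -n 's/^250[- ]AUTH \(.*\)$/\1/p' | head -n 1
}

# check_ehlo: exit 0 when the server advertises SMTP AUTH (what the step above
# verifies), 1 otherwise. Also reports whether STARTTLS is offered, because LOGIN
# and PLAIN carry the password only base64-encoded and rely on TLS to protect it.
check_ehlo() {
    resp=$(tr -d '\r')
    mechs=$(printf '%s\n' "$resp" | auth_mechs)
    if [ -z "$mechs" ]; then
        echo "no AUTH advertised: smtpd_sasl_auth_enable is off or saslauthd is not reachable"
        return 1
    fi
    echo "AUTH mechanisms: $mechs"
    case " $mechs " in
        *" LOGIN "*|*" PLAIN "*)
            if printf '%s\n' "$resp" | grep -q '^250[- ]STARTTLS'; then
                echo "STARTTLS offered: plaintext mechanisms are usable over TLS"
            else
                echo "warning: LOGIN/PLAIN offered without STARTTLS; credentials cross the network in clear"
            fi ;;
    esac
    return 0
}

# Constructed sample matching the EHLO output shown above (CRLF as on the wire).
SAMPLE_EHLO=$(printf '250-mail.example.edu\r\n250-PIPELINING\r\n250-SIZE 31457280\r\n250-VRFY\r\n250-ETRN\r\n250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5\r\n250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5\r\n250 8BITMIME\r\n')

# Live use (assumed host): printf 'EHLO localhost\r\nQUIT\r\n' | nc mail.example.edu 25 | check_ehlo
printf '%s\n' "$SAMPLE_EHLO" | check_ehlo
```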
To configure your IDM deployment to use the postfix MTA as its mail relay,
1. Log in to your IDM deployment via iManager.
2. Select ‘Workflow Administration’ => ‘Email Server Options’.
3. Enter your postfix server’s IP address or host name.
4. Enter the ‘from’ address for emails sent by IDM or the UserApplication Portal.
5. Check the “Authenticate to server using credentials” checkbox.
6. Enter the user (rdn) of a user that exists in the ‘ldap_search_base:’ configured in the saslauthd.conf file (an example might be ‘admin’)
7. Enter the user’s password.
8. Click OK to apply your changes.
IDM should now be able to send e-mails through your postfix server.
If you would like to ‘see’ email being processed by the postfix mta, you can run this command:
'tail -f /var/log/mail.info'
You should now have a fairly secure postfix mta that your IDM deployment (or regular mail clients, for that matter) can use to relay e-mail messages.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.