Hi,

Is there a reason *not* to enable SASL binds in postfix-ldap? After all, dict_ldap.so is linked against libsasl and OpenLDAP's libldap, which does support SASL binds. Furthermore, ldap_table(5) and /usr/share/doc/postfix/LDAP_README.gz already mention SASL binds (OK it's written that their availability depends on Postfix being compiled with -DUSE_LDAP_SASL, but I guess I wasn't the only one confused by the manpage).

A neat use case for SASL binds is that it allows one to easily restrict access to the LDAP directory to the ‘postfix’ user only, without the hassle inherent to passwords:

    server_host = ldapi://%2Fprivate%2Fldapi/
    bind = sasl
    sasl_mechs = EXTERNAL

(Assuming an LDAPI socket in Postfix's chroot, and the proper …,cn=peercred,cn=external,cn=auth ACLs on the LDAP directory.)

Would be great to have that available in jessie :-)

Thanks!
-- 
Guilhem.