> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Paul Cocker
> Sent: Thursday, 9 October 2008 12:38 AM
> To: postfix-users@postfix.org
> Subject: LDAP_STRONG_AUTH_REQUIRED
>
> The postfix HOWTO links to
> http://www-personal.umich.edu/~malth/gaptuning/postfix/ which
> has a script for contacting Active Directory and grabbing an
> up to date list of e-mail addresses. Very handy.
>
> Alas, upon attempting to use it I receive the error
> LDAP_STRONG_AUTH_REQUIRED, due to Active Directory at our
> site being set up to require LDAP signing. Changing the script
> is outside my abilities, so I'm hoping someone else might
> have followed the same process and hit this stumbling block first.
>
> Any advice beyond reducing LDAP signing to 'Negotiate' is welcome.
>
> Paul Cocker
>
It might be easier to do it the other way round (exporting from the Windows domain to Postfix) with that configuration. But I'll put some info here in case anyone is bored one day.

Net::LDAP actually does have a SASL authentication mechanism built in. I can't be bothered seeing how to plug it into the script, but the connection string could be changed to something similar to what follows:

    use Net::LDAP;
    use Authen::SASL;

    # Connect to the directory server over LDAPv3
    $ldap = Net::LDAP->new("ldap.example.com", port => 389, version => 3);

    # SASL DIGEST-MD5 credentials, used in place of a simple bind
    $sasl = Authen::SASL->new(
        mechanism => "DIGEST-MD5",
        callback  => {
            pass => "secret",
            user => "[EMAIL PROTECTED]",
        }
    );

    $res = $ldap->bind(sasl => $sasl);

DIGEST-MD5 only works on 2003 and up AD domains. If you have a 2000 domain, you can try running ldapsearch to verify the auth methods:

    ldapsearch -h <DC> -s base -b "" supportedSASLMechanisms
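
The two steps from the reply above (reading supportedSASLMechanisms, then binding with SASL) combined into one script with result checking. This is an added example, not part of the original message or the linked script. The LDAP_HOST, LDAP_USER and LDAP_PASS environment variables are assumptions chosen here so the password stays out of the script file.

```perl
#!/usr/bin/perl
# Added example: check the server's advertised SASL mechanisms, then bind.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_STRONG_AUTH_REQUIRED);
use Authen::SASL;

# Assumed environment variables (not from the thread).
my $host = $ENV{LDAP_HOST} or die "set LDAP_HOST to a domain controller\n";
my $user = $ENV{LDAP_USER} or die "set LDAP_USER\n";
my $pass = $ENV{LDAP_PASS} or die "set LDAP_PASS\n";
my $mech = "DIGEST-MD5";

my $ldap = Net::LDAP->new($host, port => 389, version => 3)
    or die "connect to $host failed: $@\n";

# Same query as the ldapsearch command: read supportedSASLMechanisms
# from the root DSE before attempting the bind.
my $dse = $ldap->root_dse(attrs => ['supportedSASLMechanisms'])
    or die "could not read root DSE from $host\n";
my @offered = $dse->get_value('supportedSASLMechanisms');
print "server offers: @offered\n";
die "$host does not advertise $mech\n"
    unless $dse->supported_sasl_mechanism($mech);

my $sasl = Authen::SASL->new(
    mechanism => $mech,
    callback  => { user => $user, pass => $pass },
);
my $res = $ldap->bind(sasl => $sasl);

if ($res->code == LDAP_SUCCESS) {
    print "SASL bind succeeded as $user\n";
} elsif ($res->code == LDAP_STRONG_AUTH_REQUIRED) {
    # Same result code as in the original question.
    die "bind rejected, stronger auth still required: ", $res->error, "\n";
} else {
    die "bind failed: ", $res->error_name, ": ", $res->error, "\n";
}
$ldap->unbind;
```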