Re: Postfix LDAP SASL with proxy user.

From: Jari Huuskonen (jshuuskonengmail.com)
Date: Wed May 03 2006 - 06:32:55 CDT


On 29/04/06, Andreas Winkelmann <mlawinkelmann.de> wrote:
>
> On Friday 28 April 2006 07:07, Jari Huuskonen wrote:
>
> > Help needed.
> >
> > I have following packages installed
> > openldap-2.3.21
> > postfix-2.3-20060418
> > cyrus-sasl-2.1.21
> >
> > supportedSASLMechanisms: DIGEST-MD5
> >
> > testsaslauthd -u mailtestdomain.com -p secret
> > 0: OK "Success."
>
> If you want to use ldapdb, saslauthd is not invoked. So testing and
> configuring is senseless.

I'm using ldapdb, so the above test is needless. I misunderstood something in
the manuals; thanks for the information.

> > Problem:
> >
> > postfix queries from ldap with the bind user successfully and works.
> > But when I try to use postfix with the sasl proxy user, the authentication
> > process hangs forever and never ends; here is my configuration and logs.
> > Note: users will be authenticated with their email addresses.
> > emailAddr=username.
> >
> > /etc/saslauthd.conf
>
> ...
>
> >
> > /usr/lib/sasl2/smtpd.conf
> >
> > pwcheck_method: auxprop
> > auxprop_plugin: ldapdb
> > mech_list: LOGIN PLAIN DIGEST-MD5 CRAM-MD5
> > ldapdb_uri: ldap://127.0.0.1
> > ldapdb_id: proxyuser
> > ldapdb_pw: secret
> > ldapdb_mech: DIGEST-MD5
> > log_level: 7
> >
> > postfix ldap local recipients
>
> [...]
>
> > slapd.conf
> >
> > authz-policy to
> >
> > authz-regexp
> > uid=(.*),cn=.*,cn=auth
> > ldap:///dc=domain,dc=com??sub?(mail=$1)
> > authz-regexp
> > uid=(.*),cn=.*,cn=auth
> > uid=$1,ou=users,dc=domain,dc=com
> >
> > The first regexp matches the ldapdb user, the second matches the users
> > which will be authenticated through the ldapdb proxy user,
> > if I understand the manual correctly.
>
> I don't see a difference between the two patterns above. If they are equal,
> only the first that matches is used.

That's correct, removed second regexp.

> > and I have the proxyuser in the LDAP database with:
> >
> > authzTo: ldap:///ou=users,dc=domain,dc=com??sub?(objectClass=posixAccount)
>
> Hmm, I'm missing the policy in your slapd.conf. Check for the right option
> (I have no 2.3.x installed). Maybe "authz-policy" must be set to "to" at
> least.
>
> > Here is what logs shows when trying to send mail from outlook.
>
> [...]
>
> > Apr 28 08:04:25 mymachine slapd[10827]: slap_sasl_getdn: u:id converted to uid=proxyuser,cn=DIGEST-MD5,cn=auth
> > Apr 28 08:04:25 mymachine slapd[10827]: >>> dnNormalize: <uid=proxyuser,cn=DIGEST-MD5,cn=auth>
> > Apr 28 08:04:25 mymachine slapd[10827]: <<< dnNormalize: <uid=proxyuser,cn=digest-md5,cn=auth>
> > Apr 28 08:04:25 mymachine slapd[10827]: ==>slap_sasl2dn: converting SASL name uid=proxyuser,cn=digest-md5,cn=auth to a DN
> > Apr 28 08:04:25 mymachine slapd[10827]: slap_authz_regexp: converting SASL name uid=proxyuser,cn=digest-md5,cn=auth
> > Apr 28 08:04:25 mymachine slapd[10827]: slap_authz_regexp: converted SASL name to ldap:///dc=domain,dc=com??sub?(mail=proxyuser)
> > Apr 28 08:04:25 mymachine slapd[10827]: slap_parseURI: parsing ldap:///dc=domain,dc=com??sub?(mail=proxyuser)
> > Apr 28 08:04:25 mymachine slapd[10827]: >>> dnNormalize: <dc=domain,dc=com>
> > Apr 28 08:04:25 mymachine slapd[10827]: <<< dnNormalize: <dc=domain,dc=com>
> > Apr 28 08:04:25 mymachine slapd[10827]: slap_sasl2dn: performing internal search (base=dc=domain,dc=com, scope=2)
> > Apr 28 08:04:25 mymachine slapd[10827]: => bdb_search
> > Apr 28 08:04:25 mymachine slapd[10827]: bdb_dn2entry("dc=domain,dc=com")
> > Apr 28 08:04:25 mymachine slapd[10827]: search_candidates: base="dc=domain,dc=com" (0x00000001) scope=2
> > Apr 28 08:04:25 mymachine slapd[10827]: => bdb_dn2idl("dc=domain,dc=com")
> > Apr 28 08:04:25 mymachine slapd[10827]: => bdb_equality_candidates (objectClass)
> > Apr 28 08:04:25 mymachine slapd[10827]: => key_read
> > Apr 28 08:04:25 mymachine slapd[10827]: <= bdb_index_read: failed (-30990)
> > Apr 28 08:04:25 mymachine slapd[10827]: <= bdb_equality_candidates: id=0, first=0, last=0
> > Apr 28 08:04:25 mymachine slapd[10827]: => bdb_equality_candidates (mail)
> > Apr 28 08:04:25 mymachine slapd[10827]: => key_read
> > Apr 28 08:04:25 mymachine slapd[10827]: <= bdb_index_read 1 candidates
> > Apr 28 08:04:25 mymachine slapd[10827]: <= bdb_equality_candidates: id=1, first=11, last=11
> > Apr 28 08:04:25 mymachine slapd[10827]: bdb_search_candidates: id=1 first=11 last=11
> > Apr 28 08:04:25 mymachine slapd[10827]: send_ldap_result: conn=3 op=1 p=3
> > Apr 28 08:04:25 mymachine slapd[10827]: <==slap_sasl2dn: Converted SASL name to uid=proxyuser,ou=auth,dc=domain,dc=com
> > Apr 28 08:04:25 mymachine slapd[10827]: slap_sasl_getdn: dn:id converted to uid=proxyuser,ou=auth,dc=domain,dc=com
> >
> > It seems that authzTo is never called; the regexp works, but authorization
> > through the proxy user never starts.
> > Can someone help me with this?
>
> Check for the Policy-Option in your slapd.conf.

Yep, I have authz-policy to
in my slapd.conf, before the regexp, and I'm still having the same problem;
I can't figure out why authzTo is not called.
Here is my proxy user LDIF.

dn: uid=ldapdb,ou=auth,dc=domain,dc=com
sn: ldapdb
cn: ldapdb
givenName: ldapdb
uid: ldapdb
mail: ldapdb
homeDirectory: /home/ldapdb
maildrop: ldapdb
description: Mail Bind Proxy User
objectClass: inetOrgPerson
objectClass: CourierMailAccount
objectClass: CourierMailAlias
userPassword: secret
authzTo: ldap:///ou=users,dc=domain,dc=com??sub?(objectClass=posixAccount)

/Jari Huuskonen
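The mapping chain visible in the slapd log above (SASL name -> authz-regexp -> LDAP URI -> internal search -> DN) and the "only the first matching authz-regexp is used" point from the reply can be reproduced offline with a small model. The following is an added example, not OpenLDAP code and not part of the thread: it re-implements, in simplified form, how slapd turns a SASL authentication identity into a DN with the thread's two authz-regexp rules, and how "authz-policy to" would then consult the proxy entry's authzTo URI when a client presents an authorization identity. The in-memory directory, the user entries alice and bob, and the proxy name proxyuser (taken from smtpd.conf and the log rather than the ldapdb LDIF) are constructed assumptions; only equality filters, sub/one/base scopes and the LDAP-URI or dn: forms of authzTo are modelled.

```python
"""Added example: simplified model of slapd's authz-regexp mapping and the
"authz-policy to" / authzTo check.  Not OpenLDAP code; all data is constructed."""
import re

# Constructed sample directory (DN -> attributes).  The proxy entry mirrors the
# configuration quoted in the thread; alice and bob are assumptions.
DIRECTORY = {
    "uid=proxyuser,ou=auth,dc=domain,dc=com": {
        "mail": ["proxyuser"],
        "objectClass": ["inetOrgPerson"],
        "authzTo": ["ldap:///ou=users,dc=domain,dc=com??sub?(objectClass=posixAccount)"],
    },
    "uid=alice,ou=users,dc=domain,dc=com": {
        "mail": ["alice@domain.com"],
        "objectClass": ["posixAccount"],
    },
    # bob sits outside ou=users, so the proxy's authzTo URI does not cover him
    "uid=bob,ou=staff,dc=domain,dc=com": {
        "mail": ["bob@domain.com"],
        "objectClass": ["posixAccount"],
    },
}

# (pattern, replacement) pairs in slapd.conf order: the thread's two rules
AUTHZ_REGEXPS = [
    (r"uid=(.*),cn=.*,cn=auth", "ldap:///dc=domain,dc=com??sub?(mail=$1)"),
    (r"uid=(.*),cn=.*,cn=auth", "uid=$1,ou=users,dc=domain,dc=com"),
]


def parse_ldap_uri(uri):
    """Split ldap:///base?attrs?scope?filter into (base, scope, filter)."""
    m = re.fullmatch(r"ldap:///([^?]*)\?([^?]*)\?([^?]*)\?(.*)", uri)
    if not m:
        raise ValueError("unsupported URI: " + uri)
    base, _attrs, scope, filt = m.groups()
    return base, (scope or "base"), filt


def dn_in_scope(dn, base, scope):
    """Case-insensitive base/one/sub scope test on string-form DNs."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    rdns = dn[: -len(base) - 1]            # RDNs below the base
    return scope == "sub" or "," not in rdns  # "one": exactly one RDN below


def match_filter(entry, filt):
    """Only simple equality filters such as (mail=x) are modelled."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    attr, value = m.groups()
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def search(uri):
    """Internal search over the constructed directory; returns matching DNs."""
    base, scope, filt = parse_ldap_uri(uri)
    return [dn for dn, entry in DIRECTORY.items()
            if dn_in_scope(dn, base, scope) and match_filter(entry, filt)]


def sasl_to_dn(sasl_id, rules=AUTHZ_REGEXPS):
    """Return (dn, index_of_rule_used).  Only the FIRST matching authz-regexp is
    applied; a URI-form replacement must yield exactly one entry or the mapping
    fails (dn is None)."""
    for idx, (pattern, replacement) in enumerate(rules):
        m = re.fullmatch(pattern, sasl_id)
        if not m:
            continue
        target = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
        if target.startswith("ldap:///"):
            hits = search(target)
            return (hits[0] if len(hits) == 1 else None), idx
        return target, idx
    return None, None


def may_proxy(authc_dn, authz_dn):
    """authz-policy to: the authenticated entry's authzTo must cover the target
    DN.  Modelled value forms: an LDAP URI or "dn:<dn>"."""
    for rule in DIRECTORY.get(authc_dn, {}).get("authzTo", []):
        if rule.startswith("ldap:///"):
            if authz_dn.lower() in [d.lower() for d in search(rule)]:
                return True
        elif rule.lower().startswith("dn:") and rule[3:].lower() == authz_dn.lower():
            return True
    return False


def proxy_auth(authc_id, authz_id, mech="digest-md5"):
    """Whole flow: map authcid and authzid to DNs (slapd builds the SASL name as
    uid=<id>,cn=<mech>,cn=auth, as in the log), then apply the authzTo check.
    Returns the effective DN or None."""
    authc_dn, _ = sasl_to_dn(f"uid={authc_id},cn={mech},cn=auth")
    authz_dn, _ = sasl_to_dn(f"uid={authz_id},cn={mech},cn=auth")
    if authc_dn is None or authz_dn is None:
        return None
    return authz_dn if may_proxy(authc_dn, authz_dn) else None


if __name__ == "__main__":
    print(sasl_to_dn("uid=proxyuser,cn=digest-md5,cn=auth"))
    print(proxy_auth("proxyuser", "alice@domain.com"))
    print(proxy_auth("proxyuser", "bob@domain.com"))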