Re: Postfix LDAP SASL with proxy user.
From: Jari Huuskonen (jshuuskonen@gmail.com)
Date: Wed May 03 2006 - 06:38:44 CDT
On 03/05/06, Jari Huuskonen <jshuuskonen@gmail.com> wrote:
>
> On 29/04/06, Andreas Winkelmann <ml@awinkelmann.de> wrote:
> >
> > On Friday 28 April 2006 07:07, Jari Huuskonen wrote:
> >
> > > Help needed.
> > >
> > > I have following packages installed
> > > openldap-2.3.21
> > > postfix-2.3-20060418
> > > cyrus-sasl-2.1.21
> > >
> > > supportedSASLMechanisms: DIGEST-MD5
> > >
> > > testsaslauthd -u mailtest@domain.com -p secret
> > > 0: OK "Success."
> >
> > If you want to use ldapdb, saslauthd is not invoked. So testing and
> > configuring is senseless.
>
>
> I'm using ldapdb, so the above test is needless. I misunderstood something in
> the manuals; thanks for the information.
>
>
>
> > > Problem:
> > >
> > > Postfix queries LDAP with the bind user successfully and works.
> > > But when I try to use Postfix with the SASL proxy user, the authentication
> > > process hangs forever and never ends; here is my configuration and logs.
> > > Note: users will be authenticated with their email addresses.
> > > emailAddr=username.
> > >
> > > /etc/saslauthd.conf
> >
> > ...
> >
> > >
> > > /usr/lib/sasl2/smtpd.conf
> > >
> > > pwcheck_method: auxprop
> > > auxprop_plugin: ldapdb
> > > mech_list: LOGIN PLAIN DIGEST-MD5 CRAM-MD5
> > > ldapdb_uri: ldap://127.0.0.1
> > > ldapdb_id: proxyuser
> > > ldapdb_pw: secret
> > > ldapdb_mech: DIGEST-MD5
> > > log_level: 7
> > >
> > > postfix ldap local recipients
> >
> > [...]
> >
> > > slapd.conf
> > >
> > > authz-policy to
> > >
> > > authz-regexp
> > > uid=(.*),cn=.*,cn=auth
> > > ldap:///dc=domain,dc=com??sub?(mail=$1)
> > > authz-regexp
> > > uid=(.*),cn=.*,cn=auth
> > > uid=$1,ou=users,dc=domain,dc=com
> > >
> > > The first regexp matches the ldapdb user, the second matches users
> > > who will be authenticated through the ldapdb proxy user,
> > > if I understand the manual correctly.
> >
> > I don't see a difference between the two patterns above. If they are
> > equal, only the first one that matches is used.
>
>
> That's correct, removed second regexp.
>
>
> > > and I have the proxyuser in the LDAP database with:
> > >
> > > authzTo: ldap:///ou=users,dc=domain,dc=com??sub?(objectClass=posixAccount)
> >
> > Hmm, I'm missing the policy in your slapd.conf. Check for the right
> > option (I have no 2.3.x installed). Maybe "authz-policy" must at least
> > be set to "to".
> >
> > > Here is what the logs show when trying to send mail from Outlook.
> >
> > [...]
> >
> > > Apr 28 08:04:25 mymachine slapd[10827]: slap_sasl_getdn: u:id converted to uid=proxyuser,cn=DIGEST-MD5,cn=auth
> > > Apr 28 08:04:25 mymachine slapd[10827]: >>> dnNormalize: <uid=proxyuser,cn=DIGEST-MD5,cn=auth>
> > > Apr 28 08:04:25 mymachine slapd[10827]: <<< dnNormalize: <uid=proxyuser,cn=digest-md5,cn=auth>
> > > Apr 28 08:04:25 mymachine slapd[10827]: ==>slap_sasl2dn: converting SASL name uid=proxyuser,cn=digest-md5,cn=auth to a DN
> > > Apr 28 08:04:25 mymachine slapd[10827]: slap_authz_regexp: converting SASL name uid=proxyuser,cn=digest-md5,cn=auth
> > > Apr 28 08:04:25 mymachine slapd[10827]: slap_authz_regexp: converted SASL name to ldap:///dc=domain,dc=com??sub?(mail=proxyuser)
> > > Apr 28 08:04:25 mymachine slapd[10827]: slap_parseURI: parsing ldap:///dc=domain,dc=com??sub?(mail=proxyuser)
> > > Apr 28 08:04:25 mymachine slapd[10827]: >>> dnNormalize: <dc=domain,dc=com>
> > > Apr 28 08:04:25 mymachine slapd[10827]: <<< dnNormalize: <dc=domain,dc=com>
> > > Apr 28 08:04:25 mymachine slapd[10827]: slap_sasl2dn: performing internal search (base=dc=domain,dc=com, scope=2)
> > > Apr 28 08:04:25 mymachine slapd[10827]: => bdb_search
> > > Apr 28 08:04:25 mymachine slapd[10827]: bdb_dn2entry("dc=domain,dc=com")
> > > Apr 28 08:04:25 mymachine slapd[10827]: search_candidates: base="dc=domain,dc=com" (0x00000001) scope=2
> > > Apr 28 08:04:25 mymachine slapd[10827]: => bdb_dn2idl("dc=domain,dc=com")
> > > Apr 28 08:04:25 mymachine slapd[10827]: => bdb_equality_candidates (objectClass)
> > > Apr 28 08:04:25 mymachine slapd[10827]: => key_read
> > > Apr 28 08:04:25 mymachine slapd[10827]: <= bdb_index_read: failed (-30990)
> > > Apr 28 08:04:25 mymachine slapd[10827]: <= bdb_equality_candidates: id=0, first=0, last=0
> > > Apr 28 08:04:25 mymachine slapd[10827]: => bdb_equality_candidates (mail)
> > > Apr 28 08:04:25 mymachine slapd[10827]: => key_read
> > > Apr 28 08:04:25 mymachine slapd[10827]: <= bdb_index_read 1 candidates
> > > Apr 28 08:04:25 mymachine slapd[10827]: <= bdb_equality_candidates: id=1, first=11, last=11
> > > Apr 28 08:04:25 mymachine slapd[10827]: bdb_search_candidates: id=1 first=11 last=11
> > > Apr 28 08:04:25 mymachine slapd[10827]: send_ldap_result: conn=3 op=1 p=3
> > > Apr 28 08:04:25 mymachine slapd[10827]: <==slap_sasl2dn: Converted SASL name to uid=proxyuser,ou=auth,dc=domain,dc=com
> > > Apr 28 08:04:25 mymachine slapd[10827]: slap_sasl_getdn: dn:id converted to uid=proxyuser,ou=auth,dc=domain,dc=com
> > >
> > > It seems that authzTo is never called; the regexp works, but authorization
> > > through the proxy user never starts.
> > > Can someone help me with this?
> >
> > Check for the policy option in your slapd.conf.
>
>
> Yep, I have "authz-policy to" in my slapd.conf, before the regexp, and still
> have the same problem; I can't figure out why authzTo is not called.
> Here is my proxy user ldif.
>
> dn: uid=ldapdb,ou=auth,dc=domain,dc=com
> sn: ldapdb
> cn: ldapdb
> givenName: ldapdb
> uid: ldapdb
> mail: ldapdb
> homeDirectory: /home/ldapdb
> maildrop: ldapdb
> description: Mail Bind Proxy User
> objectClass: inetOrgPerson
> objectClass: CourierMailAccount
> objectClass: CourierMailAlias
> userPassword: secret
>
> authzTo: ldap:///ou=users,dc=domain,dc=com??sub?(objectClass=posixAccount)
>
> /Jari Huuskonen
>
Sorry, the correct one is below; there is no difference except the proxy-user name.

dn: uid=proxyuser,ou=auth,dc=domain,dc=com
sn: proxyuser
cn: proxyuser
givenName: proxyuser
uid: proxyuser
mail: proxyuser
homeDirectory: /home/proxyuser
maildrop: proxyuser
description: Mail Bind Proxy User
objectClass: inetOrgPerson
objectClass: CourierMailAccount
objectClass: CourierMailAlias
userPassword: secret
authzTo: ldap:///ou=users,dc=domain,dc=com??sub?(objectClass=posixAccount)

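The two mechanisms the thread is wrestling with, authz-regexp (how slapd turns a SASL name such as uid=proxyuser,cn=digest-md5,cn=auth into a DN) and authz-policy "to" with an authzTo URI (which target DNs the proxy may then assume), are easier to reason about when the rules are run by hand. The script below is an added, offline simulation of those slapd semantics written for this archive page; it is neither slapd code nor anything the posters wrote, and the toy directory (a proxy user under ou=auth and one mail user, "alice", under ou=users) is a constructed assumption. It models only URI and dn:/dn.exact: authzTo values and simple equality filters, and not authzFrom or the "from"/"any" policies. One thing it makes visible: authzTo is only consulted after both the authenticating identity and an asserted target identity have been mapped to DNs; mapping the proxy's own name, which is all the quoted log shows, happens before that step.

```python
import re

# Constructed toy directory (assumption, not data from the thread).
# Keys are stored already normalized: lower-cased, no spaces after commas.
DIRECTORY = {
    "uid=proxyuser,ou=auth,dc=domain,dc=com": {
        "uid": ["proxyuser"],
        "mail": ["proxyuser"],
        "objectClass": ["inetOrgPerson"],
        # authz-policy "to": the binding identity lists whom it may act as.
        "authzTo": ["ldap:///ou=users,dc=domain,dc=com??sub?(objectClass=posixAccount)"],
    },
    "uid=alice,ou=users,dc=domain,dc=com": {
        "uid": ["alice"],
        "mail": ["alice@domain.com"],
        "objectClass": ["inetOrgPerson", "posixAccount"],
    },
}

# The authz-regexp rule from the post. slapd tries rules in order and uses
# the first whose pattern matches, so a second rule with the same pattern
# can never fire.
AUTHZ_REGEXP = [
    (r"uid=(.*),cn=.*,cn=auth", r"ldap:///dc=domain,dc=com??sub?(mail=\1)"),
]

def normalize_dn(dn):
    """Crude stand-in for dnNormalize: lower-case and strip RDN whitespace."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def get_attr(entry, name):
    """LDAP attribute names are case-insensitive."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])

def parse_ldap_uri(uri):
    """Split ldap:///base?attrs?scope?filter (RFC 4516) into base, scope, filter."""
    m = re.fullmatch(r"ldap:///([^?]*)\?([^?]*)\?([^?]*)\?(.*)", uri)
    if not m:
        raise ValueError("unsupported LDAP URI: %s" % uri)
    base, _attrs, scope, flt = m.groups()
    return normalize_dn(base), (scope or "base").lower(), flt or "(objectClass=*)"

def dn_in_scope(dn, base, scope):
    dn, base = normalize_dn(dn), normalize_dn(base)
    if scope == "base":
        return dn == base
    if scope == "one":  # exactly one RDN below base (escaped commas not handled)
        return dn.endswith("," + base) and "," not in dn[: -(len(base) + 1)]
    if scope in ("sub", "subtree"):
        return dn == base or dn.endswith("," + base)
    raise ValueError("unknown scope: %s" % scope)

def matches_filter(entry, flt):
    """Only simple equality filters and (attr=*) presence filters are supported."""
    m = re.fullmatch(r"\(([A-Za-z][\w;-]*)=([^)]*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: %s" % flt)
    attr, value = m.groups()
    values = get_attr(entry, attr)
    return bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)

def search(base, scope, flt):
    return [dn for dn, e in DIRECTORY.items() if dn_in_scope(dn, base, scope) and matches_filter(e, flt)]

def sasl_to_dn(sasl_name):
    """slap_sasl2dn: map uid=...,cn=<mech>,cn=auth to a DN via authz-regexp.
    A URI result is searched and must yield exactly one entry, otherwise the
    SASL name maps to no DN."""
    name = normalize_dn(sasl_name)
    for pattern, repl in AUTHZ_REGEXP:
        m = re.fullmatch(pattern, name, re.IGNORECASE)
        if not m:
            continue
        result = m.expand(repl)
        if result.lower().startswith("ldap:///"):
            hits = search(*parse_ldap_uri(result))
            return normalize_dn(hits[0]) if len(hits) == 1 else None
        return normalize_dn(result)
    return None

def authorize_proxy(authc_dn, target_dn, policy="to"):
    """authz-policy "to": may authc_dn assume target_dn? Decided by the authzTo
    values on the authenticating entry."""
    if policy != "to":
        return False
    entry = DIRECTORY.get(normalize_dn(authc_dn))
    if entry is None:
        return False
    target = normalize_dn(target_dn)
    for rule in get_attr(entry, "authzTo"):
        low = rule.lower()
        if low.startswith("ldap:///"):
            if target in map(normalize_dn, search(*parse_ldap_uri(rule))):
                return True
        elif low.startswith("dn:") or low.startswith("dn.exact:"):
            if normalize_dn(rule.split(":", 1)[1]) == target:
                return True
    return False

def proxy_bind(authcid_sasl, authzid_sasl, policy="to"):
    """End to end: the proxy binds as authcid and asserts the mail user as
    authzid. Returns the effective DN, or None if mapping or authorization fails."""
    authc_dn = sasl_to_dn(authcid_sasl)
    target_dn = sasl_to_dn(authzid_sasl)
    if authc_dn is None or target_dn is None:
        return None
    return target_dn if authorize_proxy(authc_dn, target_dn, policy) else None

if __name__ == "__main__":
    proxy = "uid=proxyuser,cn=DIGEST-MD5,cn=auth"
    print(sasl_to_dn(proxy))
    print(proxy_bind(proxy, "uid=alice@domain.com,cn=DIGEST-MD5,cn=auth"))
    print(proxy_bind(proxy, proxy))
```

Running it reproduces the first half of the quoted log (the proxy's SASL name becomes uid=proxyuser,ou=auth,dc=domain,dc=com through the (mail=proxyuser) search) and then shows the second half that the log never reaches: alice's SASL name maps to her DN under ou=users, and the proxy's authzTo URI admits it because the DN lies under the URI's base and carries objectClass posixAccount. Asking the proxy to assume itself, or an address with no entry, yields None, as does switching the policy away from "to".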