From: Julien Vehent on 18 May 2010 11:44

Hey guys,

I want to set up SASL authentication using LDAPDB, but it seems that
postfix connects to LDAP but doesn't send anything to it...

I try to authenticate using 'auth plain <base64>', and I receive:

535 5.7.8 Error: authentication failed: authentication failure

Connection to LDAP works fine at the network level, but the only thing that
postfix sends to Slapd (sniffed using tcpdump) is an "UNBIND" request.
Confirmed by the logs of slapd:

----
May 18 17:25:29 samchiel slapd[1431]: conn=35 fd=17 ACCEPT from IP=127.0.0.1:57368 (IP=127.0.0.1:389)
May 18 17:25:29 samchiel slapd[1431]: conn=35 op=0 UNBIND
May 18 17:25:29 samchiel slapd[1431]: conn=35 fd=17 closed
----

Postfix says the following:

----
May 18 17:25:29 samchiel postfix/smtpd[12094]: < localhost[127.0.0.1]: auth plain XXXXXXXXXXXXXXXXXXXXX
May 18 17:25:29 samchiel postfix/smtpd[12094]: xsasl_cyrus_server_first: sasl_method plain, init_response XXXXXXXXXXXXXXXXXXXXX
May 18 17:25:29 samchiel postfix/smtpd[12094]: xsasl_cyrus_server_first: decoded initial response
May 18 17:25:29 samchiel postfix/smtpd[12094]: warning: SASL authentication failure: Password verification failed
May 18 17:25:29 samchiel postfix/smtpd[12094]: warning: localhost[127.0.0.1]: SASL plain authentication failed: authentication failure
May 18 17:25:29 samchiel postfix/smtpd[12094]: > localhost[127.0.0.1]: 535 5.7.8 Error: authentication failed: authentication failure
----

So, I assumed there might be something wrong with my configuration.
Since I'm on Debian Squeeze (for testing purposes), I have a
/etc/postfix/sasl/smtpd.conf that contains the configuration of ldapdb:

----
# cat /etc/postfix/sasl/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: PLAIN LOGIN
ldapdb_uri: ldap://localhost
ldapdb_id: postfix
ldapdb_pw: ZZZZzzzzZZZZZZZ
ldapdb_mech: DIGEST-MD5 PLAIN LOGIN
----

and sasl directives in main.conf

----
# grep smtpd_sasl main.cf
smtpd_sasl_type = cyrus
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_authenticated_header = yes
----

Did I miss anything? Any clue on why postfix doesn't send anything but an
UNBIND request to LDAP?

Thanks,
Julien

From: Victor Duchovni on 18 May 2010 12:37

On Tue, May 18, 2010 at 05:44:43PM +0200, Julien Vehent wrote:

> I want to set up SASL authentication using LDAPDB, but it seems that
> postfix connects to LDAP but doesn't send anything to it...
>
> I try to authenticate using 'auth plain <base64>', and I receive :
>
> 535 5.7.8 Error: authentication failed: authentication failure

Is the LDAP library linked into Postfix compiled with Cyrus SASL support?
The "ldapdb" auxprop plugin needs an LDAP library that can do SASL binds.
If your LDAP library is not SASL (rather than simple bind) enabled, this
may not work.

Take a look at the "Notes LDAPDB auxprop options" section of:

http://www.sendmail.org/~ca/email/cyrus2/options.html

for additional LDAP server-side requirements.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.

From: Julien Vehent on 18 May 2010 13:47

On Tue, 18 May 2010 12:37:47 -0400, Victor Duchovni
<Victor.Duchovni(a)morganstanley.com> wrote:
> On Tue, May 18, 2010 at 05:44:43PM +0200, Julien Vehent wrote:
>
>> I want to set up SASL authentication using LDAPDB, but it seems that
>> postfix connects to LDAP but doesn't send anything to it...
>>
>> I try to authenticate using 'auth plain <base64>', and I receive :
>>
>> 535 5.7.8 Error: authentication failed: authentication failure
>
> Is the LDAP library linked into Postfix compiled with Cyrus SASL support?
> The "ldapdb" auxprop plugin needs an LDAP library that can do SASL binds.
> If your LDAP library is not SASL (rather than simple bind) enabled, this
> may not work.

I believe it is, since I see a connection to the LDAP server. ldd confirms it
too:

----
# ldd /usr/sbin/postfix
        linux-gate.so.1 => (0xb7788000)
        libpostfix-global.so.1 => /usr/lib/libpostfix-global.so.1 (0xb774b000)
        libpostfix-util.so.1 => /usr/lib/libpostfix-util.so.1 (0xb771e000)
        libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb76d3000)
        libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb757b000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7564000)
        libdb-4.7.so => /usr/lib/libdb-4.7.so (0xb740c000)
        libnsl.so.1 => /lib/i686/cmov/libnsl.so.1 (0xb73f5000)
        libresolv.so.2 => /lib/i686/cmov/libresolv.so.2 (0xb73df000)
        libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7298000)
        libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb7294000)
        libz.so.1 => /usr/lib/libz.so.1 (0xb7280000)
        libpthread.so.0 => /lib/i686/cmov/libpthread.so.0 (0xb7267000)
        /lib/ld-linux.so.2 (0xb7789000)
----

>
> Take a look at the "Notes LDAPDB auxprop options" section of:
>
> http://www.sendmail.org/~ca/email/cyrus2/options.html
>
> for additional LDAP server-side requirements.

The same directory is queried by cyrus-imapd using LDAPDB as well, and it
works fine. So I assume the configuration/mistake is postfix specific and
not in the LDAP conf.

Julien

From: Victor Duchovni on 18 May 2010 13:54

On Tue, May 18, 2010 at 07:47:12PM +0200, Julien Vehent wrote:

> > Is the LDAP library linked into Postfix compiled with Cyrus SASL support?
> > The "ldapdb" auxprop plugin needs an LDAP library that can do SASL binds.
> > If your LDAP library is not SASL (rather than simple bind) enabled, this
> > may not work.
>
> I believe it is, since I see connexion to the LDAP server. ldd confirms it
> too:
>
> ----
> # ldd /usr/sbin/postfix
> linux-gate.so.1 => (0xb7788000)
> libpostfix-global.so.1 => /usr/lib/libpostfix-global.so.1
> (0xb774b000)
> libpostfix-util.so.1 => /usr/lib/libpostfix-util.so.1 (0xb771e000)
> libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb76d3000)
> libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8
> (0xb757b000)
> libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7564000)
> libdb-4.7.so => /usr/lib/libdb-4.7.so (0xb740c000)
> libnsl.so.1 => /lib/i686/cmov/libnsl.so.1 (0xb73f5000)
> libresolv.so.2 => /lib/i686/cmov/libresolv.so.2 (0xb73df000)
> libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7298000)
> libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb7294000)
> libz.so.1 => /usr/lib/libz.so.1 (0xb7280000)
> libpthread.so.0 => /lib/i686/cmov/libpthread.so.0 (0xb7267000)
> /lib/ld-linux.so.2 (0xb7789000)

1. Your Postfix is not directly linked with LDAP at all, it looks like
   you are on a Debian system, and the LDAP table driver is dynamically
   loaded. So we don't know whether the LDAP library you are using has
   SASL support or not.

2. Mere TCP connection to the LDAP server does not prove support for
   LDAP SASL bind in the LDAP client.

You need to determine whether your LDAP library supports SASL. Running
"ldd" on Postfix binaries won't tell you that, you need to run "ldd"
on the LDAP library used by the dynamically loaded Postfix LDAP table driver
and also, on the SASL LDAP plugin.

> > Take a look at the "Notes LDAPDB auxprop options" section of:
> >
> > http://www.sendmail.org/~ca/email/cyrus2/options.html
> >
> > for additional LDAP server-side requirements.
>
> The same directory is queried by cyrus-imapd using LDAPDB as well, and it
> works fine. So I assume the configuration/mistake is postfix specific and
> not in the LDAP conf.

What is in the IMAP server SASL configuration file?

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.

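The check described in the message above, as an added example that is not part of the thread: for each dynamically loaded object given as an argument (the Postfix LDAP table driver, the SASL ldapdb plugin), resolve the libldap it uses and run ldd on that library itself. The function names and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): check whether the libldap that a
# dynamically loaded object resolves to is itself linked against libsasl2.
# ldd prints transitive dependencies, so libsasl2 in a plugin's own ldd
# output does not show which library pulled it in; inspect libldap directly.

# Print the resolved path of libldap / libldap_r from ldd output on stdin.
ldap_lib_path() {
    awk '$1 ~ /^libldap(_r)?[-.]/ && $2 == "=>" && $3 ~ /^\// { if (!n++) print $3 }'
}

# Succeed if the ldd output on stdin lists libsasl2.
lists_sasl() {
    grep 'libsasl2\.so' >/dev/null
}

# Check one object: find its libldap, then run ldd on that library.
check_object() {
    obj=$1
    [ -r "$obj" ] || { echo "$obj: not readable"; return 2; }
    lib=$(ldd "$obj" | ldap_lib_path)
    [ -n "$lib" ] || { echo "$obj: no libldap dependency found"; return 1; }
    if ldd "$lib" | lists_sasl; then
        echo "$obj: $lib lists libsasl2"
    else
        echo "$obj: $lib does NOT list libsasl2"
        return 1
    fi
}

# Constructed sample in ldd's output format, used when no paths are given.
SAMPLE_LDD='	libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0xb7879000)
	libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb769a000)'

if [ "$#" -gt 0 ]; then
    for obj in "$@"; do check_object "$obj"; done
else
    printf '%s\n' "$SAMPLE_LDD" | ldap_lib_path
fi
```
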
From: Julien Vehent on 19 May 2010 02:19

On Tue, 18 May 2010 13:54:51 -0400, Victor Duchovni
<Victor.Duchovni(a)morganstanley.com> wrote:
> On Tue, May 18, 2010 at 07:47:12PM +0200, Julien Vehent wrote:
>
>
> 1. Your Postfix is not directly linked with LDAP at all, it looks like
>    you are on a Debian system, and the LDAP table driver is dynamically
>    loaded. So we don't know whether the LDAP library you are using has
>    SASL support or not.
>
> 2. Mere TCP connection to the LDAP server does not prove support for
>    LDAP SASL bind in the LDAP client.
>
> You need to determine whether your LDAP library supports SASL. Running
> "ldd" on Postfix binaries won't tell you that, you need to run "ldd"
> on the LDAP library used by the dynamically loaded Postfix LDAP table
> driver
> and also, on the SASL LDAP plugin.
>

Alright. So 'postfix-ldap' package installs '/usr/lib/postfix/dict_ldap.so',
which is linked to libsasl2:

----
# ldd /usr/lib/postfix/dict_ldap.so
[...]
        libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0xb7879000)
[...]
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb769a000)
[...]
----

In '/usr/lib/sasl2' I also have 'libldapdb.so', which, I assume, is the
ldapdb driver, and this one is also linked to sasl:

----
# ldd libldapdb.so
[...]
        libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0xb7833000)
[...]
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb76b2000)
[...]
----

I don't know what else could possibly be called by postfix. Any hint is
most welcome.

>
> What is in the IMAP server SASL configuration file?

The following:

----
# grep -E "sasl|ldap" /etc/imapd.conf |grep -v "^#"
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_auto_transition: no
sasl_ldapdb_uri: ldap://localhost
sasl_ldapdb_id: cyrus
sasl_ldapdb_pw: zzzzZZZZZzzzzzZZZZ
----

Julien
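
An added example, not part of the thread: a side-by-side comparison of the two SASL option sets posted above, after stripping the "sasl_" prefix that imapd.conf puts on options it passes to libsasl2. The function names are made up for this example, the option values are copied from the thread, and the password values are constructed placeholders that the script redacts before printing.

```sh
#!/bin/sh
# Added example (not from the thread): compare the SASL options that
# Postfix (smtpd.conf) and Cyrus imapd (imapd.conf) hand to libsasl2.

# Normalise option text on stdin to sorted "key=value" lines. With a prefix
# (imapd.conf style), keep only prefixed keys and strip the prefix.
sasl_opts() {
    awk -v p="$1" '
        /^[ \t]*#/ { next }
        { i = index($0, ":"); if (!i) next
          k = substr($0, 1, i - 1); v = substr($0, i + 1)
          gsub(/[ \t]/, "", k); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
          if (p != "") { if (index(k, p) != 1) next; k = substr(k, length(p) + 1) }
          if (k ~ /_pw$/) v = "<redacted>"      # never echo bind passwords
          print k "=" v }' | LC_ALL=C sort
}

# Report keys present on one side only, or set to different values.
compare_sasl() {    # $1 = smtpd.conf text, $2 = imapd.conf text
    { printf '%s\n' "$1" | sasl_opts ""      | sed 's/^/A /'
      printf '%s\n' "$2" | sasl_opts "sasl_" | sed 's/^/B /'; } |
    awk '{ kv = substr($0, 3); i = index(kv, "="); k = substr(kv, 1, i - 1)
           v = substr(kv, i + 1); keys[k] = 1
           if ($1 == "A") a[k] = v; else b[k] = v }
         END { for (k in keys) {
                 if (!(k in b)) print "smtpd-only " k "=" a[k]
                 else if (!(k in a)) print "imapd-only " k "=" b[k]
                 else if (a[k] != b[k]) print "differs " k ": " a[k] " | " b[k] } }' |
    LC_ALL=C sort
}

# Options as posted in the thread; passwords are constructed placeholders.
SMTPD_CONF='pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: PLAIN LOGIN
ldapdb_uri: ldap://localhost
ldapdb_id: postfix
ldapdb_pw: PLACEHOLDER-1
ldapdb_mech: DIGEST-MD5 PLAIN LOGIN'
IMAPD_CONF='sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_auto_transition: no
sasl_ldapdb_uri: ldap://localhost
sasl_ldapdb_id: cyrus
sasl_ldapdb_pw: PLACEHOLDER-2'

compare_sasl "$SMTPD_CONF" "$IMAPD_CONF"
```

The output lists only the settings that differ between the working and the failing service, which narrows what is left to check on the Postfix side.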