
Re: Postfix 2.0.16 CRAM/DIGEST-MD5 SMTP AUTH



On Thu, 9 Oct 2003, Tony Earnshaw wrote:

> postfix-2.0.16-20030921 linked against Cyrus SASL
> Cyrus SASL 2.1.15
> Openldap 2.1.22 linked against Cyrus SASL
> ldapdb auxprop 1.9
>
> Aim: Openldap-based CRAM/DIGEST smtp AUTH using 100% Openldap/Cyrus SASL
> stuff.
>
> Problem: Can't authenticate with ldapdb auxprop 1.9, *can* authenticate
> with the ldapdb auxprop ldapdb.c in the contrib directory of the
> Openldap 2.1.22 source tarball. But, the advice was to use the latest
> CVS code for the ldapdb auxprop, which also includes the starttls code
> (thanks, Howard :).
>
> Anyone any idea why?
>
> --Tonni
> ________________________________________________________________________
>
> /usr/lib/sasl2/smtpd.conf:
>
> ldapdb_uri: ldap://
> ldapdb_id: admin
> ldapdb_pw: adminpassword
> ldapdb_starttls: demand
> ldapdb_mech: cram-md5

You cannot use cram-md5, it does not support proxy authorization.  Use
PLAIN or DIGEST-MD5.

>
> Tail -f /var/log/slapd.log (relevant lines):
>
> Oct  9 15:36:42 billy slapd[28787]: conn=2 fd=21 ACCEPT from
> IP=127.0.0.1:40661 (IP=0.0.0.0:389)
> Oct  9 15:36:42 billy slapd[28792]: conn=2 op=1 BIND dn="" method=163
> Oct  9 15:36:42 billy slapd[28792]: conn=2 op=2 BIND dn="" method=163
> Oct  9 15:36:42 billy slapd[28792]: conn=2 op=2 BIND authcid="admin"
> Oct  9 15:36:42 billy slapd[28792]: conn=2 op=2 BIND
> dn="cn=admin,dc=billy,dc=demon,dc=nl" mech=CRAM-MD5 ssf=0
> Oct  9 15:36:42 billy slapd[28792]: conn=2 op=3 RESULT tag=120 err=47
> text=not authorized to assume identity
> Oct  9 15:36:42 billy slapd[28792]: do_extended: get_ctrls failed
> Oct  9 15:36:42 billy slapd[28792]: conn=2 op=4 UNBIND
>
> /usr/local/etc/openldap/slapd.conf:
>
> sasl-regexp uid=(.*),cn=cram-md5,cn=auth
> "ldap:///dc=billy,dc=demon,dc=nl??sub?uid=$1";
> sasl-regexp uid=(.*),cn=digest-md5,cn=auth
> "ldap:///dc=billy,dc=demon,dc=nl??sub?uid=$1";
>

You can make this one regex:

sasl-regexp uid=(.*),cn=.*,cn=auth
  "ldap:///dc=billy,dc=demon,dc=nl??sub?uid=$1";

> ldapsearch  -ZZ -Y cram-md5 -U admin -H ldap:/// -w adminpassword
> 'uid=tonni'
>

Make sure the following works:

ldapsearch -ZZ -Y digest-md5 -U admin -X u:tonni -H ldap:/// -w adminpassword 'objectclass=*' dn


> Tail -f /var/log/slapd.log (relevant lines):
>
> Oct  9 15:52:40 billy slapd[28899]: conn=5 fd=13 ACCEPT from
> IP=127.0.0.1:40677 (IP=0.0.0.0:389)
> Oct  9 15:52:40 billy slapd[28905]: conn=5 op=1 BIND dn="" method=163
> Oct  9 15:52:40 billy slapd[28905]: conn=5 op=2 BIND dn="" method=163
> Oct  9 15:52:40 billy slapd[28905]: conn=5 op=2 BIND authcid="admin"
> Oct  9 15:52:40 billy slapd[28905]: conn=5 op=2 BIND
> dn="cn=admin,dc=billy,dc=demon,dc=nl" mech=CRAM-MD5 ssf=0
> Oct  9 15:52:40 billy slapd[28905]: conn=5 op=3 SRCH
> base="dc=billy,dc=demon,dc=nl" scope=2 filter="(uid=tonni)"
> Oct  9 15:52:40 billy slapd[28905]: conn=5 op=3 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Oct  9 15:52:40 billy slapd[28905]: conn=5 op=4 UNBIND
>
> --Tonni
>
>

-- 
Igor
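As an added example, not part of Igor's reply or Tonni's post, this Python sketch shows the two points above in code: a SASL PLAIN response carries an authorization identity, while a CRAM-MD5 response has no field for one, so a proxied bind has no identity to assume; and the single sasl-regexp line maps both the cram-md5 and digest-md5 authcid forms to the same search URL. The encodings follow RFC 4616 (PLAIN) and RFC 2195 (CRAM-MD5); the search base dc=billy,dc=demon,dc=nl is the one from the posted slapd.conf, and modelling slapd's regexp matching with Python's re module is an assumption.

```python
import hashlib
import hmac
import re
from typing import Optional


def plain_response(authcid: str, password: str, authzid: str = "") -> bytes:
    """SASL PLAIN initial response (RFC 4616): [authzid] NUL authcid NUL passwd.

    The optional first field is the proxy authorization identity."""
    return authzid.encode() + b"\0" + authcid.encode() + b"\0" + password.encode()


def cram_md5_response(challenge: bytes, authcid: str, password: str) -> bytes:
    """SASL CRAM-MD5 client response (RFC 2195): authcid SP hex(HMAC-MD5(password, challenge)).

    There is no third field: the protocol only names the authenticating user."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return authcid.encode() + b" " + digest.encode()


def authzid_of(mech: str, response: bytes) -> Optional[str]:
    """Return the authorization identity a client response carries, or None."""
    if mech == "PLAIN":
        authzid, _authcid, _password = response.split(b"\0", 2)
        return authzid.decode() or None
    if mech == "CRAM-MD5":
        # "<authcid> <digest>" only: nowhere to name another identity, which is
        # why a CRAM-MD5 bind that tries to proxy fails with "not authorized to
        # assume identity" in the posted slapd log.
        return None
    raise ValueError(f"unsupported mechanism {mech}")


# The single sasl-regexp suggested in the reply, modelled as a Python regex
# (assumption: slapd matches the whole SASL-derived DN string).
SASL_REGEXP = re.compile(r"^uid=(.*),cn=.*,cn=auth$")


def map_sasl_authcid(sasl_dn: str, base: str = "dc=billy,dc=demon,dc=nl") -> Optional[str]:
    """Rewrite uid=<x>,cn=<mech>,cn=auth into the search URL slapd would use."""
    m = SASL_REGEXP.match(sasl_dn)
    if not m:
        return None
    return f"ldap:///{base}??sub?uid={m.group(1)}"
```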