
RE: Postfix 2.0.16 CRAM/DIGEST-MD5 SMTP AUTH



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Tony Earnshaw

> Howard Chu wrote:
> > No..... The regexp is fine, your "admin" user doesn't have proxy
> > authorization privileges.
> >
> > Try using ldapwhoami, you'll see that your setup (without
> > the regexp $1) is now incorrect.
> >   ldapwhoami  -ZZ -Y digest-md5 -U admin -X u:tonni -H ldap:///
>
> Hmmm ... that admin proxy is one of two I've used since day one of
> Openldap, just about. He works for everything - pam_ldap, Exim, SASL
> 2.1.13, name it.

> with:
>
> sasl-regexp uid=(.*),cn=.*,cn=auth
> "ldap:///dc=billy,dc=demon,dc=nl??sub?uid=admin";
>
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> SASL username: u:tonni
> SASL SSF: 128
> SASL installing layers
> dn:cn=admin,dc=billy,dc=demon,dc=nl

Unless your user with username "uid=tonni" has the above "cn=admin" DN, that
response is wrong. Since you specified a proxy ID, that ID's DN is the name
that should have been returned. However, since your regexp ignores the uid
that was passed in, every user will be mapped to your admin account. No
matter how bizarre your internal organization may be, I'm quite certain this
is not what you want.

> with:
>
> sasl-regexp uid=(.*),cn=.*,cn=auth
> "ldap:///dc=billy,dc=demon,dc=nl??sub?uid=$1";
>
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Insufficient access (50)
> 	additional info: SASL(-14): authorization failure: not authorized

Exactly what I've been trying to tell you. Go back to the Admin Guide and
read section 10.3 about Proxy Authorization. You haven't set this up
properly, and without it you're getting bogus results. You need to configure
things such that the user "cn=admin,dc=billy,dc=demon,dc=nl" has the
privilege to authorize as every other user in your directory. (Or some
smaller subset, if you prefer. But for this example, it must at least have
the privilege to authorize itself as user "tonni" ...)

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
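To make the point above concrete, here is an added illustration (not code from this thread or from OpenLDAP) that models the sasl-regexp step: the SASL authentication identity "uid=<user>,cn=<mech>,cn=auth" is matched against each rule and $1..$9 in the replacement are expanded from the capture groups. It also includes a small check that flags rules which capture the uid but never use it, since such a rule maps every authenticated user onto the same entry. Realms, slapd's exact anchoring and the LDAP search that follows are left out, and the rules and identities are constructed from the thread.

```python
import re

# Constructed rules, copied from the two configurations quoted in the thread.
# The first one ignores the captured uid, so every user becomes "admin".
RULES_IGNORING_UID = [
    (r"uid=(.*),cn=.*,cn=auth", "ldap:///dc=billy,dc=demon,dc=nl??sub?uid=admin"),
]
RULES_USING_UID = [
    (r"uid=(.*),cn=.*,cn=auth", "ldap:///dc=billy,dc=demon,dc=nl??sub?uid=$1"),
]


def map_sasl_identity(rules, sasl_id):
    """Model of slapd's sasl-regexp: return the search URI (or DN) produced by
    the first matching rule, or None when no rule matches. Simplified model,
    not slapd's code."""
    for pattern, replacement in rules:
        m = re.match(pattern, sasl_id, re.IGNORECASE)
        if not m:
            continue

        def expand(ref, m=m):
            n = int(ref.group(1))
            return m.group(n) if n <= m.re.groups and m.group(n) else ""

        return re.sub(r"\$(\d)", expand, replacement)
    return None


def collapsing_rules(rules):
    """Return rules whose pattern captures part of the identity but whose
    replacement never references $N: all matching users land on one target."""
    bad = []
    for pattern, replacement in rules:
        if re.compile(pattern).groups and not re.search(r"\$\d", replacement):
            bad.append((pattern, replacement))
    return bad


if __name__ == "__main__":
    # Note: the greedy "(.*)" only isolates the user name because no realm
    # component (uid=<user>,cn=<realm>,cn=<mech>,cn=auth) is present here.
    for who in ("uid=tonni,cn=digest-md5,cn=auth", "uid=alice,cn=digest-md5,cn=auth"):
        print(who, "->", map_sasl_identity(RULES_IGNORING_UID, who))
        print(who, "->", map_sasl_identity(RULES_USING_UID, who))
    print("rules collapsing all users onto one entry:", collapsing_rules(RULES_IGNORING_UID))
```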