Re: ldapdb and postfix




On Fri, 25 Jun 2004, Paul Jacobson wrote:

> ok... i've trimmed down the logs to a single authentication session.
> these are the relevant parts afaiks.
>
> I'm using  ldapdb.c,v 1.5.2.3 2003/12/01 with the following diffs
> between the version i'm using and the distribution version:
>
> 285c285
> < int ldapdb_auxprop_plug_init(const sasl_utils_t *utils,
> ---
> >  static int ldapdb_auxprop_plug_init(const sasl_utils_t *utils,
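Review bot: at 285 the two sides differ only in `static`, and because the local file is on the `<` side the diff reads backwards from a patch someone could apply. Regenerate it from the distribution version to the local one so that dropping `static` shows up as the change. Removing `static` also gives `ldapdb_auxprop_plug_init` external linkage, so a comment at the definition naming what needs to resolve that symbol would document why the qualifier is gone.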
> 344a345
> >  SASL_AUXPROP_PLUG_INIT( ldapdb )
>
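Review bot: at 345, `SASL_AUXPROP_PLUG_INIT( ldapdb )` is present only on the distribution side, so the local build depends entirely on the patched makeinit.sh to supply the plugin's init entry point, and that makeinit.sh change is not part of this diff. Post it alongside, since without it nobody else can reproduce the build that produced these logs.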

I've written a complete ldapdb patch (with documentation) for cyrus-sasl:
https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2406

Give this a try.

> I've had to remove 'static' so that slapd doesn't segfault with an
> error referring to unresolved symbol ldap-auxprop-plug-init. I have
> patched the makeinit.sh script so the SASL_AUXPROP_PLUG_INIT line is
> not needed in ldapdb.c.  In addition the cyrus-sasl source has
> patches from the openbsd ports tree to allow it to build shared libs.
>
> I have set the password to cleartext using  "userPassword: {CLEARTEXT}password"
>
> /var/log/authlog
> Jun 25 15:13:52 mail2 postfix/smtpd[3411]: No worthy mechs found
>
> /var/log/maillog
> Jun 25 15:13:51 mail2 postfix/smtpd[3411]: connect from unknown[172.16.2.61]
> Jun 25 15:13:51 mail2 postfix/smtpd[3411]: > unknown[172.16.2.61]:
> 220 mail2.cutlerco.com.au ESMTP Postfix
> Jun 25 15:13:51 mail2 postfix/smtpd[3411]: watchdog_pat: 0x3c028548
> Jun 25 15:13:51 mail2 postfix/smtpd[3411]: < unknown[172.16.2.61]:
> EHLO [203.61.88.252]
> Jun 25 15:13:51 mail2 postfix/smtpd[3411]: > unknown[172.16.2.61]:
> 250-mail2.cutlerco.com.au
> Jun 25 15:13:51 mail2 postfix/smtpd[3411]: > unknown[172.16.2.61]:
> 250-PIPELINING
> Jun 25 15:13:51 mail2 postfix/smtpd[3411]: > unknown[172.16.2.61]:
> 250-SIZE 10240000
> Jun 25 15:13:51 mail2 postfix/smtpd[3411]: > unknown[172.16.2.61]: 250-VRFY
> Jun 25 15:13:51 mail2 postfix/smtpd[3411]: > unknown[172.16.2.61]: 250-ETRN
> Jun 25 15:13:51 mail2 postfix/smtpd[3411]: > unknown[172.16.2.61]:
> 250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
> Jun 25 15:13:51 mail2 postfix/smtpd[3411]: > unknown[172.16.2.61]:
> 250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5
> Jun 25 15:13:51 mail2 postfix/smtpd[3411]: match_list_match: unknown: no match
> Jun 25 15:13:51 mail2 postfix/smtpd[3411]: match_list_match:
> 172.16.2.61: no match
> Jun 25 15:13:51 mail2 postfix/smtpd[3411]: > unknown[172.16.2.61]: 250 8BITMIME
> Jun 25 15:13:51 mail2 postfix/smtpd[3411]: watchdog_pat: 0x3c028548
> Jun 25 15:13:52 mail2 postfix/smtpd[3411]: < unknown[172.16.2.61]:
> auth CRAM-MD5
> Jun 25 15:13:52 mail2 postfix/smtpd[3411]: smtpd_sasl_authenticate:
> sasl_method CRAM-MD5
> Jun 25 15:13:52 mail2 postfix/smtpd[3411]: smtpd_sasl_authenticate:
> uncoded challenge: <1608008827.14398672@mail2.cutlerco.com.au>
> Jun 25 15:13:52 mail2 postfix/smtpd[3411]: > unknown[172.16.2.61]: 334 xxxx==
> Jun 25 15:13:52 mail2 postfix/smtpd[3411]: < unknown[172.16.2.61]: xxxxxxx=
> Jun 25 15:13:52 mail2 postfix/smtpd[3411]: smtpd_sasl_authenticate:
> decoded response: pj xxxxx
> Jun 25 15:13:52 mail2 postfix/smtpd[3411]: warning: SASL
> authentication failure: no secret in database
> Jun 25 15:13:52 mail2 postfix/smtpd[3411]: warning:
> unknown[172.16.2.61]: SASL CRAM-MD5 authentication failed
> Jun 25 15:13:52 mail2 postfix/smtpd[3411]: > unknown[172.16.2.61]:
> 535 Error: authentication failed
> Jun 25 15:13:52 mail2 postfix/smtpd[3411]: watchdog_pat: 0x3c028548
>
> /var/log/slapd
> Jun 25 15:13:52 mail2 slapd[27665]: daemon: activity on 1 descriptors
> Jun 25 15:13:52 mail2 slapd[27665]: daemon: new connection on 18
> Jun 25 15:13:52 mail2 slapd[27665]: conn=45 fd=18 ACCEPT from
> IP=127.0.0.1:48511 (IP=127.0.0.1:389)

This is not very useful.  Use loglevel 256

>
> /usr/lib/sasl2/smtpd.conf
> pwcheck_method: auxprop
> auxprop_plugin: ldapdb
> ldapdb_uri: ldap://127.0.0.1/
> ldapdb_id: ldapadmin
> ldapdb_pw: xxxxxxx
> ldapdb_mech: DIGEST-MD5
>

This looks good.  I'd also add the following to lib/sasl2/slapd.conf

pwcheck_method: auxprop
auxprop_plugin: slapd

Before you start messing with the postfix, make sure that ldap commands
work:
ldapwhoami -U ldapadmin -Y DIGEST-MD5 -X u:<postfixuser>

-- 
Igor
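
The CRAM-MD5 exchange in the maillog above, as an added example that is not part of the original messages or of cyrus-sasl: it shows why the server must be able to fetch the user's cleartext secret to check the response, and how an empty lookup ends in "no secret in database". The password is a constructed sample, the function names are hypothetical, and the `secrets` dict is an assumed stand-in for the auxprop (ldapdb) lookup.

```python
import base64
import hashlib
import hmac

# Challenge copied from the maillog above; user "pj" is from the decoded
# response. The password is a constructed sample value, not from the thread.
CHALLENGE = b"<1608008827.14398672@mail2.cutlerco.com.au>"
SAMPLE_PASSWORD = b"password"

def client_response(user: str, password: bytes, challenge: bytes) -> bytes:
    """Base64 line a client sends after the 334 challenge (RFC 2195)."""
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def server_verify(response_b64: bytes, challenge: bytes, secrets: dict) -> str:
    """Model of the server check; `secrets` stands in for the auxprop lookup."""
    try:
        raw = base64.b64decode(response_b64, validate=True).decode()
        user, digest = raw.rsplit(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return "malformed response"
    secret = secrets.get(user)
    if secret is None:
        # Without the shared secret the HMAC cannot be recomputed at all.
        return "no secret in database"
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    if hmac.compare_digest(expected.encode(), digest.lower().encode()):
        return "ok"
    return "authentication failed"

def demo() -> dict:
    """Same client response checked against three states of the directory."""
    resp = client_response("pj", SAMPLE_PASSWORD, CHALLENGE)
    hashed = b"{SHA}" + base64.b64encode(hashlib.sha1(SAMPLE_PASSWORD).digest())
    return {
        "cleartext stored": server_verify(resp, CHALLENGE, {"pj": SAMPLE_PASSWORD}),
        "hash stored": server_verify(resp, CHALLENGE, {"pj": hashed}),
        "lookup returns nothing": server_verify(resp, CHALLENGE, {}),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```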