
Re: Proxy authorization fail with cyrus-sasl and postfix



> On Sun, 23 May 2010 18:35:21 +0200 (CEST), masarati@aero.polimi.it wrote:
>> Can you check what exact operation is being attempted?  I mean: what
>> identity "cn=postfix administrator,ou=infrastructure,dc=linuxwall,dc=info"
>> is trying to authorize as during conn=109 op=2?  You should try to
>> reproduce the authorization part of it, e.g. using ldapwhoami as the
>> postfix administrator, and authorizing with exactly the same identity that is
>> being used in that operation, using "stats,trace,args" log level to see
>> where it fails.
>>
>
> Sweet, thanks for your help at debugging, I found the issue!
>
> In the slapd logs, when Postfix sends the UID of the user it wants to
> authenticate as, it sends the email address of the user, i.e. for julien,
> it would send julien@linuxwall.info.
> Therefore, slapd looks for a user that has julien@linuxwall.info in its
> UID, and obviously doesn't find it...
>
> I asked the folks on the postfix mailing list if they know anything about
> that, and if they have a correction for me.
>
> ----
> May 24 11:55:30 samchiel slapd[13163]: => get_ctrls
> May 24 11:55:30 samchiel slapd[13163]: => get_ctrls: oid="2.16.840.1.113730.3.4.18" (critical)
> May 24 11:55:30 samchiel slapd[13163]: parseProxyAuthz: conn 3 authzid="u:julien@linuxwall.info"
> May 24 11:55:30 samchiel slapd[13163]: slap_sasl_getdn: conn 3 id=u:julien@linuxwall.info [len=23]
> May 24 11:55:30 samchiel slapd[13163]: slap_sasl_getdn: u:id converted to uid=julien@linuxwall.info,cn=DIGEST-MD5,cn=auth
> May 24 11:55:30 samchiel slapd[13163]: >>> dnNormalize: <uid=julien@linuxwall.info,cn=DIGEST-MD5,cn=auth>
> May 24 11:55:30 samchiel slapd[13163]: <<< dnNormalize: <uid=julien@linuxwall.info,cn=digest-md5,cn=auth>
> May 24 11:55:30 samchiel slapd[13163]: ==>slap_sasl2dn: converting SASL name uid=julien@linuxwall.info,cn=digest-md5,cn=auth to a DN
> May 24 11:55:30 samchiel slapd[13163]: [rw] authid: "uid=julien@linuxwall.info,cn=digest-md5,cn=auth" -> "ldap:///dc=linuxwall,dc=info??sub(uid=julien@linuxwall.info)"
> May 24 11:55:30 samchiel slapd[13163]: slap_parseURI: parsing ldap:///dc=linuxwall,dc=info??sub?(uid=julien@linuxwall.info)
> ----


Just change your authz-regexp line to

authz-regexp "^uid=([^,]+).*,cn=[^,]*,cn=auth$"
              "ldap:///dc=linuxwall,dc=info??sub?(|(uid=$1)(mail=$1))"


p.
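An added illustration, not part of this thread or of OpenLDAP's code: a small Python model of the two steps the log above shows (the "u:" authzid becoming the SASL DN, then authz-regexp turning that DN into an LDAP URI), run over a constructed two-entry directory to show why a uid-only filter finds nothing for a mail-address authzid while the proposed (|(uid=$1)(mail=$1)) filter resolves it. The directory entries, the DN layout under dc=linuxwall,dc=info and the tiny filter evaluator are assumptions made for the demonstration.

```python
import re

# Constructed sample directory standing in for what slapd searches under dc=linuxwall,dc=info.
DIRECTORY = {
    "uid=julien,ou=people,dc=linuxwall,dc=info": {"uid": ["julien"], "mail": ["julien@linuxwall.info"]},
    "uid=alice,ou=people,dc=linuxwall,dc=info": {"uid": ["alice"], "mail": ["alice@linuxwall.info"]},
}

# The uid-only mapping seen in the log, and the uid-or-mail mapping proposed in the reply.
OLD_RULE = (r"^uid=([^,]+).*,cn=[^,]*,cn=auth$", "ldap:///dc=linuxwall,dc=info??sub?(uid=$1)")
NEW_RULE = (r"^uid=([^,]+).*,cn=[^,]*,cn=auth$", "ldap:///dc=linuxwall,dc=info??sub?(|(uid=$1)(mail=$1))")


def sasl_authzid_to_dn(authzid, mech="DIGEST-MD5"):
    """Approximate slap_sasl_getdn + dnNormalize: 'u:<name>' -> uid=<name>,cn=<mech>,cn=auth, lowercased."""
    if not authzid.startswith("u:"):
        raise ValueError("only the u: authzid form is modelled here")
    return "uid={},cn={},cn=auth".format(authzid[2:], mech).lower()


def apply_authz_regexp(sasl_dn, rule):
    """Return the LDAP URI the rule maps the SASL DN to, or None when the regexp does not match."""
    pattern, template = rule
    m = re.match(pattern, sasl_dn)
    return template.replace("$1", m.group(1)) if m else None


def _matches(entry, filt):
    # Minimal evaluator for the two filter shapes on this page: (attr=value) and (|(a=v)(b=v)).
    # Assumes constructed values contain no ')(' sequences; it is not a general RFC 4515 parser.
    if filt.startswith("(|"):
        return any(_matches(entry, "(" + part + ")") for part in filt[3:-2].split(")("))
    attr, _, value = filt[1:-1].partition("=")
    return value.lower() in [v.lower() for v in entry.get(attr, [])]


def resolve(uri):
    """Evaluate the URI's filter over DIRECTORY; slapd accepts the mapping only on exactly one hit."""
    if uri is None:
        return None
    filt = uri.rsplit("?", 1)[1]
    hits = [dn for dn, entry in DIRECTORY.items() if _matches(entry, filt)]
    return hits[0] if len(hits) == 1 else None


def authorize(authzid, rule):
    """Full chain: authzid -> SASL DN -> URI -> resolved entry DN (None means authorization fails)."""
    return resolve(apply_authz_regexp(sasl_authzid_to_dn(authzid), rule))
```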