
Re: Proxy authorization fail with cyrus-sasl and postfix



> Hello list,
>
> I am trying to authenticate my mail users against my ldap directory (slapd
> 2.4.17, debian squeeze). I have setup proxy authorization for user postfix
> as follow:
>
> in slapd.conf
> ----
> # SASL proxy authorization rewrite rule
> authz-regexp "^uid=([^,]+).*,cn=[^,]*,cn=auth$"
>               "ldap:///dc=linuxwall,dc=info??sub?(uid=$1)"
>
> authz-policy to
> ----
>
> ldif of user postfix
> ----
> dn: cn=Postfix Administrator,ou=infrastructure,dc=linuxwall,dc=info
> authzto: ldap:///dc=linuxwall,dc=info??sub?(objectClass=inetOrgPerson)
> cn: Postfix Administrator
> [...]
> ----
>
> I have a similar user with cyrus for cyrus-imapd.
>
> My user postfix seem to have the authorization to act on behalf of other
> user.
>
> ----
> # ldapwhoami -Y DIGEST-MD5 -U postfix -H ldap://localhost -R
> linuxwall.info -X u:julien
>
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> SASL username: u:julien
> SASL SSF: 128
> SASL data security layer installed.
> dn:cn=julien vehent,ou=people,dc=linuxwall,dc=info
> ----
>
> Thus, I set up the ldapdb driver from the sasl library in the chroot of
> postfix. I see connections from postfix to slapd, postfix user is properly
> authenticated, but then I have the following message (see trace below):
>
> ----
> May 23 12:57:04 samchiel slapd[1431]: conn=109 fd=17 ACCEPT from
> IP=127.0.0.1:58349 (IP=127.0.0.1:389)
> May 23 12:57:04 samchiel slapd[1431]: conn=109 op=0 BIND dn="" method=163
> May 23 12:57:04 samchiel slapd[1431]: conn=109 op=0 RESULT tag=97 err=14
> text=SASL(0): successful result:
> May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 BIND dn="" method=163
> May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 BIND authcid="postfix"
> authzid="postfix"
> May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 BIND dn="cn=postfix
> administrator,ou=infrastructure,dc=linuxwall,dc=info" mech=DIGEST-MD5
> sasl_ssf=128 ssf=128
> May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 RESULT tag=97 err=0
> text=
> May 23 12:57:04 samchiel slapd[1431]: conn=109 op=2 RESULT tag=120 err=123
> text=not authorized to assume identity
> May 23 12:57:04 samchiel slapd[1431]: conn=109 op=2 do_extended: get_ctrls
> failed
> May 23 12:57:04 samchiel slapd[1431]: conn=109 op=3 UNBIND
> May 23 12:57:04 samchiel slapd[1431]: conn=109 fd=17 closed
> May 23 12:57:04 samchiel slapd[1431]: connection_read(17): no connection!
> ----
>
> I don't understand this error 'not authorized to assume identity'... Since
> proxy authorization works fine when I test it with ldapwhoami.
> Also, on the same machine, I have a cyrus-imapd server that authenticates
> on the same slapd using the same ldapdriver. Thus, I don't think either
> slapd or cyrus-sasl are the problem, but since I don't understand the
> error.....
>
>
> Can you guys give me a hand here ?

Can you check what exact operation is being attempted?  I mean: what
identity "cn=postfix administrator,ou=infrastructure,dc=linuxwall,dc=info"
is trying to authorize as during conn=109 op=2?  You should try to
reproduce the authorization part of it, e.g. using ldapwhoami as the
postfix administrator, and authorizing with exactly the same identity as is
being used in that operation, using "stats,trace,args" log level to see
where it fails.

p.
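An added example, not part of this thread and not OpenLDAP or cyrus-sasl code: it applies the authz-regexp rule quoted from slapd.conf to a SASL identity the way slapd rewrites it, and scans slapd log lines (constructed here, modelled on the trace above) to tie each err=123 "not authorized to assume identity" result back to the DN that was bound on that connection, which is the check the reply asks for. The regexp and DNs come from the post; the `$1` substitution and log correlation logic are this example's own assumptions.

```python
import re

# authz-regexp (pattern, template) exactly as quoted from slapd.conf in the thread.
AUTHZ_REGEXP = (r"^uid=([^,]+).*,cn=[^,]*,cn=auth$",
                "ldap:///dc=linuxwall,dc=info??sub?(uid=$1)")

# Constructed slapd log excerpt modelled on the trace in the post.
SAMPLE_LOG = """\
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=0 BIND dn="" method=163
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 BIND dn="" method=163
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 BIND authcid="postfix" authzid="postfix"
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 BIND dn="cn=postfix administrator,ou=infrastructure,dc=linuxwall,dc=info" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 RESULT tag=97 err=0 text=
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=2 RESULT tag=120 err=123 text=not authorized to assume identity
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=3 UNBIND
"""

def map_sasl_identity(sasl_dn, rule=AUTHZ_REGEXP):
    """Rewrite a SASL identity (uid=...,cn=...,cn=auth) with an authz-regexp rule.
    Assumption: $1..$9 in the template stand for the pattern's capture groups.
    Returns the rewritten identity, or None when the pattern does not match."""
    pattern, template = rule
    m = re.match(pattern, sasl_dn)
    if not m:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)

LINE_RE = re.compile(r"conn=(\d+) op=(\d+) (.*)$")

def find_failed_authz(log_text):
    """Return [(conn, op, bound_dn)] for every err=123 result, where bound_dn is
    the DN whose BIND last completed with err=0 on that connection."""
    pending = {}   # (conn, op) -> DN announced in the BIND line, awaiting RESULT
    bound = {}     # conn -> DN of the last successful bind
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, op, rest = m.group(1), int(m.group(2)), m.group(3)
        dn = re.search(r'BIND dn="([^"]+)" mech=', rest)
        if dn:
            pending[(conn, op)] = dn.group(1)
        elif rest.startswith("RESULT") and re.search(r"\berr=0\b", rest):
            if (conn, op) in pending:
                bound[conn] = pending.pop((conn, op))
        elif re.search(r"\berr=123\b", rest):
            failures.append((conn, op, bound.get(conn)))
    return failures
```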