From: Julien Vehent on
Hey guys,

I want to set up SASL authentication using LDAPDB, but it seems that
postfix connects to LDAP but doesn't send anything to it...

I try to authenticate using 'auth plain <base64>', and I receive:

535 5.7.8 Error: authentication failed: authentication failure

Connection to LDAP works fine at the network level, but the only thing
that postfix sends to slapd (sniffed using tcpdump) is an "UNBIND" request.
This is confirmed by the logs of slapd:

----
May 18 17:25:29 samchiel slapd[1431]: conn=35 fd=17 ACCEPT from
IP=127.0.0.1:57368 (IP=127.0.0.1:389)
May 18 17:25:29 samchiel slapd[1431]: conn=35 op=0 UNBIND
May 18 17:25:29 samchiel slapd[1431]: conn=35 fd=17 closed
----

Postfix says the following:

----
May 18 17:25:29 samchiel postfix/smtpd[12094]: < localhost[127.0.0.1]:
auth plain XXXXXXXXXXXXXXXXXXXXX
May 18 17:25:29 samchiel postfix/smtpd[12094]: xsasl_cyrus_server_first:
sasl_method plain, init_response XXXXXXXXXXXXXXXXXXXXX
May 18 17:25:29 samchiel postfix/smtpd[12094]: xsasl_cyrus_server_first:
decoded initial response
May 18 17:25:29 samchiel postfix/smtpd[12094]: warning: SASL
authentication failure: Password verification failed
May 18 17:25:29 samchiel postfix/smtpd[12094]: warning:
localhost[127.0.0.1]: SASL plain authentication failed: authentication
failure
May 18 17:25:29 samchiel postfix/smtpd[12094]: > localhost[127.0.0.1]: 535
5.7.8 Error: authentication failed: authentication failure
----

So, I assumed there might be something wrong with my configuration. Since
I'm on Debian Squeeze (for testing purposes), I have a
/etc/postfix/sasl/smtpd.conf that contains the configuration of ldapdb:

----
# cat /etc/postfix/sasl/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: PLAIN LOGIN
ldapdb_uri: ldap://localhost
ldapdb_id: postfix
ldapdb_pw: ZZZZzzzzZZZZZZZ
ldapdb_mech: DIGEST-MD5 PLAIN LOGIN
----

and the SASL directives in main.cf:

----
# grep smtpd_sasl main.cf
smtpd_sasl_type = cyrus
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_authenticated_header = yes
----


Did I miss anything? Any clue on why postfix doesn't send anything but an
UNBIND request to LDAP?



Thanks,
Julien

From: Victor Duchovni on
On Tue, May 18, 2010 at 05:44:43PM +0200, Julien Vehent wrote:

> I want to set up SASL authentication using LDAPDB, but it seems that
> postfix connects to LDAP but doesn't send anything to it...
>
> I try to authenticate using 'auth plain <base64>', and I receive :
>
> 535 5.7.8 Error: authentication failed: authentication failure

Is the LDAP library linked into Postfix compiled with Cyrus SASL support?
The "ldapdb" auxprop plugin needs an LDAP library that can do SASL binds.
If your LDAP library is not SASL (rather than simple bind) enabled, this
may not work.

Take a look at the "Notes LDAPDB auxprop options" section of:

http://www.sendmail.org/~ca/email/cyrus2/options.html

for additional LDAP server-side requirements.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.

From: Julien Vehent on
On Tue, 18 May 2010 12:37:47 -0400, Victor Duchovni
<Victor.Duchovni(a)morganstanley.com> wrote:
> On Tue, May 18, 2010 at 05:44:43PM +0200, Julien Vehent wrote:
>
>> I want to set up SASL authentication using LDAPDB, but it seems that
>> postfix connects to LDAP but doesn't send anything to it...
>>
>> I try to authenticate using 'auth plain <base64>', and I receive :
>>
>> 535 5.7.8 Error: authentication failed: authentication failure
>
> Is the LDAP library linked into Postfix compiled with Cyrus SASL support?
> The "ldapdb" auxprop plugin needs an LDAP library that can do SASL binds.
> If your LDAP library is not SASL (rather than simple bind) enabled, this
> may not work.

I believe it is, since I see a connection to the LDAP server. ldd confirms it
too:

----
# ldd /usr/sbin/postfix
linux-gate.so.1 => (0xb7788000)
libpostfix-global.so.1 => /usr/lib/libpostfix-global.so.1
(0xb774b000)
libpostfix-util.so.1 => /usr/lib/libpostfix-util.so.1 (0xb771e000)
libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb76d3000)
libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8
(0xb757b000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7564000)
libdb-4.7.so => /usr/lib/libdb-4.7.so (0xb740c000)
libnsl.so.1 => /lib/i686/cmov/libnsl.so.1 (0xb73f5000)
libresolv.so.2 => /lib/i686/cmov/libresolv.so.2 (0xb73df000)
libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7298000)
libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb7294000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7280000)
libpthread.so.0 => /lib/i686/cmov/libpthread.so.0 (0xb7267000)
/lib/ld-linux.so.2 (0xb7789000)
----

>
> Take a look at the "Notes LDAPDB auxprop options" section of:
>
> http://www.sendmail.org/~ca/email/cyrus2/options.html
>
> for additional LDAP server-side requirements.

The same directory is queried by cyrus-imapd using LDAPDB as well, and it
works fine. So I assume the configuration/mistake is postfix specific and
not in the LDAP conf.


Julien

From: Victor Duchovni on
On Tue, May 18, 2010 at 07:47:12PM +0200, Julien Vehent wrote:

> > Is the LDAP library linked into Postfix compiled with Cyrus SASL support?
> > The "ldapdb" auxprop plugin needs an LDAP library that can do SASL binds.
> > If your LDAP library is not SASL (rather than simple bind) enabled, this
> > may not work.
>
> I believe it is, since I see connexion to the LDAP server. ldd confirms it
> too:
>
> ----
> # ldd /usr/sbin/postfix
> linux-gate.so.1 => (0xb7788000)
> libpostfix-global.so.1 => /usr/lib/libpostfix-global.so.1
> (0xb774b000)
> libpostfix-util.so.1 => /usr/lib/libpostfix-util.so.1 (0xb771e000)
> libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb76d3000)
> libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8
> (0xb757b000)
> libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7564000)
> libdb-4.7.so => /usr/lib/libdb-4.7.so (0xb740c000)
> libnsl.so.1 => /lib/i686/cmov/libnsl.so.1 (0xb73f5000)
> libresolv.so.2 => /lib/i686/cmov/libresolv.so.2 (0xb73df000)
> libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7298000)
> libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb7294000)
> libz.so.1 => /usr/lib/libz.so.1 (0xb7280000)
> libpthread.so.0 => /lib/i686/cmov/libpthread.so.0 (0xb7267000)
> /lib/ld-linux.so.2 (0xb7789000)

1. Your Postfix is not directly linked with LDAP at all; it looks like
you are on a Debian system, and the LDAP table driver is dynamically
loaded. So we don't know whether the LDAP library you are using has
SASL support or not.

2. Mere TCP connection to the LDAP server does not prove support for
LDAP SASL bind in the LDAP client.

You need to determine whether your LDAP library supports SASL. Running
"ldd" on Postfix binaries won't tell you that; you need to run "ldd"
on the LDAP library used by the dynamically loaded Postfix LDAP table driver
and also on the SASL LDAP plugin.

> > Take a look at the "Notes LDAPDB auxprop options" section of:
> >
> > http://www.sendmail.org/~ca/email/cyrus2/options.html
> >
> > for additional LDAP server-side requirements.
>
> The same directory is queried by cyrus-imapd using LDAPDB as well, and it
> works fine. So I assume the configuration/mistake is postfix specific and
> not in the LDAP conf.

What is in the IMAP server SASL configuration file?

--
Viktor.

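Viktor's check above, scripted as an added example (this is not code from the thread or from Postfix or Cyrus SASL): for each plugin it runs ldd, picks out the libldap the plugin resolves to, and runs ldd on that library to see whether libsasl2 appears. The two plugin paths are the Debian locations quoted in the thread; on any other system they are an assumption to adjust.

```shell
#!/bin/sh
# Added example, not code from the thread: apply Viktor's advice and run ldd
# on the OpenLDAP client library behind the dynamically loaded Postfix LDAP
# driver and the Cyrus ldapdb plugin, not on /usr/sbin/postfix itself.
# The two plugin paths are the Debian locations quoted in the thread; on
# another system they are an assumption to adjust.

# Print the resolved path of the first libldap* entry in ldd output on stdin.
ldap_lib_from_ldd() {
    awk '$1 ~ /^libldap/ && $2 == "=>" && $3 ~ /^\// { print $3; exit }'
}

# Succeed when ldd output on stdin lists a libsasl2 dependency.
ldd_lists_sasl() {
    grep -q '^[[:space:]]*libsasl2\.so'
}

# For one plugin: find the libldap it loads and report whether that library
# itself pulls in libsasl2 (without it, no LDAP SASL bind is possible).
check_plugin() {
    plugin=$1
    if [ ! -f "$plugin" ]; then
        echo "$plugin: not installed"
        return 2
    fi
    lib=$(ldd "$plugin" 2>/dev/null | ldap_lib_from_ldd)
    if [ -z "$lib" ]; then
        echo "$plugin: no libldap dependency found"
        return 1
    fi
    if ldd "$lib" 2>/dev/null | ldd_lists_sasl; then
        echo "$plugin -> $lib: linked with libsasl2"
        return 0
    fi
    echo "$plugin -> $lib: NOT linked with libsasl2"
    return 1
}

status=0
for p in /usr/lib/postfix/dict_ldap.so /usr/lib/sasl2/libldapdb.so; do
    check_plugin "$p" || status=1
done
echo "overall: $status (0 = both plugins reach a SASL-capable libldap)"
```

ldd output is transitive, so a libsasl2 line under the plugin itself could come from any of its dependencies; running ldd on the libldap library is what says whether the LDAP client can do SASL binds.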

From: Julien Vehent on
On Tue, 18 May 2010 13:54:51 -0400, Victor Duchovni
<Victor.Duchovni(a)morganstanley.com> wrote:
> On Tue, May 18, 2010 at 07:47:12PM +0200, Julien Vehent wrote:
>
>
> 1. Your Postfix is not directly linked with LDAP at all, it looks like
> you are on a Debian system, and the LDAP table driver is dynamically
> loaded. So we don't know whether the LDAP library you are using has
> SASL support or not.
>
> 2. Mere TCP connection to the LDAP server does not prove support for
> LDAP SASL bind in the LDAP client.
>
> You need to determine whether your LDAP library supports SASL. Running
> "ldd" on Postfix binaries won't tell you that, you need to run "ldd"
> on the LDAP library used by the dynamically loaded Postfix LDAP table
> driver and also, on the SASL LDAP plugin.
>

Alright. So 'postfix-ldap' package installs
'/usr/lib/postfix/dict_ldap.so', which is linked to libsasl2:

----
# ldd /usr/lib/postfix/dict_ldap.so
[...]
libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0xb7879000)
[...]
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb769a000)
[...]
----

In '/usr/lib/sasl2' I also have 'libldapdb.so', which, I assume, is the
ldapdb driver, and this one is also linked to sasl:

----
# ldd libldapdb.so
[...]
libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0xb7833000)
[...]
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb76b2000)
[...]
----


I don't know what else could possibly be called by postfix. Any hint is
most welcome.

>
> What is in the IMAP server SASL configuration file?

The following:

----
# grep -E "sasl|ldap" /etc/imapd.conf |grep -v "^#"
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_auto_transition: no
sasl_ldapdb_uri: ldap://localhost
sasl_ldapdb_id: cyrus
sasl_ldapdb_pw: zzzzZZZZZzzzzzZZZZ

----


Julien