* Julien Vehent <jul...@linuxwall.info>:
> Final solution provided by the Openldap mailing list:
> 
> > Just change your authz-regexp line to
> > 
> > authz-regexp "^uid=([^,]+).*,cn=[^,]*,cn=auth$"
> >               "ldap:///dc=linuxwall,dc=info??sub?(|(uid=$1)(mail=$1))"
> 
> 
> And the authentication works.
> I think it's worth a line in the sasl howto to explain that postfix will
> use the email value to authenticate the user, and therefore the authz-regex
> should take it into account...

Postfix does not use the email value to authenticate the user. If it did, it
would be documented.

Instead Postfix takes whatever your client sends for authentication and passes
it, along with other information, to libsasl, and it is completely up to libsasl
to do the authentication.

Here's what I believe went wrong and what makes you think Postfix uses an
email address:

libsasl expects an authenticating application (read: Postfix smtpd daemon) to
provide not only an authentication ID (the identity string of the user that
wants to authenticate), but also an application name, a service name and ...
and a realm.

If the client does not send an authentication ID with a realm, Postfix may
append that as default value. The parameter to do this would be
$smtpd_sasl_local_domain.

If neither the client nor Postfix provide a realm, libsasl might deduce it from
the system's hostname. I am not sure if it will always do it or only upon
request.

Either way, here's my theory of what went wrong: you end up with an
authentication ID and a realm. Both are sent as one string, separated by an
"@", which - tadaaa - looks like an email address, e.g. jul...@linuxwall.info.

This was passed to ldapdb and ... the rest is known.

p...@rick

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
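The mapping the thread settles on, worked through as an added example that is not part of the original thread and not code from OpenLDAP or Postfix. It simulates what slapd does with the authz-regexp line: build the SASL authorization DN (uid=<authcid>[,cn=<realm>],cn=<mech>,cn=auth), run the regexp over it, substitute $1 into the search URI, and evaluate the resulting filter against a small in-memory directory. The account "alice", the entries in the directory, and the pre-fix uid-only filter are assumptions constructed for the demonstration; the RFC 4515 escaping of the captured value is a precaution added here, since the thread's configuration shows none. It shows why the realm-qualified form "user@realm" fails with a uid-only filter and succeeds once mail is added as an alternative.

```python
import re

# The authz-regexp pattern and replacement URI from the thread, as in slapd.conf.
AUTHZ_PATTERN = r"^uid=([^,]+).*,cn=[^,]*,cn=auth$"
AUTHZ_URI_FIXED = "ldap:///dc=linuxwall,dc=info??sub?(|(uid=$1)(mail=$1))"
# Assumption: the pre-fix mapping searched on uid only (the thread does not show it).
AUTHZ_URI_UID_ONLY = "ldap:///dc=linuxwall,dc=info??sub?(uid=$1)"

# Constructed sample directory; "alice" and "bob" are hypothetical accounts.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=linuxwall,dc=info",
     "uid": ["alice"], "mail": ["alice@linuxwall.info"]},
    {"dn": "uid=bob,ou=people,dc=linuxwall,dc=info",
     "uid": ["bob"], "mail": ["bob@linuxwall.info"]},
]


def sasl_authz_dn(authcid, mech, realm=None):
    """DN slapd derives from a SASL bind: uid=<authcid>[,cn=<realm>],cn=<mech>,cn=auth."""
    rdns = ["uid=" + authcid]
    if realm:
        rdns.append("cn=" + realm)
    rdns += ["cn=" + mech.lower(), "cn=auth"]
    return ",".join(rdns)


def ldap_filter_escape(value):
    """RFC 4515 escaping so a captured authcid cannot change the filter's structure.
    Added here as a precaution; not something the thread's config shows."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def authz_rewrite(authz_dn, uri_template):
    """Apply the authz-regexp: return the search URI, or None if the DN does not match."""
    m = re.match(AUTHZ_PATTERN, authz_dn)
    if not m:
        return None
    return uri_template.replace("$1", ldap_filter_escape(m.group(1)))


def parse_ldap_uri(uri):
    """Split ldap:///<base>?<attrs>?<scope>?<filter> into its four parts."""
    base, attrs, scope, flt = uri[len("ldap:///"):].split("?", 3)
    return base, attrs, scope or "base", flt


def _split_top_level(s):
    """Split '(a=b)(c=d)' into ['(a=b)', '(c=d)'], honouring nesting."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                items.append(s[start:i + 1])
    return items


def filter_matches(flt, entry):
    """Minimal evaluator: equality assertions and OR, which is all the thread's filter uses."""
    if flt.startswith("(|"):
        return any(filter_matches(sub, entry) for sub in _split_top_level(flt[2:-1]))
    attr, _, value = flt[1:-1].partition("=")
    return value.lower() in [v.lower() for v in entry.get(attr, [])]


def lookup(authz_dn, uri_template, directory=DIRECTORY):
    """DNs the mapping resolves authz_dn to; an empty list means the bind cannot be authorized."""
    uri = authz_rewrite(authz_dn, uri_template)
    if uri is None:
        return []
    base, _attrs, _scope, flt = parse_ldap_uri(uri)
    return [e["dn"] for e in directory if e["dn"].endswith(base) and filter_matches(flt, e)]


if __name__ == "__main__":
    # Case 1: client sent a bare authcid and no realm.
    bare = sasl_authz_dn("alice", "DIGEST-MD5")
    # Case 2: what the message argues happened: authcid and realm joined by "@".
    joined = sasl_authz_dn("alice@linuxwall.info", "DIGEST-MD5")
    # Case 3: realm delivered separately, which the regexp's ".*" skips over.
    separate = sasl_authz_dn("alice", "DIGEST-MD5", realm="linuxwall.info")
    for dn in (bare, joined, separate):
        print(dn)
        print("  uid-only filter:", lookup(dn, AUTHZ_URI_UID_ONLY))
        print("  fixed filter:   ", lookup(dn, AUTHZ_URI_FIXED))
```

Running it shows the uid-only filter resolving the bare and separate-realm forms but not "alice@linuxwall.info", while the filter with the mail alternative resolves all three. The evaluator is deliberately tiny; it is there to make the substitution visible, not to stand in for slapd's filter engine.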
