On Mon, 24 May 2010 14:04:45 -0400, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:

> On Mon, May 24, 2010 at 07:30:56PM +0200, Julien Vehent wrote:
>
>> Final solution provided by the Openldap mailing list:
>>
>> > Just change your authz-regexp line to
>> >
>> > authz-regexp "^uid=([^,]+).*,cn=[^,]*,cn=auth$"
>> >     "ldap:///dc=linuxwall,dc=info??sub?(|(uid=$1)(mail=$1))"
>>
>> And the authentication works.
>> I think it's worth a line in the sasl howto to explain that postfix will
>> use the email value to authenticate the user, and therefore the
>> authz-regex should take it into account...
>
> This looks wrong. As Patrick points out you are likely confusing
> authentication realms (u...@realm principals) with email addresses.
> DON'T. Rather configure Postfix with an empty or other correct setting
> of the realm that will work correctly without matching u...@mail against
> email addresses.
Alright, I have 2 test results. The problem seems to come from
smtpd_sasl_local_domain, which modifies the uid value. What I don't understand
is why smtpd_sasl_local_domain modifies the uid value when there is a 'realm'
field for that in the sasl uri?

=== case 1: authentication fails ======================================

smtpd_sasl_local_domain set to mydomain (linuxwall.info)
----
# postconf |grep "smtpd_sasl"
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = cyrus
----

authz-regex doesn't match the 'mail' field
----
authz-regexp "^uid=([^,]+).*,cn=[^,]*,cn=auth$"
    "ldap:///dc=linuxwall,dc=info??sub?(uid=$1)"
----

Authentication fails
----
# smtptest -a julien -m digest-md5 localhost -r linuxwall.info
S: 220 samchiel.linuxwall.info ESMTP Postfix (Debian/GNU)
C: EHLO example.com
S: 250-samchiel.linuxwall.info
S: 250-PIPELINING
S: 250-SIZE 10240000
S: 250-VRFY
S: 250-ETRN
S: 250-AUTH LOGIN PLAIN DIGEST-MD5
S: 250-ENHANCEDSTATUSCODES
S: 250-8BITMIME
S: 250 DSN
C: AUTH DIGEST-MD5
S: 334 bm9uY2U9IjRpNjh4RURzRVFVOTU5YWZzTWxuYmplUnBwZU80M1VKUTJ6ZWJ3WlAycFU9IixyZWFsbT0ibGludXh3YWxsLmluZm8iLHFvcD0iYXV0aCIsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M=
Please enter your password:
C: dXNlcm5hbWU9Imp1bGllbiIscmVhbG09ImxpbnV4d2FsbC5pbmZvIixub25jZT0iNGk2OHhFRHNFUVU5NTlhZnNNbG5iamVScHBlTzQzVUpRMnplYndaUDJwVT0iLGNub25jZT0iMzJ3SzQ4WjV0MkF6bUN0cEUvSlFZOENtRWJwWXpWdnNzY0xpTXFCbGxmdz0iLG5jPTAwMDAwMDAxLHFvcD1hdXRoLG1heGJ1Zj0xMDI0LGRpZ2VzdC11cmk9InNtdHAvbG9jYWxob3N0IixyZXNwb25zZT05NTZlNjNlMTQ1ZDVmNjQzMzdlMjczMjE4N2FmNzZjMA==
S: 535 5.7.8 Error: authentication failed: authentication failure
Authentication failed. generic failure
Security strength factor: 0
quit
221 2.0.0 Bye
Connection closed.
----

And slapd says:
----
May 24 21:18:59 samchiel slapd[17234]: parseProxyAuthz: conn 2 authzid="u:jul...@linuxwall.info"
May 24 21:18:59 samchiel slapd[17234]: slap_sasl_getdn: conn 2 id=u:jul...@linuxwall.info [len=23]
May 24 21:18:59 samchiel slapd[17234]: slap_sasl_getdn: u:id converted to uid=jul...@linuxwall.info,cn=DIGEST-MD5,cn=auth
----

=== case 2: authentication succeeds ===================================

Same authz-regex in slapd, same smtpclient command, I just removed the
smtpd_sasl_local_domain value:
----
# postconf |grep "smtpd_sasl"
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = cyrus
----

Authentication works:
----
# smtptest -a julien -m digest-md5 localhost -r linuxwall.info
S: 220 samchiel.linuxwall.info ESMTP Postfix (Debian/GNU)
C: EHLO example.com
S: 250-samchiel.linuxwall.info
S: 250-PIPELINING
S: 250-SIZE 10240000
S: 250-VRFY
S: 250-ETRN
S: 250-AUTH LOGIN PLAIN DIGEST-MD5
S: 250-ENHANCEDSTATUSCODES
S: 250-8BITMIME
S: 250 DSN
C: AUTH DIGEST-MD5
S: 334 bm9uY2U9Ilp3TkJ5KzZkcFpFSU1ZeEY1YUNSa2FndjB3eUdHZVJQZk9vS2N2ZGRYejg9IixyZWFsbT0ic2FtY2hpZWwubGludXh3YWxsLmluZm8iLHFvcD0iYXV0aCIsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M=
Please enter your password:
C: dXNlcm5hbWU9Imp1bGllbiIscmVhbG09InNhbWNoaWVsLmxpbnV4d2FsbC5pbmZvIixub25jZT0iWndOQnkrNmRwWkVJTVl4RjVhQ1JrYWd2MHd5R0dlUlBmT29LY3ZkZFh6OD0iLGNub25jZT0iOE52ZUhuQ1NTbVc2ZjljdEVPV3BFSC9hTnlGWHJNZllwZkcyd2s4KzArWT0iLG5jPTAwMDAwMDAxLHFvcD1hdXRoLG1heGJ1Zj0xMDI0LGRpZ2VzdC11cmk9InNtdHAvbG9jYWxob3N0IixyZXNwb25zZT0xMGVkNDk4OTdhYzMwYTY3ZGNkZTE1YTcyMzI4ZmQzYg==
S: 334 cnNwYXV0aD0zMTAwY2Y1NTNjOTVhNmQ3ZWNkMzE4ZDM3YTQzZDM1YQ==
C:
S: 235 2.7.0 Authentication successful
Authenticated.
Security strength factor: 0
quit
221 2.0.0 Bye
Connection closed.
----

And slapd says:
----
May 24 21:15:08 samchiel slapd[17234]: parseProxyAuthz: conn 1 authzid="u:julien"
May 24 21:15:08 samchiel slapd[17234]: slap_sasl_getdn: conn 1 id=u:julien [len=8]
May 24 21:15:08 samchiel slapd[17234]: slap_sasl_getdn: u:id converted to uid=julien,cn=DIGEST-MD5,cn=auth
----
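The two test cases above, replayed as an added worked example (this is not code from the thread, Postfix or OpenLDAP). It reproduces the u:id-to-DN conversion that slap_sasl_getdn logs, applies the quoted authz-regexp pattern with both search URLs that appear in the thread, and evaluates the resulting filter against a constructed directory entry. The entry DN `uid=julien,ou=people,dc=linuxwall,dc=info`, its `mail` value, the minimal filter evaluator and the last case with a realm that differs from the mail domain are all assumptions made for the example.

```python
import re
from typing import Optional

# Constructed sample directory (assumption: the real tree is unknown; one entry
# with the uid and mail values the thread implies is enough to show the effect).
DIRECTORY = {
    "uid=julien,ou=people,dc=linuxwall,dc=info": {
        "uid": ["julien"],
        "mail": ["julien@linuxwall.info"],
    },
}

# The authz-regexp match pattern quoted in the thread, with the two search URLs
# that appear in it: the original (uid only) and the one suggested on the
# OpenLDAP list (uid or mail).
AUTHZ_MATCH = r"^uid=([^,]+).*,cn=[^,]*,cn=auth$"
URL_UID_ONLY = "ldap:///dc=linuxwall,dc=info??sub?(uid=$1)"
URL_UID_OR_MAIL = "ldap:///dc=linuxwall,dc=info??sub?(|(uid=$1)(mail=$1))"


def sasl_authz_dn(authcid: str, mech: str = "DIGEST-MD5") -> str:
    """Reproduce the 'u:id converted to uid=...,cn=<mech>,cn=auth' step that
    slap_sasl_getdn logs. With smtpd_sasl_local_domain set, the identity
    arrives as 'julien@linuxwall.info'; with it empty, as plain 'julien'."""
    return f"uid={authcid},cn={mech},cn=auth"


def apply_authz_regexp(dn: str, match: str, replace: str) -> Optional[str]:
    """Apply one authz-regexp rule: return the expanded search URL, or None if
    the SASL DN does not match the pattern (slapd would then reject the bind)."""
    m = re.match(match, dn)
    if m is None:
        return None
    out = replace
    for i, group in enumerate(m.groups(), start=1):  # slapd expands $1..$9
        out = out.replace(f"${i}", group)
    return out


def filter_from_url(url: str) -> str:
    """Extract the filter from an RFC 4516 LDAP URL: scheme://host/dn?attrs?scope?filter."""
    return url.split("?", 3)[3]


def _parse_filter(s: str):
    """Minimal RFC 4515 parser: (attr=value), (|...), (&...). Returns (node, rest)."""
    if not s.startswith("("):
        raise ValueError(f"bad filter: {s!r}")
    if s[1] in "&|":
        op, rest, children = s[1], s[2:], []
        while rest.startswith("("):
            child, rest = _parse_filter(rest)
            children.append(child)
        if not rest.startswith(")"):
            raise ValueError("unterminated filter list")
        return (op, children), rest[1:]
    end = s.index(")")
    attr, _, value = s[1:end].partition("=")
    return ("=", attr, value), s[end + 1:]


def _eval_filter(node, entry) -> bool:
    if node[0] == "=":
        _, attr, value = node
        # LDAP compares uid/mail values case-insensitively; good enough here.
        return value.lower() in (v.lower() for v in entry.get(attr, []))
    combine = all if node[0] == "&" else any
    return combine(_eval_filter(child, entry) for child in node[1])


def match_filter(flt: str, entry: dict) -> bool:
    node, rest = _parse_filter(flt)
    if rest:
        raise ValueError(f"trailing data after filter: {rest!r}")
    return _eval_filter(node, entry)


def resolve(authcid: str, url_template: str) -> list:
    """DNs the authz-regexp rule resolves the SASL identity to. Exactly one
    result lets the bind proceed; zero is the 'authentication failure' case."""
    url = apply_authz_regexp(sasl_authz_dn(authcid), AUTHZ_MATCH, url_template)
    if url is None:
        return []
    flt = filter_from_url(url)
    return [dn for dn, attrs in DIRECTORY.items() if match_filter(flt, attrs)]


if __name__ == "__main__":
    cases = [
        ("case 1: local_domain set, (uid=$1)", "julien@linuxwall.info", URL_UID_ONLY),
        ("case 2: local_domain empty, (uid=$1)", "julien", URL_UID_ONLY),
        ("OpenLDAP-list fix, (|(uid=$1)(mail=$1))", "julien@linuxwall.info", URL_UID_OR_MAIL),
        # Constructed: a realm that is not the mail domain.
        ("same fix, realm != mail domain", "julien@mx.example", URL_UID_OR_MAIL),
    ]
    for label, authcid, tmpl in cases:
        print(f"{label:45s} {sasl_authz_dn(authcid):50s} -> {resolve(authcid, tmpl) or 'FAIL'}")
```

Running it shows case 1 resolving to nothing (the filter becomes `(uid=julien@linuxwall.info)` and no entry has that uid), case 2 resolving to the single entry, and the uid-or-mail URL working for `julien@linuxwall.info` only because the mail attribute happens to equal user@realm; the constructed last case, where the realm is not the mail domain, resolves to nothing again, which is the coupling Victor objects to.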