--On October 26, 2011 6:08:56 AM +0000 Viktor Dukhovni
<postfix-us...@dukhovni.org> wrote:
> On Tue, Oct 25, 2011 at 10:14:39PM -0700, Quanah Gibson-Mount wrote:
>> Ok, logs were still on the server I was using earlier. Here's part
>> of one of the connections in question.
> LDAP server logs are no way to report a suspected Postfix issue to
> this list. They are for LDAP administrators, not Postfix experts.
Generally I would agree with you. However the fact that postfix clearly
continues its session after receiving an error from the LDAP server clearly
indicates a bug in the postfix code.
> To report a Postfix LDAP issue, post the output of:
> postmap -v -q lookup-key ldap:/some/table.cf
> Naturally also post the Postfix table definition, which will indicate
> whether you're using simple or SASL binds. If possible try both,
> and report any difference in behaviour, since as you know the SASL
> bind code is relatively new, perhaps there are subtleties in the
> LDAP API that were not taken into account, but I prefer to not
> speculate on the likelihood of such an issue with no usable
> information.
I'm using simple binds as I have since postfix 2.3. I actually was not
aware the code for using SASL mechanism binds had been added to postfix.
Very happy to know that. ;) I have my own test server set up now so I can
better get the information you're asking for.
First, a normal postmap -q when the user exists and it has a working
password:
zimbra@zre-ldap002:~$ postmap -q testus...@zre-ldap002.eng.vmware.com
ldap:/opt/zimbra/conf/ldap-transport.cf
lmtp:zre-ldap002.eng.vmware.com:7025
Now, I change the password to something else entirely. postmap reports
"success" binding and proceeds with the query, when in fact it did not bind
successfully.
postmap: dict_ldap_lookup: In dict_ldap_lookup
postmap: dict_ldap_lookup: No existing connection for LDAP source
/opt/zimbra/conf/ldap-transport.cf, reopening
postmap: dict_ldap_connect: Connecting to server
ldap://zre-ldap002.eng.vmware.com:389
postmap: dict_ldap_connect: Actual Protocol version used is 3.
postmap: dict_ldap_connect: Binding to server
ldap://zre-ldap002.eng.vmware.com:389 with dn
uid=zmpostfix,cn=appaccts,cn=zimbra
postmap: dict_ldap_connect: Successful bind to server
ldap://zre-ldap002.eng.vmware.com:389 with dn
uid=zmpostfix,cn=appaccts,cn=zimbra
postmap: dict_ldap_connect: Cached connection handle for LDAP source
/opt/zimbra/conf/ldap-transport.cf
postmap: dict_ldap_lookup: /opt/zimbra/conf/ldap-transport.cf: Searching
with filter
(&(|(zimbraMailDeliveryAddress=testus...@zre-ldap002.eng.vmware.com)(zimbraDomainName=testus...@zre-ldap002.eng.vmware.com))(zimbraMailStatus=enabled))
postmap: dict_ldap_get_values[1]: Search found 0 match(es)
postmap: dict_ldap_get_values[1]: Leaving dict_ldap_get_values
postmap: dict_ldap_lookup: Search returned nothing
postmap: dict_ldap_close: Closed connection handle for LDAP source
/opt/zimbra/conf/ldap-transport.cf
> Please also try to report results from ldapsearch(1) performing the
> same query with identical authentication/connection settings.
zimbra@zre-ldap002:~$ ldapsearch -LLL -H ldap://zre-ldap002.eng.vmware.com
-x -D "uid=zmpostfix,cn=appaccts,cn=zimbra" -w zimbra
"(&(|(zimbraMailDeliveryAddress=testus...@zre-ldap002.eng.vmware.com)(zimbraDomainName=testus...@zre-ldap002.eng.vmware.com))(zimbraMailStatus=enabled))"
ldap_bind: Invalid credentials (49)
(and disconnect)
With valid credentials, it returns the correct results:
zimbra@zre-ldap002:~$ ldapsearch -LLL -H ldap://zre-ldap002.eng.vmware.com
-x -D "uid=zmpostfix,cn=appaccts,cn=zimbra" -w zimbra123
"(&(|(zimbraMailDeliveryAddress=testus...@zre-ldap002.eng.vmware.com)(zimbraDomainName=testus...@zre-ldap002.eng.vmware.com))(zimbraMailStatus=enabled))"
dn: uid=testuser1,ou=people,dc=zre-ldap002,dc=eng,dc=vmware,dc=com
objectClass: inetOrgPerson
objectClass: zimbraAccount
objectClass: amavisAccount
zimbraId: 6d672aa4-dc4c-48b2-bc6f-95009014dd6f
zimbraMailHost: zre-ldap002.eng.vmware.com
zimbraMailTransport: lmtp:zre-ldap002.eng.vmware.com:7025
zimbraMailStatus: enabled
zimbraMailDeliveryAddress: testus...@zre-ldap002.eng.vmware.com
mail: testus...@zre-ldap002.eng.vmware.com
cn: testuser1
sn: testuser1
uid: testuser1
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
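The behaviour described in the message above, a client that logs "Successful bind" and goes on to search even though the server answered "Invalid credentials (49)", comes down to whether the client inspects the resultCode carried in the LDAP BindResponse before issuing any further operation. When that check is missing, the server simply treats the session as anonymous and later searches return nothing, so a configuration error looks like "user not found" instead of an authentication failure. The following is an added example, not Postfix code and not part of the thread: a small parser for a BER-encoded LDAPMessage/BindResponse (RFC 4511) that refuses to continue unless resultCode is 0. The samples are constructed in the block itself, `make_bind_response` exists only to build them, and `LDAP_RESULT_NAMES` is a hand-picked subset of the result codes from RFC 4511 Appendix A.

```python
"""Parse a BER-encoded LDAP BindResponse and enforce its resultCode.

Added example (not Postfix code).  Demonstrates the check an LDAP client
must make before searching: a bind request that was *sent* is not a bind
that *succeeded*; only resultCode 0 in the BindResponse means authenticated.
"""

# Subset of LDAP result codes, RFC 4511 Appendix A.
LDAP_RESULT_NAMES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_OCTET_STRING = 0x04
TAG_BIND_RESPONSE = 0x61  # [APPLICATION 1], constructed


class BindFailed(Exception):
    """Raised when the server's BindResponse carries a non-zero resultCode."""


def _read_tlv(buf, pos):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets that follow
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported BER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


def _expect(tag, want, what):
    if tag != want:
        raise ValueError(f"expected {what} (tag 0x{want:02x}), got 0x{tag:02x}")


def parse_bind_response(msg):
    """Decode LDAPMessage { messageID, BindResponse }.

    Returns (message_id, result_code, diagnostic_message).  matchedDN,
    referral and serverSaslCreds are skipped: the decision hinges on resultCode.
    """
    tag, body, _ = _read_tlv(msg, 0)
    _expect(tag, TAG_SEQUENCE, "LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(body, 0)
    _expect(tag, TAG_INTEGER, "messageID")
    message_id = int.from_bytes(mid, "big", signed=True)
    tag, op, _ = _read_tlv(body, pos)
    _expect(tag, TAG_BIND_RESPONSE, "BindResponse")
    tag, rc, pos = _read_tlv(op, 0)
    _expect(tag, TAG_ENUMERATED, "resultCode")
    result_code = int.from_bytes(rc, "big")
    tag, _matched_dn, pos = _read_tlv(op, pos)
    _expect(tag, TAG_OCTET_STRING, "matchedDN")
    tag, diag, pos = _read_tlv(op, pos)
    _expect(tag, TAG_OCTET_STRING, "diagnosticMessage")
    return message_id, result_code, diag.decode("utf-8", "replace")


def check_bind(msg):
    """Return the message id if the bind succeeded; raise BindFailed otherwise.

    A client that skips this and proceeds to search is exactly the failure
    mode in the thread: the server serves the search as an anonymous session.
    """
    message_id, code, diag = parse_bind_response(msg)
    if code != 0:
        name = LDAP_RESULT_NAMES.get(code, "unknown")
        raise BindFailed(f"bind failed: {name} ({code}) {diag}".rstrip())
    return message_id


def bind_succeeded(msg):
    """Boolean form of check_bind for callers that prefer not to catch."""
    try:
        check_bind(msg)
        return True
    except BindFailed:
        return False


# --- constructed sample messages (encoder used only to build test input) ---

def _tlv(tag, value):
    """Encode a BER TLV with short- or long-form length."""
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def make_bind_response(message_id, result_code, diag=b""):
    """Build LDAPMessage { messageID, BindResponse { resultCode, "", diag } }."""
    op = (_tlv(TAG_ENUMERATED, bytes([result_code]))
          + _tlv(TAG_OCTET_STRING, b"")
          + _tlv(TAG_OCTET_STRING, diag))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, bytes([message_id]))
                + _tlv(TAG_BIND_RESPONSE, op))


if __name__ == "__main__":
    for sample in (make_bind_response(1, 0),
                   make_bind_response(1, 49, b"invalid credentials")):
        print(sample.hex(), "->", "bind ok" if bind_succeeded(sample) else "bind rejected")
```

The decoder deliberately treats any non-zero resultCode as fatal rather than falling through to "no results": a directory lookup that silently degrades to an anonymous search turns a credential problem into a delivery or routing problem that is much harder to diagnose, which is what the `Search found 0 match(es)` line in the postmap trace above shows.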