Problem using saslauthd against ldap server ...
Dan White
dwhite at olp.net
Tue Jun 5 17:23:08 EDT 2018
On 06/05/18 20:19 +0000, Robert Werner wrote:
>I tried running the saslauthd with the flags you suggested and got the
>following output:
>
>lpmail01 01:09 PM ~ root (1031) : /usr/sbin/saslauthd -d -n 1 -m /run/saslauthd -a ldap -O /etc/saslauthd.conf
>saslauthd[4718] :main : num_procs : 1
>saslauthd[4718] :main : mech_option: /etc/saslauthd.conf
>saslauthd[4718] :main : run_path : /run/saslauthd
>saslauthd[4718] :main : auth_mech : ldap
>saslauthd[4718] :ipc_init : using accept lock file: /run/saslauthd/mux.accept
>saslauthd[4718] :detach_tty : master pid is: 0
>saslauthd[4718] :ipc_init : listening on socket: /run/saslauthd/mux
>saslauthd[4718] :main : using process model
>saslauthd[4718] :get_accept_lock : acquired accept lock
>saslauthd[4718] :rel_accept_lock : released accept lock
>saslauthd[4718] :do_auth : auth failure: [user=rwerner2] [service=smtp] [realm=] [mech=ldap] [reason=Unknown]
>saslauthd[4718] :do_request : response: NO
>saslauthd[4718] :get_accept_lock : acquired accept lock
>
>The "debug: -1" flag didn't seem to affect the output.
I gave you the wrong option. It's 'ldap_debug: -1'.
>The problem doesn't seem to be username dependent. I've used several
>different ones. I'm mostly testing with my own which is "rwerner2" but
>I've also tested with "ucmit-mcp".
Does using 'ldap_filter: uid=%u' make any difference?
To clarify, it is the user supplied password that is getting cut short, and
not the ldap_bind_pw password?
Are you using a password-hash/olcPasswordHash on the server side, e.g.
{CRYPT}?
>I'm seeing the same output from saslauthd in /var/log/secure after
>directing the auth.debug facility there (in rsyslog).
>
>The only way I could tell that the saslauthd was sending out only 7 chars
>of the password was by looking at the tcpdump of the conversation with the
>ldap server.
>
>(as an FYI for anyone else messing with this on RHEL, I had to disable
>selinux because the restrictions wouldn't let postfix talk to a saslauthd
>launched from the command line as root; once this is resolved I'll
>re-enable selinux).
>
>From: Dan White <dwhite at olp.net>
>Sent: Tuesday, June 5, 2018 8:42 AM
>To: Robert Werner
>Cc: cyrus-sasl at lists.andrew.cmu.edu
>Subject: Re: Problem using saslauthd against ldap server ...
>
>On 06/04/18 22:42 +0000, Robert Werner wrote:
>>When saslauthd tries to bind with the credentials, it is only sending 7
>>characters of the password. I've validated this by using Wireshark to
>>examine the sasl communications. The ldap search for the user is
>>successful and saslauthd is finding the correct user and binding as
>>desired. But the auth fails, obviously, because the only 7 characters of
>>the actual (9 character) password is sent.
>>
>>ldap_bind_dn: <user>
>>ldap_bind_pw: <password>
>>ldap_servers: ldap://lplds.ucmerced.edu
>>ldap_search_base: dc=ucmerced,dc=edu
>>ldap_filter: uid=%U
>>ldap_version: 3
>>log_level: 7
>
>>log_level: 7
>>pwcheck_method: saslauthd
>>mech_list: plain login
>
>Is this problem reproducible with testsaslauthd and smtptest?
>
>Disable saslauthd caching (without -c) and run in debug (-d) mode for
>additional output. Set 'debug: -1' (man 3 ldap_set_option), in
>saslauthd.conf to increase libldap's output.
>
>Is this problem specific to a particular user name? If so, would you mind
>sharing what that username is?
--
Dan White
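The wire-level check described in the thread (confirming how many password bytes saslauthd actually puts into its LDAP bind), as an added example that is not part of the original exchange: a minimal decoder for an LDAPv3 simple BindRequest (RFC 4511, BER-encoded) that reports the bound DN and the credential length without ever printing the credential. The sample packet is constructed here with a placeholder DN and a 7-byte credential; it is not traffic captured from the poster's system.

```python
# Added example: decode an LDAPv3 simple BindRequest and report DN + credential length only.
def _ber_tlv(buf, pos):
    """Parse one BER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_simple_bind(packet):
    """Return message id, protocol version, bind DN and password length of a simple bind."""
    tag, msg, _ = _ber_tlv(packet, 0)
    if tag != 0x30:                         # LDAPMessage is a SEQUENCE
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _ber_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID INTEGER")
    tag, bind, _ = _ber_tlv(msg, pos)
    if tag != 0x60:                         # [APPLICATION 0] = BindRequest
        raise ValueError("protocolOp is not BindRequest (tag 0x%02x)" % tag)
    _, ver, pos = _ber_tlv(bind, 0)
    _, dn, pos = _ber_tlv(bind, pos)
    tag, cred, _ = _ber_tlv(bind, pos)
    if tag != 0x80:                         # [0] simple; 0xA3 would be a SASL bind
        raise ValueError("authentication choice is not 'simple'")
    return {"message_id": int.from_bytes(mid, "big"),
            "version": int.from_bytes(ver, "big"),
            "dn": dn.decode("utf-8"),
            "password_len": len(cred)}      # report the length, never the credential

def _tlv(tag, value):
    """Encode one BER TLV, choosing the short or long length form as needed."""
    n = len(value)
    if n < 128:
        lb = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        lb = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + lb + value

def build_simple_bind(message_id, dn, password):
    """Encode a simple BindRequest; used here only to construct sample traffic."""
    bind = _tlv(0x02, bytes([3])) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))

# Constructed sample (placeholder DN, made-up credential): only 7 credential bytes
# reach the wire, which is the symptom the thread reports for a 9-character password.
SAMPLE = build_simple_bind(2, "uid=rwerner2,ou=People,dc=example,dc=com", "abcdefg")
```

Feed `decode_simple_bind` the payload bytes of the BindRequest packet from a tcpdump/Wireshark capture to see the same information; a `password_len` shorter than the password typed confirms the truncation happens before the bind is sent.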