Unable to load the ldapdb plugin -- during SMTP AUTH against LDAP server .

Dan White whitehse at gmail.com
Tue Apr 28 11:21:17 EDT 2020


Hi Vamsi,

Comments are inline below.

>From: Cyrus-sasl <cyrus-sasl-bounces+bandaru.v=pg.com at lists.andrew.cmu.edu> On Behalf Of Bandaru, Vamsi
>Sent: Tuesday, April 28, 2020 12:37 AM
>
>Hi all ,
>
>( This is my first post here ) ,
>
>I am trying to use Cyrus SASL for SMTP authentication against my organization's LDAP server .
>
>I have two major issues I noticed :
>
>The auth.log under /var/log reads :
>
>Apr 27 14:57:36 postfix-in-1/submission/smtpd[42282]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
>Apr 27 14:57:36 postfix-in-1/submission/smtpd[42282]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
>
>The message logs read :
>
>saslauthd[85790]: detach_tty      : could not lock pid file /run/saslauthd/saslauthd.pid: Resource temporarily unavailable
>saslauthd[85789]: detach_tty      : Cannot start saslauthd
>saslauthd[85789]: detach_tty      : Another instance of saslauthd is currently running

As Alexander mentioned, there are two different concepts getting mixed up here. See:

https://www.cyrusimap.org/sasl/sasl/sysadmin.html

The ldapdb auxprop plugin essentially requires that you have a clear text
password stored within your ldap directory. It allows you to make use of a
wider range of mechanisms, such as digest-md5.

The ldapdb plugin is configured using the following options, in this case
within your /etc/sasl2/smtpd.conf:

ldapdb_uri
ldapdb_id
ldapdb_mech
ldapdb_pw
ldapdb_rc
ldapdb_starttls
auxprop_plugin
canon_user_plugin

See:

https://www.sendmail.org/~ca/email/cyrus2/options.html

If you don't intend to use the ldapdb plugin, you can shut the log messages
up with:

ldapdb_uri: ldapi:///

or

auxprop_plugin: sasldb
canon_user_plugin: sasldb

The saslauthd daemon is a password verification daemon. It accepts
authentication data from the user in clear text, and can authenticate the
credentials using a wide range of methods (pam, ldap, etc).  saslauthd only
supports the plain and login authentication mechanisms.

These two methods *can* be mixed - saslauthd for plain/login, and ldapdb
for other mechanisms, to give you an idea of how they interoperate, but
that makes no sense here.

For documentation on the ldap saslauthd backend, see:

https://github.com/cyrusimap/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD

The saslauthd ldap backend can work with a wider range of LDAP servers than
the ldapdb plugin.

>These are the files , and their locations I am trying to configure . ( am I missing any other files to configure )
>
>
>  1.  /etc/saslauthd.conf
>  2.  /etc/sasl2/smtpd.conf

This is a common location, but depending on your libsasl compile options,
and your smtp server configuration, your server may look elsewhere.

>My  /etc/saslauthd.conf , is configured in the following way :
>
>ldap_servers: ldaps://< hostname >:636
>ldap_bind_dn: uid=xxx,ou=xx,ou=xx,o=xx
>ldap_bind_pw: xxxx
>
>ldap_version: 3
>ldap_auth_method: bind
>ldap_search_base: ou=xx,ou=ss,o=xx
>ldap_scope: sub
>ldap_filter: ShortName=%U
>
>***********************************************************************
>
>The  /etc/sasl2/smtpd.conf   is configured as :
>
>pwcheck_method: auxprop
>auxprop_plugin: ldapdb
>
>mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5
>
>****************************************************************
>
>#ldapdb_mech: LOGIN   ( I am not sure if this parameter should be configured under smtpd.conf or under saslauthd.conf )

This would go in your smtpd.conf, if you are using the ldapdb plugin.

>Output of : saslauthd -a ldap -O /etc/saslauthd.conf
>
># saslauthd -a ldap -O /etc/saslauthd.conf
>saslauthd[91048] :detach_tty      : Cannot start saslauthd
>saslauthd[91048] :detach_tty      : Another instance of saslauthd is currently running

Presumably you are running postfix chrooted, and need to run a second
instance of saslauthd with a mux located in a location that postfix can
find. If that's the case, you'll need to specify a different location for
the mux (-m) in a location postfix can access.

If you don't need to be running two instances (the first is started by an
init script?), then modify your saslauthd startup script to include your -O
option, and the proper location for the mux.

># ps aux | grep saslauthd
>root      84395  0.0  0.0  74456   956 ?        Ss   18:25   0:00 /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
>root      84396  0.0  0.0  74456   732 ?        S    18:25   0:00 /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
>root      84397  0.0  0.0  74456   732 ?        S    18:25   0:00 /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
>root      84398  0.0  0.0  74456   732 ?        S    18:25   0:00 /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
>root      84399  0.0  0.0  74456   732 ?        S    18:25   0:00 /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r

At this point, if saslauthd is properly configured and your saslauthd.conf
is correct, testsaslauthd will succeed, and successfully authenticate
against your ldap server. Also test it in a shell, as the postfix user, to
verify all system permissions are correct.

You would want to have this working before you move on to your postfix and
smtpd.conf configuration.

>SASL related configuration under postfix / main.cf file .
>
>smtpd_sasl_auth_enable = yes
>smtpd_sasl_type = cyrus
>
>smtpd_sasl_path = /run/saslauthd/mux
>#smtpd_sasl_path = /usr/lib64/sasl2

This isn't correct. If I understand the config option, it should point to
the location of your sasl smtpd.conf config file (/etc/sasl2).

>smtpd_sasl_security_options = noanonymous
>smtpd_tls_auth_only = yes
>smtpd_sasl_tls_security_options = noanonymous

On 04/27/20 20:22 +0000, Bandaru, Vamsi wrote:
>Adding the output of pluginviewer : ldapdb is not listed as a one of the auxprop mechanisms :
>
># /usr/sbin/pluginviewer -a
>
>Installed and properly configured auxprop mechanisms are:
>sasldb
>List of auxprop plugins follows
>Plugin "sasldb" ,       API version: 8
>        supports store: yes
>
>and I don't have a pluginviewer.conf on my system , another conf file I have is : /etc/sasl2/slapd.conf

pluginviewer will fail, because it requires, at least, the ldapdb_uri
option be configured. You would need to create a pluginviewer.conf, such as
in /etc/sasl2, for this command to list ldapdb.

># cat /etc/sasl2/slapd.conf
>mech_list: plain
>pwcheck_method: saslauthd
>saslauthd_path: /var/run/saslauthd/mux
>
>
>( this doesn't look right )

This looks fine, unless you're running postfix smtpd chrooted, in which
case you'll want to have the saslauthd mux located somewhere within the
postfix chroot.
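As an added example (not part of this thread, and not Cyrus SASL or Postfix code), the following Python checker parses a Cyrus SASL smtpd.conf and flags the two mix-ups discussed above: ldapdb named as auxprop_plugin without an ldapdb_uri, ldapdb_* options left behind when the plugin is not selected, and pwcheck_method saslauthd paired with mechanisms that saslauthd cannot verify because it only ever sees a clear-text password. The option names are the real Cyrus SASL ones; the function names and the sample configs (built from the ones quoted in the thread) are my own.

```python
"""Added example: lint a Cyrus SASL smtpd.conf for the ldapdb / saslauthd
mix-ups discussed in this thread. Not part of Cyrus SASL or Postfix."""

# saslauthd receives a clear-text password, so it can only back these mechanisms.
SASLAUTHD_MECHS = {"PLAIN", "LOGIN"}

# Options read by the ldapdb auxprop plugin; ldapdb_uri is the minimum it needs.
LDAPDB_OPTIONS = {"ldapdb_uri", "ldapdb_id", "ldapdb_mech", "ldapdb_pw",
                  "ldapdb_rc", "ldapdb_starttls"}


def parse_sasl_conf(text):
    """Parse 'option: value' lines. '#' starts a comment; blank lines are skipped.
    Option names are case-insensitive, so they are lower-cased."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().lower()] = value.strip()
    return opts


def lint_smtpd_conf(opts):
    """Return a list of findings (an empty list means nothing suspicious)."""
    findings = []
    pwcheck = opts.get("pwcheck_method", "auxprop").lower().split()  # auxprop is libsasl's default
    auxprop = opts.get("auxprop_plugin", "").lower().split()
    mechs = {m.upper() for m in opts.get("mech_list", "").split()}
    ldapdb_set = LDAPDB_OPTIONS & set(opts)

    # Case 1: ldapdb selected as auxprop plugin but never told where the directory is.
    if "ldapdb" in auxprop and "ldapdb_uri" not in opts:
        findings.append("ldapdb_missing_uri: auxprop_plugin names ldapdb but "
                        "ldapdb_uri is not set (plugin load will fail)")

    # Case 2: ldapdb options present but the plugin is not selected; dead configuration.
    if ldapdb_set and "ldapdb" not in auxprop:
        findings.append("ldapdb_unused: %s set but auxprop_plugin does not "
                        "include ldapdb" % ", ".join(sorted(ldapdb_set)))

    # Case 3: saslauthd only does plain/login; anything else needs an auxprop source.
    if "saslauthd" in pwcheck and "auxprop" not in pwcheck:
        extra = sorted(mechs - SASLAUTHD_MECHS)
        if extra:
            findings.append("saslauthd_mechs: pwcheck_method saslauthd cannot "
                            "verify %s; restrict mech_list to PLAIN LOGIN"
                            % " ".join(extra))
    return findings


def lint_text(text):
    """Convenience wrapper: parse then lint a config given as a string."""
    return lint_smtpd_conf(parse_sasl_conf(text))


# Constructed sample: the smtpd.conf quoted in this thread.
THREAD_SMTPD_CONF = """\
pwcheck_method: auxprop
auxprop_plugin: ldapdb

mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5

#ldapdb_mech: LOGIN
"""

# Constructed sample: saslauthd-backed config offering a mechanism saslauthd cannot serve.
SASLAUTHD_TOO_MANY = """\
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
mech_list: plain login digest-md5
"""

# Constructed sample: the slapd.conf-style config quoted in the thread, which is consistent.
SASLAUTHD_OK = """\
mech_list: plain
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
"""

if __name__ == "__main__":
    for name, conf in [("thread smtpd.conf", THREAD_SMTPD_CONF),
                       ("saslauthd + digest-md5", SASLAUTHD_TOO_MANY),
                       ("saslauthd plain only", SASLAUTHD_OK)]:
        print(name + ":")
        for finding in lint_text(conf) or ["ok"]:
            print("  " + finding)
```

Run it against a real /etc/sasl2/smtpd.conf by passing the file contents to lint_text. Adding `ldapdb_uri: ldapi:///` to the thread's config, as suggested above, clears the only finding it raises; switching that config to pwcheck_method saslauthd without trimming mech_list raises the mechanism finding instead.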
