<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p style="margin-top:0;margin-bottom:0">Dan, thank you so much for your suggestions:</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">I tried running the saslauthd with the flags you suggested and got the following output:</p>
<p style="margin-top:0;margin-bottom:0"></p>
<div>lpmail01 01:09 PM ~ root (1031) : /usr/sbin/saslauthd -d -n 1 -m /run/saslauthd -a ldap -O /etc/saslauthd.conf<br>
saslauthd[4718] :main : num_procs : 1<br>
saslauthd[4718] :main : mech_option: /etc/saslauthd.conf<br>
saslauthd[4718] :main : run_path : /run/saslauthd<br>
saslauthd[4718] :main : auth_mech : ldap<br>
saslauthd[4718] :ipc_init : using accept lock file: /run/saslauthd/mux.accept<br>
saslauthd[4718] :detach_tty : master pid is: 0<br>
saslauthd[4718] :ipc_init : listening on socket: /run/saslauthd/mux<br>
saslauthd[4718] :main : using process model<br>
saslauthd[4718] :get_accept_lock : acquired accept lock<br>
saslauthd[4718] :rel_accept_lock : released accept lock<br>
saslauthd[4718] :do_auth : auth failure: [user=rwerner2] [service=smtp] [realm=] [mech=ldap] [reason=Unknown]<br>
saslauthd[4718] :do_request : response: NO<br>
saslauthd[4718] :get_accept_lock : acquired accept lock<br>
<br>
</div>
The "debug: -1" flag didn't seem to affect the output.
<p></p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">The problem doesn't seem to be username dependent. I've used several different ones. I'm mostly testing with my own, which is "rwerner2", but I've also tested with "ucmit-mcp".</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">I'm seeing the same output from saslauthd in /var/log/secure after directing the auth.debug facility there (in rsyslog).</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">The only way I could tell that the saslauthd was sending out only 7 chars of the password was by looking at the tcpdump of the conversation with the ldap server.<br>
</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">(as an FYI for anyone else messing with this on RHEL, I had to disable selinux because the restrictions wouldn't let postfix talk to a saslauthd launched from the command line as root; once this is resolved I'll re-enable
selinux).<br>
</p>
<div id="Signature">
<div id="divtagdefaultwrapper" dir="ltr" style='font-size: 12pt; color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif, "EmojiFont", "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols;'>
<p></p>
<div><span style="font-size:11pt">--</span><span style="font-size:11pt"> </span>
<div><span style="font-size:11pt"></span>
<p class="MsoAutoSig"></p>
<span style="font-size:11pt"></span>
<div><span style="font-size:11pt"></span>
<p class="MsoAutoSig"><b style=""><span style="font-size:11pt">Robert G. Werner</span></b></p>
<span style="font-size:11pt"></span>
<p class="MsoAutoSig"><span style="font-size:11pt">Systems Administrator</span></p>
<span style="font-size:11pt"></span>
<p class="MsoAutoSig"><span style="font-size:14.0pt"><span style="font-size:11pt">University of California Merced,</span><span style="font-size:11pt">
</span><span style="font-size:11pt">Office of Information Technology</span></span></p>
<span style="font-size:11pt"></span><span style='font-size:14.0pt; font-family:"Calibri",sans-serif'><a href="mailto:rwerner2@ucmerced.edu" id="LPNoLP"><span style="font-size:11pt">rwerner2@ucmerced.edu</span></a><span style="font-size:11pt"> |
</span><a href="https://it.ucmerced.edu/" title="Ctrl+Click or tap to follow the link" id="LPNoLP"><span style="font-size:11pt">it.ucmerced.edu</span></a><span style="font-size:11pt"> | 209.201.4368</span></span><span style="font-size:12pt">
</span></div>
<span style="font-size:12pt"></span><br>
<p></p>
</div>
<p></p>
</div>
<p></p>
</div>
</div>
<br>
<br>
<div style="color: rgb(0, 0, 0);">
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> Dan White <dwhite@olp.net><br>
<b>Sent:</b> Tuesday, June 5, 2018 8:42 AM<br>
<b>To:</b> Robert Werner<br>
<b>Cc:</b> cyrus-sasl@lists.andrew.cmu.edu<br>
<b>Subject:</b> Re: Problem using saslauthd against ldap server ...</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">On 06/04/18 22:42 +0000, Robert Werner wrote:<br>
>I'm trying to use saslauthd to test "auth plain" and "auth login"<br>
>authentication against our LDAP data store using the "MECH=ldap"<br>
>configuration. <br>
><br>
>When saslauthd tries to bind with the credentials, it is only sending 7<br>
>characters of the password. I've validated this by using Wireshark to<br>
>examine the sasl communications. The ldap search for the user is<br>
>successful and saslauthd is finding the correct user and binding as<br>
>desired. But the auth fails, obviously, because only 7 characters of<br>
>the actual (9 character) password are sent.<br>
><br>
>If I use the "MECH=pam" and authenticate against a valid user (also with a<br>
>password that is 9 characters) on the local server, the authentication is<br>
>successful.<br>
><br>
>I'm running this on RHEL 7.5 with cyrus-sasl* packages that are version<br>
>"2.1.26-23.el7.x86_64", ie: <br>
><br>
>cyrus-sasl-plain-2.1.26-23.el7.x86_64<br>
>cyrus-sasl-2.1.26-23.el7.x86_64<br>
>cyrus-sasl-gssapi-2.1.26-23.el7.x86_64<br>
>cyrus-sasl-lib-2.1.26-23.el7.x86_64<br>
><br>
>I've attached my smtp.conf, saslauthd and saslauthd.conf files (with<br>
>passwords redacted). <br>
><br>
>Is there a configuration I'm missing or have I found a bug? Any<br>
>suggestions as to how to get around this problem?<br>
<br>
>ldap_bind_dn: <user><br>
>ldap_bind_pw: <password><br>
>ldap_servers: ldap://lplds.ucmerced.edu<br>
>ldap_search_base: dc=ucmerced,dc=edu<br>
>ldap_filter: uid=%U<br>
>ldap_version: 3<br>
>log_level: 7<br>
<br>
>log_level: 7<br>
>pwcheck_method: saslauthd<br>
>mech_list: plain login<br>
<br>
Is this problem reproducible with testsaslauthd and smtptest?<br>
<br>
Disable saslauthd caching (without -c) and run in debug (-d) mode for<br>
additional output. Set 'debug: -1' (man 3 ldap_set_option), in<br>
saslauthd.conf to increase libldap's output.<br>
<br>
Is this problem specific to a particular user name? If so, would you mind<br>
sharing what that username is?<br>
<br>
-- <br>
Dan White<br>
</div>
</span></font></div>
</div>
</div>
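<p>The thread's diagnosis rests on two wire-level checks: what the SMTP client hands over after <code>AUTH PLAIN</code>, and how many password bytes saslauthd's ldap backend puts into the LDAP simple bind it sends to the directory (the part Robert inspected with tcpdump/Wireshark). The script below is an added example written for this page, not code from the thread, cyrus-sasl or postfix: it builds and decodes an RFC 4616 AUTH PLAIN token, BER-encodes an LDAPv3 simple BindRequest the way libldap does, and parses such a request back out of raw bytes so a captured packet can be checked for the expected password length. The credentials and the DN <code>uid=rwerner2,dc=ucmerced,dc=edu</code> are constructed for the example (the DN shape is an assumption based on the posted <code>ldap_filter</code> and <code>ldap_search_base</code>); the message id is assumed to fit in one byte.</p>

```python
import base64

# Constructed sample credentials for this example (not the poster's real ones).
SAMPLE_USER = "rwerner2"
SAMPLE_PASS = "abcdefghi"                          # 9 characters, the length discussed in the thread
SAMPLE_DN = "uid=rwerner2,dc=ucmerced,dc=edu"      # assumed DN shape (ldap_filter uid=%U under the search base)


def auth_plain_initial_response(user, password, authzid=""):
    """Base64 token a client sends after 'AUTH PLAIN' (RFC 4616: authzid NUL authcid NUL passwd)."""
    raw = (authzid + "\0" + user + "\0" + password).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(token):
    """Reverse of the above; apply it to the token seen in a capture of the SMTP side."""
    parts = base64.b64decode(token).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN token")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return authzid, authcid, passwd


def _ber_len(n):
    """BER definite-length octets: a single byte up to 127, long form beyond that."""
    if n >= 0x80:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([0x80 | len(body)]) + body
    return bytes([n])


def _ber_tlv(tag, value):
    """Tag, length, value."""
    return bytes([tag]) + _ber_len(len(value)) + value


def ldap_simple_bind(message_id, bind_dn, password):
    """Encode an LDAPv3 BindRequest with simple authentication (RFC 4511 section 4.2).

    This is the message saslauthd's ldap backend sends when it re-binds as the user
    it just searched for. message_id is assumed to fit in one byte."""
    bind_request = (
        _ber_tlv(0x02, bytes([3]))                    # version        INTEGER 3
        + _ber_tlv(0x04, bind_dn.encode("utf-8"))     # name           LDAPDN
        + _ber_tlv(0x80, password.encode("utf-8"))    # authentication [0] simple OCTET STRING
    )
    ldap_message = _ber_tlv(0x02, bytes([message_id])) + _ber_tlv(0x60, bind_request)
    return _ber_tlv(0x30, ldap_message)             # LDAPMessage SEQUENCE


def _ber_read(buf, pos):
    """Read one TLV starting at pos; return (tag, value, position after the TLV)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first >= 0x80:                                # long form: low 7 bits = number of length octets
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    else:
        length = first
        pos += 2
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(packet):
    """Pull message id, version, DN and password length out of a captured BindRequest."""
    tag, msg, _ = _ber_read(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msgid, pos = _ber_read(msg, 0)
    tag, bind, _ = _ber_read(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest (APPLICATION 0)")
    _, version, pos = _ber_read(bind, 0)
    _, dn, pos = _ber_read(bind, pos)
    auth_tag, auth, _ = _ber_read(bind, pos)
    if auth_tag != 0x80:
        raise ValueError("not a simple bind (a SASL bind carries tag 0xA3)")
    return {
        "message_id": int.from_bytes(msgid, "big"),
        "version": int.from_bytes(version, "big"),
        "dn": dn.decode("utf-8"),
        "password_length": len(auth),
    }


def bind_carries_full_password(packet, expected_length):
    """True if the captured bind sent all expected_length password bytes."""
    return parse_simple_bind(packet)["password_length"] == expected_length


if __name__ == "__main__":
    token = auth_plain_initial_response(SAMPLE_USER, SAMPLE_PASS)
    _, authcid, passwd = decode_auth_plain(token)
    print("SMTP side: AUTH PLAIN", token, "-> user", authcid, "password length", len(passwd))
    packet = ldap_simple_bind(1, SAMPLE_DN, passwd)
    print("LDAP side:", packet.hex())
    print(parse_simple_bind(packet))
    truncated = ldap_simple_bind(1, SAMPLE_DN, passwd[:7])   # what the capture in the thread showed
    print("full password on the wire:", bind_carries_full_password(packet, len(SAMPLE_PASS)))
    print("truncated bind flagged:   ", not bind_carries_full_password(truncated, len(SAMPLE_PASS)))
```

<p>To use it against a real capture, feed <code>parse_simple_bind</code> the TCP payload of the BindRequest from the saslauthd-to-LDAP stream and compare <code>password_length</code> with the length of the password the SMTP client encoded; if the AUTH PLAIN token already decodes to the full 9 characters but the bind carries 7, the loss is between saslauthd's mux socket and libldap, which is where the <code>debug: -1</code> output Dan asked for would be relevant. The parser handles the long-form BER lengths that appear with DNs or passwords over 127 bytes.</p>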
</body>
</html>