ldapdb: error: invalid parameter supplied

Patrick Ben Koetter p at state-of-mind.de
Sat Apr 22 17:33:59 EDT 2006


Dan,

* Dan Nicholson <dbn.lists at gmail.com>:
> On 4/21/06, Igor Brezac <igor at ipass.net> wrote:
> >
> > This looks ok.  What does debug of the ldap server show?  Did you setup
> > proxy correctly on the ldap server, ldapwhoami -Y DIGEST-MD5 -U proxyuser
> > -X u:user?
> 
> Hi,
> 
> Patrick, I'm going to assume that I have the same setup as you since I
> took mine entirely from the Book of Postfix.  I was having the same

Right you are, and it is a real shame, since I am one of the authors of the book
and I should really know how to handle this. :/ But then it's been a while
since we wrote the book and I had time to exercise my LDAP and ldapdb skills.

> problems with openldap-2.3.x, but I think I've solved the problem. 
> The big thing was getting the regexp in /etc/openldap/slapd.conf to
> work correctly.  Now, ldapwhoami checks out as well as ldapdb
> authorization through the cyrus-sasl client/server utilities.

ACK.

I see you posted most of your config. I will do so as well as soon as I have this
all set up and going, so others can make use of it.

> One thing to note is that the authorization settings have changed for
> openldap-2.3.  With 2.2, I was using saslAuthzTo, sasl-authz-policy
> and sasl-regexp.  Those have all now been changed to authzTo,
> authz-policy and authz-regexp (man slapd.conf).  Here is what I set in

Yep. It pays to RTFM. I was glad I did before I started.

> /etc/openldap/slapd.conf:
> 
> $ tail /etc/openldap/slapd.conf
> index   objectClass             eq
> index   cn                      eq
> index   mail,maildrop           pres
> index   mailbox,quota,uidNumber,gidNumber       eq
> 
> ## BINDING
> authz-policy                    to
> authz-regexp
>         uid=(.*),cn=.*,cn=auth
>         ldap:///dc=foo,dc=com??sub?(&(objectclass=inetOrgPerson)(uid=$1))
> 
> The important piece differing from the Book of Postfix is that the
> replacement could not be mail=$1 since the match was on uid.  Without
> this, ./server would give me
> 
> starting SASL negotiation: user not foundclosing connection

Hmmm, well it works here using (mail=$1).

> Also, I get the "invalid parameter" error even with successful
> authorization.  I also checked with my old openldap-2.2 system, and it

You get the same thing with the sql plugin even if you don't use it. Many
Postfix users ask about this on the mailing list, because they think they have a
real error, i.e. that they misconfigured something.

> happens there, too.  Here's the tail from a successful ./server,
> ./client login:
> 
> Apr 22 12:22:14 silky slapd[2265]: auxpropfunc error invalid parameter supplied
> Apr 22 12:22:14 silky slapd[2265]: _sasl_plugin_load failed on
> sasl_auxprop_plug_init for plugin: ldapdb
> Apr 22 12:22:26 silky lt-server: DIGEST-MD5 client step 2
> Apr 22 12:22:26 silky lt-server: DIGEST-MD5 client step 2
> Apr 22 12:22:26 silky lt-server: DIGEST-MD5 client step 3
> 
> For completeness, this is what I changed my auth user to, notice the authzTo:
> 
> dn: uid=proxy,ou=auth,dc=foo,dc=com
> uid: proxy
> objectClass: inetOrgPerson
> givenName: proxy
> sn: proxy
> cn: proxy
> userPassword: XXXXXXXXX
> mail: proxy
> authzTo: ldap:///ou=people,dc=foo,dc=com??sub?(objectclass=inetOrgPerson)
> 
> Hope that helps.

Yes, it did. Thanks!

p at rick

-- 
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
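Added example, not part of the thread: a small Python model of what slapd does with the authz-regexp rule and the proxy entry's authzTo under "authz-policy to", to show why the replacement attribute (uid=$1 versus the book's mail=$1) has to match the name users actually log in with. The in-memory entries, the cn=digest-md5 middle component and the mail=$1 rule are assumptions constructed for the example.

```python
import re

# Constructed in-memory stand-in for the LDAP tree from the thread (not a real directory).
DIRECTORY = {
    "uid=proxy,ou=auth,dc=foo,dc=com": {
        "objectclass": "inetOrgPerson", "uid": "proxy", "mail": "proxy",
        "authzto": "ldap:///ou=people,dc=foo,dc=com??sub?(objectclass=inetOrgPerson)"},
    "uid=alice,ou=people,dc=foo,dc=com": {
        "objectclass": "inetOrgPerson", "uid": "alice", "mail": "alice@foo.com"},
}

# Two candidate authz-regexp rules: the posted one (match on uid) and the book's mail=$1 variant.
RULE_UID = (r"uid=(.*),cn=.*,cn=auth",
            "ldap:///dc=foo,dc=com??sub?(&(objectclass=inetOrgPerson)(uid=$1))")
RULE_MAIL = (r"uid=(.*),cn=.*,cn=auth",
             "ldap:///dc=foo,dc=com??sub?(&(objectclass=inetOrgPerson)(mail=$1))")

def matches(entry, filt):
    """Evaluate a minimal LDAP filter: (attr=value) or an AND of such terms, case-insensitively."""
    if filt.startswith("(&"):
        return all(matches(entry, term) for term in re.findall(r"\([^()]*\)", filt[2:-1]))
    attr, value = filt[1:-1].split("=", 1)
    return entry.get(attr.lower(), "").lower() == value.lower()

def search(url):
    """Resolve an ldap:///base?attrs?scope?filter URL (scope 'sub' only) to the matching DNs."""
    base, _attrs, _scope, filt = url[len("ldap:///"):].split("?")
    return [dn for dn, e in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and matches(e, filt)]

def authz_regexp(sasl_name, rule):
    """Rewrite a SASL-derived name through one authz-regexp rule; None if the pattern does not match."""
    pattern, replacement = rule
    m = re.fullmatch(pattern, sasl_name)
    return replacement.replace("$1", m.group(1)) if m else None

def can_proxy(rule, authcid, authzid):
    """Outcome of ldapwhoami -Y DIGEST-MD5 -U <authcid> -X u:<authzid> under 'authz-policy to'."""
    # slapd turns both SASL names into uid=<name>,cn=<realm/mech>,cn=auth before authz-regexp;
    # the middle component varies with mechanism and realm, which is why the rule uses cn=.* .
    def resolve(name):
        url = authz_regexp(f"uid={name},cn=digest-md5,cn=auth", rule)
        hits = search(url) if url else []
        return hits[0] if len(hits) == 1 else None   # the lookup must yield exactly one entry
    proxy_dn = resolve(authcid)
    if proxy_dn is None:
        return "user not found"                      # the ./server failure quoted in the thread
    target_dn = resolve(authzid)
    if target_dn is None:
        return "user not found"
    authzto = DIRECTORY[proxy_dn].get("authzto")     # who this account may become
    return "authorized" if authzto and target_dn in search(authzto) else "not authorized"
```

With uid=$1 the proxy may become alice; with mail=$1 the same attempt fails unless the SASL login name is the mail address, which is one way both reports in this thread can be true for their respective directories.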
