ldapdb smtpd.conf postfix sends unbind to ldap

Dennis Matotek dennis at utiba.com
Mon Jan 16 00:47:56 EST 2006


Hi,

Can someone just confirm the basics for me?

set up /etc/postfix/sasl/smtpd.conf
	ldapdb_uri
	ldapdb_id
	ldapdb_pw
	ldapdb_mech
	
set in /etc/postfix/main.cf

smtpd_sasl_auth_enable = yes

smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/access

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_unauth_destination

smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2

smtp_sasl_password_maps = /etc/postfix/sasl/smtpd.conf

smtpd_sasl_security_options = noanonymous

In one post I saw to add:
auxprop_plugin: slapd
to /usr/lib/sasl2/slapd.conf (doesn't make a big difference anyway).

Is there anything else that needs to be config'd?

Further to that, I'd better add some more details:
cyrus-sasl-2.1.21-1
cyrus-sasl-digestmd5-2.1.21-1
cyrus-sasl-ldapdb-2.1.21-1
postfix-2.1.5-6mdk
postfix-ldap-2.1.5-6mdk
openldap-servers-2.2.23-5mdk

I have been messing around with the ldapdb.c and can confirm it reads 
the smtpd.conf file but just doesn't do the search or ldapwhoami. What 
have I missed?

Regards,

Den

Dennis Matotek wrote:

> Hi List,
>
> I've read through the mail list archive and get similar but different 
> problems to people using ldapdb, smtp auth via sasl.
>
> I have confirmed using ldapsearch, ldapwhoami that ldap and digest-md5 
> authentication is working properly.  courier-imap uses the same 
> authentication to the same ldap server and experiences no problems.  I 
> cannot get smtps to authenticate to the ldap server.  According to 
> ethereal trace the smtps server makes a connection then sends unbind 
> request.  Ldap logs the incoming connection but nothing else.  Is 
> there a way of debugging what is happening that I can look at?  
> Someone with a previous ldapdb problem on the list said to use smtptest 
> supplied by cyrus-imap-utils.  Since I'm running courier-imap on the 
> same server I didn't want to load it in case it caused more problems.  
> Is there something I am missing? I am not really a C programmer so 
> messing with code is problematic.
>
> Any help is greatly appreciated.
>
> Regards,
>
> Dennis
>
> ldapwhoami -U xxxxx -X u:xxxx -Y DIGEST-MD5 -H ldap://ser3 -ZZ
> dn:uid=xxxxxx,ou=utiba,ou=people,dc=xxxx
> Result: Success (0)
>
> ldapsearch -H ldap://ser3 -U xxxx -W  -X u:xxxx -Y DIGEST-MD5 -s base -b
> uid=xxxxx,ou=xxxx,ou=people,dc=xxxx '(objectclass=*)' userPassword -ZZ
> dn: uid=xxxxxx,ou=xxxx,ou=People,dc=xxxx
> userPassword:: ########
>
> /etc/postfix/sasl/smtpd.conf
> pwcheck_method: auxprop (toggle on/off makes no difference)
> auxprop_plugin: ldapdb
> ldapdb_uri: ldap://192.168.0.3
> ldapdb_id: xxxxx
> ldapdb_pw: ******
> #ldapdb_starttls: demand (toggle on/off makes no difference)
> ldapdb_mech: digest-md5
> log_level: 1 (this doesn't seem to do anything)
>
> log mail/info: (where it passes off to sasl)
> postfix/smtpd[6687]:  SASL authentication misc: DIGEST-MD5 server step 2
> postfix/smtpd[6687]: > unknown[192.168.1.30]: 535 Error: 
> authentication failed
> postfix/smtpd[6687]: watchdog_pat: 0x8084be8
> postfix/smtpd[6687]: smtp_get: EOF
>
> log ldap.log (level 255)
> Jan 15 14:00:20 ser3 slapd[29914]: daemon: activity on 1 descriptors
> Jan 15 14:00:20 ser3 slapd[29914]: daemon: new connection on 30
> Jan 15 14:00:20 ser3 slapd[29914]: daemon: added 30r
> Jan 15 14:00:20 ser3 slapd[29914]: daemon: activity on:
> Jan 15 14:00:20 ser3 slapd[29914]:
> Jan 15 14:00:20 ser3 slapd[29914]: daemon: select: listen=6 
> active_threads=0 tvp=NULL
> Jan 15 14:00:20 ser3 slapd[29914]: daemon: select: listen=7 
> active_threads=0 tvp=NULL
> Jan 15 14:00:20 ser3 slapd[29914]: daemon: select: listen=8 
> active_threads=0 tvp=NULL
> Jan 15 14:00:20 ser3 slapd[29914]: daemon: select: listen=9 
> active_threads=0 tvp=NULL
> Jan 15 14:00:20 ser3 slapd[29914]: daemon: activity on 1 descriptors
> Jan 15 14:00:20 ser3 slapd[29914]: daemon: activity on:
> Jan 15 14:00:20 ser3 slapd[29914]:  30r
> Jan 15 14:00:20 ser3 slapd[29914]:
> Jan 15 14:00:20 ser3 slapd[29914]: daemon: read activity on 30
> Jan 15 14:00:20 ser3 slapd[29914]: connection_get(30)
> Jan 15 14:00:20 ser3 slapd[29914]: connection_get(30): got connid=66
> Jan 15 14:00:20 ser3 slapd[29914]: connection_read(30): checking for 
> input on id=66
> Jan 15 14:00:20 ser3 slapd[29914]: ber_get_next on fd 30 failed 
> errno=0 (Success)
> Jan 15 14:00:20 ser3 slapd[29914]: connection_read(30): input error=-2 
> id=66, closing.
> Jan 15 14:00:20 ser3 slapd[29914]: connection_closing: readying 
> conn=66 sd=30 for close
> Jan 15 14:00:20 ser3 slapd[29914]: connection_close: deferring conn=66 
> sd=30
> Jan 15 14:00:20 ser3 slapd[29914]: daemon: select: listen=6 
> active_threads=0 tvp=NULL
> Jan 15 14:00:20 ser3 slapd[29914]: daemon: select: listen=7 
> active_threads=0 tvp=NULL
> Jan 15 14:00:20 ser3 slapd[29914]: daemon: select: listen=8 
> active_threads=0 tvp=NULL
> Jan 15 14:00:20 ser3 slapd[29914]: daemon: select: listen=9 
> active_threads=0 tvp=NULL
> Jan 15 14:00:20 ser3 slapd[29914]: daemon: activity on 1 descriptors
> Jan 15 14:00:20 ser3 slapd[29914]: daemon: select: listen=6 
> active_threads=0 tvp=NULL
> Jan 15 14:00:20 ser3 slapd[29914]: daemon: select: listen=7 
> active_threads=0 tvp=NULL
> Jan 15 14:00:20 ser3 slapd[29914]: daemon: select: listen=8 
> active_threads=0 tvp=NULL
> Jan 15 14:00:20 ser3 slapd[29914]: daemon: select: listen=9 
> active_threads=0 tvp=NULL
> Jan 15 14:00:20 ser3 slapd[29914]: do_unbind
> Jan 15 14:00:20 ser3 slapd[29914]: connection_resched: attempting 
> closing conn=66 sd=30
> Jan 15 14:00:20 ser3 slapd[29914]: connection_close: conn=66 sd=30
> Jan 15 14:00:20 ser3 slapd[29914]: daemon: removing 30
>
> ethereal log:
> as attachment scan1.ethereal
>
>
>
> -----------------
> Utiba Pty Ltd This message has been scanned for viruses and
> dangerous content by Utiba mail server and is believed to be clean.
>



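As an added example (not from the post, nor from the Cyrus SASL or OpenLDAP projects), a small Python script that groups the operations in slapd debug output by connection and reports how far the client got before closing. It separates a client that never binds, which is what the quoted slapd log and trace show, from one whose bind or search fails. It assumes a single client talking to slapd during the capture, because operation lines in this debug output carry no connection id; the sample log is constructed to mirror the shape of the one quoted above.

```python
import re

# Constructed sample of slapd debug output (loglevel 255), shaped like the log in
# the post: the client connects, never sends a bind or a search, and unbinds.
SAMPLE_LOG = """\
Jan 15 14:00:20 ser3 slapd[29914]: daemon: new connection on 30
Jan 15 14:00:20 ser3 slapd[29914]: connection_get(30): got connid=66
Jan 15 14:00:20 ser3 slapd[29914]: connection_read(30): checking for input on id=66
Jan 15 14:00:20 ser3 slapd[29914]: ber_get_next on fd 30 failed errno=0 (Success)
Jan 15 14:00:20 ser3 slapd[29914]: do_unbind
Jan 15 14:00:20 ser3 slapd[29914]: connection_close: conn=66 sd=30
"""

OPEN_RE = re.compile(r"connection_get\((\d+)\): got connid=(\d+)")
CLOSE_RE = re.compile(r"connection_close: conn=(\d+) sd=(\d+)")
# Entry points slapd traces for the operations we care about.
OP_RE = re.compile(r"slapd\[\d+\]: (do_bind|do_search|do_unbind)\b")


def sessions(log):
    """Map each connection id to the ordered list of operations slapd traced.

    Assumption: one client at a time, so an operation line (which carries no
    connection id) belongs to the most recently opened, still-open connection.
    """
    result = {}
    current = None
    for line in log.splitlines():
        m = OPEN_RE.search(line)
        if m:
            current = m.group(2)
            result.setdefault(current, [])
            continue
        m = OP_RE.search(line)
        if m and current is not None:
            result[current].append(m.group(1))
            continue
        m = CLOSE_RE.search(line)
        if m and m.group(1) == current:
            current = None
    return result


def diagnose(ops):
    """Say how far the client got, from the operations seen on one connection."""
    if "do_bind" not in ops:
        return "client unbound without binding: it gave up before LDAP auth, look at its own config"
    if "do_search" not in ops:
        return "bind attempted but no search followed: check bind credentials and mechanism"
    return "bind and search seen: check search base, filter and directory ACLs"


if __name__ == "__main__":
    for conn, ops in sessions(SAMPLE_LOG).items():
        print(f"conn={conn} ops={ops}: {diagnose(ops)}")
```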


