Postfix, SASL and LDAPDB: no worthy mech found

Julien Vehent julien at linuxwall.info
Fri May 21 10:41:08 EDT 2010


On Fri, 21 May 2010 08:41:17 -0500, Dan White <dwhite at olp.net> wrote:
> 
> What username are you logging in with to Postfix? The '-R linuxwall.info'
> in your ldapwhoami may not be doing what you expect.
> 
> Try using smtptest (which is part of cyrus imap), like:
> 
> smtptest -a julien -m digest-md5 localhost

----
# smtptest -a julien -m digest-md5 localhost

S: 220 samchiel.linuxwall.info ESMTP Postfix (Debian/GNU)
C: EHLO example.com
S: 250-samchiel.linuxwall.info
S: 250-PIPELINING
S: 250-SIZE 10240000
S: 250-VRFY
S: 250-ETRN
S: 250-AUTH LOGIN PLAIN DIGEST-MD5
S: 250-ENHANCEDSTATUSCODES
S: 250-8BITMIME
S: 250 DSN
C: AUTH DIGEST-MD5
S: 334
bm9uY2U9Ijl0VzVVS0hkQkFUYlFuZ2lzb3ZHVStPZXBIcFk2cDh5ZjRoaDRVdk4yT2M9IixyZWFsbT0ibGludXh3YWxsLmluZm8iLHFvcD0iYXV0aCIsY2hhcnN
ldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M=
Please enter your password:
C:
dXNlcm5hbWU9Imp1bGllbiIscmVhbG09ImxpbnV4d2FsbC5pbmZvIixub25jZT0iOXRXNVVLSGRCQVRiUW5naXNvdkdVK09lcEhwWTZwOHlmNGhoNFV2TjJPYz0iLGN
ub25jZT0icUpGY0xUcWNqSVAwZytabFJrTWVCV21NRnRtTDl5ZVE2bDMyRjk3UUFlST0iLG5jPTAwMDAwMDAxLHFvcD1hdXRoLG1heGJ1Zj0xMDI0LGRpZ2VzdC11cmk9I
nNtdHAvbG9jYWxob3N0IixyZXNwb25zZT05N2UyNmMzMzFjNWZjNWFlYjQ4Mjc4YjY2YWZhMzZjNw==
S: 535 5.7.8 Error: authentication failed: authentication failure
Authentication failed. generic failure
Security strength factor: 0
quit
221 2.0.0 Bye
Connection closed.
----

Both cyrus-sasl and openldap support digest-md5, since I'm using it with
cyrus-imap on the same machine.
Note that the slapd logs confirm that my postfix user is logged in using
digest-md5. However, it seems that it cannot take the user's identity:


----
# tail -n 200 /var/log/slapd.log |grep conn
May 21 16:36:52 samchiel slapd[1431]: conn=86 op=1 BIND authcid="postfix" authzid="postfix"
May 21 16:36:52 samchiel slapd[1431]: conn=86 op=1 BIND dn="cn=postfix administrator,ou=infrastructure,dc=linuxwall,dc=info" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
May 21 16:36:52 samchiel slapd[1431]: conn=86 op=1 RESULT tag=97 err=0 text=
May 21 16:36:52 samchiel slapd[1431]: conn=86 op=2 RESULT tag=120 err=123 text=not authorized to assume identity
May 21 16:36:52 samchiel slapd[1431]: conn=86 op=2 do_extended: get_ctrls failed
May 21 16:36:52 samchiel slapd[1431]: conn=86 op=3 UNBIND
May 21 16:36:52 samchiel slapd[1431]: conn=86 fd=17 closed
----




Below is the test with cyrus-imap and the exact same user:


----
# imtest -a julien -m digest-md5 localhost

S: * OK samchiel Cyrus IMAP4 v2.2.13-Debian-2.2.13-19 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT
 THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=DIGEST-MD5
AUTH=NTLM AUTH=CRAM-MD5 SASL-IR
S: C01 OK Completed
C: A01 AUTHENTICATE DIGEST-MD5
S: +
bm9uY2U9IkNFenZ5aXJZRHBTOXNSN3lsWXBEZTBKeEtrK1FqMjdoekFiakJhSjdPY289IixyZWFsbT0ic2FtY2hpZWwiLHFvcD0iYXV0aCxhdXRoLWludCxhdXRoL
WNvbmYiLGNpcGhlcj0icmM0LTQwLHJjNC01NixyYzQsZGVzLDNkZXMiLG1heGJ1Zj00MDk2LGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz
Please enter your password:
C:
dXNlcm5hbWU9Imp1bGllbiIscmVhbG09InNhbWNoaWVsIixub25jZT0iQ0V6dnlpcllEcFM5c1I3eWxZcERlMEp4S2srUWoyN2h6QWJqQmFKN09jbz0iLGNub25jZT0
iVVNIUkd0YkREeDVWMEszVjErUEROQVBscFBkbnZnQTJwUWg0aEQ4MUZTOD0iLG5jPTAwMDAwMDAxLHFvcD1hdXRoLWNvbmYsY2lwaGVyPXJjNCxtYXhidWY9MTAyNCxka
Wdlc3QtdXJpPSJpbWFwL2xvY2FsaG9zdCIscmVzcG9uc2U9MGY0OWMwZjBhOGJhZmI1NTlkYmY0MTNiMzQzMjcxMGY=
S: + cnNwYXV0aD01ZjRlMjBlYjdkMjY5M2IxM2U1NGMwYWUzYmJmZWQ4ZQ==
C:
S: A01 OK Success (privacy protection)
Authenticated.
Security strength factor: 128
. logout
* BYE LOGOUT received
. OK Completed
Connection closed.
----

This one is a success...




Julien
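
Added example, not part of the original post: a small Python decoder for the base64 DIGEST-MD5 server challenges in the two sessions above, listing the directives that differ between the failing SMTP exchange and the working IMAP one. The function names are hypothetical; the realm is part of the identity DIGEST-MD5 authenticates, so the difference is worth ruling out, but this does not establish the cause of the failure.

```python
import base64
import re

# Server challenges copied from the smtptest and imtest sessions on this page,
# with the wrapped lines rejoined.
SMTP_CHALLENGE = (
    "bm9uY2U9Ijl0VzVVS0hkQkFUYlFuZ2lzb3ZHVStPZXBIcFk2cDh5ZjRoaDRVdk4yT2M9IixyZWFsbT0ibGludXh3YWxsLmluZm8iLHFvcD0iYXV0aCIsY2hhcnN"
    "ldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M="
)
IMAP_CHALLENGE = (
    "bm9uY2U9IkNFenZ5aXJZRHBTOXNSN3lsWXBEZTBKeEtrK1FqMjdoekFiakJhSjdPY289IixyZWFsbT0ic2FtY2hpZWwiLHFvcD0iYXV0aCxhdXRoLWludCxhdXRoL"
    "WNvbmYiLGNpcGhlcj0icmM0LTQwLHJjNC01NixyYzQsZGVzLDNkZXMiLG1heGJ1Zj00MDk2LGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz"
)

# RFC 2831 directive: name=token or name="quoted string" (quotes may hold commas).
_DIRECTIVE = re.compile(r'([A-Za-z][\w-]*)=(?:"((?:[^"\\]|\\.)*)"|([^,]*))')


def parse_digest(b64):
    """Decode one base64 DIGEST-MD5 message into a {directive: value} dict."""
    text = base64.b64decode(b64).decode("utf-8")
    fields = {}
    for name, quoted, bare in _DIRECTIVE.findall(text):
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare.strip()
        fields[name.lower()] = value
    return fields


def diff_challenges(a, b):
    """Directives that differ between two challenges; the nonce always differs."""
    names = (set(a) | set(b)) - {"nonce"}
    return {n: (a.get(n), b.get(n)) for n in sorted(names) if a.get(n) != b.get(n)}


def offers_security_layer(challenge):
    """True when the server offers integrity or confidentiality (auth-int/auth-conf)."""
    return bool({"auth-int", "auth-conf"} & set(challenge.get("qop", "auth").split(",")))


if __name__ == "__main__":
    smtp, imap = parse_digest(SMTP_CHALLENGE), parse_digest(IMAP_CHALLENGE)
    for name, (s, i) in diff_challenges(smtp, imap).items():
        print(f"{name:8} smtp={s!r}  imap={i!r}")
    print("security layer offered:", offers_security_layer(smtp), offers_security_layer(imap))
```

The same `parse_digest` function decodes the client responses in the transcripts, which carry the `username`, `realm` and `digest-uri` each client actually sent.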

