Postfix, SASL and LDAPDB: no worthy mech found

Dan White dwhite at olp.net
Sun May 23 12:49:17 EDT 2010


On 21/05/10 16:41 +0200, Julien Vehent wrote:
>> smtptest -a julien -m digest-md5 localhost
>
>S: 535 5.7.8 Error: authentication failed: authentication failure
>Authentication failed. generic failure
>Security strength factor: 0
>quit
>221 2.0.0 Bye
>Connection closed.
>----
>
>Both cyrus-sasl and openldap support digest-md5, since I'm using it with
>cyrus-imap on the same machine.
>Note that the slapd logs confirm that my postfix user is logged in using
>digest-md5. However, it seems that he cannot take the user's identity:
>
>
>----
># tail -n 200 /var/log/slapd.log |grep conn
>May 21 16:36:52 samchiel slapd[1431]: conn=86 op=1 BIND authcid="postfix"
>authzid="postfix"
>May 21 16:36:52 samchiel slapd[1431]: conn=86 op=1 BIND dn="cn=postfix
>administrator,ou=infrastructure,dc=linuxwall,dc=info" mech=DIGEST-MD5
>sasl_ssf=128 ssf=128
>May 21 16:36:52 samchiel slapd[1431]: conn=86 op=1 RESULT tag=97 err=0
>text=
>May 21 16:36:52 samchiel slapd[1431]: conn=86 op=2 RESULT tag=120 err=123
>text=not authorized to assume identity
>May 21 16:36:52 samchiel slapd[1431]: conn=86 op=2 do_extended: get_ctrls
>failed
>May 21 16:36:52 samchiel slapd[1431]: conn=86 op=3 UNBIND
>May 21 16:36:52 samchiel slapd[1431]: conn=86 fd=17 closed
>----

I don't have a lot of familiarity interpreting slapd logs, but that seems
to indicate that cn=postfix
administrator,ou=infrastructure,dc=linuxwall,dc=info cannot assume the
identity of 'postfix'.

What level of debugging are you capturing at? I'll try to log one of my
postfix authentications so you can compare.

>Below is the test with cyrus-imap and the exact same user:

># imtest -a julien -m digest-md5 localhost

>S: A01 OK Success (privacy protection)
>Authenticated.

Are you using the same authc identity within your imapd.conf config and
smtpd.conf? If not, is there anything different about how they're
configured in your ldap tree?

Can you provide your /etc/postfix/sasl/smtpd.conf config, and the output of
'grep sasl /etc/imapd.conf' for comparison?

-- 
Dan White
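
An added example, not part of the original thread: a short Python script that groups slapd log lines by connection and reports connections where the SASL bind succeeded but a later operation was refused with err=123. It runs on the log excerpt quoted above, with the mail line wraps rejoined; the function name and record fields are illustrative choices.

```python
import re
from collections import defaultdict

# slapd log excerpt from the quoted message, mail line wraps rejoined.
SAMPLE_LOG = """\
May 21 16:36:52 samchiel slapd[1431]: conn=86 op=1 BIND authcid="postfix" authzid="postfix"
May 21 16:36:52 samchiel slapd[1431]: conn=86 op=1 BIND dn="cn=postfix administrator,ou=infrastructure,dc=linuxwall,dc=info" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
May 21 16:36:52 samchiel slapd[1431]: conn=86 op=1 RESULT tag=97 err=0 text=
May 21 16:36:52 samchiel slapd[1431]: conn=86 op=2 RESULT tag=120 err=123 text=not authorized to assume identity
May 21 16:36:52 samchiel slapd[1431]: conn=86 op=2 do_extended: get_ctrls failed
May 21 16:36:52 samchiel slapd[1431]: conn=86 op=3 UNBIND
May 21 16:36:52 samchiel slapd[1431]: conn=86 fd=17 closed
"""

LINE = re.compile(r"slapd\[\d+\]: conn=(\d+) op=(\d+) (.*)$")
BIND_DN = re.compile(r'BIND dn="([^"]*)" mech=(\S+)')
RESULT = re.compile(r"RESULT tag=(\d+) err=(\d+) text=(.*)$")
BIND_RESPONSE_TAG = 97   # LDAP BindResponse, as logged in "tag=97"
AUTHZ_DENIED = 123       # LDAP result code authorizationDenied ("err=123")

def proxy_authz_failures(log_text):
    """Return one record per operation refused with err=123 on a
    connection whose bind had already succeeded (err=0)."""
    conns = defaultdict(lambda: {"dn": None, "mech": None, "bind_ok": False})
    failures = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a per-connection slapd line
        conn, op, rest = int(m.group(1)), int(m.group(2)), m.group(3)
        state = conns[conn]
        if (b := BIND_DN.match(rest)):
            # DN the SASL identity was mapped to, and the mechanism used
            state["dn"], state["mech"] = b.group(1), b.group(2)
        elif (r := RESULT.match(rest)):
            tag, err, text = int(r.group(1)), int(r.group(2)), r.group(3).strip()
            if tag == BIND_RESPONSE_TAG and err == 0:
                state["bind_ok"] = True
            elif err == AUTHZ_DENIED and state["bind_ok"]:
                failures.append({"conn": conn, "op": op, "bound_dn": state["dn"],
                                 "mech": state["mech"], "text": text})
    return failures

if __name__ == "__main__":
    for f in proxy_authz_failures(SAMPLE_LOG):
        print(f"conn={f['conn']} op={f['op']}: {f['bound_dn']!r} bound via "
              f"{f['mech']} but was refused: {f['text']}")
```
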

