Ask for saslauthd help

David Faller d.faller at live.de
Sun Oct 27 10:34:57 EDT 2019


Dear All,
I want to try my luck here; perhaps someone can help me.

First The Problem:

We would like to restrict LDAP authentication over saslauthd so that users can only log in with their valid e-mail address.
At the moment users are able to log in with username@domain.com or with only their username.

I tried a lot to specify the ldap_filter so that it does a lookup for userPrincipalName=%u.
With the command testsaslauthd it is working, but Cyrus can't grant access, with errors like this:

saslauthd.service - LSB: saslauthd startup script
   Loaded: loaded (/etc/init.d/saslauthd; generated)
   Active: active (running) since Fri 2019-10-25 14:07:54 CEST; 1h 33min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 3707 ExecStart=/etc/init.d/saslauthd start (code=exited, status=0/SUCCESS)
    Tasks: 10 (limit: 4915)
   Memory: 15.4M
   CGroup: /system.slice/saslauthd.service
           ├─3727 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
           ├─3728 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
           ├─3729 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
           ├─3730 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
           ├─3733 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
           ├─3745 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
           ├─3746 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
           ├─3747 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
           ├─3748 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
           └─3749 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5

Oct 25 15:38:27 CGSG saslauthd[3747]:                 : auth failure: [user=money] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]
Oct 25 15:39:07 CGSG saslauthd[3745]: Entry not found (sAMAccountName=account).
Oct 25 15:39:07 CGSG saslauthd[3745]: Authentication failed for account/uc-central.net: User not found (-6)
Oct 25 15:39:07 CGSG saslauthd[3745]:                 : auth failure: [user=account] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]
Oct 25 15:40:20 CGSG saslauthd[3748]: Entry not found (sAMAccountName=tg).
Oct 25 15:40:20 CGSG saslauthd[3748]: Authentication failed for tg/uc-central.net: User not found (-6)
Oct 25 15:40:20 CGSG saslauthd[3748]:                 : auth failure: [user=tg] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]
Oct 25 15:40:56 CGSG saslauthd[3746]: Entry not found (sAMAccountName=pearl).
Oct 25 15:40:56 CGSG saslauthd[3746]: Authentication failed for pearl/uc-central.net: User not found (-6)
Oct 25 15:40:56 CGSG saslauthd[3746]:                 : auth failure: [user=pearl] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]




Oct 25 13:49:52 CGSG cyrus/imaps[3074]: SASL Password verification failed

Oct 25 13:31:25 CGSG cyrus/imap[2420]: badlogin: localhost [127.0.0.1] plaintext it@mandldreyer.com SASL(-13): authentication failure: checkpass failed
Oct 25 13:31:25 CGSG cyrus/imaps[2434]: badlogin: port-83-236-195-74.static.qsc.de [83.236.195.74] LOGIN [SASL(-13): authentication failure: checkpass failed]
Oct 25 13:31:25 CGSG cyrus/imaps[2432]: badlogin: port-83-236-195-74.static.qsc.de [83.236.195.74] LOGIN [SASL(-13): authentication failure: checkpass failed]
Oct 25 13:31:28 CGSG cyrus/imap[2445]: badlogin: localhost [127.0.0.1] plaintext it@mandldreyer.com SASL(-13): authentication failure: checkpass failed
Oct 25 13:31:29 CGSG cyrus/imaps[2432]: badlogin: port-83-236-195-74.static.qsc.de [83.236.195.74] plaintext lager SASL(-13): authentication failure: checkpass failed
Oct 25 13:31:29 CGSG cyrus/imaps[2434]: badlogin: port-83-236-195-74.static.qsc.de [83.236.195.74] plaintext sebastian.mandl@mandldreyer.com SASL(-13): authentication failure: checkpass failed




The problem is our multi-domain setup: when a user logs in with a client or over the web with only their username, Cyrus creates new, false mailboxes.
We would like to prevent this.

Perhaps someone knows how to configure the saslauthd filter correctly for this special case.


Configuration

Our /etc/saslauthd.config

ldap_servers: ldap://ddcl001.domain.dir
ldap_search_base: dc=domain,dc=dir
ldap_filter: sAMAccountName=%U
#ldap_filter: userPrincipalName=%u

#ldap_version: 3
ldap_auth_method: bind
ldap_bind_dn: cn=Administrator,cn=Users,dc=domain,dc=dir
ldap_bind_pw: ******
#ldap_scope: sub

Best Regards,
David Faller

Sent from my iPad
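The following is an added example, not part of David Faller's post and not code from the Cyrus SASL project. It models how saslauthd's LDAP back end expands the ldap_filter placeholders and looks the result up against a small constructed directory, to show why the two filters in the posted configuration behave as the logs indicate: with sAMAccountName=%U a bare username authenticates (the behaviour the post wants to stop), and with userPrincipalName=%u nothing matches once the client has already split the login into user and realm, as the posted saslauthd lines [user=money] [realm=uc-central.net] show it arriving. The placeholder meanings (%u full user, %U part before "@", %d part after "@", %r realm, %s service) are taken from the LDAP_SASLAUTHD documentation; the RFC 4515 escaping, the in-memory directory, the mini filter evaluator and the candidate filter userPrincipalName=%u@%r are this example's own assumptions, not a statement of what the poster's Active Directory or Cyrus does.

```python
import re

# Constructed sample directory; stands in for the AD that saslauthd would search.
DIRECTORY = [
    {"sAMAccountName": "money", "userPrincipalName": "money@uc-central.net"},
    {"sAMAccountName": "pearl", "userPrincipalName": "pearl@mandldreyer.com"},
]


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
    Assumption: saslauthd escapes its substitutions too; this is the reference form."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def expand_filter(template: str, user: str, realm: str = "", service: str = "") -> str:
    """Expand saslauthd ldap_filter placeholders (semantics assumed from LDAP_SASLAUTHD):
    %u full user, %U part before '@', %d part after '@', %r realm, %s service."""
    local, _, domain = user.partition("@")
    values = {"u": user, "U": local, "d": domain, "r": realm, "s": service}
    return re.sub(r"%([uUdrs])", lambda m: ldap_escape(values[m.group(1)]), template)


def _unescape(value: str) -> str:
    """Reverse RFC 4515 \\xx escapes so filter values compare against raw attribute values."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int):
    """Minimal filter parser: (&...), (|...), (!...) and attr=value; returns (node, next_index)."""
    if s[i] == "(":
        node, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return node, i + 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i
    if s[i] == "!":
        kid, i = _parse(s, i + 1)
        return ("!", [kid]), i
    j = i
    while j < len(s) and s[j] != ")":
        j += 1
    attr, _, val = s[i:j].partition("=")
    return ("=", attr, val), j


def _match(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "=":  # AD attribute values compare case-insensitively
        return entry.get(node[1], "").lower() == _unescape(node[2]).lower()
    if kind == "&":
        return all(_match(k, entry) for k in node[1])
    if kind == "|":
        return any(_match(k, entry) for k in node[1])
    return not _match(node[1][0], entry)


def find_entries(filter_str: str, directory=DIRECTORY) -> list:
    node, _ = _parse(filter_str, 0)
    return [e for e in directory if _match(node, e)]


def would_authenticate(template: str, user: str, realm: str = "", service: str = "smtp",
                       directory=DIRECTORY) -> bool:
    """With ldap_auth_method: bind, saslauthd must find exactly one entry and then binds
    as it; zero matches is the 'User not found (-6)' seen in the posted log."""
    return len(find_entries(expand_filter(template, user, realm, service), directory)) == 1


if __name__ == "__main__":
    # Cyrus passed user and realm separately in the posted log: money / uc-central.net
    for tmpl in ("sAMAccountName=%U", "userPrincipalName=%u", "userPrincipalName=%u@%r"):
        print(tmpl, "->", expand_filter(tmpl, "money", "uc-central.net"),
              "auth:", would_authenticate(tmpl, "money", "uc-central.net"))
    # Cross-domain login refused by the reassembled UPN filter
    print("pearl @ uc-central.net:", would_authenticate("userPrincipalName=%u@%r", "pearl", "uc-central.net"))
    # Filter metacharacters in the login name are neutralised by escaping
    print(expand_filter("sAMAccountName=%U", "money)(cn=*"))
```

The last two cases are the practitioner's checks: the filter has to be written for what the calling application actually hands saslauthd, which is why a template can pass under `testsaslauthd -u money@uc-central.net` yet fail from Cyrus, which sends the domain as the realm; and any value substituted from the login name must be escaped, otherwise a name such as `money)(cn=*` would alter the filter's structure.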