Unable to load the ldapdb plugin -- during SMTP AUTH against LDAP server.
Dan White
whitehse at gmail.com
Tue Apr 28 11:21:17 EDT 2020
Hi Vamsi,
Comments are inline below.
>From: Cyrus-sasl <cyrus-sasl-bounces+bandaru.v=pg.com at lists.andrew.cmu.edu> On Behalf Of Bandaru, Vamsi
>Sent: Tuesday, April 28, 2020 12:37 AM
>
>Hi all,
>
>(This is my first post here),
>
>I am trying to use Cyrus SASL for SMTP authentication against my organization's LDAP server.
>
>I have two major issues I noticed :
>
>The auth.log under /var/log reads :
>
>Apr 27 14:57:36 postfix-in-1/submission/smtpd[42282]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
>Apr 27 14:57:36 postfix-in-1/submission/smtpd[42282]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
>
>The message logs read :
>
>saslauthd[85790]: detach_tty : could not lock pid file /run/saslauthd/saslauthd.pid: Resource temporarily unavailable
>saslauthd[85789]: detach_tty : Cannot start saslauthd
>saslauthd[85789]: detach_tty : Another instance of saslauthd is currently running
As Alexander mentioned, there are two different concepts getting mixed up here. See:
https://www.cyrusimap.org/sasl/sasl/sysadmin.html
The ldapdb auxprop plugin essentially requires that you have a clear text
password stored within your ldap directory. It allows you to make use of a
wider range of mechanisms, such as digest-md5.
The ldapdb plugin is configured using the following options, in this case
within your /etc/sasl2/smtpd.conf:
ldapdb_uri
ldapdb_id
ldapdb_mech
ldapdb_pw
ldapdb_rc
ldapdb_starttls
auxprop_plugin
canon_user_plugin
See:
https://www.sendmail.org/~ca/email/cyrus2/options.html
If you don't intend to use the ldapdb plugin, you can shut the log messages
up with:
ldapdb_uri: ldapi:///
or
auxprop_plugin: sasldb
canon_user_plugin: sasldb
The saslauthd daemon is a password verification daemon. It accepts
authentication data from the user in clear text, and can authenticate the
credentials using a wide range of methods (pam, ldap, etc). saslauthd only
supports the plain and login authentication mechanisms.
These two methods *can* be mixed - saslauthd for plain/login, and ldapdb
for other mechanisms, to give you an idea of how they interoperate, but
that makes no sense here.
For documentation on the ldap saslauthd backend, see:
https://github.com/cyrusimap/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD
The saslauthd ldap backend can work with a wider range of LDAP servers than
the ldapdb plugin.
>These are the files, and their locations, I am trying to configure. (Am I missing any other files to configure?)
>
>
> 1. /etc/saslauthd.conf
> 2. /etc/sasl2/smtpd.conf
This is a common location, but depending on your libsasl compile options,
and your smtp server configuration, your server may look elsewhere.
>My /etc/saslauthd.conf , is configured in the following way :
>
>ldap_servers: ldaps://< hostname >:636
>ldap_bind_dn: uid=xxx,ou=xx,ou=xx,o=xx
>ldap_bind_pw: xxxx
>
>ldap_version: 3
>ldap_auth_method: bind
>ldap_search_base: ou=xx,ou=ss,o=xx
>ldap_scope: sub
>ldap_filter: ShortName=%U
>
>***********************************************************************
>
>The /etc/sasl2/smtpd.conf is configured as :
>
>pwcheck_method: auxprop
>auxprop_plugin: ldapdb
>
>mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5
>
>****************************************************************
>
>#ldapdb_mech: LOGIN ( I am not sure if this parameter should be configured under smtpd.conf or under saslauthd.conf )
This would go in your smtpd.conf, if you are using the ldapdb plugin.
>Output of : saslauthd -a ldap -O /etc/saslauthd.conf
>
># saslauthd -a ldap -O /etc/saslauthd.conf
>saslauthd[91048] :detach_tty : Cannot start saslauthd
>saslauthd[91048] :detach_tty : Another instance of saslauthd is currently running
Presumably you are running postfix chrooted, and need to run a second
instance of saslauthd with a mux located in a location that postfix can
find. If that's the case, you'll need to specify a different location for
the mux (-m) in a location postfix can access.
If you don't need to be running two instances (the first is started by an
init script?), then modify your saslauthd startup script to include your -O
option, and the proper location for the mux.
> * # ps aux | grep saslauthd
> * root 84395 0.0 0.0 74456 956 ? Ss 18:25 0:00 /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
> * root 84396 0.0 0.0 74456 732 ? S 18:25 0:00 /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
> * root 84397 0.0 0.0 74456 732 ? S 18:25 0:00 /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
> * root 84398 0.0 0.0 74456 732 ? S 18:25 0:00 /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
> * root 84399 0.0 0.0 74456 732 ? S 18:25 0:00 /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
At this point, if saslauthd is properly configured and your saslauthd.conf
is correct, testsaslauthd will succeed, and successfully authenticate
against your ldap server. Also test it in a shell, as the postfix user, to
verify all system permissions are correct.
You would want to have this working before you move on to your postfix and
smtpd.conf configuration.
>SASL related configuration under postfix / main.cf file .
>
>smtpd_sasl_auth_enable = yes
>smtpd_sasl_type = cyrus
>
>smtpd_sasl_path = /run/saslauthd/mux
>#smtpd_sasl_path = /usr/lib64/sasl2
This isn't correct. If I understand the config option, it should point to
the location of your sasl smtpd.conf config file (/etc/sasl2).
>smtpd_sasl_security_options = noanonymous
>smtpd_tls_auth_only = yes
>smtpd_sasl_tls_security_options = noanonymous
On 04/27/20 20:22 +0000, Bandaru, Vamsi wrote:
>Adding the output of pluginviewer: ldapdb is not listed as one of the auxprop mechanisms:
>
># /usr/sbin/pluginviewer -a
>
>Installed and properly configured auxprop mechanisms are:
>sasldb
>List of auxprop plugins follows
>Plugin "sasldb" , API version: 8
> supports store: yes
>
>and I don't have a pluginviewer.conf on my system , another conf file I have is : /etc/sasl2/slapd.conf
pluginviewer will fail, because it requires, at least, the ldapdb_uri
option be configured. You would need to create a pluginviewer.conf, such as
in /etc/sasl2, for this command to list ldapdb.
># cat /etc/sasl2/slapd.conf
>mech_list: plain
>pwcheck_method: saslauthd
>saslauthd_path: /var/run/saslauthd/mux
>
>
>( this doesn't look right )
This looks fine, unless you're running postfix smtpd chrooted, in which
case you'll want to have the saslauthd mux located somewhere within the
postfix chroot.
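As an added illustration of the two mix-ups discussed in this thread (ldapdb versus saslauthd, and the saslauthd mux versus a chrooted Postfix smtpd), here is a small POSIX sh script that statically checks a Cyrus SASL smtpd.conf for these inconsistencies. It is not from the thread, from Cyrus SASL or from Postfix; the sample config files, the temporary paths, the assumed queue_directory of /var/spool/postfix and the "chrooted: yes" assumption are all constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the thread: static sanity checks for a Cyrus SASL
# smtpd.conf and the saslauthd mux location. Sample files, paths and the
# assumed Postfix queue_directory below are constructed, not taken from a
# real system.

# conf_get FILE KEY: print the value of the first uncommented "KEY: value" line.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1
}

# check_smtpd_conf FILE: print one diagnostic per line; return 0 when consistent.
check_smtpd_conf() {
    _f=$1
    _rc=0
    _pw=$(conf_get "$_f" pwcheck_method)
    case "$_pw" in
    auxprop)
        # The ldapdb auxprop plugin needs at least ldapdb_uri to load; without
        # it libsasl logs "_sasl_plugin_load failed ... for plugin: ldapdb".
        if [ "$(conf_get "$_f" auxprop_plugin)" = ldapdb ] \
           && [ -z "$(conf_get "$_f" ldapdb_uri)" ]; then
            echo "auxprop_plugin is ldapdb but ldapdb_uri is not set"
            _rc=1
        fi
        ;;
    saslauthd)
        # saslauthd only verifies PLAIN and LOGIN; any other mechanism in
        # mech_list needs an auxprop plugin that can read the stored password.
        for _m in $(conf_get "$_f" mech_list); do
            case "$(printf '%s' "$_m" | tr 'A-Z' 'a-z')" in
            plain | login) ;;
            *)
                echo "mech_list contains $_m, which saslauthd cannot verify"
                _rc=1
                ;;
            esac
        done
        ;;
    "")
        echo "pwcheck_method is not set"
        _rc=1
        ;;
    esac
    return $_rc
}

# mux_reachable MUX QUEUE_DIR CHROOTED: a chrooted smtpd can only open the
# saslauthd mux when the mux lives below Postfix's queue_directory.
mux_reachable() {
    if [ "$3" != yes ]; then
        return 0
    fi
    case "$1" in
    "$2"/*) return 0 ;;
    *) return 1 ;;
    esac
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed sample 1: the shape of the poster's smtpd.conf.
cat > "$TMP/smtpd-ldapdb.conf" <<'EOF'
pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5
EOF

# Constructed sample 2: saslauthd doing the verification, PLAIN/LOGIN only.
cat > "$TMP/smtpd-saslauthd.conf" <<'EOF'
pwcheck_method: saslauthd
saslauthd_path: /run/saslauthd/mux
mech_list: PLAIN LOGIN
EOF

for f in "$TMP/smtpd-ldapdb.conf" "$TMP/smtpd-saslauthd.conf"; do
    if check_smtpd_conf "$f"; then
        echo "$f: ok"
    else
        echo "$f: needs attention"
    fi
done

# Assumption for the demo: queue_directory is /var/spool/postfix and smtpd is chrooted.
MUX=$(conf_get "$TMP/smtpd-saslauthd.conf" saslauthd_path)
if mux_reachable "$MUX" /var/spool/postfix yes; then
    echo "mux $MUX is reachable from the chroot"
else
    echo "mux $MUX is outside /var/spool/postfix; start saslauthd with -m /var/spool/postfix/run/saslauthd"
fi
```

The first sample reproduces the poster's situation (ldapdb selected with no ldapdb_uri), the second shows the saslauthd-only layout that only makes sense with PLAIN and LOGIN in mech_list; the mux check encodes the chroot point made in the reply, and nothing here talks to an LDAP server, so the script is safe to run on any host.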