
Proxy authorization fail with cyrus-sasl and postfix



Hello list,

I am trying to authenticate my mail users against my ldap directory (slapd
2.4.17, debian squeeze). I have set up proxy authorization for user postfix
as follows:

in slapd.conf
----
# SASL proxy authorization rewrite rule
authz-regexp "^uid=([^,]+).*,cn=[^,]*,cn=auth$"
              "ldap:///dc=linuxwall,dc=info??sub?(uid=$1)"

authz-policy to
----

ldif of user postfix
----
dn: cn=Postfix Administrator,ou=infrastructure,dc=linuxwall,dc=info
authzto: ldap:///dc=linuxwall,dc=info??sub?(objectClass=inetOrgPerson)
cn: Postfix Administrator
[...]
----

I have a similar user with cyrus for cyrus-imapd.

My user postfix seems to have the authorization to act on behalf of other
users.

----
# ldapwhoami -Y DIGEST-MD5 -U postfix -H ldap://localhost -R linuxwall.info -X u:julien

SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: u:julien
SASL SSF: 128
SASL data security layer installed.
dn:cn=julien vehent,ou=people,dc=linuxwall,dc=info
----

Thus, I set up the ldapdb driver from the sasl library in the chroot of
postfix. I see connections from postfix to slapd, the postfix user is properly
authenticated, but then I have the following message (see trace below):

----
May 23 12:57:04 samchiel slapd[1431]: conn=109 fd=17 ACCEPT from IP=127.0.0.1:58349 (IP=127.0.0.1:389)
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=0 BIND dn="" method=163
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 BIND dn="" method=163
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 BIND authcid="postfix" authzid="postfix"
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 BIND dn="cn=postfix administrator,ou=infrastructure,dc=linuxwall,dc=info" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 RESULT tag=97 err=0 text=
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=2 RESULT tag=120 err=123 text=not authorized to assume identity
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=2 do_extended: get_ctrls failed
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=3 UNBIND
May 23 12:57:04 samchiel slapd[1431]: conn=109 fd=17 closed
May 23 12:57:04 samchiel slapd[1431]: connection_read(17): no connection!
----

I don't understand this error 'not authorized to assume identity'... since
proxy authorization works fine when I test it with ldapwhoami.
Also, on the same machine, I have a cyrus-imapd server that authenticates
on the same slapd using the same ldapdb driver. Thus, I don't think either
slapd or cyrus-sasl is the problem, but since I don't understand the
error...


Can you guys give me a hand here?


Thanks,

Julien
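To see how the two checks in the configuration above combine (the authz-regexp that maps a SASL identity onto an entry, and the authzTo URL that authz-policy "to" consults), here is an added Python model of them; it is not code from the post or from OpenLDAP. The mini-directory is constructed from the DNs in the post, the "mailer" entry is hypothetical, and the pseudo-DN builder assumes slapd's normalized (lower-cased) form of the mechanism name.

```python
import re

# authz-regexp rule copied from the post's slapd.conf
AUTHZ_REGEXP = re.compile(r"^uid=([^,]+).*,cn=[^,]*,cn=auth$")
AUTHZ_TEMPLATE = "ldap:///dc=linuxwall,dc=info??sub?(uid=$1)"

# Constructed mini-directory keyed by lower-cased DN (attribute names lower-cased too)
DIRECTORY = {
    "cn=postfix administrator,ou=infrastructure,dc=linuxwall,dc=info": {
        "uid": ["postfix"], "objectclass": ["inetOrgPerson"],
        "authzto": ["ldap:///dc=linuxwall,dc=info??sub?(objectClass=inetOrgPerson)"]},
    "cn=julien vehent,ou=people,dc=linuxwall,dc=info": {
        "uid": ["julien"], "objectclass": ["inetOrgPerson"]},
    "cn=mailer,ou=services,dc=linuxwall,dc=info": {  # hypothetical service account
        "uid": ["mailer"], "objectclass": ["simpleSecurityObject"]},
}

def sasl_identity_dn(authzid, realm, mech):
    """Pseudo-DN slapd derives from a SASL 'u:<user>' identity before authz-regexp runs."""
    if not authzid.startswith("u:"):
        raise ValueError("only the u:<user> form is handled here")
    return f"uid={authzid[2:]},cn={realm},cn={mech.lower()},cn=auth"

def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into (base, scope, filter)."""
    base, _attrs, scope, flt = (url[len("ldap:///"):].split("?") + [""] * 3)[:4]
    return base.lower(), scope or "base", flt

def entry_matches(dn, entry, base, scope, flt):
    """Scope test plus the simple equality filters used on this page, e.g. (uid=julien)."""
    dn = dn.lower()
    in_scope = dn == base if scope == "base" else (dn == base or dn.endswith("," + base))
    attr, value = flt.strip("()").split("=", 1)
    return in_scope and value.lower() in [v.lower() for v in entry.get(attr.lower(), [])]

def resolve(identity_dn):
    """authz-regexp: rewrite the pseudo-DN to a URL; slapd requires exactly one matching entry."""
    m = AUTHZ_REGEXP.match(identity_dn)
    if not m:
        return None
    base, scope, flt = parse_ldap_url(AUTHZ_TEMPLATE.replace("$1", m.group(1)))
    hits = [dn for dn, e in DIRECTORY.items() if entry_matches(dn, e, base, scope, flt)]
    return hits[0] if len(hits) == 1 else None

def may_assume(authc_dn, target_dn):
    """authz-policy to: the target must fall inside one of the authenticated entry's authzTo URLs."""
    target = DIRECTORY.get(target_dn.lower(), {})
    return any(entry_matches(target_dn, target, *parse_ldap_url(url))
               for url in DIRECTORY.get(authc_dn.lower(), {}).get("authzto", []))
```

Resolving an identity and being allowed to assume it are separate steps: the hypothetical "mailer" entry resolves through authz-regexp but fails the authzTo filter because it is not an inetOrgPerson.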