Proxy authorization fail with cyrus-sasl and postfix
- To: Openldap technical <openldap-technical@openldap.org>
- Subject: Proxy authorization fail with cyrus-sasl and postfix
- From: Julien Vehent <julien@linuxwall.info>
- Date: Sun, 23 May 2010 13:00:27 +0200
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed; d=linuxwall.info; h= mime-version:content-type:content-transfer-encoding:date:from:to :subject:message-id; s=lnw-dkim; bh=QKKDNeaw8Vt2X7RDU9Gr0shWFe4Z M/W8EVOG7aAq9xc=; b=gvdjZ8p3NQVRWMR0GCqqq0Sm4iVtCW7MOuPx8TOkCBQu v72Ru3yj2FA71VOcV9BlS2NheV7qbN5iqeeswu2umfmrDJ7fTMUyLiNL9PuDi40e NVAmLPsUAeKWgJGbKAQ3QQ+Znu0IbxfbhSk5L3jlClJ47i4exNKUodFOQ58r+yg=
- Organization: linuxwall.info
- User-agent: Linuxwall Roundcube Webmail/0.4-beta
Hello list,
I am trying to authenticate my mail users against my LDAP directory (slapd
2.4.17, Debian squeeze). I have set up proxy authorization for user postfix
as follows:
in slapd.conf
----
# SASL proxy authorization rewrite rule
authz-regexp "^uid=([^,]+).*,cn=[^,]*,cn=auth$"
"ldap:///dc=linuxwall,dc=info??sub?(uid=$1)"
authz-policy to
----
ldif of user postfix
----
dn: cn=Postfix Administrator,ou=infrastructure,dc=linuxwall,dc=info
authzto: ldap:///dc=linuxwall,dc=info??sub?(objectClass=inetOrgPerson)
cn: Postfix Administrator
[...]
----
I have a similar user with cyrus for cyrus-imapd.
My user postfix seems to have the authorization to act on behalf of other
users.
----
# ldapwhoami -Y DIGEST-MD5 -U postfix -H ldap://localhost -R linuxwall.info -X u:julien
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: u:julien
SASL SSF: 128
SASL data security layer installed.
dn:cn=julien vehent,ou=people,dc=linuxwall,dc=info
----
Thus, I set up the ldapdb driver from the sasl library in the chroot of
postfix. I see connections from postfix to slapd, postfix user is properly
authenticated, but then I have the following message (see trace below):
----
May 23 12:57:04 samchiel slapd[1431]: conn=109 fd=17 ACCEPT from IP=127.0.0.1:58349 (IP=127.0.0.1:389)
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=0 BIND dn="" method=163
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 BIND dn="" method=163
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 BIND authcid="postfix" authzid="postfix"
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 BIND dn="cn=postfix administrator,ou=infrastructure,dc=linuxwall,dc=info" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 RESULT tag=97 err=0 text=
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=2 RESULT tag=120 err=123 text=not authorized to assume identity
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=2 do_extended: get_ctrls failed
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=3 UNBIND
May 23 12:57:04 samchiel slapd[1431]: conn=109 fd=17 closed
May 23 12:57:04 samchiel slapd[1431]: connection_read(17): no connection!
----
I don't understand this error 'not authorized to assume identity', since
proxy authorization works fine when I test it with ldapwhoami.
Also, on the same machine, I have a cyrus-imapd server that authenticates
on the same slapd using the same ldapdb driver. Thus, I don't think either
slapd or cyrus-sasl is the problem, but since I don't understand the
error...
Can you guys give me a hand here?
Thanks,
Julien
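As an added illustration (not part of the post, and not OpenLDAP's own code), the following Python model walks through the two steps slapd performs for the configuration shown above: the authz-regexp rewrite of the synthetic SASL DN `uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth` into an LDAP URI that must select exactly one entry, and the `authz-policy to` check, in which the authenticated entry's authzTo URIs must select the requested target. The directory is an in-memory stand-in constructed here; the attributes hidden behind `[...]` in the postfix LDIF are assumptions, only equality and presence filters are evaluated, and the authorization identity is accepted only in the `u:<user>` and `dn:<dn>` forms (the `u:julien` form is the one used with ldapwhoami in the post).

```python
"""Model of slapd SASL proxy authorization for the authz-regexp / authz-policy 'to' setup."""
import re
from urllib.parse import unquote

# Constructed stand-in for the directory in the post (not schema-checked).
# The post's LDIF elides most of the postfix entry, so objectClass/uid are assumed.
DIRECTORY = {
    "cn=postfix administrator,ou=infrastructure,dc=linuxwall,dc=info": {
        "objectClass": ["account", "simpleSecurityObject"],  # assumed
        "uid": ["postfix"],                                   # assumed
        "authzTo": ["ldap:///dc=linuxwall,dc=info??sub?(objectClass=inetOrgPerson)"],
    },
    "cn=julien vehent,ou=people,dc=linuxwall,dc=info": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["julien"],
    },
}

# The authz-regexp rule from the post's slapd.conf, and the SASL realm/mechanism used.
AUTHZ_REGEXP = (r"^uid=([^,]+).*,cn=[^,]*,cn=auth$",
                "ldap:///dc=linuxwall,dc=info??sub?(uid=$1)")
SASL_REALM, SASL_MECH = "linuxwall.info", "DIGEST-MD5"


def sasl_auth_dn(authcid, realm=SASL_REALM, mech=SASL_MECH):
    """The synthetic DN slapd builds for a SASL identity before authz-regexp runs."""
    return f"uid={authcid},cn={realm},cn={mech},cn=auth"


def apply_authz_regexp(auth_dn, rule=AUTHZ_REGEXP):
    """Rewrite the synthetic DN with the rule; None when the pattern does not match."""
    pattern, replacement = rule
    m = re.match(pattern, auth_dn, re.IGNORECASE)
    if m is None:
        return None
    # expand slapd-style $1, $2, ... back-references in the replacement
    return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))), replacement)


def parse_ldap_uri(uri):
    """Split ldap:///<base>?<attrs>?<scope>?<filter> into (base, scope, filter)."""
    if not uri.startswith("ldap:///"):
        raise ValueError("only ldap:/// URIs are modelled")
    parts = uri[len("ldap:///"):].split("?")
    base = unquote(parts[0]).lower()
    scope = parts[2] if len(parts) > 2 and parts[2] else "base"
    filt = unquote(parts[3]) if len(parts) > 3 and parts[3] else "(objectClass=*)"
    return base, scope, filt


def matches_filter(entry, filt):
    """Evaluate one equality or presence filter, e.g. (uid=julien) or (cn=*)."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if m is None:
        raise ValueError(f"unsupported filter: {filt}")
    attr, value = m.group(1).lower(), m.group(2).lower()
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    return bool(values) if value == "*" else value in values


def in_scope(dn, base, scope):
    """base: the base entry only; one: direct children; sub: base and all descendants."""
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.endswith("," + base) and "," not in dn[: -len(base) - 1]
    return dn == base or dn.endswith("," + base)


def search(uri):
    """DNs selected by a URI, as slapd's internal search would return them."""
    base, scope, filt = parse_ldap_uri(uri)
    return [dn for dn, e in DIRECTORY.items()
            if in_scope(dn, base, scope) and matches_filter(e, filt)]


def resolve_identity(ident, is_authzid):
    """Map a SASL authcid, or a 'u:<user>' / 'dn:<dn>' authzid, to exactly one DN."""
    if is_authzid:
        if ident.lower().startswith("dn:"):
            dn = ident[3:].lower()
            return dn if dn in DIRECTORY else None
        if not ident.lower().startswith("u:"):
            return None  # authzid without a u: or dn: prefix is not accepted here
        ident = ident[2:]
    uri = apply_authz_regexp(sasl_auth_dn(ident))
    hits = search(uri) if uri else []
    return hits[0] if len(hits) == 1 else None  # the URI must select exactly one entry


def may_assume(authc_dn, target_dn):
    """authz-policy 'to': an authzTo URI of the authenticated entry must select the target."""
    entry = DIRECTORY.get(authc_dn, {})
    return any(target_dn in search(uri) for uri in entry.get("authzTo", []))


def proxy_authorize(authcid, authzid=None):
    """Outcome of a SASL bind by `authcid` that asks to act as `authzid`."""
    authc_dn = resolve_identity(authcid, is_authzid=False)
    if authc_dn is None:
        return "invalid credentials"
    if authzid is None:
        return authc_dn
    target_dn = resolve_identity(authzid, is_authzid=True)
    if target_dn is None:
        return "unknown authorization identity"
    if target_dn == authc_dn or may_assume(authc_dn, target_dn):
        return target_dn
    return "not authorized to assume identity"


if __name__ == "__main__":
    print(apply_authz_regexp(sasl_auth_dn("postfix")))
    print(proxy_authorize("postfix", "u:julien"))  # the ldapwhoami case from the post
    print(proxy_authorize("julien", "u:postfix"))  # julien's entry carries no authzTo
```

Running the block prints the rewritten URI `ldap:///dc=linuxwall,dc=info??sub?(uid=postfix)`, then julien's DN for the postfix-as-julien case, then the `not authorized to assume identity` outcome for the reverse direction. The useful property of the model is that every failure mode is distinguishable: a username whose URI selects no entry (or more than one) fails at authentication, a malformed or unknown authorization identity fails before the policy check, and only a target outside the authzTo selection produces the "not authorized" result.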