[Date Prev][Date Next] [Chronological] [Thread] [Top]

Proxy authorization fail with cyrus-sasl and postfix

To: Openldap technical <openldap-technical@openldap.org>
Subject: Proxy authorization fail with cyrus-sasl and postfix
From: Julien Vehent <julien@linuxwall.info>
Date: Sun, 23 May 2010 13:00:27 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed; d=linuxwall.info; h= mime-version:content-type:content-transfer-encoding:date:from:to :subject:message-id; s=lnw-dkim; bh=QKKDNeaw8Vt2X7RDU9Gr0shWFe4Z M/W8EVOG7aAq9xc=; b=gvdjZ8p3NQVRWMR0GCqqq0Sm4iVtCW7MOuPx8TOkCBQu v72Ru3yj2FA71VOcV9BlS2NheV7qbN5iqeeswu2umfmrDJ7fTMUyLiNL9PuDi40e NVAmLPsUAeKWgJGbKAQ3QQ+Znu0IbxfbhSk5L3jlClJ47i4exNKUodFOQ58r+yg=
Organization: linuxwall.info
User-agent: Linuxwall Roundcube Webmail/0.4-beta

Hello list,

I am trying to authenticate my mail users against my ldap directory (slapd
2.4.17, debian squeeze). I have setup proxy authorization for user postfix
as follow:

in slapd.conf
----
# SASL proxy authorization rewrite rule
authz-regexp "^uid=([^,]+).*,cn=[^,]*,cn=auth$"
              "ldap:///dc=linuxwall,dc=info??sub?(uid=$1)"

authz-policy to
----

ldif of user postfix
----
dn: cn=Postfix Administrator,ou=infrastructure,dc=linuxwall,dc=info
authzto: ldap:///dc=linuxwall,dc=info??sub?(objectClass=inetOrgPerson)
cn: Postfix Administrator
[...]
----

I have a similar user with cyrus for cyrus-imapd.

My user postfix seem to have the authorization to act on behalf of other
user.

----
# ldapwhoami -Y DIGEST-MD5 -U postfix -H ldap://localhost -R
linuxwall.info -X u:julien

SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: u:julien
SASL SSF: 128
SASL data security layer installed.
dn:cn=julien vehent,ou=people,dc=linuxwall,dc=info
----

Thus, I set up the ldapdb driver from the sasl library in the chroot of
postfix. I see connections from postfix to slapd, postfix user is properly
authenticated, but then I have the following message (see trace below):

----
May 23 12:57:04 samchiel slapd[1431]: conn=109 fd=17 ACCEPT from
IP=127.0.0.1:58349 (IP=127.0.0.1:389)
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=0 BIND dn="" method=163
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=0 RESULT tag=97 err=14
text=SASL(0): successful result:
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 BIND dn="" method=163
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 BIND authcid="postfix"
authzid="postfix"
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 BIND dn="cn=postfix
administrator,ou=infrastructure,dc=linuxwall,dc=info" mech=DIGEST-MD5
sasl_ssf=128 ssf=128
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 RESULT tag=97 err=0
text=
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=2 RESULT tag=120 err=123
text=not authorized to assume identity
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=2 do_extended: get_ctrls
failed
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=3 UNBIND
May 23 12:57:04 samchiel slapd[1431]: conn=109 fd=17 closed
May 23 12:57:04 samchiel slapd[1431]: connection_read(17): no connection!
----

I don't understand this error 'not authorized to assume identity'... Since
proxy authorization works fine when I test it with ldapwhoami.
Also, on the same machine, I have a cyrus-imapd server that authenticates
on the same slapd using the same ldapdriver. Thus, I don't think either
slapd or cyrus-sasl are the problem, but since I don't understand the
error.....


Can you guys give me a hand here ?


Thanks,

Julien

Follow-Ups:
- Re: Proxy authorization fail with cyrus-sasl and postfix
  - From: masarati@aero.polimi.it
- Re: Proxy authorization fail with cyrus-sasl and postfix
  - From: "Dieter Kluenter" <dieter@dkluenter.de>

Prev by Date: Re: More on dynamic group searches
Next by Date: Re: Q: status of component matching?
Index(es):
- Chronological
- Thread