Dan,

* Dan Nicholson <dbn.lists@xxxxxxxxx>:
> On 4/21/06, Igor Brezac <igor@xxxxxxxxx> wrote:
> >
> > This looks ok. What does debug of the ldap server show? Did you setup
> > proxy correctly on the ldap server, ldapwhoami -Y DIGEST-MD5 -U proxyuser
> > -X u:user?
>
> Hi,
>
> Patrick, I'm going to assume that I have the same setup as you since I
> took mine entirely from the Book of Postfix. I was having the same

Right you are, and it is a real shame since I am one of the authors of the
book and I should really know how to handle this. :/ But then it's been a
while since we wrote the book and I had time to exercise my LDAP and ldapdb
skills.

> problems with openldap-2.3.x, but I think I've solved the problem.
> The big thing was getting the regexp in /etc/openldap/slapd.conf to
> work correctly. Now, ldapwhoami checks out as well as ldapdb
> authorization through the cyrus-sasl client/server utilities.

ACK. I see you posted most of your config. I will do so as well as soon as
I have this all set up and going, so others can make use of it.

> One thing to note is that the authorization settings have changed for
> openldap-2.3. With 2.2, I was using saslAuthzTo, sasl-authz-policy
> and sasl-regexp. Those have all now been changed to authzTo,
> authz-policy and authz-regexp (man slapd.conf). Here is what I set in

Yep. It pays to RTFM. I was glad I did before I started.

> /etc/openldap/slapd.conf:
>
> $ tail /etc/openldap/slapd.conf
> index objectClass eq
> index cn eq
> index mail,maildrop pres
> index mailbox,quota,uidNumber,gidNumber eq
>
> ## BINDING
> authz-policy to
> authz-regexp
> uid=(.*),cn=.*,cn=auth
> ldap:///dc=foo,dc=com??sub?(&(objectclass=inetOrgPerson)(uid=$1))
>
> The important piece differing from the Book of Postfix is that the
> replacement could not be mail=$1 since the match was on uid. Without
> this, ./server would give me
>
> starting SASL negotiation: user not foundclosing connection

Hmmm, well it works here using (mail=$1).

> Also, I get the "invalid parameter" error even with successful
> authorization. I also checked with my old openldap-2.2 system, and it

You get the same thing with the sql plugin even if you don't use it. Many
Postfix users ask this on the mailing list, because they think they have a
real error, aka misconfigured something.

> happens there, too. Here's the tail from a successful ./server,
> ./client login:
>
> Apr 22 12:22:14 silky slapd[2265]: auxpropfunc error invalid parameter supplied
> Apr 22 12:22:14 silky slapd[2265]: _sasl_plugin_load failed on
> sasl_auxprop_plug_init for plugin: ldapdb
> Apr 22 12:22:26 silky lt-server: DIGEST-MD5 client step 2
> Apr 22 12:22:26 silky lt-server: DIGEST-MD5 client step 2
> Apr 22 12:22:26 silky lt-server: DIGEST-MD5 client step 3
>
> For completeness, this is what I changed my auth user to, notice the authzTo:
>
> dn: uid=proxy,ou=auth,dc=foo,dc=com
> uid: proxy
> objectClass: inetOrgPerson
> givenName: proxy
> sn: proxy
> cn: proxy
> userPassword: XXXXXXXXX
> mail: proxy
> authzTo: ldap:///ou=people,dc=foo,dc=com??sub?(objectclass=inetOrgPerson)
>
> Hope that helps.

Yes, it did. Thanks!

p@rick

--
The Book of Postfix <http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH): <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
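As an added illustration that is not part of this thread, the following Python model walks through the two slapd settings discussed above: the authz-regexp that rewrites a SASL authentication DN into an LDAP URL, and the proxy user's authzTo URL under "authz-policy to". The two-entry directory, the helper names (rewrite, search, authorize, may_assume) and the simplified filter evaluator are all assumptions for the example, not OpenLDAP code.

```python
import re
# Constructed sample directory (not real data). dan's mail attribute is
# not equal to his uid, so a (mail=$1) filter cannot find him via the uid.
DIRECTORY = [
    {"dn": "uid=dan,ou=people,dc=foo,dc=com", "objectclass": "inetOrgPerson",
     "uid": "dan", "mail": "dan@foo.com"},
    {"dn": "uid=proxy,ou=auth,dc=foo,dc=com", "objectclass": "inetOrgPerson",
     "uid": "proxy", "mail": "proxy",
     "authzto": "ldap:///ou=people,dc=foo,dc=com??sub?(objectclass=inetOrgPerson)"},
]

# The authz-regexp pair from the thread: SASL auth DN pattern -> LDAP URL template.
AUTHZ_REGEXP = (r"uid=(.*),cn=.*,cn=auth",
                "ldap:///dc=foo,dc=com??sub?(&(objectclass=inetOrgPerson)(uid=$1))")

def rewrite(sasl_dn, rule=AUTHZ_REGEXP):
    """Apply one authz-regexp rule: the URL with $1 filled in, or None if no match."""
    pattern, template = rule
    m = re.fullmatch(pattern, sasl_dn)
    return template.replace("$1", m.group(1)) if m else None

def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into (base, scope, filter)."""
    parts = (url[len("ldap:///"):].split("?") + ["", "", ""])[:4]
    return parts[0], parts[2] or "base", parts[3]

def matches(entry, filt):
    """Evaluate a filter built from (attr=value) terms, optionally joined by (&...)."""
    terms = re.findall(r"\(([^()=]+)=([^()]*)\)", filt)
    return all(entry.get(a.lower(), "").lower() == v.lower() for a, v in terms)

def search(directory, url):
    """Return the DNs selected by an LDAP URL (scopes 'sub' and 'base' only)."""
    base, scope, filt = parse_ldap_url(url)
    def in_scope(dn):
        dn, base_l = dn.lower(), base.lower()
        return dn == base_l or (scope == "sub" and dn.endswith("," + base_l))
    return [e["dn"] for e in directory if in_scope(e["dn"]) and matches(e, filt)]

def authorize(sasl_dn, rule=AUTHZ_REGEXP, directory=DIRECTORY):
    """Map a SASL auth DN to exactly one entry; 0 or >1 hits is 'user not found'."""
    url = rewrite(sasl_dn, rule)
    hits = search(directory, url) if url else []
    return hits[0] if len(hits) == 1 else None

def may_assume(proxy_dn, target_dn, directory=DIRECTORY):
    """authz-policy to: the proxy may become target only if its authzTo URL selects it."""
    proxy = next((e for e in directory if e["dn"] == proxy_dn), None)
    return bool(proxy and "authzto" in proxy and target_dn in search(directory, proxy["authzto"]))
```

One caveat worth checking in a real setup: the pattern uid=(.*),cn=.*,cn=auth is fine when the SASL DN carries no realm, but for uid=dan,cn=foo.com,cn=DIGEST-MD5,cn=auth the greedy (.*) captures "dan,cn=foo.com" and the lookup fails, which the tighter uid=([^,]*),cn=.*,cn=auth avoids.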