Sorry to cross post. Immediately after I sent this to the OpenLDAP list I realized it probably would be better answered here...

I am trying to set up postfix and cyrus-imapd to authenticate using SASL Proxy Authentication to OpenLDAP. I had this working on another machine about a year back and have tried using the same procedure that I used to get that machine working, but so far I am unsuccessful. My setup steps are shown below, but let me show the tests I am doing first.

I have a user (fred) in LDAP with the following information:

    dn: uid=fred,ou=people,dc=securemail,dc=swro,dc=local
    uid: fred
    cn: Fred Flintstone
    homeDirectory: /home/fred
    uidNumber: 501
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    gidNumber: 501
    gecos: Fred Flintstone
    sn: Flintstone
    givenName: Fred
    shadowLastChange: 12990
    loginShell: /sbin/nologin
    userPassword:: d2lsbWE=
    mail: fred@xxxxxxxxxxxxxxxxx

    dn: cn=fred,ou=group,dc=securemail,dc=swro,dc=local
    gidNumber: 501
    cn: fred
    objectClass: posixGroup

I try to use SMTP AUTH to authenticate fred to the postfix server by doing the following:

    # openssl s_client -connect localhost:25 -starttls smtp
    220 securemail.swro.local ESMTP Postfix
    ehlo swro.local
    250-securemail.swro.local
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-AUTH DIGEST-MD5 PLAIN LOGIN
    250-AUTH=DIGEST-MD5 PLAIN LOGIN
    250 8BITMIME
    auth login
    334 VXNlcm5hbWU6
    ZnJlZA==
    334 UGFzc3dvcmQ6
    d2lsbWE=
    535 Error: authentication failed

FAILED!

I try to use DIGEST-MD5 with cyrus-imap by doing the following:

    # imtest -a fred -m DIGEST-MD5
    S: * OK securemail.swro.local Cyrus IMAP4 v2.3.1-Invoca-RPM-2.3.1-2.6.fc5 server ready
    C: C01 CAPABILITY
    S: * CAPABILITY IMAP4 IMAP4rev1 ACL RIGHTS=kxte QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE IDLE STARTTLS AUTH=DIGEST-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
    S: C01 OK Completed
    C: A01 AUTHENTICATE DIGEST-MD5
    S: + bm9uY2U9IituMWFTUVR2akp2THl1S1lVcEhUS3FDeEt3YitXTnFFN2ltREdyM293bHc9IixyZWFsbT0ic2VjdXJlbWFpbC5zd3JvLmxvY2FsIixxb3A9ImF1dGgsYXV0aC1pbnQsYXV0aC1jb25mIixjaXBoZXI9InJjNC00MCxyYzQtNTYscmM0LGRlcywzZGVzIixtYXhidWY9NDA5NixjaGFyc2V0PXV0Zi04LGFsZ29yaXRobT1tZDUtc2Vzcw==
    base64 decoding error
    Authentication failed. generic failure
    Security strength factor: 0

FAILED! I don't even get prompted to enter my password.

I have tried turning on logging for OpenLDAP but I can't make out what is wrong. I know that on my server that works, I get messages with PROXYAUTHZ, but I don't see anything like that here. What other information can I provide? My setup process is shown below. Grateful for any help!

Doug

Here is the procedure I am using:

1. Started with a fresh install of Fedora Core 5.

2. yum install postfix cyrus-imapd cyrus-imapd-utils

3. Download cyrus-sasl-2.1.22 and install using:

    ./configure --prefix=/usr/local --with-plugindir=/usr/local/lib/sasl2 --with-rc4 \
      --with-dblib=berkeley --enable-anon --enable-cram --enable-digest --enable-plain \
      --enable-login --enable-ntlm
    make sasldir=/usr/local/lib/sasl2
    make install sasldir=/usr/local/lib/sasl2

4. Backup/remove the existing FC5 SASL stuff:

    mv /usr/lib/sasl2 /usr/lib/sasl2.fc5
    ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
    mv /usr/lib/libsasl2.a libsasl2.a.fc5
    ln -s /usr/local/lib/libsasl2.la /usr/lib/libsasl2.la
    ln -s /usr/local/lib/libsasl2.so.2.0.22 /usr/lib/libsasl2.so.2.0.22
    ldconfig
    rm libsasl2.so
    ln -s libsasl2.so.2.0.22 libsasl2.so

5. Download openldap-2.3.28 and install using:

    ./configure --prefix=/usr/local --with-slapd --with-slurpd --without-ldapd --with-threads=posix \
      --enable-local --enable-ldap --disable-rlookups --with-tls --with-cyrus-sasl --enable-bdb \
      --enable-wrappers --enable-passwd --enable-shell --enable-cleartext --enable-crypt --enable-spasswd \
      --enable-modules --disable-sql --enable-aci --libexecdir=/usr/local/sbin --localstatedir=/var
    make depend
    make
    make test
    make install datadir=/var/lib/ldap libexecdir=/usr/local/sbin localstatedir=/var sysconfigdir=/etc/openldap

6. Edited my /etc/init.d/ldap startup script to replace the locations for slapd, slurpd and slaptest with their new locations, AND changed the value of hargs from "ldap:///" to "ldap:/// ldapi:///".

7. Rebuild cyrus-sasl:

    make distclean
    ./configure --prefix=/usr/local --with-plugindir=/usr/local/lib/sasl2 --with-rc4 \
      --with-dblib=berkeley --enable-anon --enable-cram --enable-digest --enable-plain \
      --enable-login --enable-ntlm --enable-ldapdb
    make sasldir=/usr/local/lib/sasl2
    make install sasldir=/usr/local/lib/sasl2

8. Created /usr/local/lib/sasl2/slapd.conf and put the following in it:

    auxprop_plugin: slapd

9. Also created /usr/local/lib/sasl2/smtpd.conf and put the following in it:

    pwcheck_method: auxprop
    auxprop_plugin: ldapdb
    mech_list: PLAIN LOGIN DIGEST-MD5
    ldapdb_uri: ldapi://%2Fvar%2Frun%2Fldapi/
    ldapdb_mech: EXTERNAL

10. Added the following lines to my OpenLDAP slapd.conf file:

    password-hash {CLEARTEXT}
    authz-policy to
    authz-regexp uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth ldap:///dc=securemail,dc=swro,dc=local??sub?(&(uidNumber=$1)(gidNumber=$2))
    authz-regexp uid=(.*),cn=external,cn=auth ldap:///dc=securemail,dc=swro,dc=local??sub?(uid=$1)

11. Modified /etc/imapd.conf to look like this:

    configdirectory: /var/lib/imap
    partition-default: /var/spool/imap
    admins: cyrus
    sievedir: /var/lib/imap/sieve
    sendmail: /usr/sbin/sendmail
    hashimapspool: true
    sasl_pwcheck_method: auxprop
    sasl_auxprop_plugin: ldapdb
    sasl_mech_list: digest-md5
    sasl_ldapdb_uri: ldapi://%2Fvar%2Frun%2Fldapi/
    sasl_ldapdb_mech: EXTERNAL
    tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
    tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
    tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt

12. Added the following line to my /etc/ldap.conf (PADL):

    uri ldapi://%2Fvar%2Frun%2Fldapi/

13. Added the following LDIF for the cyrus account:

    dn: uid=cyrus,ou=people,dc=securemail,dc=swro,dc=local
    uid: cyrus
    cn: Cyrus IMAP Server
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    userPassword: {crypt}!!
    shadowLastChange: 12934
    loginShell: /bin/bash
    uidNumber: 76
    gidNumber: 12
    homeDirectory: /var/lib/imap
    gecos: Cyrus IMAP Server
    authzTo: dn.regex: uid=.*,ou=people,dc=securemail,dc=swro,dc=local

14. Added the following LDIF for the postfix account:

    dn: uid=postfix,ou=people,dc=securemail,dc=swro,dc=local
    uid: postfix
    cn: Postfix SMTP Server
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    userPassword: {crypt}!!
    shadowLastChange: 12934
    loginShell: /bin/bash
    uidNumber: 89
    gidNumber: 89
    homeDirectory: /var/spool/postfix
    gecos: Postfix SMTP Server
    authzTo: dn.regex: uid=uid=.*,ou=people,dc=securemail,dc=swro,dc=local

15. Postfix configuration. Added the following lines to my postfix main.cf file:

    smtpd_use_tls = yes
    smtpd_tls_auth_only = yes
    smtpd_tls_key_file = /etc/pki/tls/certs/cyrus-imapd.pem
    smtpd_tls_cert_file = /etc/pki/tls/certs/cyrus-imapd.pem
    smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
    smtpd_tls_loglevel = 3
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
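As an added check written for this thread (not part of Doug's post, nor code from Cyrus SASL or OpenLDAP), the Python below works only on values already quoted in the message: it strictly base64-decodes the DIGEST-MD5 challenge that imtest rejected and splits it into its RFC 2831 fields, decodes the AUTH LOGIN tokens and the LDIF userPassword value so the stored and the submitted secret can be compared, and evaluates the authzTo dn.regex rules of the cyrus and postfix account entries against fred's DN to show which proxy-authorization rule actually matches. It assumes slapd's dn.regex match is an unanchored regex search and that whitespace after the dn.regex: prefix is ignored; nothing here connects to a server.

```python
import base64
import re

# Constructed inputs: every value below is copied from the transcripts and LDIF above.
CHALLENGE_B64 = (
    "bm9uY2U9IituMWFTUVR2akp2THl1S1lVcEhUS3FDeEt3YitXTnFFN2ltREdyM293bHc9Iixy"
    "ZWFsbT0ic2VjdXJlbWFpbC5zd3JvLmxvY2FsIixxb3A9ImF1dGgsYXV0aC1pbnQsYXV0aC1j"
    "b25mIixjaXBoZXI9InJjNC00MCxyYzQtNTYscmM0LGRlcywzZGVzIixtYXhidWY9NDA5Nixj"
    "aGFyc2V0PXV0Zi04LGFsZ29yaXRobT1tZDUtc2Vzcw=="
)
LOGIN_EXCHANGE = ["VXNlcm5hbWU6", "ZnJlZA==", "UGFzc3dvcmQ6", "d2lsbWE="]
LDIF_USERPASSWORD = "d2lsbWE="  # the '::' form in LDIF means base64, not a hash
FRED_DN = "uid=fred,ou=people,dc=securemail,dc=swro,dc=local"
AUTHZTO_CYRUS = "dn.regex: uid=.*,ou=people,dc=securemail,dc=swro,dc=local"
AUTHZTO_POSTFIX = "dn.regex: uid=uid=.*,ou=people,dc=securemail,dc=swro,dc=local"

# key=value pairs; a value is either "quoted" (may contain commas) or bare up to the next comma
_FIELD = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^,]*))')


def parse_digest_challenge(b64: str) -> dict:
    """Strictly base64-decode an RFC 2831 digest-challenge and split it into fields."""
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    fields = {}
    for m in _FIELD.finditer(raw):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        fields[m.group(1)] = value.split(",") if m.group(1) in ("qop", "cipher") else value
    return fields


def nonce_length(fields: dict) -> int:
    """Byte length of the decoded server nonce (32 for the challenge above)."""
    return len(base64.b64decode(fields["nonce"]))


def decode_login_exchange(tokens: list) -> dict:
    """Pair AUTH LOGIN prompts with the client's replies; every token on the wire is base64."""
    text = [base64.b64decode(t, validate=True).decode("utf-8") for t in tokens]
    return dict(zip(text[0::2], text[1::2]))


def authzto_permits(rule: str, target_dn: str) -> bool:
    """Approximate slapd's authzTo dn.regex check with an unanchored regex search.
    Assumption of this script: whitespace after the 'dn.regex:' prefix is ignored."""
    prefix = "dn.regex:"
    if not rule.startswith(prefix):
        raise ValueError("only dn.regex rules are handled here")
    return re.search(rule[len(prefix):].strip(), target_dn) is not None
```

The challenge exactly as pasted decodes under strict validation, and the LDIF value and the AUTH LOGIN reply decode to the same cleartext, which is what DIGEST-MD5 with password-hash {CLEARTEXT} relies on.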