As you've expected, it was an error on my side. However, I've done a few changes and, for the record, I can't say what brought the change. Thanks for the attention to my problem.

p@rick

* Patrick Ben Koetter <p@xxxxxxxxxxxxxxxx>:
> * Howard Chu <hyc@xxxxxxxxxxxxxxx>:
> > Patrick Ben Koetter wrote:
> > > This mail expands on a mail I had sent to cyrus-sasl@xxxxxxxxxxxxxxxxxxxx a
> > > few days ago. I spent the last days testing this and I believe I have
> > > found a bug.
> >
> > The likelihood that a bug is in the ldapdb code is about zero.
>
> Agreed. That's why I wrote "possible".
>
> > > Version: Cyrus SASL 2.1.22
> > > OS: CentOS (also tested and verified on Ubuntu and OpenSuse)
> > > Description: Entries that can successfully be authenticated using the
> > >              ldapwhoami command can only partially be authenticated using
> > >              the Cyrus SASL ldapdb plugin.
> >
> > > Steps to reproduce:
> > > (All files are available for download at
> > > <http://www.state-of-mind.de/bugreport_cyrus-sasl-2.1.22.tgz>)
> >
> > Since you've gone to the trouble of packaging this up, you should also have
> > included an extract from the slapd debug log taken from running the sample
> > authentication.
>
> Right. My fault. I've created a completely new package and put it at
> http://www.state-of-mind.de/bugreport_2_cyrus-sasl-2.1.22.tgz.
>
> It contains a log from "loglevel ACL traces".
>
> > > 1. Install the configuration as provided by bugreport_cyrus-sasl-2.1.22.tgz.
> > > 2. Use ldapwhoami to verify authentication:
> > >
> > >    [root@netinstall ldap]# ldapwhoami -U a -w a
> > >    SASL/DIGEST-MD5 authentication started
> > >    SASL username: a
> > >    SASL SSF: 128
> > >    SASL installing layers
> > >    dn:uid=a,ou=people,dc=example,dc=com
> > >    Result: Success (0)
> > >
> > >    [root@netinstall ldap]# ldapwhoami -U b -w b
> > >    SASL/DIGEST-MD5 authentication started
> > >    SASL username: b
> > >    SASL SSF: 128
> > >    SASL installing layers
> > >    dn:uid=b,ou=people,dc=example,dc=com
> > >    Result: Success (0)
> >
> > Neither of these commands reflects what the ldapdb plugin does. To test
> > that you first need to test e.g.
> >
> >    ldapwhoami -U proxyuser -X a
>
>    [root@netinstall ~]# ldapwhoami -U proxyuser -X a
>    SASL/DIGEST-MD5 authentication started
>    Please enter your password:
>    ldap_sasl_interactive_bind_s: Insufficient access (50)
>            additional info: SASL(-14): authorization failure: unable authorization ID
>
> So it seems that the proxyuser has "Insufficient access". I've followed the
> traces of authentication in the log and see that it fails, but I can't tell
> why.
>
> If I interpret the log correctly, the authz-regexp mapping works and maps
> proxyuser to the correct DN. Permission is given to read the uid and
> userPassword, but then it fails. This is where I am lost.
>
> (On a side note I wonder: if proxyuser fails, how come the ldapdb plugin would
> work for one entry and not the other?)
>
> p@rick
>
> P.S.: Seems this is more an OpenLDAP topic than a Cyrus SASL topic. If you want
> me to, I can open a new thread on openldap.
>
> --
> The Book of Postfix
> <http://www.postfix-book.com>
> saslfinger (debugging SMTP AUTH):
> <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>

--
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
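The thread never states which setting was wrong, so the following is an added example, not the poster's configuration and not code from the OpenLDAP or Cyrus SASL projects. It shows the three slapd.conf pieces that the test Howard Chu suggested (proxyuser authenticating and then asserting another identity) depends on, and which the ldapdb plugin exercises in exactly the same way: an authz-regexp that maps SASL identities onto directory entries, an authz-policy that turns proxy authorization on at all, and an ACL that lets the proxied user read the attributes ldapdb needs. The names proxyuser, ou=people,dc=example,dc=com and DIGEST-MD5 are taken from the thread; the authzTo URL, the objectClass filter and the ACL shape are assumptions for illustration.

```conf
# Added example slapd.conf fragment (not from the thread or from the OpenLDAP
# or Cyrus SASL projects). Names follow the thread; the authzTo URL, the
# objectClass filter and the ACL layout are assumptions for illustration.

# 1. Map SASL authentication identities onto entries. A DIGEST-MD5 bind as "a"
#    arrives as uid=a,cn=digest-md5,cn=auth; the same rule maps proxyuser's
#    own bind to its entry under ou=people.
authz-regexp
    "uid=([^,]*),cn=digest-md5,cn=auth"
    "ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)"

# 2. Enable proxy authorization. The default is "none", in which case every
#    "-X <authzid>" bind, and therefore every ldapdb lookup, fails with an
#    authorization failure regardless of how the ACLs look.
authz-policy to

# 3. With "authz-policy to", the authenticating identity's own entry has to
#    say whom it may impersonate. That lives on proxyuser's entry, not in
#    slapd.conf; for reference, as LDIF (assumed entry):
#
#      dn: uid=proxyuser,ou=people,dc=example,dc=com
#      authzTo: ldap:///ou=people,dc=example,dc=com??sub?(objectClass=inetOrgPerson)
#
#    A dn.regex: form is also accepted; the URL form keeps the scope explicit.

# 4. ldapdb reads userPassword while acting as the proxied user, so the target
#    entry must be readable by that identity. "auth" access alone only permits
#    simple binds against the attribute; it does not permit reading it.
access to attrs=userPassword
    by self read
    by anonymous auth
    by * none

access to *
    by self write
    by users read
    by anonymous auth
```

With this in place, ldapwhoami -U proxyuser -X u:a should return dn:uid=a,ou=people,dc=example,dc=com (the ldapdb plugin asserts the client's name in the u: form). If it still fails, the "loglevel ACL traces" output the thread mentions shows which of the three stages (identity mapping, authzTo check, or the userPassword ACL) refused. On the SASL side, the plugin is selected in the application's SASL config with auxprop_plugin: ldapdb plus ldapdb_uri, ldapdb_id (the proxy identity, proxyuser here), ldapdb_pw and ldapdb_mech (DIGEST-MD5 here); the ldapdb_id bind is what the ldapwhoami test above stands in for.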