On 06/04/18 22:42 +0000, Robert Werner wrote:
I'm trying to use saslauthd to test "auth plain" and "auth login"
authentication against our LDAP data store using the "MECH=ldap"
configuration.
When saslauthd tries to bind with the credentials, it is only sending 7
characters of the password. I've validated this by using Wireshark to
examine the sasl communications. The ldap search for the user is
successful and saslauthd is finding the correct user and binding as
desired. But the auth fails, obviously, because only 7 characters of
the actual (9 character) password are sent.
If I use the "MECH=pam" and authenticate against a valid user (also with a
password that is 9 characters) on the local server, the authentication is
successful.
I'm running this on RHEL 7.5 with cyrus-sasl* packages that are version
"2.1.26-23.el7.x86_64", ie:
cyrus-sasl-plain-2.1.26-23.el7.x86_64
cyrus-sasl-2.1.26-23.el7.x86_64
cyrus-sasl-gssapi-2.1.26-23.el7.x86_64
cyrus-sasl-lib-2.1.26-23.el7.x86_64
I've attached my smtp.conf, saslauthd and saslauthd.conf files (with
passwords redacted).
Is there a configuration I'm missing or have I found a bug? Any
suggestions as to how to get around this problem?
ldap_bind_dn: <user>
ldap_bind_pw: <password>
ldap_servers: ldap://lplds.ucmerced.edu
ldap_search_base: dc=ucmerced,dc=edu
ldap_filter: uid=%U
ldap_version: 3
log_level: 7
log_level: 7
pwcheck_method: saslauthd
mech_list: plain login
Is this problem reproducible with testsaslauthd and smtptest?
Disable saslauthd caching (without -c) and run in debug (-d) mode for
additional output. Set 'debug: -1' (man 3 ldap_set_option), in
saslauthd.conf to increase libldap's output.
Is this problem specific to a particular user name? If so, would you mind
sharing what that username is?
--
Dan White
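
The Wireshark check described in the report can also be scripted. The following is an added example, not code from this thread or from the Cyrus SASL project: it parses one captured LDAPv3 simple BindRequest and returns the bind DN and the length of the password actually sent, without printing the password. The DN, the sample passwords and the `build_bind` helper are constructed for illustration.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element runs past end of capture")
    return tag, buf[pos:pos + length], pos + length


def simple_bind_info(pdu):
    """Return (bind DN, password length in bytes) from a simple BindRequest."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _msgid, pos = read_tlv(msg, 0)       # messageID INTEGER
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x60:                          # [APPLICATION 0] BindRequest
        raise ValueError("not a BindRequest")
    _, _version, pos = read_tlv(op, 0)       # version INTEGER
    _, name, pos = read_tlv(op, pos)         # bind DN OCTET STRING
    tag, cred, _ = read_tlv(op, pos)
    if tag != 0x80:                          # [0] simple authentication
        raise ValueError("not simple authentication")
    return name.decode("utf-8"), len(cred)


def _tlv(tag, value):  # short-form lengths only; enough for the sample
    return bytes([tag, len(value)]) + value


def build_bind(dn, password, msgid=1):
    """Constructed sample PDU standing in for bytes copied from a capture."""
    op = _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msgid])) + _tlv(0x60, op))


if __name__ == "__main__":
    dn = "uid=jdoe,dc=example,dc=edu"        # constructed DN
    for pw in ("Passw0rd!", "Passw0r"):      # constructed 9- and 7-character values
        print(simple_bind_info(build_bind(dn, pw)))
```

Comparing the reported length with the length of the password typed into the client shows whether truncation happened before the bind left saslauthd.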