On 06/05/18 20:19 +0000, Robert Werner wrote:
I tried running the saslauthd with the flags you suggested and got the
following output:
lpmail01 01:09 PM ~ root (1031) : /usr/sbin/saslauthd -d -n 1 -m /run/saslauthd -a ldap -O /etc/saslauthd.conf
saslauthd[4718] :main : num_procs : 1
saslauthd[4718] :main : mech_option: /etc/saslauthd.conf
saslauthd[4718] :main : run_path : /run/saslauthd
saslauthd[4718] :main : auth_mech : ldap
saslauthd[4718] :ipc_init : using accept lock file: /run/saslauthd/mux.accept
saslauthd[4718] :detach_tty : master pid is: 0
saslauthd[4718] :ipc_init : listening on socket: /run/saslauthd/mux
saslauthd[4718] :main : using process model
saslauthd[4718] :get_accept_lock : acquired accept lock
saslauthd[4718] :rel_accept_lock : released accept lock
saslauthd[4718] :do_auth : auth failure: [user=rwerner2] [service=smtp] [realm=] [mech=ldap] [reason=Unknown]
saslauthd[4718] :do_request : response: NO
saslauthd[4718] :get_accept_lock : acquired accept lock
The "debug: -1" flag didn't seem to affect the output .
I gave you the wrong option. It's 'ldap_debug: -1'.
The problem doesn't seem to be username dependent. I've used several
different ones. I'm mostly testing with my own which is "rwerner2" but
I've also tested with "ucmit-mcp" .
Does using 'ldap_filter: uid=%u' make any difference?
To clarify, it is the user supplied password that is getting cut short, and
not the ldap_bind_pw password?
Are you using a password-hash/olcPasswordHash on the server side, e.g.
{CRYPT}?
I'm seeing the same output from saslauthd in /var/log/secure after
directing the auth.debug facility there (in rsyslog).
The only way I could tell that the saslauthd was sending out only 7 chars
of the password was by looking at the tcpdump of the conversation with the
ldap server.
(as an FYI for anyone else messing with this on RHEL, I had to disable
selinux because the restrictions wouldn't let postfix talk to a saslauthd
launched from the command line as root; once this is resolved I'll
re-enable selinux).
________________________________
From: Dan White <dwhite@xxxxxxx>
Sent: Tuesday, June 5, 2018 8:42 AM
To: Robert Werner
Cc: cyrus-sasl@xxxxxxxxxxxxxxxxxxxx
Subject: Re: Problem using saslauthd against ldap server ...
On 06/04/18 22:42 +0000, Robert Werner wrote:
When saslauthd tries to bind with the credentials, it is only sending 7
characters of the password. I've validated this by using Wireshark to
examine the sasl communications. The ldap search for the user is
successful and saslauthd is finding the correct user and binding as
desired. But the auth fails, obviously, because the only 7 characters of
the actual (9 character) password is sent.
ldap_bind_dn: <user>
ldap_bind_pw: <password>
ldap_servers: ldap://lplds.ucmerced.edu
ldap_search_base: dc=ucmerced,dc=edu
ldap_filter: uid=%U
ldap_version: 3
log_level: 7
log_level: 7
pwcheck_method: saslauthd
mech_list: plain login
Is this problem reproducable with testsaslauthd and smtptest?
Disable saslauthd caching (without -c) and run in debug (-d) mode for
additional output. Set 'debug: -1' (man 3 ldap_set_option), in
saslauthd.conf to increase libldap's output.
Is this problem specific to a particular user name? If so, would you mind
sharing what that username is?
--
Dan White
