Re: Ask for saslauthd help

On 10/27/19 14:34 +0000, David Faller wrote:
Dear All,
I want to try my luck here, perhaps someone could help me.

First The Problem:

We would like to restrict the ldap authentication over saslauthd, so that users can only log in with their valid e-mail address.
At the moment users are able to log in with username@xxxxxxxxxx or only their username.

I tried a lot to specify the ldap_filter to take a lookup for the userPrincipalName=%u.
With the command testsaslauthd it's working, but cyrus can't grant access, with errors like this:

saslauthd.service - LSB: saslauthd startup script
  Loaded: loaded (/etc/init.d/saslauthd; generated)
  Active: active (running) since Fri 2019-10-25 14:07:54 CEST; 1h 33min ago
    Docs: man:systemd-sysv-generator(8)
 Process: 3707 ExecStart=/etc/init.d/saslauthd start (code=exited, status=0/SUCCESS)
   Tasks: 10 (limit: 4915)
  Memory: 15.4M
  CGroup: /system.slice/saslauthd.service
          ├─3727 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
          ├─3728 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
          ├─3729 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
          ├─3730 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
          ├─3733 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
          ├─3745 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
          ├─3746 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
          ├─3747 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
          ├─3748 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
          └─3749 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5

Oct 25 15:38:27 CGSG saslauthd[3747]:                 : auth failure: [user=money] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]
Oct 25 15:39:07 CGSG saslauthd[3745]: Entry not found (sAMAccountName=account).
Oct 25 15:39:07 CGSG saslauthd[3745]: Authentication failed for account/uc-central.net: User not found (-6)
Oct 25 15:39:07 CGSG saslauthd[3745]:                 : auth failure: [user=account] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]
Oct 25 15:40:20 CGSG saslauthd[3748]: Entry not found (sAMAccountName=tg).
Oct 25 15:40:20 CGSG saslauthd[3748]: Authentication failed for tg/uc-central.net: User not found (-6)
Oct 25 15:40:20 CGSG saslauthd[3748]:                 : auth failure: [user=tg] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]
Oct 25 15:40:56 CGSG saslauthd[3746]: Entry not found (sAMAccountName=pearl).
Oct 25 15:40:56 CGSG saslauthd[3746]: Authentication failed for pearl/uc-central.net: User not found (-6)
Oct 25 15:40:56 CGSG saslauthd[3746]:                 : auth failure: [user=pearl] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]

Hi David,

Your detail is appreciated. It helps to paint a good picture of what's going on.

The errors above appear to be for postfix. An ldap filter to try:

ldap_filter: (|(sAMAccountName=%U)(userPrincipalName=%u))

Note that saslauthd does not return the username/auth identity for postfix
and cyrus imapd to use. It's only used to authenticate the user.

To troubleshoot, you can enable debugging with:

ldap_debug: -1

See ldap_set_option(3) and include/ldap_log.h in the openldap source.

If you don't see ldap output in syslog, try starting saslauthd in debug mode.

The -r option for saslauthd, which combines the username and realm, may be useful.

Oct 25 13:49:52 CGSG cyrus/imaps[3074]: SASL Password verification failed

Oct 25 13:31:25 CGSG cyrus/imap[2420]: badlogin: localhost [127.0.0.1] plaintext it@xxxxxxxxxxxxxxx SASL(-13): authentication failure: checkpass failed
Oct 25 13:31:25 CGSG cyrus/imaps[2434]: badlogin: port-83-236-195-74.static.qsc.de[83.236.195.74] LOGIN [SASL(-13): authentication failure: checkpass failed]
Oct 25 13:31:25 CGSG cyrus/imaps[2432]: badlogin: port-83-236-195-74.static.qsc.de[83.236.195.74] LOGIN [SASL(-13): authentication failure: checkpass failed]
Oct 25 13:31:28 CGSG cyrus/imap[2445]: badlogin: localhost [127.0.0.1] plaintext it@xxxxxxxxxxxxxxx SASL(-13): authentication failure: checkpass failed
Oct 25 13:31:29 CGSG cyrus/imaps[2432]: badlogin: port-83-236-195-74.static.qsc.de[83.236.195.74] plaintext lager SASL(-13): authentication failure: checkpass failed
Oct 25 13:31:29 CGSG cyrus/imaps[2434]: badlogin: port-83-236-195-74.static.qsc.de[83.236.195.74] plaintext sebastian.mandl@xxxxxxxxxxxxxxx SASL(-13): authentication failure: checkpass failed

The problem is our multi-domain setup: when a user logs in with a client or over the web with only their username, cyrus creates new false mailboxes.
This we would like to prevent.

The mapping of username[@domain] to mailbox function is a cyrus imap decision. You can influence this by setting:

defaultdomain: <domain>

in /etc/imapd.conf. I recommend being cautious with changing the following
imapd.conf settings on a production system:

defaultdomain
virtdomains

Or you can use a canonicalization plugin.

Perhaps someone knows how to configure the saslauthd filter right for this special case.

Configuration

Our /etc/saslauthd.config

ldap_servers: ldap://ddcl001.domain.dir
ldap_search_base: dc=domain,dc=dir
ldap_filter: sAMAccountName=%U
#ldap_filter: userPrincipalName=%u

#ldap_version: 3
ldap_auth_method: bind
ldap_bind_dn: cn=Administrator,cn=Users,dc=domain,dc=dir
ldap_bind_pw: ******
#ldap_scope: sub

If supported on your ldap server, sasl/digest-md5 is a simpler way to go
about this:

ldap_servers: ldaps://<host>
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5

--
Dan White
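The %U/%u expansion and the -r option discussed in the reply, modelled in Python as an added example (not saslauthd's own code). It assumes the token semantics documented in saslauthd's LDAP_SASLAUTHD file (%u whole login, %U part before '@', %d part after '@' or the realm, %r realm, %s service) and mirrors saslauthd's RFC 4515 escaping of substituted values, so the failing log case above can be reproduced offline.

```python
import re

# Assumption: tokens follow saslauthd's LDAP_SASLAUTHD documentation.
# This is a model for reasoning about filters, not saslauthd's code.
TOKEN_RE = re.compile(r'%([uUdrs%])')


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping (as saslauthd applies before substitution), so a
    login name can only ever be matched as data, never alter the filter."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c
                   for c in value)


def expand_filter(template: str, user: str, realm: str = '',
                  service: str = 'smtp', combine_realm: bool = False) -> str:
    """Expand %u, %U, %d, %r, %s and %% in an ldap_filter template.

    combine_realm models the -r option: saslauthd receives user and realm
    separately and -r joins them into user@realm before expansion.
    """
    if combine_realm and realm:
        user = f'{user}@{realm}'
    if '@' in user:
        user_part, domain_part = user.split('@', 1)
    else:
        user_part, domain_part = user, realm
    tokens = {
        'u': ldap_escape(user),         # the whole login as received
        'U': ldap_escape(user_part),    # portion before '@'
        'd': ldap_escape(domain_part),  # portion after '@', else the realm
        'r': ldap_escape(realm),
        's': ldap_escape(service),
        '%': '%',
    }
    return TOKEN_RE.sub(lambda m: tokens[m.group(1)], template)


# The filter suggested in the reply above.
FILTER = '(|(sAMAccountName=%U)(userPrincipalName=%u))'


def demo() -> dict:
    """The logged case [user=account] [realm=uc-central.net], with and
    without -r. Without -r, %u is just 'account', so a userPrincipalName
    lookup can never match 'account@uc-central.net' in the directory."""
    return {
        'without_r': expand_filter(FILTER, 'account', 'uc-central.net'),
        'with_r': expand_filter(FILTER, 'account', 'uc-central.net',
                                combine_realm=True),
        'full_login': expand_filter(FILTER, 'money@uc-central.net'),
        'escaped': expand_filter('(userPrincipalName=%u)', 'x*)(cn=*'),
    }
```

Run `demo()` to see that only the -r form, or a client that sends the full address, yields a userPrincipalName value the directory can match, and that special characters in the login are escaped rather than interpreted.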


