Re: Unable to load the ldapdb plugin -- during SMTP AUTH against LDAP server .

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Hi Vamsi,

Comments are inline below.

From: Cyrus-sasl <> On Behalf Of Bandaru, Vamsi
Sent: Tuesday, April 28, 2020 12:37 AM

Hi all ,

( This is my first post here ) ,

I am trying to use Cyrus SASL for SMTP authentication against my organization's LDAP server .

I have two major issues I noticed :

The auth.log under /var/log reads :

Apr 27 14:57:36 postfix-in-1/submission/smtpd[42282]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
Apr 27 14:57:36 postfix-in-1/submission/smtpd[42282]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb

The message logs read :

saslauthd[85790]: detach_tty      : could not lock pid file /run/saslauthd/ Resource temporarily unavailable
saslauthd[85789]: detach_tty      : Cannot start saslauthd
saslauthd[85789]: detach_tty      : Another instance of saslauthd is currently running

As Alexander mentioned, there are two different concepts getting mixed up here. See:

The ldapdb auxprop plugin essentially requires that you have a clear text
password stored within your ldap directory. It allows you to make use of a
wider range of mechanisms, such as digest-md5.

The ldapdb plugin is configured using the following options, in this case
within your /etc/sasl2/smtpd.conf:



If you don't intend to use the ldapdb plugin, you can shut the log messages
up with:

ldapdb_uri: ldapi:///


auxprop_plugin: sasldb
canon_user_plugin: sasldb

The saslauthd daemon is a password verification daemon. It accepts
authentication data from the user in clear text, and can authenticate the
crendials using a wide range of methods (pam, ldap, etc).  saslauthd only
supports the plain and login authentication mechanisms.

These two methods *can* be mixed - saslauthd for plain/login, and ldapdb
for other mechanisms, to give you an idea of how they interoperate, but
that makes no sense here.

For documentation on the ldap saslauthd backend, see:

The saslauthd ldap backend can work with a wider range of LDAP servers than
the ldapdb plugin.

These are the files , and their locations I am trying to configure . ( am I missing any other files to configure )

 1.  /etc/saslauthd.conf
 2.  /etc/sasl2/smtpd.conf

This is a common location, but depending on your libsasl compile options,
and your smtp server configuration, your server may look elsewhere.

My  /etc/saslauthd.conf , is configured in the following way :

ldap_servers: ldaps://< hostname >:636
ldap_bind_dn: uid=xxx,ou=xx,ou=xx,o=xx
ldap_bind_pw: xxxx

ldap_version: 3
ldap_auth_method: bind
ldap_search_base: ou=xx,ou=ss,o=xx
ldap_scope: sub
ldap_filter: ShortName=%U


The  /etc/sasl2/smtpd.conf   is configured as :

pwcheck_method: auxprop
auxprop_plugin: ldapdb



#ldapdb_mech: LOGIN   ( I am not sure if this parameter should be configured under smtpd.conf or under saslauthd.conf )

This would go in your smtpd.conf, if you are using the ldapdb plugin.

Output of : saslauthd -a ldap -O /etc/saslauthd.conf

# saslauthd -a ldap -O /etc/saslauthd.conf
saslauthd[91048] :detach_tty      : Cannot start saslauthd
saslauthd[91048] :detach_tty      : Another instance of saslauthd is currently running

Presumably you are running postfix chrooted, and need to run a second
instance of saslauthd with a mux located in a location that postfix can
find. If that's the case, you'll need to specific a different location for
the mux (-m) in a location postfix can access.

If you don't need to be running two instances (the first is started by an
init script?), then modify your saslauthd startup script to include your -O
option, and the proper location for the mux.

 *   # ps aux | grep saslauthd
 *   root      84395  0.0  0.0  74456   956 ?        Ss   18:25   0:00 /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
 *   root      84396  0.0  0.0  74456   732 ?        S    18:25   0:00 /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
 *   root      84397  0.0  0.0  74456   732 ?        S    18:25   0:00 /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
 *   root      84398  0.0  0.0  74456   732 ?        S    18:25   0:00 /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
 *   root      84399  0.0  0.0  74456   732 ?        S    18:25   0:00 /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r

At this point, if saslauthd is properly configured and your saslauthd.conf
is correct, testsaslathd will succeed, and successfully authenticate
against your ldap server. Also test it in a shell, as the postfix user, to
verify all system persmissions are correct.

You would want to have this working before you move on to your postfix and
smtpd.conf configuration.

SASL related configuration under postfix / file .

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus

smtpd_sasl_path = /run/saslauthd/mux
#smtpd_sasl_path = /usr/lib64/sasl2

This isn't correct. If I understand the config option, it should point to
the location of your sasl smtpd.conf config file (/etc/sasl2).

smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_sasl_tls_security_options = noanonymous

On 04/27/20 20:22 +0000, Bandaru, Vamsi wrote:
Adding the output of pluginviewer : ldapdb is not listed as a one of the auxprop mechanisms :

# /usr/sbin/pluginviewer -a

Installed and properly configured auxprop mechanisms are:
List of auxprop plugins follows
Plugin "sasldb" ,       API version: 8
       supports store: yes

and I don't have a pluginviewer.conf on my system , another conf file I have is : /etc/sasl2/slapd.conf

pluginviewer will fail, because it requires, at least, the ldapdb_uri
option be configured. You would need to create a pluginviewer.conf, such as
in /etc/sasl2, for this command to list ldapdb.

# cat /etc/sasl2/slapd.conf
mech_list: plain
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

( this doesn't look right )

This looks fine, unless you're running postfix smtpd chrooted, in which
case you'll want to have the saslauthd mux located somewhere within the
postfix chroot.

[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux