Hi Vamsi, Comments are inline below.
From: Cyrus-sasl <cyrus-sasl-bounces+bandaru.v=pg.com@xxxxxxxxxxxxxxxxxxxx> On Behalf Of Bandaru, Vamsi
Sent: Tuesday, April 28, 2020 12:37 AM

Hi all (this is my first post here),

I am trying to use Cyrus SASL for SMTP authentication against my organization's LDAP server. I have two major issues I noticed:

The auth.log under /var/log reads:

Apr 27 14:57:36 postfix-in-1/submission/smtpd[42282]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
Apr 27 14:57:36 postfix-in-1/submission/smtpd[42282]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb

The message logs read:

saslauthd[85790]: detach_tty : could not lock pid file /run/saslauthd/saslauthd.pid: Resource temporarily unavailable
saslauthd[85789]: detach_tty : Cannot start saslauthd
saslauthd[85789]: detach_tty : Another instance of saslauthd is currently running
As Alexander mentioned, there are two different concepts getting mixed up here. See:

https://www.cyrusimap.org/sasl/sasl/sysadmin.html

The ldapdb auxprop plugin essentially requires that you have a clear text password stored within your ldap directory. It allows you to make use of a wider range of mechanisms, such as digest-md5. The ldapdb plugin is configured using the following options, in this case within your /etc/sasl2/smtpd.conf:

ldapdb_uri
ldapdb_id
ldapdb_mech
ldapdb_pw
ldapdb_rc
ldapdb_starttls
auxprop_plugin
canon_user_plugin

See: https://www.sendmail.org/~ca/email/cyrus2/options.html

If you don't intend to use the ldapdb plugin, you can shut the log messages up with:

ldapdb_uri: ldapi:///

or

auxprop_plugin: sasldb
canon_user_plugin: sasldb

The saslauthd daemon is a password verification daemon. It accepts authentication data from the user in clear text, and can authenticate the credentials using a wide range of methods (pam, ldap, etc). saslauthd only supports the plain and login authentication mechanisms.

These two methods *can* be mixed - saslauthd for plain/login, and ldapdb for other mechanisms, to give you an idea of how they interoperate, but that makes no sense here.

For documentation on the ldap saslauthd backend, see:

https://github.com/cyrusimap/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD

The saslauthd ldap backend can work with a wider range of LDAP servers than the ldapdb plugin.
These are the files, and their locations, I am trying to configure. (Am I missing any other files to configure?)

1. /etc/saslauthd.conf
2. /etc/sasl2/smtpd.conf
This is a common location, but depending on your libsasl compile options, and your smtp server configuration, your server may look elsewhere.
My /etc/saslauthd.conf is configured in the following way:

ldap_servers: ldaps://< hostname >:636
ldap_bind_dn: uid=xxx,ou=xx,ou=xx,o=xx
ldap_bind_pw: xxxx
ldap_version: 3
ldap_auth_method: bind
ldap_search_base: ou=xx,ou=ss,o=xx
ldap_scope: sub
ldap_filter: ShortName=%U

***********************************************************************

The /etc/sasl2/smtpd.conf is configured as:

pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5

****************************************************************

#ldapdb_mech: LOGIN (I am not sure if this parameter should be configured under smtpd.conf or under saslauthd.conf)
This would go in your smtpd.conf, if you are using the ldapdb plugin.
Output of: saslauthd -a ldap -O /etc/saslauthd.conf

# saslauthd -a ldap -O /etc/saslauthd.conf
saslauthd[91048] :detach_tty : Cannot start saslauthd
saslauthd[91048] :detach_tty : Another instance of saslauthd is currently running
Presumably you are running postfix chrooted, and need to run a second instance of saslauthd with a mux located in a location that postfix can find. If that's the case, you'll need to specific a different location for the mux (-m) in a location postfix can access. If you don't need to be running two instances (the first is started by an init script?), then modify your saslauthd startup script to include your -O option, and the proper location for the mux.
# ps aux | grep saslauthd
root 84395 0.0 0.0 74456 956 ? Ss 18:25 0:00 /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
root 84396 0.0 0.0 74456 732 ? S 18:25 0:00 /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
root 84397 0.0 0.0 74456 732 ? S 18:25 0:00 /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
root 84398 0.0 0.0 74456 732 ? S 18:25 0:00 /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
root 84399 0.0 0.0 74456 732 ? S 18:25 0:00 /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
At this point, if saslauthd is properly configured and your saslauthd.conf is correct, testsaslauthd will succeed, and successfully authenticate against your ldap server. Also test it in a shell, as the postfix user, to verify all system permissions are correct. You would want to have this working before you move on to your postfix and smtpd.conf configuration.
SASL related configuration under the postfix main.cf file:

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = /run/saslauthd/mux
#smtpd_sasl_path = /usr/lib64/sasl2
This isn't correct. If I understand the config option, it should point to the location of your sasl smtpd.conf config file (/etc/sasl2).
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_sasl_tls_security_options = noanonymous
On 04/27/20 20:22 +0000, Bandaru, Vamsi wrote:
Adding the output of pluginviewer: ldapdb is not listed as one of the auxprop mechanisms:

# /usr/sbin/pluginviewer -a
Installed and properly configured auxprop mechanisms are: sasldb
List of auxprop plugins follows
Plugin "sasldb" , API version: 8
supports store: yes

and I don't have a pluginviewer.conf on my system. Another conf file I have is: /etc/sasl2/slapd.conf
pluginviewer will fail, because it requires, at least, the ldapdb_uri option be configured. You would need to create a pluginviewer.conf, such as in /etc/sasl2, for this command to list ldapdb.
# cat /etc/sasl2/slapd.conf
mech_list: plain
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

(this doesn't look right)
This looks fine, unless you're running postfix smtpd chrooted, in which case you'll want to have the saslauthd mux located somewhere within the postfix chroot.
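The two verification paths discussed in this reply (the ldapdb auxprop plugin, which needs at least ldapdb_uri before it will even load, and saslauthd, which only ever sees PLAIN/LOGIN credentials and needs its mux reachable from the possibly chrooted smtpd) are easy to mix up in an smtpd.conf like the ones quoted above. The script below is an added example, not code from Cyrus SASL or from anyone in this thread: it reads a Cyrus SASL application config and reports which path it selects and what that path is still missing. The helper names get_opt and check_sasl_conf are hypothetical, and the sample configs it writes to a temp directory are constructed from the thread's quoted files.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not part of Cyrus SASL): inspect a
# Cyrus SASL application config such as /etc/sasl2/smtpd.conf and report
# which password verification path it selects and what that path still needs.

# get_opt FILE KEY: print the value of "KEY: value", skipping commented-out
# lines (a leading '#' means the key never appears at the start of the line).
get_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_sasl_conf FILE: print one line per problem; succeed only if none found.
check_sasl_conf() {
    conf=$1
    problems=0
    method=$(get_opt "$conf" pwcheck_method)
    case "$method" in
    auxprop)
        # The ldapdb auxprop plugin needs at least ldapdb_uri; without it the
        # plugin fails to initialise (the _sasl_plugin_load errors in auth.log).
        if [ "$(get_opt "$conf" auxprop_plugin)" = ldapdb ]; then
            for key in ldapdb_uri ldapdb_id ldapdb_pw; do
                if [ -z "$(get_opt "$conf" "$key")" ]; then
                    echo "ldapdb: $key not set"
                    problems=$((problems + 1))
                fi
            done
        fi
        ;;
    saslauthd)
        # saslauthd verifies clear-text credentials, so only PLAIN and LOGIN
        # can be handed to it; any other listed mechanism will never succeed.
        for m in $(get_opt "$conf" mech_list); do
            case "$(printf '%s' "$m" | tr '[:lower:]' '[:upper:]')" in
            PLAIN|LOGIN) ;;
            *)
                echo "saslauthd: mechanism $m cannot be verified by saslauthd"
                problems=$((problems + 1))
                ;;
            esac
        done
        # If the mux path is set explicitly, the socket must exist where the
        # (possibly chrooted) server will look for it.
        mux=$(get_opt "$conf" saslauthd_path)
        if [ -n "$mux" ] && [ ! -S "$mux" ]; then
            echo "saslauthd: mux socket $mux not found (check the chroot)"
            problems=$((problems + 1))
        fi
        ;;
    *)
        echo "pwcheck_method: unset or unrecognised ('$method')"
        problems=$((problems + 1))
        ;;
    esac
    [ "$problems" -eq 0 ]
}

# Demo on constructed samples: the thread's smtpd.conf (ldapdb with no
# ldapdb_* options) and a saslauthd-based one listing a mechanism it cannot serve.
demo() {
    tmp=$(mktemp -d)
    printf 'pwcheck_method: auxprop\nauxprop_plugin: ldapdb\nmech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5\n#ldapdb_mech: LOGIN\n' \
        > "$tmp/smtpd-ldapdb.conf"
    printf 'pwcheck_method: saslauthd\nmech_list: plain login digest-md5\n' \
        > "$tmp/smtpd-saslauthd.conf"
    for f in "$tmp"/*.conf; do
        echo "== $f"
        check_sasl_conf "$f" && echo "no problems found"
    done
    rm -rf "$tmp"
}
demo
```

Run it against the real file (check_sasl_conf /etc/sasl2/smtpd.conf) as the postfix user so that the mux socket check reflects the permissions and chroot the server actually runs with; a clean result here still has to be followed by a testsaslauthd run, since this only inspects the config, not the LDAP bind itself.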