Dear All,

I want to try my luck here, perhaps someone could help me.

First, the problem:

We would like to restrict the LDAP authentication over saslauthd so that users can only log in with their valid e-mail address. At the moment users are able to log in with usern...@domain.com or only their username. I tried a lot to specify the ldap_filter to do a lookup for userPrincipalName=%u. With the command testsaslauthd it's working, but cyrus can't grant access, with errors like this:

  saslauthd.service - LSB: saslauthd startup script
     Loaded: loaded (/etc/init.d/saslauthd; generated)
     Active: active (running) since Fri 2019-10-25 14:07:54 CEST; 1h 33min ago
       Docs: man:systemd-sysv-generator(8)
    Process: 3707 ExecStart=/etc/init.d/saslauthd start (code=exited, status=0/SUCCESS)
      Tasks: 10 (limit: 4915)
     Memory: 15.4M
     CGroup: /system.slice/saslauthd.service
             ├─3727 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
             ├─3728 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
             ├─3729 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
             ├─3730 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
             ├─3733 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
             ├─3745 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
             ├─3746 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
             ├─3747 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
             ├─3748 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
             └─3749 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5

  Oct 25 15:38:27 CGSG saslauthd[3747]: : auth failure: [user=money] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]
  Oct 25 15:39:07 CGSG saslauthd[3745]: Entry not found (sAMAccountName=account).
  Oct 25 15:39:07 CGSG saslauthd[3745]: Authentication failed for account/uc-central.net: User not found (-6)
  Oct 25 15:39:07 CGSG saslauthd[3745]: : auth failure: [user=account] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]
  Oct 25 15:40:20 CGSG saslauthd[3748]: Entry not found (sAMAccountName=tg).
  Oct 25 15:40:20 CGSG saslauthd[3748]: Authentication failed for tg/uc-central.net: User not found (-6)
  Oct 25 15:40:20 CGSG saslauthd[3748]: : auth failure: [user=tg] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]
  Oct 25 15:40:56 CGSG saslauthd[3746]: Entry not found (sAMAccountName=pearl).
  Oct 25 15:40:56 CGSG saslauthd[3746]: Authentication failed for pearl/uc-central.net: User not found (-6)
  Oct 25 15:40:56 CGSG saslauthd[3746]: : auth failure: [user=pearl] [service=smtp] [realm=uc-central.net] [mech=ldap] [reason=Unknown]

  Oct 25 13:49:52 CGSG cyrus/imaps[3074]: SASL Password verification failed
  Oct 25 13:31:25 CGSG cyrus/imap[2420]: badlogin: localhost [127.0.0.1] plaintext i...@mandldreyer.com SASL(-13): authentication failure: checkpass failed
  Oct 25 13:31:25 CGSG cyrus/imaps[2434]: badlogin: port-83-236-195-74.static.qsc.de [83.236.195.74] LOGIN [SASL(-13): authentication failure: checkpass failed]
  Oct 25 13:31:25 CGSG cyrus/imaps[2432]: badlogin: port-83-236-195-74.static.qsc.de [83.236.195.74] LOGIN [SASL(-13): authentication failure: checkpass failed]
  Oct 25 13:31:28 CGSG cyrus/imap[2445]: badlogin: localhost [127.0.0.1] plaintext i...@mandldreyer.com SASL(-13): authentication failure: checkpass failed
  Oct 25 13:31:29 CGSG cyrus/imaps[2432]: badlogin: port-83-236-195-74.static.qsc.de [83.236.195.74] plaintext lager SASL(-13): authentication failure: checkpass failed
  Oct 25 13:31:29 CGSG cyrus/imaps[2434]: badlogin: port-83-236-195-74.static.qsc.de [83.236.195.74] plaintext sebastian.ma...@mandldreyer.com SASL(-13): authentication failure: checkpass failed

The problem is our multi-domain setup: when a user logs in with a client or over the web with only their username, cyrus creates new false mailboxes. This we would like to prevent. Perhaps someone knows how to configure the saslauthd filter right for this special case.

Configuration

Our /etc/saslauthd.config:

  ldap_servers: ldap://ddcl001.domain.dir
  ldap_search_base: dc=domain,dc=dir
  ldap_filter: sAMAccountName=%U
  #ldap_filter: userPrincipalName=%u
  #ldap_version: 3
  ldap_auth_method: bind
  ldap_bind_dn: cn=Administrator,cn=Users,dc=domain,dc=dir
  ldap_bind_pw: ******
  #ldap_scope: sub

Best Regards,
David Faller

Sent from my iPad
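The following is an added illustration, not part of David's post and not saslauthd's own code. It models the token expansion saslauthd applies to ldap_filter (the tokens %u, %U, %d, %r, %s and %% as documented in the LDAP_SASLAUTHD file shipped with cyrus-sasl, with RFC 4515 escaping of the substituted value, which is assumed to match what saslauthd does) and runs the two filters from the post through the situations the log lines show: testsaslauthd handing over the whole address as the user, and the mail server handing over user and realm separately ([user=account] [realm=uc-central.net]). The directory entry and the logins are constructed; whether a filter built from %u@%r matches the directory's real userPrincipalName values is an assumption to confirm against the live directory.

```python
import re

# Tokens follow the LDAP_SASLAUTHD documentation shipped with cyrus-sasl
# (%u user, %U user before '@', %d user after '@', %r realm, %s service,
# %% literal). This is a model for illustration, not saslauthd's own code.
_TOKEN_RE = re.compile(r'%([uUdrs%])')


def ldap_escape(value):
    """RFC 4515 escaping for a value interpolated into a search filter:
    '*', '(', ')', '\\' and NUL become backslash + two hex digits, so a
    typed login can never widen the filter into a wildcard or a second clause."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch
                   for ch in value)


def expand_filter(template, user, realm='', service=''):
    """Expand an ldap_filter template for one authentication request.
    user, realm and service arrive as separate values, as in the log lines."""
    local, _, domain = user.partition('@')
    values = {'u': user, 'U': local, 'd': domain, 'r': realm, 's': service}
    return _TOKEN_RE.sub(
        lambda m: '%' if m.group(1) == '%' else ldap_escape(values[m.group(1)]),
        template)


# Constructed directory fragment (not the poster's directory): one AD-style
# user whose sAMAccountName is the bare login and whose userPrincipalName is
# the full address.
DIRECTORY = [
    {'sAMAccountName': 'account', 'userPrincipalName': 'account@uc-central.net'},
]


def entry_found(filter_str, directory=DIRECTORY):
    """Evaluate the one filter shape used here, 'attr=value', as an AD-style
    case-insensitive equality match. An escaped value compares literally,
    so an escaped '*' is not a wildcard."""
    attr, _, value = filter_str.partition('=')
    return any(e.get(attr, '').lower() == value.lower() for e in directory)


def scenarios():
    """Filters produced, and whether they hit the entry, for the cases in the
    post. Returns {name: (expanded_filter, found)}."""
    cases = {
        # testsaslauthd -u account@uc-central.net: the whole string is %u.
        'testsaslauthd_full_address':
            ('userPrincipalName=%u', 'account@uc-central.net', ''),
        # The log shows [user=account] [realm=uc-central.net]: %u is bare.
        'cyrus_split_user_realm':
            ('userPrincipalName=%u', 'account', 'uc-central.net'),
        # Joining the two tokens rebuilds the address (assumed to match the
        # directory's UPN format; confirm with testsaslauthd -r <realm>).
        'join_user_and_realm':
            ('userPrincipalName=%u@%r', 'account', 'uc-central.net'),
        # The current filter strips any domain, so both login forms succeed.
        'current_filter_bare_login':
            ('sAMAccountName=%U', 'account', 'uc-central.net'),
        'current_filter_full_address':
            ('sAMAccountName=%U', 'account@uc-central.net', ''),
        # A '*' typed as the login is escaped, not treated as a wildcard.
        'wildcard_login_escaped':
            ('sAMAccountName=%U', '*', 'uc-central.net'),
    }
    out = {}
    for name, (tpl, user, realm) in cases.items():
        f = expand_filter(tpl, user, realm)
        out[name] = (f, entry_found(f))
    return out


if __name__ == '__main__':
    for name, (f, found) in scenarios().items():
        print('%-30s %-45s %s' % (name, f, 'found' if found else 'Entry not found'))
```

The split case is the one that reproduces "Entry not found": with user and realm delivered separately, %u carries only the bare login, so a userPrincipalName filter built from %u alone never sees the domain, while the sAMAccountName=%U filter accepts the bare login and the full address alike because %U discards everything after the '@'. saslauthd's documented -r option, which joins login and realm as login@realm before the lookup, is the other route to getting a full address into %u; either way, testsaslauthd with the -r realm argument is the place to confirm the resulting filter against the directory before changing the running configuration.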