On Tue, May 22, 2018 at 06:13:23PM -0700, Paul B. Henson wrote:
> So I recently converted my opensmtpd server to use ldap as the backend
> for user authentication. It seems it's a bit intolerant to ldap issues?
>

yes most likely

> If the ldap server isn't available when opensmtpd is started, it says it
> started:
>
> # /etc/rc.d/smtpd start
> smtpd(ok)
>
> But it isn't there:
>
> # ps -aux | grep smtpd
> root 89090 0.0 0.0 304 1208 p6 S+p 5:52PM 0:00.00 grep smtpd
>
> And it's not really obvious why:
>
> May 22 17:52:51 bart smtpd[46044]: info: OpenSMTPD 6.0.4 starting
> May 22 17:52:51 bart smtpd[23325]: warn: table-proc: pipe closed
> May 22 17:52:51 bart smtpd[23325]: lookup: table-proc: exiting
> May 22 17:52:51 bart smtpd[73239]: smtpd: process lka socket closed
>

not good

> Starting in debug mode:
>
> # smtpd -d
> info: OpenSMTPD 6.0.4 starting
> users[43283]: debug: reading key "url" -> "ldap://localhost:3389"
> users[43283]: debug: reading key "basedn" ->
> users[43283]: debug: reading key "username" ->
> users[43283]: debug: reading key "password" ->
> users[43283]: debug: reading key "credentials_filter" ->
> "(&(objectClass=uidObject)(uid=%s))"
> users[43283]: debug: parsing attribute "credentials_attributes" (2) ->
> "uid,description"
> users[43283]: debug: done reading config
> users[43283]: warn: aldap_parse
> users[43283]: fatal: failed to connect
> warn: table-proc: pipe closed
> lookup: table-proc: exiting
> smtpd: process lka socket closed
>
> You can see it looks like it fails to connect to the ldap server at
> startup and just dies.
>
> Further, if the ldap server is up at startup, but ever restarts or has
> the connection broken, authentication just fails:
>
> May 21 13:22:10 bart smtpd[42132]: warn: user credentials lookup fail for
> users:henson
>
> The opensmtpd process needs to be restarted before authentication works
> again.
>

not good

> In debug mode, it shows:
>
> users[7295]: debug: table_ldap: ldap_query:
> filter=(&(objectClass=uidObject)(uid=henson)), ret=0
> 5e46e2fabbf8d72e smtp event=authentication user=henson
> address=134.71.249.41 host=134.71.249.41 result=permfail
>
> Is it expected that the ldap support is currently not production ready?
> I see in a presentation from back in 2013 that ldap was classified
> experimental at the time, but it's not clear if that's still the case.
>

Yes, sadly I wrote the initial ldap support but I don't use ldap myself
and I could not get any user to spend time with me testing related diffs
more than a couple of times, so...

> I see in the repo at
>
> https://github.com/OpenSMTPD/OpenSMTPD-extras/blob/master/extras/tables/table-ldap/table_ldap.c
>
> there's a change to add ldap reconnection support:
>
> https://github.com/OpenSMTPD/OpenSMTPD-extras/commit/04e4c521b34d1987af915ff97dcb0d87daf122b0#diff-369c0fcbfbc85bf2cdad7dba1131b872
>
> but it's dated 7/27/2017, and the last github release seems to be
> 201601072302 (although the openbsd port appears to be 201703132115, I
> guess it's not downloading it from github?).
>

It's been a while since the last -extras release indeed, I suppose the
openbsd port pulls from github, I dunno really

> It looks like the code in head still fails to start if the ldap server
> isn't available when opensmtpd is started though.
>

That's bad but could easily be fixed if you want to help us

> Is anybody using opensmtpd with ldap in production? If so, how are you
> working around this issue?
>

That would be a bad idea... it's experimental :-p

-- 
Gilles Chehade

https://www.poolp.org                 @poolpOrg
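The two failure modes the thread describes, a directory that is unreachable when the daemon starts (the table process dies with "fatal: failed to connect") and a connection that breaks later (every lookup then fails until smtpd is restarted), are both handled by the same pattern: connect lazily, reconnect when the connection is found dead, and report an outage as a temporary failure instead of "user not found". The block below is an added illustration of that pattern written for this page; it is not code from OpenSMTPD or OpenSMTPD-extras and does not reproduce the reconnection commit linked above (the real table-ldap is C and uses aldap). The `FakeLdapBackend`, its scripted outcome lists, the `DIRECTORY` contents and the three `scenario_*` functions are all constructed for the example; nothing here speaks real LDAP.

```python
"""Added example, not OpenSMTPD/OpenSMTPD-extras code: a directory lookup
wrapper that survives a backend that is down at startup and a connection
that drops later.  The backend is a constructed in-memory fake with a
scripted failure sequence."""

import time
from collections import deque


class BackendDown(Exception):
    """Raised by the fake backend for a refused connect or a dropped connection."""


class FakeLdapBackend:
    """Constructed stand-in for a directory server.  connect_outcomes and
    query_outcomes are lists of booleans consumed one per connect()/search();
    once exhausted, every call succeeds."""

    def __init__(self, directory, connect_outcomes=(), query_outcomes=()):
        self.directory = dict(directory)
        self.connect_outcomes = deque(connect_outcomes)
        self.query_outcomes = deque(query_outcomes)
        self.connects = 0  # number of connect attempts made by the client

    def connect(self):
        self.connects += 1
        ok = self.connect_outcomes.popleft() if self.connect_outcomes else True
        if not ok:
            raise BackendDown("connect refused")
        return FakeLdapConnection(self)


class FakeLdapConnection:
    def __init__(self, backend):
        self.backend = backend
        self.alive = True

    def search(self, uid):
        """Return the entry for uid, None if absent, or drop the connection."""
        q = self.backend.query_outcomes
        if not (q.popleft() if q else True):
            self.alive = False
            raise BackendDown("connection reset by peer")
        return self.backend.directory.get(uid)


class ResilientLookup:
    """Connects lazily, reconnects on a dead connection, and reports a backend
    outage as a temporary failure rather than as 'user not found'."""

    def __init__(self, backend, max_attempts=3, backoff=0.0):
        self.backend = backend
        self.max_attempts = max_attempts
        self.backoff = backoff  # seconds, doubled per retry when non-zero
        self.conn = None        # deliberately not connected at construction

    def _connection(self):
        if self.conn is None or not self.conn.alive:
            self.conn = self.backend.connect()
        return self.conn

    def lookup(self, uid):
        """Return ("ok", entry), ("notfound", None) or ("tempfail", None)."""
        for attempt in range(self.max_attempts):
            try:
                entry = self._connection().search(uid)
            except BackendDown:
                self.conn = None  # force a fresh connect on the next attempt
                if self.backoff:
                    time.sleep(self.backoff * (2 ** attempt))
                continue
            return ("ok", entry) if entry is not None else ("notfound", None)
        return ("tempfail", None)


# Constructed directory; "henson" is the uid from the thread's log lines.
DIRECTORY = {"henson": {"uid": "henson", "description": "example entry"}}


def scenario_down_at_startup():
    """Directory refuses the first two connects, as when it is not up yet."""
    backend = FakeLdapBackend(DIRECTORY, connect_outcomes=[False, False, True])
    status, _ = ResilientLookup(backend).lookup("henson")
    return status, backend.connects


def scenario_connection_dropped():
    """Connection dies between two lookups; the wrapper reconnects silently."""
    backend = FakeLdapBackend(DIRECTORY, query_outcomes=[True, False, True])
    client = ResilientLookup(backend)
    first = client.lookup("henson")[0]
    second = client.lookup("henson")[0]
    unknown = client.lookup("nobody")[0]
    return first, second, unknown, backend.connects


def scenario_outage():
    """Directory stays down: the answer is tempfail, never notfound."""
    backend = FakeLdapBackend(DIRECTORY, connect_outcomes=[False] * 3)
    return ResilientLookup(backend, max_attempts=3).lookup("henson")[0]


if __name__ == "__main__":
    print(scenario_down_at_startup())
    print(scenario_connection_dropped())
    print(scenario_outage())
```

The point of the three-way result is the log line quoted above, where a lookup against a broken connection ends as `result=permfail`: a caller that cannot tell an outage from a missing user will turn every backend hiccup into a permanent authentication failure, whereas a tempfail lets the client retry once the directory is back.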