Hi,

I'm setting up smtpd with virtual LDAP users (on OpenBSD 6.0 / OpenSMTPD 6.0.0) and the SMTP authentication fails.

Relevant smtpd.conf part is:
  table vusers ldap:/etc/mail/tumfatig-QNAP.conf
  listen on egress tls pki www.tumfatig.net auth-optional <vusers>

The LDAP configuration is:
  # LDAP server
  url                     ldap://qnap.tumfatig.net
  basedn                  dc=tumfatig,dc=net
  username                uid=service,ou=people,dc=tumfatig,dc=net
  password                secret
  # SMTP submission / authentication
  credentials_filter      (&(objectClass=posixAccount)(uid=%s))
  credentials_attributes  uid,userPassword

LDAP lookups for RCPT work. So I know url/basedn/username/password are correct.
Only SMTP AUTH fails. The daemon says:
  debug: smtp: new client on listener: 0x138c683ec000
  ba71f1a249ecc401 smtp event=connected address=192.168.0.60 host=openbsd.tumfatig.net
  debug: lka: looking up pki "www.tumfatig.net"
  debug: session_start_ssl: switching to SSL
  debug: pony: rsae_priv_enc
  ba71f1a249ecc401 smtp event=starttls ciphers="version=TLSv1.2, cipher=ECDHE-RSA-CHACHA20-POLY1305, bits=256"
  debug: lka: authenticating for vusers:ptijo
  vusers[89674]: debug: table_ldap: ldap_query: filter=(&(objectClass=posixAccount)(uid=ptijo)), ret=1
  ba71f1a249ecc401 smtp event=authentication user=ptijo result=permfail
  smtp-in: Failed command on session ba71f1a249ecc401: "AUTH PLAIN (...)" => 535 Authentication failed
  ba71f1a249ecc401 smtp event=closed reason=disconnect
  debug: smtp: 0x138bc897b000: deleting session: disconnected

If I manually run ldapsearch using url/basedn/username/password/credentials_filter, I can find the user and see its attrs. I also tried using the "admin" LDAP user as username/password but it still fails. So AFAIK, it's not a matter of getting userPassword or not. Using the same url/basedn/username/password, Dovecot can authenticate users for IMAPS connections.

How does OpenSMTPD authenticate users using LDAP?
Does it connect using username/password and do some hash comparison with the credentials given in the SMTP/TLS session, or does it try to connect to LDAP using the provided SMTP AUTH credentials?

Does the userPassword format (SHA/SSHA/CRYPT) matter?

Thanks,
 Jo
