> On Sun, 23 May 2010 18:35:21 +0200 (CEST), [email protected] wrote:
>> Can you check what exact operation is being attempted? I mean: what
>> identity "cn=postfix administrator,ou=infrastructure,dc=linuxwall,dc=info"
>> is trying to authorize as during conn=109 op=2? You should try to
>> reproduce the authorization part of it, e.g. using ldapwhoami as the
>> postfix administrator, and authorizing with exactly the same identity is
>> being used in that operation, using "stats,trace,args" log level to see
>> where it fails.
>>
>
> Sweet, thanks for your help with debugging, I found the issue!
>
> In the slapd logs, when Postfix sends the UID of the user it wants to
> authenticate as, it sends the email address of the user, i.e., for julien,
> it would send [email protected]
> Therefore, slapd looks for a user that has [email protected] in its
> UID, and obviously doesn't find it...
>
> I asked the folks on the postfix mailing list if they know anything about that,
> and if they have a correction for me.
>
> ----
> May 24 11:55:30 samchiel slapd[13163]: => get_ctrls
> May 24 11:55:30 samchiel slapd[13163]: => get_ctrls:
> oid="2.16.840.1.113730.3.4.18" (critical)
> May 24 11:55:30 samchiel slapd[13163]: parseProxyAuthz: conn 3
> authzid="u:[email protected]"
> May 24 11:55:30 samchiel slapd[13163]: slap_sasl_getdn: conn 3
> id=u:[email protected] [len=23]
> May 24 11:55:30 samchiel slapd[13163]: slap_sasl_getdn: u:id converted to
> [email protected],cn=DIGEST-MD5,cn=auth
> May 24 11:55:30 samchiel slapd[13163]: >>> dnNormalize:
> <[email protected],cn=DIGEST-MD5,cn=auth>
> May 24 11:55:30 samchiel slapd[13163]: <<< dnNormalize:
> <[email protected],cn=digest-md5,cn=auth>
> May 24 11:55:30 samchiel slapd[13163]: ==>slap_sasl2dn: converting SASL
> name [email protected],cn=digest-md5,cn=auth to a DN
> May 24 11:55:30 samchiel slapd[13163]: [rw] authid:
> "[email protected],cn=digest-md5,cn=auth" ->
> "ldap:///dc=linuxwall,dc=info??sub([email protected])"
> May 24 11:55:30 samchiel slapd[13163]: slap_parseURI: parsing
> ldap:///dc=linuxwall,dc=info??sub?([email protected])
> ----
Just change your authz-regexp line to
authz-regexp "^uid=([^,]+).*,cn=[^,]*,cn=auth$"
"ldap:///dc=linuxwall,dc=info??sub?(|(uid=$1)(mail=$1))"
p.