Hello list,
I am trying to authenticate my mail users against my LDAP directory (slapd 2.4.17, Debian squeeze). I have set up proxy authorization for user postfix as follows:
in slapd.conf
----
# SASL proxy authorization rewrite rule
authz-regexp "^uid=([^,]+).*,cn=[^,]*,cn=auth$" "ldap:///dc=linuxwall,dc=info??sub?(uid=$1)"
authz-policy to
----

ldif of user postfix
----
dn: cn=Postfix Administrator,ou=infrastructure,dc=linuxwall,dc=info
authzto: ldap:///dc=linuxwall,dc=info??sub?(objectClass=inetOrgPerson)
cn: Postfix Administrator
[...]
----
I have a similar user with cyrus for cyrus-imapd.
My user postfix seems to have the authorization to act on behalf of other users.
----
# ldapwhoami -Y DIGEST-MD5 -U postfix -H ldap://localhost -R linuxwall.info -X u:julien
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: u:julien
SASL SSF: 128
SASL data security layer installed.
dn:cn=julien vehent,ou=people,dc=linuxwall,dc=info
----
Thus, I set up the ldapdb driver from the SASL library in the chroot of postfix. I see connections from postfix to slapd, and the postfix user is properly authenticated, but then I get the following message (see trace below):
----
May 23 12:57:04 samchiel slapd[1431]: conn=109 fd=17 ACCEPT from IP=127.0.0.1:58349 (IP=127.0.0.1:389)
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=0 BIND dn="" method=163
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 BIND dn="" method=163
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 BIND authcid="postfix" authzid="postfix"
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 BIND dn="cn=postfix administrator,ou=infrastructure,dc=linuxwall,dc=info" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=1 RESULT tag=97 err=0 text=
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=2 RESULT tag=120 err=123 text=not authorized to assume identity
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=2 do_extended: get_ctrls failed
May 23 12:57:04 samchiel slapd[1431]: conn=109 op=3 UNBIND
May 23 12:57:04 samchiel slapd[1431]: conn=109 fd=17 closed
May 23 12:57:04 samchiel slapd[1431]: connection_read(17): no connection!
----
I don't understand this error 'not authorized to assume identity'... since proxy authorization works fine when I test it with ldapwhoami. Also, on the same machine, I have a cyrus-imapd server that authenticates against the same slapd using the same ldapdb driver. Thus, I don't think either slapd or cyrus-sasl is the problem, but since I don't understand the error.....
Can you guys give me a hand here?
Thanks,
Julien
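The following is an added worked example, not code from the post or from OpenLDAP. It is a small offline model of the two checks slapd performs for the ldapwhoami test above: the authz-regexp rewrite of the SASL DN form into a search URI, and the authz-policy "to" check, in which the bound entry's own authzTo URI must select the identity being assumed. It assumes a constructed in-memory directory standing in for the real tree (the uid attribute on the postfix entry, and the cyrus entry, are assumptions; the post elides them), assumes that both the authcid and a u:<name> authzid are expanded to uid=<name>,cn=<realm>,cn=<mech>,cn=auth as the OpenLDAP admin guide describes, and supports only the scopes and single equality filters the two URIs in the post use. The way the trace's op=2 presents its target identity is not modelled; the point is to show which targets the authzTo filter admits and that anything outside it produces the same "not authorized to assume identity" decision.

```python
import re

# Constructed stand-in for the tree in the post (not the real data): DNs are
# stored normalised (lower case, no blanks after commas) and only the attributes
# touched by the rewrite rule and the authzTo search are present. The uid
# attribute on the postfix entry is an assumption; the post elides it.
DIRECTORY = {
    "cn=postfix administrator,ou=infrastructure,dc=linuxwall,dc=info": {
        "objectclass": ["simplesecurityobject", "organizationalrole"],
        "uid": ["postfix"],
        "authzto": ["ldap:///dc=linuxwall,dc=info??sub?(objectClass=inetOrgPerson)"],
    },
    "cn=julien vehent,ou=people,dc=linuxwall,dc=info": {
        "objectclass": ["inetorgperson"],
        "uid": ["julien"],
    },
    "cn=cyrus administrator,ou=infrastructure,dc=linuxwall,dc=info": {
        "objectclass": ["simplesecurityobject", "organizationalrole"],
        "uid": ["cyrus"],
    },
}

# The authz-regexp rule exactly as it appears in the post's slapd.conf.
AUTHZ_REGEXP = (r"^uid=([^,]+).*,cn=[^,]*,cn=auth$",
                "ldap:///dc=linuxwall,dc=info??sub?(uid=$1)")


def norm(dn):
    """Cheap DN normalisation: case-fold and drop blanks around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def sasl_dn(identity, realm="linuxwall.info", mech="digest-md5"):
    """SASL username -> the DN form slapd hands to authz-regexp. Assumption
    (per the OpenLDAP admin guide): the authcid and a 'u:<name>' authzid both
    become uid=<name>,cn=<realm>,cn=<mech>,cn=auth."""
    name = identity[2:] if identity.startswith("u:") else identity
    return f"uid={name},cn={realm},cn={mech},cn=auth"


def rewrite(sasl_form):
    """Apply authz-regexp: the search URI, or None when the rule does not match."""
    pattern, template = AUTHZ_REGEXP
    m = re.match(pattern, sasl_form)
    if not m:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)


def search(url):
    """Evaluate ldap:///base?attrs?scope?filter against DIRECTORY. Supports the
    base and sub scopes and a single (attr=value) equality filter, which is all
    the two URIs in the post need."""
    base, _attrs, scope, flt = (url[len("ldap:///"):].split("?") + [""] * 3)[:4]
    base, scope = norm(base), (scope or "base").lower()
    cond = re.fullmatch(r"\((\w+)=([^)]*)\)", flt) if flt else None
    hits = []
    for dn, entry in DIRECTORY.items():
        if dn != base and not (scope == "sub" and dn.endswith("," + base)):
            continue
        if cond and cond.group(2).lower() not in entry.get(cond.group(1).lower(), []):
            continue
        hits.append(dn)
    return hits


def resolve(identity):
    """SASL identity -> entry DN. 'dn:' forms are literal; username forms go
    through authz-regexp and exactly one entry must match (slapd refuses the
    mapping on zero or several hits)."""
    if identity.startswith("dn:"):
        dn = norm(identity[3:])
        return dn if dn in DIRECTORY else None
    url = rewrite(sasl_dn(identity))
    hits = search(url) if url else []
    return hits[0] if len(hits) == 1 else None


def may_assume(authc_dn, target_dn):
    """authz-policy to: some authzTo URI on the *bound* entry must select the
    target. False is what the trace shows as err=123 'not authorized to assume
    identity'. (slapd's dn:/dn.regex authzTo forms are not modelled.)"""
    target = norm(target_dn)
    rules = DIRECTORY.get(norm(authc_dn), {}).get("authzto", [])
    return any(rule.startswith("ldap:///") and target in search(rule) for rule in rules)


def proxy_whoami(authcid, authzid):
    """Replay `ldapwhoami -U <authcid> -X <authzid>`: the effective DN, or None."""
    authc, target = resolve(authcid), resolve(authzid)
    return target if authc and target and may_assume(authc, target) else None


if __name__ == "__main__":
    for authcid, authzid in [("postfix", "u:julien"), ("postfix", "u:cyrus"),
                             ("cyrus", "u:julien"), ("postfix", "u:nobody")]:
        print(f"{authcid:8} -> {authzid:10}: {proxy_whoami(authcid, authzid)}")
```

Running it reproduces the successful ldapwhoami case (postfix assuming u:julien) and shows three refusals that all look identical from the client side: a target that exists but is not an inetOrgPerson and so falls outside the authzTo filter, a bound identity that has no authzTo attribute at all, and a target that authz-regexp cannot map to exactly one entry. When reading a trace like the one above, it is worth checking which of these the failing request falls into, since the "to" policy is evaluated strictly against the bound entry's attribute and the resolved target, not against the client program that sends the request.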