On Sun, 23 May 2010 18:35:21 +0200 (CEST), masarati@aero.polimi.it wrote:
Can you check what exact operation is being attempted? I mean: what identity "cn=postfix administrator,ou=infrastructure,dc=linuxwall,dc=info" is trying to authorize as during conn=109 op=2? You should try to reproduce the authorization part of it, e.g. using ldapwhoami as the postfix administrator, and authorizing with exactly the same identity that is being used in that operation, using "stats,trace,args" log level to see where it fails.
Sweet, thanks for your help at debugging, I found the issue!
In the slapd logs, when Postfix sends the UID of the user it wants to authenticate as, it sends the email address of the user, i.e., for julien, it would send julien@linuxwall.info. Therefore, slapd looks for a user that has julien@linuxwall.info in its UID, and obviously doesn't find it...
I asked the folks at the Postfix mailing list if they know anything about that, and if they have a correction for me.
----
May 24 11:55:30 samchiel slapd[13163]: => get_ctrls
May 24 11:55:30 samchiel slapd[13163]: => get_ctrls: oid="2.16.840.1.113730.3.4.18" (critical)
May 24 11:55:30 samchiel slapd[13163]: parseProxyAuthz: conn 3 authzid="u:julien@linuxwall.info"
May 24 11:55:30 samchiel slapd[13163]: slap_sasl_getdn: conn 3 id=u:julien@linuxwall.info [len=23]
May 24 11:55:30 samchiel slapd[13163]: slap_sasl_getdn: u:id converted to uid=julien@linuxwall.info,cn=DIGEST-MD5,cn=auth
May 24 11:55:30 samchiel slapd[13163]: >>> dnNormalize: <uid=julien@linuxwall.info,cn=DIGEST-MD5,cn=auth>
May 24 11:55:30 samchiel slapd[13163]: <<< dnNormalize: <uid=julien@linuxwall.info,cn=digest-md5,cn=auth>
May 24 11:55:30 samchiel slapd[13163]: ==>slap_sasl2dn: converting SASL name uid=julien@linuxwall.info,cn=digest-md5,cn=auth to a DN
May 24 11:55:30 samchiel slapd[13163]: [rw] authid: "uid=julien@linuxwall.info,cn=digest-md5,cn=auth" -> "ldap:///dc=linuxwall,dc=info??sub(uid=julien@linuxwall.info)"
May 24 11:55:30 samchiel slapd[13163]: slap_parseURI: parsing ldap:///dc=linuxwall,dc=info??sub?(uid=julien@linuxwall.info)
----
(complete trace is attached)
Thanks, Julien
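
The mapping chain visible in the trace above, modelled in Python as an added example (not part of the original message and not slapd's code). The rewrite rule is an assumption reconstructed from the `[rw]` log line, since the thread does not show the server's configuration; `RULE_STRIP_REALM` is a hypothetical alternative, and the directory entry's uid being `julien` is assumed from the message.

```python
import re

# Assumed rule, reconstructed from the [rw] line in the trace; the real
# slapd configuration is not shown in the thread.
RULE_AS_LOGGED = (r"uid=([^,]*),cn=digest-md5,cn=auth",
                  "ldap:///dc=linuxwall,dc=info??sub?(uid=$1)")
# Hypothetical alternative: accept only the linuxwall.info realm and drop it,
# so the search uses the bare login name.
RULE_STRIP_REALM = (r"uid=([^,@]+)@linuxwall\.info,cn=digest-md5,cn=auth",
                    "ldap:///dc=linuxwall,dc=info??sub?(uid=$1)")


def sasl_dn(authzid, mech):
    """Model the 'u:id converted to ...' and dnNormalize steps seen in the trace."""
    if not authzid.startswith("u:"):
        raise ValueError("only the u:<id> form is modelled here")
    return "uid=%s,cn=%s,cn=auth" % (authzid[2:], mech.lower())


def rewrite(dn, rule):
    """Apply one (pattern, replacement) pair; return None when it does not match."""
    pattern, replacement = rule
    # Whole-string, case-insensitive matching is a simplification for this model.
    m = re.fullmatch(pattern, dn, re.IGNORECASE)
    if m is None:
        return None
    # $1..$9 in the replacement stand for the captured groups.
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)


def search_filter(uri):
    """Return the filter component of an ldap:///base??scope?filter URI."""
    return uri.split("?")[3]


if __name__ == "__main__":
    dn = sasl_dn("u:julien@linuxwall.info", "DIGEST-MD5")
    for name, rule in (("as logged", RULE_AS_LOGGED),
                       ("strip realm", RULE_STRIP_REALM)):
        uri = rewrite(dn, rule)
        print(name, "->", search_filter(uri) if uri else "no match")
    # Another realm is refused by the anchored rule, not mapped onto the same uid.
    other = sasl_dn("u:julien@example.org", "DIGEST-MD5")
    print("other realm ->", rewrite(other, RULE_STRIP_REALM))
```

Pinning the realm in the pattern matters: a rule that discarded any domain would map `julien@` at every domain onto the same directory entry.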