
I am trying to set up a mail server on Debian Jessie and have come across a problem that's doing my head in.

When trying to access OpenLDAP through saslauthd via the command

testsaslauthd -u user1 -p user1pw -f /var/spool/postfix/var/run/saslauthd/mux

I get the following error in auth.log

Apr 17 10:36:50 debmailserv saslauthd[1661]: user ldap_search_st() failed: Bad search filter
Apr 17 10:36:50 debmailserv saslauthd[1661]: Retrying authentication
Apr 17 10:36:50 debmailserv saslauthd[1661]: user ldap_search_st() failed: Bad search filter
Apr 17 10:36:50 debmailserv saslauthd[1661]: Authentication failed for user1: Retry condition (ldap server connection reset or broken) (-3)
Apr 17 10:36:50 debmailserv saslauthd[1661]: do_auth         : auth failure: [user=user1] [service=imap] [realm=] [mech=ldap] [reason=Unknown]

But if I use the same search filter used in saslauthd.conf with the following ldapsearch, it works fine.

ldapsearch -D "uid=saslauthd,ou=services,dc=example,dc=com" -w saslauthdpw \
  -p 389 -h 127.0.0.1 -b "ou=people,dc=example,dc=com" \
  -s sub "(&(uid=user1)(mailEnabled=TRUE))"

My saslauthd.conf looks like this

# Server
ldap_servers: ldap://127.0.0.1/

# Identity
ldap_bind_dn: uid=saslauthd,ou=services,dc=example,dc=com
ldap_bind_pw: saslauthdpw
ldap_auth_method: bind

# Connection
ldap_version: 3
ldap_timeout: 10
ldap_time_limit: 10
ldap_referrals: yes

# Search
ldap_scope: sub
ldap_search_base: ou=people,dc=example,dc=com
ldap_filter: (&(uid=%u)(mailEnabled=TRUE))

# SSL
ldap_ssl: no
ldap_starttls: no

If I comment out the ldap_filter then the testsaslauthd works fine.

Any pointers will be greatly appreciated!

silkyriver
  • Unfortunately `saslauthd` does not provide further details to see what is actually passed to the `ldap_search_st` function as `filter` argument. The simplest possibility would by probably to run it under `gdb` to see what are the actual arguments after expansions and whatever is evaluated further. Otherwise I don't see any problem there. – Jakuje Apr 17 '16 at 10:12
  • Is your LDAP server an Active Directory? Try to set ldap_referrals to no – Izac Apr 18 '16 at 05:38
  • @Izac I am using OpenLDAP. I tried with `ldap_referrals` set to both yes and no, with the same result – silkyriver Apr 19 '16 at 07:09
  • @Jakuje It seems that `testsaslauthd` does not have any debugging built in to the executable. Unfortunately I'm not too proficient in the Linux environment so I might try again from a fresh system to see if some other config is interfering with `saslauthd`. – silkyriver Apr 19 '16 at 07:12
  • Is your filter working with ldapsearch on the command line? – Izac Apr 19 '16 at 08:19
  • @Izac When I run `ldapsearch` with the arguments stated above it works fine. I have tried again from a fresh system but the same error persists. – silkyriver Apr 21 '16 at 10:04

1 Answer


I was getting the same error today. By using wireshark to examine the conversation between saslauthd and the LDAP server I was able to determine two things that might help you...

  1. The default filter appears to be (uid=%u)

  2. The query from saslauthd restricts the size of the result to 1 record.

In my case a search for uid=fred was returning two records from the LDAP server.

Dave
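The two observations in Dave's answer (a default filter of (uid=%u) and a result size limit of 1) can be checked with a small in-memory model of what saslauthd does before it binds: expand the ldap_filter template, run the search, and fail when more than one entry matches. The Python below is an added example for this thread, not code from the question, the answer, or the saslauthd/OpenLDAP projects. The directory entries are constructed, the function and class names (escape_filter_value, expand_filter, parse_filter, ldap_search, saslauthd_lookup, SizeLimitExceeded) are my own, and the expansion of only %u and %r plus the rejection of anything else is a simplifying assumption about saslauthd, not its real implementation. It also shows why the user name should be RFC 4515 escaped before it is substituted into the filter, so that a login name cannot alter the filter structure.

```python
"""Model of saslauthd's ldap_filter expansion and size-limited LDAP search.
Added example; the directory, helper names and limit behaviour are assumptions."""
import re

# Constructed directory snapshot: two entries share uid=fred, as in Dave's case.
DIRECTORY = [
    {"dn": "uid=fred,ou=people,dc=example,dc=com", "uid": "fred", "mailEnabled": "TRUE"},
    {"dn": "uid=fred,ou=staff,dc=example,dc=com", "uid": "fred", "mailEnabled": "FALSE"},
    {"dn": "uid=user1,ou=people,dc=example,dc=com", "uid": "user1", "mailEnabled": "TRUE"},
]


class SizeLimitExceeded(Exception):
    """Stands in for the LDAP sizeLimitExceeded result (assumed mapping)."""


def escape_filter_value(value):
    """RFC 4515 escaping: a user name must not be able to change the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape_filter_value(value):
    """Reverse the hex escapes so filter values compare against entry values."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def expand_filter(template, user, realm=""):
    """Expand %u (user) and %r (realm); %% is a literal percent sign.
    Any other token is rejected here (assumption, not saslauthd's rule)."""
    subs = {"u": escape_filter_value(user), "r": escape_filter_value(realm), "%": "%"}

    def repl(m):
        if m.group(1) not in subs:
            raise ValueError("Bad search filter: unknown token %" + m.group(1))
        return subs[m.group(1)]

    return re.sub(r"%(.)", repl, template)


def parse_filter(text):
    """Parse (&...), (|...), (!...) and (attr=value) into a nested tuple AST;
    anything else raises 'Bad search filter', the text seen in auth.log."""

    def parse(i):
        if i + 1 >= len(text) or text[i] != "(":
            raise ValueError("Bad search filter")
        i += 1
        op = text[i]
        if op in "&|!":
            i += 1
            children = []
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                children.append(node)
            bad = i >= len(text) or text[i] != ")" or not children
            if bad or (op == "!" and len(children) != 1):
                raise ValueError("Bad search filter")
            return (op, children), i + 1
        end = text.find(")", i)  # a literal ')' inside a value is escaped as \29
        if end < 0 or "=" not in text[i:end]:
            raise ValueError("Bad search filter")
        attr, value = text[i:end].split("=", 1)
        if not attr or not value:
            raise ValueError("Bad search filter")
        return ("=", attr, value), end + 1

    node, consumed = parse(0)
    if consumed != len(text):
        raise ValueError("Bad search filter")
    return node


def matches(entry, node):
    """Evaluate the AST against one entry; values compare case-insensitively."""
    if node[0] == "=":
        _, attr, value = node
        actual = entry.get(attr)
        if actual is None:
            return False
        return value == "*" or actual.lower() == unescape_filter_value(value).lower()
    op, children = node
    if op == "&":
        return all(matches(entry, c) for c in children)
    if op == "|":
        return any(matches(entry, c) for c in children)
    return not matches(entry, children[0])


def ldap_search(entries, filter_text, sizelimit=1):
    """Return matching DNs; sizelimit 0 means unlimited, as in LDAP."""
    ast = parse_filter(filter_text)
    hits = [e["dn"] for e in entries if matches(e, ast)]
    if sizelimit and len(hits) > sizelimit:
        raise SizeLimitExceeded("%d entries match, limit %d" % (len(hits), sizelimit))
    return hits


def saslauthd_lookup(entries, template, user, realm=""):
    """The search step before the bind: expand, search with sizelimit 1, and
    report the single DN or the reason the lookup failed."""
    try:
        dns = ldap_search(entries, expand_filter(template, user, realm), sizelimit=1)
    except ValueError as err:
        return ("error", str(err))
    except SizeLimitExceeded as err:
        return ("error", "too many matches: " + str(err))
    if not dns:
        return ("error", "no such user")
    return ("ok", dns[0])


if __name__ == "__main__":
    for tmpl in ("(uid=%u)", "(&(uid=%u)(mailEnabled=TRUE))", "(uid=%u"):
        print(tmpl, "->", saslauthd_lookup(DIRECTORY, tmpl, "fred"))
```

Running it shows the three outcomes side by side: the default (uid=%u) filter fails for fred because two entries match under a size limit of 1, the narrower (&(uid=%u)(mailEnabled=TRUE)) filter from the question resolves to exactly one DN, and an unbalanced template fails the same way the log line does. A user name such as `fred)(uid=*` is escaped before substitution and simply finds nothing, rather than widening the search.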