Postfix Dovecot SASL LDAP problem

  • Markus Bajones
    Message 1 of 5 , Sep 19, 2011
      Hi,

      I'm trying to implement the following setup.

      Kerberos with LDAP-Backend. Postfix and Dovecot authenticate with Dovecot
      SASL against the Kerberos server.
      My user information (logon, name, email, etc.) is stored in the
      LDAP-directory.

      I can logon to dovecot with gssapi over dovecot sasl without any problems.
      I can query for users with the following command and get the expected
      result for users stored in ldap.

      postmap -q ccolumbus@... ldap:/etc/postfix/ldap-aliases.cf

      But when I try to send an email to any address I get the following error.

      Sep 19 11:56:32 hermes postfix/local[12260]: warning: dict_ldap_connect:
      Unable to bind to server ldap://laika.htu.tuwien.ac.at:389 with dn empty
      or implicit: -2 (Local error)

      With debuglevel = 3 in my ldap-aliases.cf I get the following log entries.

      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug: ldap_create
      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug:
      ldap_url_parse_ext(ldap://laika.htu.tuwien.ac.at:389)
      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug:
      ldap_sasl_interactive_bind_s: user selected: GSSAPI
      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug:
      ldap_int_sasl_bind: GSSAPI
      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug:
      ldap_new_connection 1 1 0
      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug:
      ldap_int_open_connection
      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug:
      ldap_connect_to_host: TCP laika.htu.tuwien.ac.at:389
      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug:
      ldap_new_socket: 14
      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug:
      ldap_prepare_socket: 14
      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug:
      ldap_connect_to_host: Trying 128.131.95.204:389
      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug:
      ldap_pvt_connect: fd: 14 tm: 10 async: 0
      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug:
      ldap_ndelay_on: 14
      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug:
      ldap_int_poll: fd: 14 tm: 10
      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug:
      ldap_is_sock_ready: 14
      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug:
      ldap_ndelay_off: 14
      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug:
      ldap_pvt_connect: 0
      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug:
      ldap_int_sasl_open: host=laika.htu.tuwien.ac.at
      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug: ldap_err2string
      Sep 19 12:07:09 hermes postfix/local[12430]: warning: dict_ldap_connect:
      Unable to bind to server ldap://laika.htu.tuwien.ac.at:389 with dn empty
      or implicit: -2 (Local error)
      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug:
      ldap_free_connection 1 1
      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug:
      ldap_send_unbind
      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug: ber_flush2:
      7 bytes to sd 14
      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug: ldap_write:
      want=7, written=7
      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug: 0000: 30
      05 02 01 01 42 00 0....B.
      Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug:
      ldap_free_connection: actually freed

      Can anybody tell me why postmap can access my ldap data and postfix can not?

      Thanks in advance.

      Markus
    • Wietse Venema
      Message 2 of 5 , Sep 19, 2011
        Markus Bajones:
        > Can anybody tell me why postmap can access my ldap data and postfix can not?

        Because you run the postmap tests as root, whereas Postfix avoids
        using root privileges all the time?

        To find out what operation fails, see the section on non-interactive
        debuggers in http://www.postfix.org/DEBUG_README.html

        Wietse
      • Markus Bajones
        Message 3 of 5 , Sep 19, 2011
          Hello Wietse,

          thank you for your reply.

          I tried to do this, but failed to get any result. Obviously Debian
          optimized the debugging symbols out of postfix. :-(

          What I did now was the following.
          In the log /var/log/auth.log I found:

          Sep 19 18:53:51 hermes postfix/postmap[5385]: GSSAPI Error: Unspecified
          GSS failure. Minor code may provide more information (Credentials cache
          file '/tmp/krb5cc_106' not found)

          As I did not have this file I symlinked /tmp/krb55cc_0 to /tmp/krb55cc_106
          for the test and ran the postmap command as the postfix user.

          /usr/sbin/postmap -q ccolumbus@... ldap:/etc/postfix/ldap-aliases.cf
          ccolumbus

          So the connection is possible with the postfix user.
          But I have no idea how to set the right configuration parameters to let the
          postfix user have access to the kerberos credentials cache and to use the
          correct file. As I don't know why postfix wants to access /tmp/krb5cc_106
          when there is only /tmp/krb5cc_0 present.


          Any hint how to do this?

          Thank you.

          Markus

          On Mon, September 19, 2011 15:09, Wietse Venema wrote:
          > Markus Bajones:
          >> Can anybody tell me why postmap can access my ldap data and postfix can
          >> not?
          >
          > Because you run the postmap tests as root, whereas Postfix avoids
          > using root privileges all the time?
          >
          > To find out what operation fails, see the section on non-interactive
          > debuggers in http://www.postfix.org/DEBUG_README.html
          >
          > Wietse
          >
        • Wietse Venema
          Message 4 of 5 , Sep 19, 2011
            Markus Bajones:
            > Hello Wietse,
            >
            > thank you for your reply.
            >
            > I tried to do this, but failed to get any result. Obviously Debian
            > optimized the debugging symbols out of postfix. :-(

            You should follow the DEBUG_README example that uses STRACE not GDB.

            > What I did now was the following.
            > In the log /var/log/auth.log I found:
            >
            > Sep 19 18:53:51 hermes postfix/postmap[5385]: GSSAPI Error: Unspecified
            > GSS failure. Minor code may provide more information (Credentials cache
            > file '/tmp/krb5cc_106' not found)
            >
            > As I did not have this file I symlinked /tmp/krb55cc_0 to /tmp/krb55cc_106
            > for the test and ran the postmap command as the postfix user.
            >
            > /usr/sbin/postmap -q ccolumbus@... ldap:/etc/postfix/ldap-aliases.cf
            > ccolumbus
            >
            > So the connection is possible with the postfix user.
            > But I have no idea how to set the right configuration parameters to let the
            > postfix user have access to the kerberos credentials cache and to use the
            > correct file. As I don't know why postfix wants to access /tmp/krb5cc_106
            > when there is only /tmp/krb5cc_0 present.
            >
            >
            > Any hint how to do this?

            Postfix does not use Kerberos. LDAP uses Kerberos. Therefore,
            there is no Postfix parameter for Kerberos.

            Wietse

            > Thank you.
            >
            > Markus
            >
            > On Mon, September 19, 2011 15:09, Wietse Venema wrote:
            > > Markus Bajones:
            > >> Can anybody tell me why postmap can access my ldap data and postfix can
            > >> not?
            > >
            > > Because you run the postmap tests as root, whereas Postfix avoids
            > > using root privileges all the time?
            > >
            > > To find out what operation fails, see the section on non-interactive
            > > debuggers in http://www.postfix.org/DEBUG_README.html
            > >
            > > Wietse
            > >
            >
            >
            >
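
Added example, not part of the thread: a triage script for the GSSAPI error quoted above. It pulls the uid out of the default file cache name in the log line (the LDAP client library, not Postfix, looks for `/tmp/krb5cc_<uid>` of the calling user) and checks whether that cache exists, is a regular file owned by that uid, and is private. The function names are assumptions of this example; the sample log line is the one from the thread, unwrapped.

```python
import os
import re
import stat

# Log lines from the thread, unwrapped onto one line each.
SAMPLE_LOG = [
    "Sep 19 18:53:51 hermes postfix/postmap[5385]: GSSAPI Error: Unspecified "
    "GSS failure. Minor code may provide more information (Credentials cache "
    "file '/tmp/krb5cc_106' not found)",
    "Sep 19 12:07:09 hermes postfix/local[12430]: dict_ldap_debug: ldap_create",
]

GSS_RE = re.compile(
    r"(?P<prog>\S+)\[(?P<pid>\d+)\]: GSSAPI Error: .*"
    r"Credentials cache file '(?P<path>[^']*krb5cc_(?P<uid>\d+))' not found"
)

def missing_ccaches(lines):
    """Return (program, uid, cache path) for each 'cache not found' error."""
    hits = []
    for line in lines:
        m = GSS_RE.search(line)
        if m:
            hits.append((m["prog"], int(m["uid"]), m["path"]))
    return hits

def inspect_ccache(path, uid):
    """List reasons why `path` is not a usable private cache for `uid`."""
    try:
        st = os.lstat(path)          # lstat: look at the link itself first
    except FileNotFoundError:
        return ["missing"]
    problems = []
    if stat.S_ISLNK(st.st_mode):
        problems.append("symlink to " + os.readlink(path))
        try:
            st = os.stat(path)       # now follow the link to its target
        except FileNotFoundError:
            return problems + ["dangling"]
    if st.st_uid != uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, uid))
    if st.st_mode & 0o077:
        problems.append("readable or writable by group/other")
    return problems

if __name__ == "__main__":
    for prog, uid, path in missing_ccaches(SAMPLE_LOG):
        print(prog, uid, path, inspect_ccache(path, uid) or ["ok"])
```
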
          • Markus Bajones
            Message 5 of 5 , Oct 4, 2011
              Hello Wietse.

              Thank you for the help.

              I found the problem to be in my dovecot config file.
              Now it is working as expected.

              Thanks.

              Markus


              On 09/19/2011 11:35 PM, Wietse Venema wrote:
              > Markus Bajones:
              >> Hello Wietse,
              >>
              >> thank you for your reply.
              >>
              >> I tried to do this, but failed to get any result. Obviously Debian
              >> optimized the debugging symbols out of postfix. :-(
              > You should follow the DEBUG_README example that uses STRACE not GDB.
              >
              >> What I did now was the following.
              >> In the log /var/log/auth.log I found:
              >>
              >> Sep 19 18:53:51 hermes postfix/postmap[5385]: GSSAPI Error: Unspecified
              >> GSS failure. Minor code may provide more information (Credentials cache
              >> file '/tmp/krb5cc_106' not found)
              >>
              >> As I did not have this file I symlinked /tmp/krb55cc_0 to /tmp/krb55cc_106
              >> for the test and ran the postmap command as the postfix user.
              >>
              >> /usr/sbin/postmap -q ccolumbus@... ldap:/etc/postfix/ldap-aliases.cf
              >> ccolumbus
              >>
              >> So the connection is possible with the postfix user.
              >> But I have no idea how to set the right configuration parameters to let the
              >> postfix user have access to the kerberos credentials cache and to use the
              >> correct file. As I don't know why postfix wants to access /tmp/krb5cc_106
              >> when there is only /tmp/krb5cc_0 present.
              >>
              >>
              >> Any hint how to do this?
              > Postfix does not use Kerberos. LDAP uses Kerberos. Therefore,
              > there is no Postfix parameter for Kerberos.
              >
              > Wietse
              >
              >> Thank you.
              >>
              >> Markus
              >>
              >> On Mon, September 19, 2011 15:09, Wietse Venema wrote:
              >>> Markus Bajones:
              >>>> Can anybody tell me why postmap can access my ldap data and postfix can
              >>>> not?
              >>> Because you run the postmap tests as root, whereas Postfix avoids
              >>> using root privileges all the time?
              >>>
              >>> To find out what operation fails, see the section on non-interactive
              >>> debuggers in http://www.postfix.org/DEBUG_README.html
              >>>
              >>> Wietse
              >>>
              >>
              >>