rriley
September 22, 2015, 5:31pm
1
Hello,
Please, I need a hint to troubleshoot the following problem. It is not clear to me why a user can successfully auth against LDAP without REALM (-r flag), and cannot with its realm or domain name.
===
root@mail:/etc/pam.d# testsaslauthd -u $USERNAME -p $PASS
0: OK "Success."
root@mail:/etc/pam.d# testsaslauthd -u $USERNAME -p $PASS -r $DOMAINNAME
0: NO "authentication failed"
OUTPUT OF AUTH.LOG
Sep 22 12:25:47 mail saslauthd[3768]: pam_unix(imap:auth): check pass; user unknown
Sep 22 12:25:47 mail saslauthd[3768]: pam_unix(imap:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 22 12:25:47 mail PAM-univentionmailcyrus[3768]: continuing as user $USERNAME
Sep 22 12:25:47 mail saslauthd[3768]: pam_ldap: error trying to bind (Invalid credentials)
Sep 22 12:25:47 mail saslauthd[3768]: pam_krb5(imap:auth): authentication failure; logname=$USERNAME uid=0 euid=0 tty= ruser= rhost=
Sep 22 12:25:49 mail saslauthd[3768]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Sep 22 12:25:49 mail saslauthd[3768]: do_auth : auth failure: [user=$USERNAME@$DOMAINNAME] [service=imap] [realm=$DOMAINNAME] [mech=pam] [reason=PAM auth error]
===
Any hints are highly appreciated. This problem is reflected on postfix smtp, cyrus-imap
Rolando Riley
troeder
September 23, 2015, 5:53am
2
On a UCS mail server, SASL is configured to work with email addresses. Please try:
testsaslauthd -u $mailPrimaryAddress -p $PASS -s smtp
To find out the correct email address to use, run:
univention-ldapsearch -LLL '(uid=$USERNAME)' mailPrimaryAddress
If you have a problem with authentication with Postfix or Cyrus, please provide their logfiles (/var/log/mail.log & /var/log/syslog).
rriley
September 23, 2015, 10:03pm
3
Hi Troeder,
Thanks for the information. That is exactly what I wanted to know.
1) If testsaslauthd should truncate the realm?
2) If testsaslauthd is using another attribute, other than uid, to match user and password.
I don't see anything wrong with the email.
root@mail:/var/log# testsaslauthd -u dibujante-1 -p $PASSWORD -s smtp
0: OK "Success."
root@mail:/var/log# univention-ldapsearch -LLL 'uid=dibujante-1' mailPrimaryAddress
dn: uid=dibujante-1,cn=users,dc=airesistemas,dc=com
mailPrimaryAddress: dibujante-1@airesistemas.com
0: root@mail:/var/log# testsaslauthd -u dibujante-1@airesistemas.com -p $PASSWORD -s smtp
0: NO "authentication failed"
root@mail:/var/log# grep dibujante-1 mail.log
Sep 22 11:36:28 mail cyrus/imap[7747]: fetching user_deny.db entry for 'dibujante-1'
Sep 22 11:36:28 mail cyrus/imap[7747]: login: localhost [::1] dibujante-1 plaintext User logged in SESSIONID=
Sep 22 11:36:28 mail cyrus/imap[7747]: fetching user_deny.db entry for 'dibujante-1'
Sep 22 11:36:34 mail cyrus/imap[7747]: USAGE dibujante-1 user: 0.000000 sys: 0.004000
Sep 22 11:37:28 mail cyrus/imap[7747]: badlogin: localhost [::1] plaintext dibujante-1@airesistemas.com SASL(-13): authentication failure: checkpass failed
Sep 22 11:38:32 mail cyrus/imap[7747]: badlogin: localhost [::1] plaintext dibujante-1@airesistemas.com SASL(-13): authentication failure: checkpass failed
Sep 22 11:38:52 mail cyrus/imap[7747]: fetching user_deny.db entry for 'dibujante-1'
Sep 22 11:38:52 mail cyrus/imap[7747]: login: localhost [::1] dibujante-1 plaintext User logged in SESSIONID=
Sep 22 11:38:52 mail cyrus/imap[7747]: fetching user_deny.db entry for 'dibujante-1'
Sep 22 11:38:59 mail cyrus/imap[7747]: USAGE dibujante-1 user: 0.000000 sys: 0.004000
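A triage helper for the pattern visible in the mail.log excerpt above, where the bare uid logs in and the uid@domain form is rejected with "checkpass failed". This is an added example, not part of the original thread; the function names are hypothetical, and the regular expressions assume the Cyrus line layout shown in that excerpt.

```python
import re
from collections import defaultdict

# Sample input: login/badlogin lines copied from the mail.log excerpt above.
SAMPLE_LOG = """\
Sep 22 11:36:28 mail cyrus/imap[7747]: login: localhost [::1] dibujante-1 plaintext User logged in SESSIONID=
Sep 22 11:37:28 mail cyrus/imap[7747]: badlogin: localhost [::1] plaintext dibujante-1@airesistemas.com SASL(-13): authentication failure: checkpass failed
Sep 22 11:38:32 mail cyrus/imap[7747]: badlogin: localhost [::1] plaintext dibujante-1@airesistemas.com SASL(-13): authentication failure: checkpass failed
Sep 22 11:38:52 mail cyrus/imap[7747]: login: localhost [::1] dibujante-1 plaintext User logged in SESSIONID=
"""

# In the excerpt, the login id comes before the mechanism on success
# and after it on failure, so each line type needs its own pattern.
LOGIN_RE = re.compile(
    r"cyrus/\w+\[\d+\]: login: \S+ \[[^\]]*\] (?P<id>\S+) (?P<mech>\S+) User logged in")
BADLOGIN_RE = re.compile(
    r"cyrus/\w+\[\d+\]: badlogin: \S+ \[[^\]]*\] (?P<mech>\S+) (?P<id>\S+) SASL\((?P<code>-?\d+)\)")


def summarize(log_text):
    """Return {uid: {"bare": [ok, fail], "with_realm": [ok, fail]}}."""
    stats = defaultdict(lambda: {"bare": [0, 0], "with_realm": [0, 0]})
    for line in log_text.splitlines():
        ok = LOGIN_RE.search(line)
        match = ok or BADLOGIN_RE.search(line)
        if not match:
            continue  # USAGE, user_deny.db lookups, other daemons
        uid, sep, _realm = match.group("id").partition("@")
        form = "with_realm" if sep else "bare"
        stats[uid][form][0 if ok else 1] += 1
    return dict(stats)


def realm_only_failures(stats):
    """uids whose bare login works while every uid@realm attempt fails."""
    return sorted(
        uid for uid, s in stats.items()
        if s["bare"][0] > 0 and s["with_realm"][0] == 0 and s["with_realm"][1] > 0)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for uid in realm_only_failures(stats):
        print(f"{uid}: bare ok={stats[uid]['bare'][0]}, "
              f"with realm failed={stats[uid]['with_realm'][1]}")
```

A uid reported by `realm_only_failures` points at how the login name with realm is being looked up rather than at a wrong password, since the same account authenticates in its bare form.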
troeder
September 24, 2015, 10:30am
4
Please make sure your password does not contain unusual or non-ASCII characters.
Then all is fine. “testsaslauthd” is not necessary for the working of the mail server.