Red Hat Bugzilla – Bug 442817
SASL + LDAP: group_ldap_dn broken, cannot restrict access by group
Last modified: 2010-09-14 09:54:29 EDT
While upgrading from RHEL4 to RHEL5, SASL support within postfix broke.
After lots of hair pulling, the problem was reduced down to the
/etc/sasl2/smtpd.conf file, and the ldap_group_dn setting.
Previously, this setting referred to a group that the user needed to be a member
of before being allowed access, and this worked in RHEL4.
In RHEL5, the presence of this setting causes the following error:
Apr 16 19:11:35 162242-app1 saslauthd: Authentication failed for minfrin@example.com: Group member check failed (-4)
Apr 16 19:11:35 162242-app1 saslauthd: do_auth : auth failure: [u firstname.lastname@example.org] [service=smtpd] [realm=] [mech=ldap] [reason=Unknown]
Removing the ldap_group_dn setting allows anybody with a valid password to come in.
Was the LDAP server upgraded as well? I don't see any change in cyrus-sasl
related to the ldap group matching code between RHEL-4 and 5. What if you add
'ldap_group_match_method: filter' setting to the config file?
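For readers hitting the same "Group member check failed" error, the following is an added, constructed saslauthd LDAP configuration showing the suggested ldap_group_match_method: filter setting next to the group-DN directive from the report. It is not taken from the bug report or from the cyrus-sasl project. saslauthd reads these directives from its own configuration file (/etc/saslauthd.conf by default), not from the smtpd.conf that libsasl reads for the application; the server names, base DNs, group name and bind DN below are placeholders, and the group filter is an assumption about a posixGroup-style directory.

```conf
# saslauthd LDAP backend configuration (constructed example; assumed path /etc/saslauthd.conf)
# All hostnames, DNs and the group name are placeholders for this example.
ldap_servers: ldap://ldap.example.com/
ldap_bind_dn: cn=saslauthd,ou=services,dc=example,dc=com
ldap_password: REPLACE-WITH-BIND-PASSWORD
ldap_auth_method: bind
ldap_search_base: ou=people,dc=example,dc=com
ldap_filter: (uid=%u)

# Group restriction: only members of this group may authenticate.
# Leaving ldap_group_dn out (as the report notes) lets any account with a valid
# password in, so keep the restriction and change only how membership is matched.
ldap_group_dn: cn=mailusers,ou=groups,dc=example,dc=com

# "attr" (the default) compares the user's DN against ldap_group_attr on the group
# entry; "filter" instead runs an LDAP search under ldap_group_search_base using
# ldap_group_filter, which is the workaround suggested above.
ldap_group_match_method: filter
ldap_group_search_base: ou=groups,dc=example,dc=com
# Assumed filter for a posixGroup whose memberUid values are plain usernames (%u).
ldap_group_filter: (&(objectClass=posixGroup)(cn=mailusers)(memberUid=%u))
```

To confirm the restriction is in effect, test with testsaslauthd against the running saslauthd using one account inside the group and one outside it; only the first should succeed, and the failure for the second should be a group-membership failure rather than a bad password.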
Reporter, could you please reply to the previous question?