Bug 442817 - SASL + LDAP: group_ldap_dn broken, cannot restrict access by group
SASL + LDAP: group_ldap_dn broken, cannot restrict access by group
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: cyrus-sasl (Show other bugs)
All Linux
low Severity high
: rc
: ---
Assigned To: Jan F. Chadima
Brian Brock
Depends On:
  Show dependency treegraph
Reported: 2008-04-16 20:19 EDT by Graham Leggett
Modified: 2010-09-14 09:54 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-09-14 09:54:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Graham Leggett 2008-04-16 20:19:38 EDT
While upgrading from RHEL4 to RHEL5, SASL support within postfix broke.

After lots of hair pulling, the problem was reduced down to the
/etc/sasl2/smtpd.conf file, and the ldap_group_dn setting.

Previously, this setting referred to a group that the user needed to be a member
of before being allowed access, and this worked in RHEL4.

In RHEL5, the presence of this setting causes the following error:

Apr 16 19:11:35 162242-app1 saslauthd[20637]: Authentication failed for minfrin@
example.com: Group member check failed (-4)
Apr 16 19:11:35 162242-app1 saslauthd[20637]: do_auth         : auth failure: [u
ser=minfrin@example.com] [service=smtpd] [realm=] [mech=ldap] [reason=Unknown]

Removing the ldap_group_dn setting allows anybody with a valid password to come in.
Comment 1 Tomas Mraz 2008-07-01 15:59:09 EDT
Was the LDAP server upgraded as well? I don't see any change in cyrus-sasl
related to the ldap group matching code between RHEL-4 and 5. What if you add
'ldap_group_match_method: filter' setting to the config file?
Comment 2 Jan F. Chadima 2010-06-14 04:13:06 EDT
Reporter, could you please reply to the previous question?

Note You need to log in before you can comment on or make changes to this bug.