First Last Prev Next    This bug is not in your last search results.
Bug 442817 - SASL + LDAP: group_ldap_dn broken, cannot restrict access by group
SASL + LDAP: group_ldap_dn broken, cannot restrict access by group
Status: CLOSED CANTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: cyrus-sasl (Show other bugs)
5.3
All Linux
low Severity high
: rc
: ---
Assigned To: Jan F. Chadima
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-04-16 20:19 EDT by Graham Leggett
Modified: 2010-09-14 09:54 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-09-14 09:54:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Graham Leggett 2008-04-16 20:19:38 EDT 
While upgrading from RHEL4 to RHEL5, SASL support within postfix broke.

After lots of hair pulling, the problem was reduced down to the
/etc/sasl2/smtpd.conf file, and the ldap_group_dn setting.

Previously, this setting referred to a group that the user needed to be a member
of before being allowed access, and this worked in RHEL4.

In RHEL5, the presence of this setting causes the following error:

Apr 16 19:11:35 162242-app1 saslauthd[20637]: Authentication failed for minfrin@
example.com: Group member check failed (-4)
Apr 16 19:11:35 162242-app1 saslauthd[20637]: do_auth         : auth failure: [u
ser=minfrin@example.com] [service=smtpd] [realm=] [mech=ldap] [reason=Unknown]

Removing the ldap_group_dn setting allows anybody with a valid password to come in.
Comment 1 Tomas Mraz 2008-07-01 15:59:09 EDT 
Was the LDAP server upgraded as well? I don't see any change in cyrus-sasl
related to the ldap group matching code between RHEL-4 and 5. What if you add
'ldap_group_match_method: filter' setting to the config file?
Comment 2 Jan F. Chadima 2010-06-14 04:13:06 EDT 
Reporter, could you please reply to the previous question?
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.