Bug 442817 - SASL + LDAP: group_ldap_dn broken, cannot restrict access by group
Summary: SASL + LDAP: group_ldap_dn broken, cannot restrict access by group
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: cyrus-sasl
Version: 5.3
Hardware: All
OS: Linux
low
high
Target Milestone: rc
Assignee: Jan F. Chadima
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-04-17 00:19 UTC by Graham Leggett
Modified: 2010-09-14 13:54 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-09-14 13:54:29 UTC
Target Upstream Version:
Embargoed:



Description Graham Leggett 2008-04-17 00:19:38 UTC
While upgrading from RHEL4 to RHEL5, SASL support within postfix broke.

After lots of hair pulling, the problem was reduced down to the
/etc/sasl2/smtpd.conf file, and the ldap_group_dn setting.

Previously, this setting referred to a group that the user needed to be a member
of before being allowed access, and this worked in RHEL4.

In RHEL5, the presence of this setting causes the following error:

Apr 16 19:11:35 162242-app1 saslauthd[20637]: Authentication failed for minfrin@example.com: Group member check failed (-4)
Apr 16 19:11:35 162242-app1 saslauthd[20637]: do_auth         : auth failure: [user=minfrin] [service=smtpd] [realm=] [mech=ldap] [reason=Unknown]

Removing the ldap_group_dn setting allows anybody with a valid password to come in.

Comment 1 Tomas Mraz 2008-07-01 19:59:09 UTC
Was the LDAP server upgraded as well? I don't see any change in cyrus-sasl
related to the ldap group matching code between RHEL-4 and 5. What if you add
'ldap_group_match_method: filter' setting to the config file?

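For reference, an added example (not taken from this report or from the cyrus-sasl package) of the saslauthd LDAP options involved in the description and in comment 1: the group restriction with the default `attr` match method, and the `filter` method proposed in comment 1 shown commented out. The server, base DNs, group names and bind credentials are placeholders.

```ini
# Added example, not from the bug report: saslauthd LDAP_SASLAUTHD options
# (normally read from saslauthd's own LDAP config file). All DNs, the server
# and the bind password below are placeholders.
ldap_servers: ldaps://ldap.example.com/
ldap_version: 3
ldap_auth_method: bind
ldap_search_base: ou=people,dc=example,dc=com
ldap_filter: (&(objectClass=inetOrgPerson)(uid=%U))
ldap_bind_dn: cn=saslauthd,ou=services,dc=example,dc=com
ldap_bind_pw: PLACEHOLDER_BIND_PASSWORD
ldap_tls_check_peer: yes

# Authorization step. Without ldap_group_dn, every account whose bind
# succeeds is accepted, which is the open state the reporter describes
# after removing the setting.
ldap_group_dn: cn=mail-users,ou=groups,dc=example,dc=com

# Default method 'attr': saslauthd compares the authenticated user's DN
# against the values of ldap_group_attr on the group entry.
ldap_group_match_method: attr
ldap_group_attr: uniqueMember

# Alternative from comment 1: 'filter' runs a search for a matching group
# entry instead of an attribute compare. %U expands to the part of the
# login name before '@'. This variant assumes a posixGroup-style group.
# ldap_group_match_method: filter
# ldap_group_filter: (&(objectClass=posixGroup)(cn=mail-users)(memberUid=%U))
# ldap_group_search_base: ou=groups,dc=example,dc=com
# ldap_group_scope: sub
```

After changing the options, a quick way to confirm the restriction holds is `testsaslauthd -u <member> -p <password>` followed by the same call for an account that is not in the group, checking that only the first returns OK.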

Comment 2 Jan F. Chadima 2010-06-14 08:13:06 UTC
Reporter, could you please reply to the previous question?

