Discussion:
ldapdb: error: invalid parameter supplied
Patrick Ben Koetter
2006-04-20 21:07:46 UTC
I am trying to configure the ldapdb auxprop plugin, built manually from
Cyrus-SASL.2.1.21, to authenticate against OpenLDAP, using stock RPM
openldap-2.3.19-4 from Fedora Core 5.

Authentication fails with the following errors:

Apr 20 19:50:12 laptop slapd[28454]: auxpropfunc error invalid parameter supplied
Apr 20 19:50:12 laptop slapd[28454]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb

Now I am trying to find out who "supplied" the "invalid parameter" in order to
fix it.

The OpenLDAP slaptest utility didn't report any errors on slapd.conf. Also the
log_level I've set in /usr/lib/sasl2/sample.conf didn't give me any verbose
output either when I used Cyrus SASL's server and client to test
authentication.

Any hints or ideas?

Thanks,

***@rick
Igor Brezac
2006-04-21 03:32:29 UTC
Post by Patrick Ben Koetter
I am trying to configure the ldapdb auxprop plugin, built manually from
Cyrus-SASL.2.1.21, to authenticate against OpenLDAP, using stock RPM
openldap-2.3.19-4 from Fedora Core 5.
Apr 20 19:50:12 laptop slapd[28454]: auxpropfunc error invalid parameter supplied
Apr 20 19:50:12 laptop slapd[28454]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
Now I am trying to find out who "supplied" the "invalid parameter" in order to
fix it.
The OpenLDAP slaptest utility didn't report any errors on slapd.conf. Also the
log_level I've set in /usr/lib/sasl2/sample.conf didn't give me any verbose
output either when I used Cyrus SASL's server and client to test
authentication.
Any hints or ideas?
What are the contents of sample.conf? You probably did not specify
ldapdb_uri.
--
Igor
Patrick Ben Koetter
2006-04-21 05:27:40 UTC
Post by Igor Brezac
Post by Patrick Ben Koetter
I am trying to configure the ldapdb auxprop plugin, built manually from
Cyrus-SASL.2.1.21, to authenticate against OpenLDAP, using stock RPM
openldap-2.3.19-4 from Fedora Core 5.
Apr 20 19:50:12 laptop slapd[28454]: auxpropfunc error invalid parameter supplied
Apr 20 19:50:12 laptop slapd[28454]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
Now I am trying to find out who "supplied" the "invalid parameter" in order
to fix it.
The OpenLDAP slaptest utility didn't report any errors on slapd.conf. Also
the log_level I've set in /usr/lib/sasl2/sample.conf didn't give me any
verbose output either when I used Cyrus SASL's server and client to test
authentication.
Any hints or ideas?
What are the contents of sample.conf? You probably did not specify
ldapdb_uri.
Here's the content of sample.conf:

log_level: 7
pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: PLAIN LOGIN DIGEST-MD5 CRAM-MD5
ldapdb_uri: ldap://localhost
ldapdb_id: proxyuser
ldapdb_pw: proxy_secret
ldapdb_mech: DIGEST-MD5

As you can see I did specify ldapdb_uri. I don't see anything being wrong with
the config. Do you?

Thanks,

***@rick
--
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
Igor Brezac
2006-04-21 17:22:55 UTC
Post by Patrick Ben Koetter
Post by Igor Brezac
Post by Patrick Ben Koetter
Apr 20 19:50:12 laptop slapd[28454]: auxpropfunc error invalid parameter supplied
Apr 20 19:50:12 laptop slapd[28454]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
Now I am trying to find out who "supplied" the "invalid parameter" in order
to fix it.
I missed this one earlier.

This error does not come from the sample utility. It comes from the
openldap server and is probably OK as long as you did not explicitly
configure ldapdb as the slapd auxprop plugin (if you do not have
/usr/lib/sasl2/slapd.conf you should be ok).
Post by Patrick Ben Koetter
Post by Igor Brezac
Post by Patrick Ben Koetter
The OpenLDAP slaptest utility didn't report any errors on slapd.conf. Also
the log_level I've set in /usr/lib/sasl2/sample.conf didn't give me any
verbose output either when I used Cyrus SASL's server and client to test
authentication.
Any hints or ideas?
What are the contents of sample.conf? You probably did not specify
ldapdb_uri.
log_level: 7
pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: PLAIN LOGIN DIGEST-MD5 CRAM-MD5
ldapdb_uri: ldap://localhost
ldapdb_id: proxyuser
ldapdb_pw: proxy_secret
ldapdb_mech: DIGEST-MD5
As you can see I did specify ldapdb_uri. I don't see anything being wrong with
the config. Do you?
This looks ok. What does debug of the ldap server show? Did you set up
the proxy correctly on the ldap server, ldapwhoami -Y DIGEST-MD5 -U proxyuser
-X u:user?
--
Igor
Dan Nicholson
2006-04-22 19:33:23 UTC
Dan Nicholson
2006-04-22 20:09:01 UTC
Post by Dan Nicholson
Patrick, I'm going to assume that I have the same setup as you since I
took mine entirely from the Book of Postfix. I was having the same
problems with openldap-2.3.x, but I think I've solved the problem.
The big thing was getting the regexp in /etc/openldap/slapd.conf to
work correctly. Now, ldapwhoami checks out as well as ldapdb
authorization through the cyrus-sasl client/server utilities.
I lied. That worked when I only had one user under ou=people. Now I
have two, and one authenticates and one doesn't. I'm baffled. Here's
some output trying to authenticate through ldapwhoami with the
troublesome user.

$ ldapwhoami -Y DIGEST-MD5 -U proxy -X u:dan
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Insufficient access (50)
additional info: SASL(-14): authorization failure: not authorized


And debugging output from slapd. What I don't understand is that it's
failing when trying to read attributes of the user I'm not trying to
authorize as, uid=ange. In reverse, when using -X u:ange in
ldapwhoami, it can read the attributes of uid=dan.

=> access_allowed: auth access to "uid=ange,ou=people,dc=dwcab,dc=com" "objectClass" requested
=> dn: [1] dc=dwcab,dc=com
=> acl_get: [1] matched
=> dn: [2] dc=dwcab,dc=com
=> acl_get: [2] matched
=> dn: [3] dc=dwcab,dc=com
=> acl_get: [3] matched
=> dn: [4] dc=dwcab,dc=com
=> acl_get: [4] matched
=> acl_get: [5] attr objectClass
=> acl_mask: access to entry "uid=ange,ou=people,dc=dwcab,dc=com", attr "objectClass" requested
=> acl_mask: to value by "uid=proxy,ou=auth,dc=dwcab,dc=com", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: auth access granted by read(=rscxd)
<= test_filter 6
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=0 matched="" text=""
<===slap_sasl_match: comparison returned 48
<==slap_sasl_check_authz: authzTo check returning 48
<== slap_sasl_authorized: return 48
SASL Proxy Authorize [conn=0]: proxy authorization disallowed (48)
SASL [conn=0] Failure: not authorized
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure: not authorized"

Thanks in advance for anyone that can help.

--
Dan
Dan Nicholson
2006-04-22 20:44:54 UTC
Post by Dan Nicholson
Post by Dan Nicholson
Patrick, I'm going to assume that I have the same setup as you since I
took mine entirely from the Book of Postfix. I was having the same
problems with openldap-2.3.x, but I think I've solved the problem.
The big thing was getting the regexp in /etc/openldap/slapd.conf to
work correctly. Now, ldapwhoami checks out as well as ldapdb
authorization through the cyrus-sasl client/server utilities.
I lied. That worked when I only had one user under ou=people. Now I
have two, and one authenticates and one doesn't. I'm baffled. Here's
some output trying to authenticate through ldapwhoami with the
troublesome user.
$ ldapwhoami -Y DIGEST-MD5 -U proxy -X u:dan
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Insufficient access (50)
additional info: SASL(-14): authorization failure: not authorized
Changing my proxy user authzTo to this regex solved the ldapwhoami problem.

authzTo: dn.regex:uid=[^,]*,ou=people,dc=foo,dc=com

cyrus-sasl-2.1.21 server/client utilities now work too with ldapdb.

--
Dan
Tuan Van
2006-05-06 17:47:06 UTC
Post by Dan Nicholson
Post by Dan Nicholson
Post by Dan Nicholson
Patrick, I'm going to assume that I have the same setup as you since I
took mine entirely from the Book of Postfix. I was having the same
problems with openldap-2.3.x, but I think I've solved the problem.
The big thing was getting the regexp in /etc/openldap/slapd.conf to
work correctly. Now, ldapwhoami checks out as well as ldapdb
authorization through the cyrus-sasl client/server utilities.
I lied. That worked when I only had one user under ou=people. Now I
have two, and one authenticates and one doesn't. I'm baffled. Here's
some output trying to authenticate through ldapwhoami with the
troublesome user.
$ ldapwhoami -Y DIGEST-MD5 -U proxy -X u:dan
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Insufficient access (50)
additional info: SASL(-14): authorization failure: not authorized
Changing my proxy user authzTo to this regex solved the ldapwhoami problem.
authzTo: dn.regex:uid=[^,]*,ou=people,dc=foo,dc=com
cyrus-sasl-2.1.21 server/client utilities now work too with ldapdb.
--
Dan
Does Postfix work with {CRYPT} passwords in LDAP?

TIA
Tuan

Patrick Ben Koetter
2006-04-22 21:33:59 UTC
Dan,
Post by Dan Nicholson
Post by Igor Brezac
This looks ok. What does debug of the ldap server show? Did you setup
proxy correctly on the ldap server, ldapwhoami -Y DIGEST-MD5 -U proxyuser
-X u:user?
Hi,
Patrick, I'm going to assume that I have the same setup as you since I
took mine entirely from the Book of Postfix. I was having the same
right you are and it is a real shame since I am one of the authors of the book
and I should really know how to handle this. :/ But then it's been a while
since we wrote the book and I had time to exercise my LDAP and ldapdb skills.
Post by Dan Nicholson
problems with openldap-2.3.x, but I think I've solved the problem.
The big thing was getting the regexp in /etc/openldap/slapd.conf to
work correctly. Now, ldapwhoami checks out as well as ldapdb
authorization through the cyrus-sasl client/server utilities.
ACK.

I see you posted most of your config. I will do so as well as soon I have this
all setup and going, so others can make use of it.
Post by Dan Nicholson
One thing to note is that the authorization settings have changed for
openldap-2.3. With 2.2, I was using saslAuthzTo, sasl-authz-policy
and sasl-regexp. Those have all now been changed to authzTo,
authz-policy and authz-regexp (man slapd.conf). Here is what I set in
Yep. It pays to RTFM. I was glad I did before I started.
Post by Dan Nicholson
$ tail /etc/openldap/slapd.conf
index objectClass eq
index cn eq
index mail,maildrop pres
index mailbox,quota,uidNumber,gidNumber eq
## BINDING
authz-policy to
authz-regexp
uid=(.*),cn=.*,cn=auth
ldap:///dc=foo,dc=com??sub?(&(objectclass=inetOrgPerson)(uid=$1))
The important piece differing from the Book of Postfix is that the
replacement could not be mail=$1 since the match was on uid. Without
this, ./server would give me
starting SASL negotiation: user not foundclosing connection
Hmmm, well it works here using (mail=$1).
Post by Dan Nicholson
Also, I get the "invalid parameter" error even with successful
authorization. I also checked with my old openldap-2.2 system, and it
You get the same thing with the sql plugin even if you don't use it. Many
Postfix users ask this on the mailing list, because they think they have a
real error aka misconfigured something.
Post by Dan Nicholson
happens there, too. Here's the tail from a successful ./server,
Apr 22 12:22:14 silky slapd[2265]: auxpropfunc error invalid parameter supplied
Apr 22 12:22:14 silky slapd[2265]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
Apr 22 12:22:26 silky lt-server: DIGEST-MD5 client step 2
Apr 22 12:22:26 silky lt-server: DIGEST-MD5 client step 2
Apr 22 12:22:26 silky lt-server: DIGEST-MD5 client step 3
dn: uid=proxy,ou=auth,dc=foo,dc=com
uid: proxy
objectClass: inetOrgPerson
givenName: proxy
sn: proxy
cn: proxy
userPassword: XXXXXXXXX
mail: proxy
authzTo: ldap:///ou=people,dc=foo,dc=com??sub?(objectclass=inetOrgPerson)
Hope that helps.
Yes, it did. Thanks!

***@rick
--
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
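To make the two pieces of configuration in this sub-thread concrete (the authz-regexp line in the slapd.conf tail quoted above, and the dn.regex authzTo value from Dan's earlier reply), here is an added Python model of how slapd turns a SASL identity into a directory DN and then decides proxy authorization under authz-policy to. This is example code written for this page, not OpenLDAP's implementation and not anything posted in the thread. The directory contents are constructed, the DIGEST-MD5 pseudo-DN form uid=<user>,cn=digest-md5,cn=auth and the unanchored, case-insensitive regex matching are assumptions that approximate slapd, and only the dn.exact and dn.regex authzTo forms are modelled; the real server also evaluates ACLs and performs a genuine search.

```python
import re

# Constructed sample directory (not the thread's real data): DN -> attributes.
# The proxy entry carries the dn.regex authzTo value Dan posted.
DIRECTORY = {
    "uid=proxy,ou=auth,dc=foo,dc=com": {
        "objectclass": ["inetOrgPerson"], "uid": ["proxy"],
        "authzto": ["dn.regex:uid=[^,]*,ou=people,dc=foo,dc=com"],
    },
    "uid=dan,ou=people,dc=foo,dc=com": {"objectclass": ["inetOrgPerson"], "uid": ["dan"]},
    "uid=ange,ou=people,dc=foo,dc=com": {"objectclass": ["inetOrgPerson"], "uid": ["ange"]},
}

# The authz-regexp rule from the posted slapd.conf: SASL pseudo-DN -> LDAP URL.
AUTHZ_REGEXP = [
    (r"uid=(.*),cn=.*,cn=auth",
     "ldap:///dc=foo,dc=com??sub?(&(objectclass=inetOrgPerson)(uid=$1))"),
]


def map_identity(sasl_dn, rules=AUTHZ_REGEXP):
    """authz-regexp: the first matching rule rewrites the SASL pseudo-DN, $N -> group N.
    Matching is modelled as unanchored and case-insensitive (an assumption about slapd)."""
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return sasl_dn  # no rule matched: the pseudo-DN is used unchanged


def parse_ldap_url(url):
    """ldap:///<base>?<attrs>?<scope>?<filter> -> (base, scope, filter)."""
    base, _attrs, scope, flt = url[len("ldap:///"):].split("?")[:4]
    return base, scope or "base", flt


def _parse_filter(s, i=0):
    """Tiny RFC 4515 subset: (attr=value) and (&(...)(...)). Returns (node, next index)."""
    if s[i + 1] == "&":
        i += 2
        children = []
        while s[i] == "(":
            child, i = _parse_filter(s, i)
            children.append(child)
        return ("and", children), i + 1
    j = s.index(")", i)
    attr, value = s[i + 1:j].split("=", 1)
    return ("eq", attr.lower(), value.lower()), j + 1


def _matches(node, entry):
    if node[0] == "and":
        return all(_matches(c, entry) for c in node[1])
    return node[2] in [v.lower() for v in entry.get(node[1], [])]


def _in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.endswith("," + base) and "," not in dn[:-len(base) - 1]
    return dn == base or dn.endswith("," + base)  # sub


def resolve(url, directory=DIRECTORY):
    """Run the URL search as slapd does for authz-regexp: exactly one hit, else no identity."""
    if not url.startswith("ldap:///"):
        return url if url in directory else None  # rule rewrote straight to a DN
    base, scope, flt = parse_ldap_url(url)
    node, _ = _parse_filter(flt)
    hits = [dn for dn, e in directory.items() if _in_scope(dn, base, scope) and _matches(node, e)]
    return hits[0] if len(hits) == 1 else None


def authz_allowed(authc_dn, authz_dn, directory=DIRECTORY):
    """authz-policy to: the authenticated entry's authzTo values say whom it may become."""
    for rule in directory.get(authc_dn, {}).get("authzto", []):
        if rule.startswith("dn.exact:") and rule[len("dn.exact:"):].lower() == authz_dn.lower():
            return True
        if rule.startswith("dn.regex:") and re.search(rule[len("dn.regex:"):], authz_dn, re.IGNORECASE):
            return True
    return False


def proxy_whoami(authc_sasl_dn, authz_sasl_dn, directory=DIRECTORY):
    """Model of 'ldapwhoami -Y DIGEST-MD5 -U <authc> -X u:<authz>'.
    Returns the effective DN, or None for 'user not found' / 'not authorized'."""
    authc_dn = resolve(map_identity(authc_sasl_dn), directory)
    authz_dn = resolve(map_identity(authz_sasl_dn), directory)
    if authc_dn is None or authz_dn is None:
        return None
    return authz_dn if authz_allowed(authc_dn, authz_dn, directory) else None


if __name__ == "__main__":
    for user in ("dan", "ange", "nobody"):
        print(user, "->", proxy_whoami("uid=proxy,cn=digest-md5,cn=auth",
                                       f"uid={user},cn=digest-md5,cn=auth"))
```

Run as a script, it shows the proxy user becoming dan and ange while an unknown uid resolves to nothing, and a plain user with no authzTo value is refused proxy authorization even though the mapping itself succeeds. Feeding the model a pseudo-DN that carries a realm component (uid=dan,cn=foo.com,cn=digest-md5,cn=auth) also shows that the greedy `(.*)` capture in the posted authz-regexp swallows the `cn=<realm>` part into the uid, so the lookup fails; a `[^,]*` capture, as in Dan's later authzTo value, stops at the first comma and avoids that.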
Patrick Ben Koetter
2006-04-22 21:24:21 UTC
Igor,
Post by Igor Brezac
Post by Patrick Ben Koetter
Post by Igor Brezac
Post by Patrick Ben Koetter
Apr 20 19:50:12 laptop slapd[28454]: auxpropfunc error invalid parameter supplied
Apr 20 19:50:12 laptop slapd[28454]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
Now I am trying to find out who "supplied" the "invalid parameter" in
order to fix it.
I missed this one earlier.
This error does not come from the sample utility. It comes from the
openldap server and is probably OK as long as you did not explicitly
configure ldapdb as the slapd auxprop plugin (if you do not have
/usr/lib/sasl2/slapd.conf you should be ok).
Yep, you're right. As far as I understand it, this 'error' happens when
libsasl in slapd tries to initialize all plugins it can find, when it
initializes itself. It runs over the ldapdb plugin, the plugin replies "I need
ldapdb_uri", and libsasl returns "invalid parameter" although ldapdb is never
being used for slapd.conf.

I do have slapd.conf though to limit the mechanisms as I don't have Kerberos
and want to use shared-secret mechs instead.
Post by Igor Brezac
Post by Patrick Ben Koetter
Post by Igor Brezac
Post by Patrick Ben Koetter
The OpenLDAP slaptest utility didn't report any errors on slapd.conf.
Also the log_level I've set in /usr/lib/sasl2/sample.conf didn't give me
any verbose output either when I used Cyrus SASL's server and client to
test authentication.
Any hints or ideas?
What are the contents of sample.conf? You probably did not specify
ldapdb_uri.
log_level: 7
pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: PLAIN LOGIN DIGEST-MD5 CRAM-MD5
ldapdb_uri: ldap://localhost
ldapdb_id: proxyuser
ldapdb_pw: proxy_secret
ldapdb_mech: DIGEST-MD5
As you can see I did specify ldapdb_uri. I don't see anything being wrong
with the config. Do you?
This looks ok. What does debug of the ldap server show? Did you set up
the proxy correctly on the ldap server, ldapwhoami -Y DIGEST-MD5 -U proxyuser
-X u:user?
I am a little bit further, but not done all the way (which is why it took me
some time before I started to reply to your mail).

It turns out my mapping for the proxyuser in slapd.conf had been incorrect and
the whole process of authorization and authentication didn't work from the
very beginning.

Additionally I had the authzTo attribute placed wrong...

Anyway, basic functionality is there now. There's still something that doesn't
work. I can authenticate users from ou=purchasing,ou=people,dc=example,dc=com,
but not from ou=it,ou=people,dc=example,dc=com, which really drives me crazy
at the moment, because I don't understand it, but this is a problem I will
probably take to the OpenLDAP mailing list.

Thanks for the assistance so far!

***@rick
--
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>