tasansga / haraka-ldap

Developing LDAP plugins for Haraka
MIT License

Host did not advertise authentication #4

Closed tiredofit closed 6 years ago

tiredofit commented 7 years ago

Doing a couple tests with your plugin - specifically trying to test authn but I can't seem to get it to issue an AUTH command.

My plugins file is simple and stripped down:

#auth/flat_file
tls
ldap
rcpt_to.in_host_list
test_queue

I am able to receive messages from mailservers to route to LDAP Users and Aliases, just not able to authenticate out. My ldap.ini contains the following. What am I missing?

[authn]
scope = sub
searchfilter = (&(objectclass=*)(uid=%u))

tasansga commented 7 years ago

Only encrypted connections receive AUTH capability, same as with standard Haraka. Did you connect with STARTTLS? If not, try connecting with openssl s_client -starttls smtp -crlf -connect $HOST:$PORT
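To confirm the behaviour described above (AUTH offered only once the session is encrypted), the following script reads the EHLO capabilities before and after STARTTLS and reports whether AUTH appears on the plaintext leg, the encrypted leg, or both. This is an added example, not code from haraka-ldap or from this thread; the host and port are whatever the reader supplies, and the EHLO replies it parses are in the form Python's smtplib returns them (first line is the server greeting, one capability per following line).

```python
"""Check on which leg of an SMTP session a server advertises AUTH.

Added example (not haraka-ldap code). Assumes only a reachable host/port;
the EHLO parsing mirrors the reply format returned by smtplib.SMTP.ehlo().
"""
import smtplib
import ssl


def parse_ehlo_capabilities(ehlo_reply: bytes) -> dict:
    """Turn the EHLO reply body into {KEYWORD: [parameters]}.

    smtplib strips the numeric codes and joins the lines with '\\n'; the
    first line is the server's greeting and carries no capability.
    """
    caps = {}
    for line in ehlo_reply.decode("ascii", errors="replace").splitlines()[1:]:
        parts = line.strip().split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps


def auth_mechanisms(caps: dict) -> list:
    """Mechanisms listed after the AUTH keyword, upper-cased; [] if absent."""
    return [m.upper() for m in caps.get("AUTH", [])]


def classify(before: list, after: list, upgraded: bool) -> str:
    """Summarise where AUTH was offered. The expected posture for a server
    that only authenticates over TLS is 'only after STARTTLS'."""
    if not upgraded:
        return "no STARTTLS offered; AUTH " + ("present" if before else "absent") + " on plaintext"
    if before and after:
        return "AUTH on both plaintext and TLS legs"
    if after:
        return "AUTH only after STARTTLS"
    if before:
        return "AUTH only on plaintext leg"
    return "AUTH never advertised"


def check_auth_advertisement(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """Connect, record AUTH before STARTTLS, upgrade, re-issue EHLO, record again."""
    result = {"before_starttls": [], "after_starttls": [], "starttls": False}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, reply = smtp.ehlo()
        result["before_starttls"] = auth_mechanisms(parse_ehlo_capabilities(reply))
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ssl.create_default_context())
            result["starttls"] = True
            # Capabilities must be re-read after the TLS upgrade (RFC 3207).
            _, reply = smtp.ehlo()
            result["after_starttls"] = auth_mechanisms(parse_ehlo_capabilities(reply))
    result["summary"] = classify(result["before_starttls"],
                                 result["after_starttls"],
                                 result["starttls"])
    return result


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 587
    print(check_auth_advertisement(host, port))
```

Run it against the Haraka listener; if the summary is "AUTH only after STARTTLS", the server is behaving as described in the comment above and the client simply has to negotiate STARTTLS before it will ever see an AUTH line.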

tiredofit commented 7 years ago

If I enable auth/flat_file as well it will issue an AUTH request and I am able to perform LDAP lookups; however, without it, it will fail.

tasansga commented 7 years ago

The ldap.ini snippet you posted doesn't contain server definitions. Did you leave them out on purpose? If not, this is what your ldap.ini should look like:

server[] = ldap://yourserver:389
binddn = uid=yourldapbinduser,dc=yourdc
bindpw = yourldapbinduserpassword
basedn = yourbasedn
scope = base

[authn]
scope = sub
searchfilter = (&(objectclass=*)(uid=%u))

Remember you need a valid bind to search for the given uid. Also, check your logs, preferably on loglevel LOGDEBUG.
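To make the ldap.ini layout discussed in this thread concrete, here is an added example (not haraka-ldap's own loader) that parses a file in that shape and expands a [authn] searchfilter for a login name. It assumes three things the thread shows but does not spell out: keys before the first [section] are top-level defaults that a section may override (scope = base at the top, scope = sub under [authn]), a key written as server[] collects repeated values into a list, and %u / %a are substituted with the user name and the address respectively. The substituted value is escaped per RFC 4515 so that a login name containing filter metacharacters cannot change the shape of the query; the sample file is constructed for the example.

```python
"""Parse an ldap.ini laid out as in this thread and expand the [authn]
searchfilter with RFC 4515 escaping.

Added example, not haraka-ldap code. Assumptions: top-level keys are
defaults, name[] keys accumulate into a list, %u = user name, %a = address.
"""
import re

# Constructed sample in the layout shown in the thread (placeholder values).
SAMPLE_INI = """\
server[] = ldap://ldap1.example.test:389
server[] = ldap://ldap2.example.test:389
binddn = cn=dsa-mail,ou=dsa,dc=example,dc=test
bindpw = constructed-placeholder
basedn = dc=example,dc=test
scope = base

[authn]
scope = sub
#searchfilter = (&(objectclass=*)(uid=%u))
searchfilter = (&(objectclass=*)(mail=%u))

[rcpt_to]
scope = sub
searchfilter = (&(objectclass=*)(mail=%a))
"""


def parse_ini(text: str) -> dict:
    """Return {section: {key: value}}; keys before any [section] go to 'main'."""
    cfg = {"main": {}}
    section = "main"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue                      # blank or comment
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1)
            cfg.setdefault(section, {})
            continue
        key, _, value = line.partition("=")   # split on the first '=' only
        key, value = key.strip(), value.strip()
        if key.endswith("[]"):
            cfg[section].setdefault(key[:-2], []).append(value)
        else:
            cfg[section][key] = value
    return cfg


def effective(cfg: dict, section: str, key: str):
    """Section value, falling back to the top-level default (assumed semantics)."""
    return cfg.get(section, {}).get(key, cfg["main"].get(key))


# RFC 4515 escaping for values placed inside a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, user: str = None, address: str = None) -> str:
    """Substitute %u and %a with escaped values; untouched tokens stay as-is."""
    out = template
    for token, val in (("%u", user), ("%a", address)):
        if val is not None:
            out = out.replace(token, escape_filter_value(val))
    return out


if __name__ == "__main__":
    cfg = parse_ini(SAMPLE_INI)
    print("servers:", cfg["main"]["server"])
    print("authn scope:", effective(cfg, "authn", "scope"),
          "basedn:", effective(cfg, "authn", "basedn"))
    print(expand_filter(cfg["authn"]["searchfilter"], user="alice@example.test"))
    print(expand_filter(cfg["authn"]["searchfilter"], user="*)(uid=*"))
```

The last print shows why the escaping matters: a login name of `*)(uid=*` becomes `\2a\29\28uid=\2a` inside the filter and is matched literally instead of being interpreted as filter syntax. Whether the plugin itself escapes substituted values is not something this thread states, so the escaping here is part of the example.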

tiredofit commented 7 years ago

I didn't want to clog this issue with too much information, but at the bottom is my ldap.ini. To reiterate, all the LDAP lookups, authz, authn, and aliases are working, however if I do not have auth_flat_file (I haven't tested any other included auth plugins) in my haraka/config/plugins file enabled it will not work.

server[] = ldap://hidden:389
binddn = cn=dsa-mailserverng,ou=dsa,ou=System,dc=hidden,dc=org
bindpw = PASSSWORD
basedn = dc=hidden,dc=org
scope = base

[authn]
scope = sub
#searchfilter = (&(objectclass=*)(uid=%u))
searchfilter = (&(objectclass=*)(mail=%u))

[authz]
scope = sub
searchfilter = (&(objectclass=*)(mail=%a))

[aliases]
scope = sub
searchfilter = (&(objectclass=fdGroupMail)(mail=%a))
attribute = member
attribute_is_dn = true
subattribute = mail

[rcpt_to]
scope = sub
searchfilter = (&(objectclass=*)(mail=%a))

Just for fun, here's a copy of plugins with it working. If I put a # in front of auth/flat_file it fails. In Debug mode nothing for LDAP appears other than "Loading ldap plugin and loading ldap.ini".


ldap
helo.checks

tls
auth/flat_file
ldap
mail_from.is_resolvable

rcpt_to.in_host_list

data.headers
#rspamd
test_queue
max_unrecognized_commands

tasansga commented 7 years ago

Could you please try to disable all LDAP ops except authn (that is, no authz, rcpt_to, aliases sections). Does authn work then?

tasansga commented 6 years ago

No further feedback after 4 weeks, probably solved, thus closing.

As a hint for others: Haraka has basically only one flow for in- and outbound. Since it isn't possible to change plugins flow dynamically some plugins simply won't work together. So, one would want, for example, haraka-ldap's aliases and rcpt_to for an MSA/outbound haraka instance, whereas authn and authz would be used for MTA/inbound.