Closed tiredofit closed 6 years ago
Only encrypted connections receive AUTH capability, same as with standard Haraka. Did you connect with STARTTLS? If not, try connecting with `openssl s_client -starttls smtp -crlf -connect $HOST:$PORT`
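An added example (not from this thread or from the Haraka project): a check over the EHLO replies seen before and after STARTTLS that separates "AUTH appears only once the session is encrypted" from "AUTH is never advertised", the symptom reported in this issue. The host name and the replies are constructed sample data, and the verdict labels are this example's own.

```python
import re

# One SMTP reply line: 3-digit code, "-" (more lines follow) or " " (last line), text.
_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_ehlo(reply):
    """Return {KEYWORD: [params]} for the extensions listed in a 250 EHLO reply."""
    extensions = {}
    lines = [l for l in reply.replace("\r\n", "\n").split("\n") if l]
    for index, line in enumerate(lines):
        match = _REPLY_LINE.match(line)
        if not match or match.group(1) != "250":
            raise ValueError("not a 250 EHLO reply line: %r" % line)
        if index == 0:
            continue  # first line is the server greeting, not an extension
        text = match.group(3)
        if text.upper().startswith("AUTH="):
            text = "AUTH " + text[5:]  # legacy "AUTH=LOGIN PLAIN" spelling
        words = text.split()
        if words:
            params = [w.upper() for w in words[1:]]
            extensions.setdefault(words[0].upper(), []).extend(params)
    return extensions

def classify(pre_tls_reply, post_tls_reply):
    """Compare the cleartext EHLO reply with the one sent after STARTTLS."""
    pre, post = parse_ehlo(pre_tls_reply), parse_ehlo(post_tls_reply)
    if "AUTH" in pre:
        return "auth-on-cleartext", pre["AUTH"]    # credentials offered without TLS
    if "STARTTLS" not in pre:
        return "no-starttls", []                   # tls plugin not active on this port
    if "AUTH" in post:
        return "auth-after-starttls", post["AUTH"]  # the behaviour described above
    return "auth-not-advertised", []               # no auth plugin registered AUTH

# Constructed sample replies (not captured from a real server).
_COMMON = "250-mail.example.test Hello client\r\n250-PIPELINING\r\n250-8BITMIME\r\n"
PRE_TLS = _COMMON + "250-SIZE 0\r\n250 STARTTLS\r\n"
POST_TLS_OK = _COMMON + "250-SIZE 0\r\n250 AUTH PLAIN LOGIN\r\n"
POST_TLS_NOAUTH = _COMMON + "250 SIZE 0\r\n"

if __name__ == "__main__":
    print(classify(PRE_TLS, POST_TLS_OK))
    print(classify(PRE_TLS, POST_TLS_NOAUTH))
```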
If I enable auth/flat_file as well, it will issue an AUTH request and I am able to perform LDAP lookups; however, without it, it will fail.
The ldap.ini snippet you posted doesn't contain server definitions. Did you leave them out on purpose? If not, this is what your ldap.ini should look like:
server[] = ldap://yourserver:389
binddn = uid=yourldapbinduser,dc=yourdc
bindpw = yourldapbinduserpassword
basedn = yourbasedn
scope = base
[authn]
scope = sub
searchfilter = (&(objectclass=*)(uid=%u))
Remember you need a valid bind to search for the given uid. Also, check your logs, preferably on loglevel LOGDEBUG.
I didn't want to clog this issue with too much information, but at the bottom is my ldap.ini. To reiterate, all the LDAP lookups, authz, authn, and aliases are working, however if I do not have auth_flat_file (I haven't tested any other included auth plugins) in my haraka/config/plugins file enabled it will not work.
server[] = ldap://hidden:389
binddn = cn=dsa-mailserverng,ou=dsa,ou=System,dc=hidden,dc=org
bindpw = PASSSWORD
basedn = dc=hidden,dc=org
scope = base
[authn]
scope = sub
#searchfilter = (&(objectclass=*)(uid=%u))
searchfilter = (&(objectclass=*)(mail=%u))
[authz]
scope = sub
searchfilter = (&(objectclass=*)(mail=%a))
[aliases]
scope = sub
searchfilter = (&(objectclass=fdGroupMail)(mail=%a))
attribute = member
attribute_is_dn = true
subattribute = mail
[rcpt_to]
scope = sub
searchfilter = (&(objectclass=*)(mail=%a))
Just for fun, here's a copy of plugins with it working. If I put a # in front of auth/flat_file it fails. In Debug mode nothing for LDAP appears other than "Loading ldap plugin and loading ldap.ini".
ldap
helo.checks
tls
auth/flat_file
ldap
mail_from.is_resolvable
rcpt_to.in_host_list
data.headers
#rspamd
test_queue
max_unrecognized_commands
Could you please try to disable all LDAP ops except authn (that is, no authz, rcpt_to, aliases sections). Does authn work then?
No further feedback after 4 weeks, probably solved, thus closing.
As a hint for others: Haraka has basically only one flow for in- and outbound. Since it isn't possible to change the plugin flow dynamically, some plugins simply won't work together. So, one would want, for example, haraka-ldap's aliases and rcpt_to for an MSA/outbound haraka instance, whereas authn and authz would be used for MTA/inbound.
Doing a couple tests with your plugin - specifically trying to test authn but I can't seem to get it to issue an AUTH command. My plugins is simple and stripped down:
I am able to receive messages from mailservers to route to LDAP Users and Aliases, just not able to authenticate out. My ldap.ini contains the following. What am I missing?