René Berber <rberber@mailandnews.com> writes:
> On Sep 2, 5:01 am, Matthew Seaman wrote:
>
> This has not much to do with sendmail, it is a cyrus-sasl problem,
> but...
>
> [snip]
>> Everything is working well, *except* for SMTP AUTH. User account
>> information, virthosts, aliases etc. all come out of LDAP, and that's
>> working fine: I can send e-mail to the system happily, and from the
>> system so long as it's from a trusted relay that doesn't have to
>> authenticate.
>>
>> The authentication data should all come out of the same LDAP database.
>> I'm happy that LDAP is working correctly, as I've got Cyrus IMAPd
>> authenticating against it, as well as using it for HTTP basic auth in
>> Apache.
>>
>> However sendmail refuses to play ball.
>
> Not true, sendmail asks whatever mechanism you configured and the
> error messages you get are from that mechanism.
Sendmail is the only SASL-enabled application that is not working.
Smells like a sendmail problem to me.
> [snip]
>> Authentication related config file stuff is pretty standard:
>>
>> TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5')dnl
>> define(`confAUTH_REALM', `thebunker.net')dnl
>> define(`confAUTH_MECHANISMS', `EXTERNAL DIGEST-MD5 CRAM-MD5')dnl
>>
>> I've tried setting up SASL to use:
>>
>> pwcheck_method: auxprop
>> auxprop_plugin: ldapdb
>> [...]
>>
>> but no dice. That gives me the following in auth.log:
>>
>> Sep 1 18:31:09 livid sm-mta[49959]: Unexpectedly missing a prompt result
>> Sep 1 18:31:09 livid sm-mta[49959]: no secret in database
>
> That message means the user is not in the database. Which database?
> that depends...
Except that the user ID is very definitely in the database, and it
works perfectly well with Cyrus IMAPd and indeed OpenLDAP both of
which are specifically using SASL authentication mechanisms.
>> So I also tried to use 'pwcheck_method: saslauthd' (which would be
>> acceptable although clearly it means the SASL EXTERNAL mechanism won't
>> be available)
>
> But in this case you are expecting LDAP to work? saslauthd uses what
> it was told to use on the parameter used to start it, did you check
> the "-a ldap" parameter? and is /usr/local/etc/saslauthd.conf set
> correctly?
Yes, thank you. As I said, *everything* about user authentication
comes out of the LDAP directory. saslauthd was configured to use LDAP
as a back end within seconds of installing it.
> [snip]
>> However trying the same smtptest results in the same 'no secret in
>> database' error as with the ldapdb auxprop_plugin, plus I cannot
>> detect that saslauthd is querying LDAP at all during this process.
>
> My guess is that saslauthd is using its own database, in /etc/sasldb2,
> but to be certain you have to check both build parameters and the
> options used to start saslauthd.
>
>> I'm missing something obvious somewhere, but I've run out of ideas as
>> to what that might be. Any clues would be gratefully received,
>> especially any debug flags for sendmail that will make it trace out
>> exactly what it is doing during the authentication process.
>
> Sasl is pretty hard to debug, be patient.
> --
> René Berber
>
Indeed.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
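As an added illustration (not part of the thread, and not cyrus-sasl's or sendmail's own code), here is a minimal CRAM-MD5 exchange, one of the mechanisms in the confAUTH_MECHANISMS line quoted above, showing why the server side needs a backend that can return the user's stored secret: a verify-only backend in the style of saslauthd can confirm a PLAIN password but cannot produce the expected HMAC, so the mechanism has no secret to compare against. The backend classes and the sample user store are constructed assumptions for the example.

```python
import hmac
import hashlib
import secrets
import time

# Constructed sample user store (hypothetical); stands in for the LDAP data.
USER_STORE = {"matthew": "correct horse battery staple"}


class AuxpropBackend:
    """Backend that hands the mechanism the stored secret, which is what an
    auxprop plugin (sasldb, ldapdb) is expected to provide for CRAM/DIGEST."""
    def __init__(self, store):
        self.store = store

    def get_secret(self, user):
        return self.store.get(user)


class SaslauthdBackend:
    """Verify-only backend: answers 'is this plaintext password right?'
    (enough for PLAIN/LOGIN) but never reveals the secret itself."""
    def __init__(self, store):
        self.store = store

    def check_plain(self, user, password):
        return self.store.get(user) == password


def make_challenge(hostname="livid.example"):
    """RFC 2195 challenge of the form '<random.timestamp@hostname>'."""
    return f"<{secrets.randbelow(10**9)}.{int(time.time())}@{hostname}>".encode()


def client_response(user, password, challenge):
    """Client side: 'user SP hex(HMAC-MD5(password, challenge))'."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}".encode()


def server_verify(response, challenge, backend):
    """Server side of CRAM-MD5. Returns (ok, diagnostic); the diagnostic
    mirrors the auth.log line seen in the thread when no secret is available."""
    try:
        user, digest = response.decode().split(" ", 1)
    except ValueError:
        return False, "malformed response"
    get_secret = getattr(backend, "get_secret", None)
    secret = get_secret(user) if get_secret else None
    if secret is None:
        return False, "no secret in database"
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    ok = hmac.compare_digest(expected, digest)  # constant-time comparison
    return ok, "ok" if ok else "authentication failed"
```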