Auxpropfunc error invalid parameter supplied

Description Robert Scheck 2005-09-01 14:03:08 UTC



Description of problem:
I've the following error message in syslog (/var/log/messages) after updating to 
Rawhide and restarting saslauthd and sendmail:

[...] sendmail[18698]: auxpropfunc error invalid parameter supplied

Version-Release number of selected component (if applicable):
sendmail-8.13.4-2
cyrus-sasl-2.1.21-2
cyrus-sasl-2.1.21-3
openldap-2.2.26-1

Steps to Reproduce & how reproducible:
Every time, restart sendmail.

Actual results:
I searched the Internet a bit and only found that the problem is ldapdb 
related. When I built cyrus-sasl myself with --disable-ldapdb, the problem 
disappeared.

Expected results:
No error message in syslog! ;-)

Additional info:
I filed this bug against cyrus-sasl, because I think this problem is caused by 
cyrus-sasl and not by sendmail.


Comment 1 Nalin Dahyabhai 2005-09-01 20:11:54 UTC

The ldapdb plugin gets loaded, and I don't see any way to disable it in your
configuration without also disabling sasldb support.  As a temporary workaround,
try adding "ldapdb_uri: ldapi:///" to /usr/lib/sasl2/Sendmail.conf.


Comment 2 Nalin Dahyabhai 2005-09-01 20:17:32 UTC

I guess moving the ldapdb auxprop module into yet another subpackage is the most
workable solution.

I am trying to set up saslauthd for the XMPP server Prosody but got stuck somewhere. I used the following documentation:

  • http://blogs.mafia-server.net/nur-bahnhof/2013/12/prosody-authentification-ldapactivedirectory/
  • http://prosody.im/doc/cyrus_sasl
  • https://wiki.debian.org/InstallingProsody

My problem is that I can’t get connected. The XMPP client always gets stuck somewhere while exchanging authentication information.

Test using testsaslauthd was successful:

testsaslauthd -u theuser -p "$pw" 
0: OK "Success."

I assume this means that the /etc/saslauthd.conf file is correct in this case.

Test using sasl-sample-server/sasl-sample-client (called in different terminals and copy-pasting the S: and C: lines):

root@xmpp:~# sasl-sample-server -s "xmpp" -m plain
Forcing use of mechanism plain
Sending list of 1 mechanism(s)
S: cGxhaW4=
Waiting for client mechanism...
C: U......................=
got 'PLAIN'
sasl-sample-server: SASL Other: Password verification failed
sasl-sample-server: Starting SASL negotiation: user not found (user not found)
<terminates>

root@xmpp:~# sasl-sample-client -s xmpp -a theuser 
service=xmpp
Waiting for mechanism list from server...
S: cGxhaW4=
recieved 5 byte message
Choosing best mechanism from: plain
returning OK: theuser
Password: 
Using mechanism PLAIN
Preparing initial.
Sending initial response...
C: U......................=
Negotiation complete
Username: theuser
SSF: 0
Waiting for encoded message...

I don’t understand why testsaslauthd succeeds while the other tool combo can’t find the user.

After running /usr/sbin/saslauthd -d I found the following block in /var/log/auth.log. Maybe that’s the problem. But whatever I tried, I can’t find out what’s supplying the invalid parameter:

Dec  2 15:42:14 xmpp sasl-sample-server: auxpropfunc error invalid parameter supplied
Dec  2 15:42:14 xmpp sasl-sample-server: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
Dec  2 15:42:14 xmpp sasl-sample-server: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
Dec  2 15:42:14 xmpp sasl-sample-server: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
Dec  2 15:42:20 xmpp sasl-sample-client: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
Dec  2 15:42:20 xmpp sasl-sample-client: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
Dec  2 15:42:34 xmpp sasl-sample-server: DIGEST-MD5 common mech free

Also, I found that sasl-sample-server and sasl-sample-client use a list of several methods when used without the -m option, but in the file /usr/lib/sasl2/xmpp.conf I explicitly select the PLAIN method:

pwcheck_method: saslauthd
mech_list: PLAIN

Probably I got the wrong path, so I also copied the file to /etc/sasl/xmpp.conf and /etc/sasl2/xmpp.conf just in case. Unfortunately, I can’t find any piece of documentation which states the paths explicitly for Debian 8.

Also testsaslauthd doesn’t seem to care about the service:

root@xmpp:~# testsaslauthd -s xmpp -u theuser -p "$pw" 
0: OK "Success."
root@xmpp:~# testsaslauthd -s nonexistingservice -u theuser -p "$pw" 
0: OK "Success."

Any idea what else I can do to find the reason?

Update:

Obviously, sasl-sample-server accesses the file /etc/sasldb2 which should not happen in ldap mode, I think. Is it possible that this tool doesn’t care about configuration and that it doesn’t support ldap? Output from strace:

stat("/etc/sasldb2", {st_mode=S_IFREG|0640, st_size=12288, ...}) = 0
open("/etc/sasldb2", O_RDONLY)          = 3
fcntl(3, F_GETFD)                       = 0
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
read(3, "1a256t2010"..., 512) = 512
close(3)                                = 0

olli.bo
Posted: Tue May 19, 2009 9:58 am    Post subject: sasl ldapdb auxpropfunc error

Hi,

I have strange errors in my /var/log/auth.log:

Code:

May 19 11:40:51 silent-gabosh imap[22436]: auxpropfunc error invalid parameter supplied
May 19 11:40:51 silent-gabosh imap[22436]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
May 19 11:43:57 silent-gabosh postfix/smtpd[22478]: auxpropfunc error invalid parameter supplied
May 19 11:43:57 silent-gabosh postfix/smtpd[22478]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
May 19 11:43:58 silent-gabosh lmtpunix[22483]: auxpropfunc error invalid parameter supplied
May 19 11:43:58 silent-gabosh lmtpunix[22483]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb



I’m using LDAP authentication, which is working fine, but these errors appear every time a login is processed.

These errors come from different services authenticating over SASL (Cyrus IMAP, Postfix, …).

Has anyone an idea?

Here is my sasl config:

/etc/conf.d/saslauthd

Code:
# $Header: /var/cvsroot/gentoo-x86/dev-libs/cyrus-sasl/files/saslauthd-2.1.21.conf,v 1.2 2007/04/07 13:03:55 chtekk Exp $

# Config file for /etc/init.d/saslauthd

# Initial (empty) options.
SASLAUTHD_OPTS="-O /etc/saslauthd.conf"

# Specify the authentications mechanism.
# **NOTE** For a list see: saslauthd -v
# Since 2.1.19, add "-r" to options for old behavior,
# ie. reassemble user and realm to user@realm form.
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -a pam -r"
SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -a ldap"

# Specify the hostname for remote IMAP server.
# **NOTE** Only needed if rimap auth mechanism is used.
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -O localhost"

# Specify the number of worker processes to create.
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -n 5"

# Enable credential cache, set cache size and timeout.
# **NOTE** Size is measured in kilobytes.
#          Timeout is measured in seconds.
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -c -s 128 -t 30"

/etc/saslauthd.conf

Code:
ldap_servers: ldaps://127.0.0.1:636
ldap_search_base: ou=People,dc=gabosh,dc=net
ldap_scope: one
ldap_uidattr: uid

/etc/sasl2/smtpd.conf

Code:
pwcheck_method: saslauthd
mech_list: LOGIN PLAIN

You can find further documentation of my system here: http://doc.gabosh.net

thx

olli


SASL/PAM/LDAP is driving me crazy… that’s what I read a lot when googling for problems in this area, and what I experience myself :-S
I’m trying to get Cyrus imap working for virtual hosting on CentOS with this authorisation backend and really don’t know what’s happening.
In saslauthd I configured the LDAP search filter to use, but it looks like pam completely ignores it.

Here’s what I do for testing (done more tests but all with similar results):

[root@testserv ~]# imtest -u my.Email@testserv.mydomain.com -a my.Email@testserv.mydomain.com
WARNING: no hostname supplied, assuming localhost

S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS] testserv. Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
Please enter your password: 
C: L01 LOGIN my.Email@testserv.mydomain.com {6}
S: + go ahead
C: <omitted>
S: L01 NO Login failed: authentication failure
Authentication failed. generic failure
Security strength factor: 0
C: Q01 LOGOUT
* BYE LOGOUT received
Q01 OK Completed
Connection closed.

The LDAP entry does exist (and so does the mailbox in Cyrus):

[root@testserv ~]# ldapsearch -WxD cn=Manager,o=mydomain,c=com mail=my.Email@testserv.mydomain.com
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: mail=my.Email@testserv.mydomain.com
# requesting: ALL
#

# myuser, accounts, testserv.mydomain.com, mydomain, com
dn: uid=myuser,ou=accounts,dc=testserv.mydomain.com,o=mydomain,c=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uidNumber: 16
uid: myuser
gidNumber: 5
givenName: My
sn: Name
mail: my.Email@testserv.mydomain.com
cn: My Name
userPassword:: dYN5ebB0fXhNRn1pZllhRnJX7Uk=
shadowLastChange: 15176
homeDirectory: /dev/null

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This is what I get in /var/log/messages

Aug  2 04:00:11 testserv cyrus/imap[12514]: auxpropfunc error invalid parameter supplied 
Aug  2 04:00:19 testserv saslauthd[5926]: do_auth         : auth failure: [user=my.email@testserv.mydomain.com] [service=imap] [realm=testserv.mydomain.com] [mech=pam] [reason=PAM auth error]

… /var/adm/auth.log

Aug  2 04:00:11 testserv cyrus/imap[12514]: auxpropfunc error invalid parameter supplied 
Aug  2 04:00:11 testserv cyrus/imap[12514]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb 
Aug  2 04:00:19 testserv saslauthd[5926]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Aug  2 04:00:19 testserv saslauthd[5926]: do_auth         : auth failure: [user=my.email@testserv.mydomain.com] [service=imap] [realm=testserv.mydomain.com] [mech=pam] [reason=PAM auth error]

(AFAIK I can ignore the auxprop msg)

… and /var/log/slapd.log:

Aug  2 04:00:19 testserv slapd[5968]: conn=61 fd=27 ACCEPT from IP=127.0.0.1:51403 (IP=0.0.0.0:389) 
Aug  2 04:00:19 testserv slapd[5968]: conn=61 op=0 BIND dn="" method=128 
Aug  2 04:00:19 testserv slapd[5968]: conn=61 op=0 RESULT tag=97 err=0 text= 
Aug  2 04:00:19 testserv slapd[5968]: conn=61 op=1 SRCH base="o=mydomain,c=com" scope=2 deref=0 filter="(mail=my.Email@testserv.mydomain.com)" 
Aug  2 04:00:19 testserv slapd[5968]: conn=61 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text= 
Aug  2 04:00:19 testserv slapd[5968]: conn=61 op=2 UNBIND 
Aug  2 04:00:19 testserv slapd[5968]: conn=61 fd=27 closed 

These are the settings in /etc/imapd.conf:

sasl_mech_list: PLAIN LOGIN
sasl_pwcheck_method: saslauthd
## sasl_auxprop_plugin: sasldb
sasl_auto_transition: no

and my sasl config:

[root@testserv ~]# cat /etc/sysconfig/saslauthd 
# Directory in which to place saslauthd's listening socket, pid file, and so
# on.  This directory must already exist.
SOCKETDIR=/var/run/saslauthd

# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
MECH=pam

# Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
# for the list of accepted flags.
FLAGS="-c -r -O /etc/saslauthd.conf"

[root@testserv ~]# cat /etc/saslauthd.conf
ldap_servers: ldap://127.0.0.1/
ldap_search_base: dc=%d,o=mydomain,c=com
ldap_auth_method: bind 
#ldap_filter: (|(uid=%u)((&(mail=%u@%d)(accountStatus=active))) 
ldap_filter: (&(mail=%u@%d)(accountStatus=active)) 
ldap_debug: 1 
ldap_version: 3

The accountStatus=active is not in ldap yet, but that doesn’t make a difference since I don’t see it in the filter… that’s not the reason for the failure.
The weird thing is, I do get an error when I rename or remove /etc/saslauthd.conf, but when the file exists it seems happily ignored…

The filter in slapd.log seems to be taken from /etc/ldap.conf. Apart from some timers, that only contains:

host 127.0.0.1
base o=mydomain,c=com
pam_login_attribute mail

Commenting out the pam_login_attribute results in this filter in slapd.log:

filter="(uid=my.Email@testserv.mydomain.com)" 

Pam-imap looks like this:

[root@testserv ~]# cat /etc/pam.d/imap 
auth       required    pam_ldap.so debug
account       required    pam_ldap.so debug

#auth       sufficient   pam_unix.so likeauth nullok
#auth       sufficient  pam_ldap.so use_first_pass
#auth       required     pam_deny.so
#account    sufficient   pam_unix.so
#account    sufficient   pam_ldap.so

The commented-out stuff is because I don’t have the cyrus admin user in LDAP; that’s a Linux user. That works fine when uncommented, but I still need to play around with that a little and first I wanna get imap working.

Finally nsswitch:

[root@testserv ~]# cat /etc/nsswitch.conf 
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       nisplus or nis+         Use NIS+ (NIS version 3)
#       nis or yp               Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd: compat ldap
group:  compat ldap
shadow: compat ldap

hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus

Any info where to start looking will be greatly appreciated!

Thnx in advance
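
Added example (not part of any of the posts above): a small Python triage of the syslog lines quoted in the last post. It separates the ldapdb plugin-load messages logged by the client process (here cyrus/imap) from the saslauthd do_auth rejection, and pulls out that rejection's mech and reason fields. The sample lines are copied from that post; the function and key names are this example's own.

```python
import re
from collections import Counter

# Lines copied from the auth.log excerpt in the post above.
SAMPLE = [
    "Aug  2 04:00:11 testserv cyrus/imap[12514]: auxpropfunc error invalid parameter supplied",
    "Aug  2 04:00:11 testserv cyrus/imap[12514]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb",
    "Aug  2 04:00:19 testserv saslauthd[5926]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module",
    "Aug  2 04:00:19 testserv saslauthd[5926]: do_auth         : auth failure: [user=my.email@testserv.mydomain.com] [service=imap] [realm=testserv.mydomain.com] [mech=pam] [reason=PAM auth error]",
]

SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
PLUGIN_FAIL = re.compile(r"_sasl_plugin_load failed on (\w+) for plugin: (\S+)")
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")


def triage(lines):
    """Split SASL syslog lines into plugin-load messages and saslauthd rejections."""
    plugin_failures = Counter()      # (program, plugin, init function) -> count
    auxprop, explained = set(), set()
    auth_failures = []
    for line in lines:
        m = SYSLOG.match(line.rstrip())
        if not m:
            continue                 # not a classic syslog line
        proc = (m["prog"], m["pid"] or "")
        msg = m["msg"]
        hit = PLUGIN_FAIL.search(msg)
        if hit:
            plugin_failures[(m["prog"], hit[2], hit[1])] += 1
            explained.add(proc)
        elif msg.startswith("auxpropfunc error"):
            auxprop.add(proc)
        elif m["prog"] == "saslauthd" and "auth failure:" in msg:
            # mech names the saslauthd backend that handled the request
            auth_failures.append(dict(FIELD.findall(msg)))
    return {
        "plugin_failures": dict(plugin_failures),
        # auxpropfunc errors with no plugin-load line from the same process
        "unexplained_auxprop": sorted(auxprop - explained),
        "auth_failures": auth_failures,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```
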
