Docker-mailserver: saslauthd_ldap doesn't work in a multidomain setup

Created on 22 Jan 2020 · 10 Comments · Source: tomav/docker-mailserver

The saslauthd_ldap service launched by supervisord doesn't work in a multi-domain setup.
My use case is to connect with my full email name [email protected].

Context

The saslauthd is run with -d -a (source)
But for the domain not to be stripped from the email address as the realm, you also need to run it with -r.

Expected Behavior

When I log in to postfix with my full email address, I expect to connect correctly.

Actual Behavior

Jan 22 17:43:35 mail saslauthd[1023]: Entry not found ((&(objectClass=inetOrgPerson)(mail=dolanor)(memberof=cn=mail,ou=apps,dc=domain,dc=org,dc=multiverse))).
Jan 22 17:43:35 mail saslauthd[1023]: Authentication failed for dolanor/domain.org: User not found (-6)
Jan 22 17:43:35 mail saslauthd[1023]:                 : auth failure: [user=dolanor] [service=smtp] [realm=domain.org] [mech=ldap] [reason=Unknown]

The realm gets the domain.org but it has been stripped from user=

Possible Fix

I don't know how to fix it so that it doesn't break the people connecting just with their user id, and not their full email address. It would be great to make both behaviors possible given a flag.

enhancement frozen due to age help wanted priority 3 [LOW] question

All 10 comments

I'm not using any of these things (LDAP, saslauthd) so hopefully someone else can answer.

@dolanor hey there
Same problem here, but for me it would actually be OK to just use [email protected] for user auth. Do you have a solution using only .env or compose.yml file modification?

It looks like there's no other possibility than using "-r". Also, it doesn't make much sense to log in with a username without the email in a multi-domain setup, as there may be multiple users with the "same" username when you don't use the domain part like "domain\user".
So I would just change it so everybody needs to log in using their full email address.

@all is there any way to configure this without modifying the project or interacting with the docker manually?

@dolanor
can you send me your config?

Hey you can just modify your filter like this:

((&(objectClass=inetOrgPerson)(mail=%U@%r)(memberof=cn=mail,ou=apps,dc=domain,dc=org,dc=multiverse)))

So the domain is stripped from the user as realm, but you can reuse the realm in the search query.
In theory it should also work with %U@%d but with the latest image it stopped working for me (%d is empty).
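
The token expansion discussed in this thread, as an added example (not part of any comment above and not code from saslauthd or docker-mailserver). It is a simplified model that follows the documented meanings of %u, %U, %d and %r, including the documented fallback of %d to the realm; the "before" filter using %u and the RFC 4515 escaping step are assumptions of the model, and the sample logins are constructed.

```python
import re

# Filter shape taken from the log line in the issue. Using %u in the "before"
# filter is an assumption about the original configuration.
BASE = ("(&(objectClass=inetOrgPerson)(mail={})"
        "(memberof=cn=mail,ou=apps,dc=domain,dc=org,dc=multiverse))")
FILTER_BEFORE = BASE.format("%u")
FILTER_FIXED = BASE.format("%U@%r")

def split_login(login):
    """Split 'user@realm' into (user, realm), as happens before the lookup."""
    user, _, realm = login.partition("@")
    return user, realm

def ldap_escape(value):
    """RFC 4515 escaping so a login value cannot add filter syntax."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def expand_filter(template, login, r_flag=False):
    """Expand %u, %U, %d, %r for one login, with or without saslauthd -r."""
    user, realm = split_login(login)
    # With -r, user and realm are re-joined with '@' before the LDAP search.
    u = f"{user}@{realm}" if (r_flag and realm) else user
    local, sep, domain = u.partition("@")
    tokens = {
        "%u": u,
        "%U": local,
        "%d": domain if sep else realm,  # documented fallback to the realm
        "%r": realm,
    }
    return re.sub(r"%[uUdr]", lambda m: ldap_escape(tokens[m.group(0)]), template)

def mail_clause(expanded):
    """Return the (mail=...) clause of an expanded filter."""
    return re.search(r"\(mail=[^)]*\)", expanded).group(0)

if __name__ == "__main__":
    login = "dolanor@domain.org"  # constructed sample login
    cases = [("%u, no -r", FILTER_BEFORE, False),
             ("%u, with -r", FILTER_BEFORE, True),
             ("%U@%r, no -r", FILTER_FIXED, False),
             ("%U@%r, with -r", FILTER_FIXED, True)]
    for label, template, r_flag in cases:
        print(f"{label:16} -> {mail_clause(expand_filter(template, login, r_flag))}")
```

Only the first case produces the bare (mail=dolanor) search seen in the log; the %U@%r filter yields the full address whether or not -r is set.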

Oh good, @SnowMB, thanks for this info.
I will try on my new box where I need to migrate existing setup.

Hey you can just modify your filter like this:

((&(objectClass=inetOrgPerson)(mail=%U@%r)(memberof=cn=mail,ou=apps,dc=domain,dc=org,dc=multiverse)))

I can confirm that writing the filter like this fixes it for me! Thanks @SnowMB
Maybe we should update some wiki information?

I guess updating https://github.com/tomav/docker-mailserver/wiki/Configure-LDAP and adding a section for a configuration with an OpenLDAP LDAP instead of Zarafa, so we have something else instead of sAMAccountName.

@dolanor can you modify / add this to the wiki page? Or has this already been done?

This issue was closed due to one or more of the following reasons:

  1. Age
  2. Contributor inactivity
  3. The issue seems to be resolved

If you think this happened by accident, or feel like this issue was not actually resolved, please feel free to re-open it. If there is an issue you could resolve in the meantime, please open a PR based on the current master branch so we can review it.
