Hello! Dovecot uses it's own SASL implementation, doesn't it? Aug 14 23:45:23 example.com auth[10428]: GSSAPI client step 1 Aug 14 23:45:23 example.com auth[10428]: encoded packet size too big (813804546 > 65536) Aug 14 23:45:23 example.com dovecot[10085]: auth-worker(10428): Error: LDAP: Can't connect to server: ldap://ipa2.example.com Aug 14 23:45:23 example.com dovecot[10085]: auth: Error: auth worker: Aborted USER request for eugene: Lookup timed out Aug 14 23:45:23 example.com dovecot[10085]: imap: Error: auth-master: login: request [3847225345]: Login auth request failed: Internal auth failure (auth connected 60000 msecs ago, request took 60000 msecs, client-pid=10362 client-id=1) Looks like cyrus-sasl encountered same problem earlier. https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2017-March/003001.html I never have such an issue with ldapsearch. So, I assume there is a similar problem in Dovecot SASL implementation. -- Eugene Bright IT engineer Tel: + 79257289622 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: <https://dovecot.org/pipermail/dovecot/attachments/20190815/79b99bfb/attachment-0001.sig>
The next combination of parameters makes 100% LDAP connections unsuccessful (the
log snippet form the previous mail).
sasl_bind = yes
sasl_mech = gssapi
tls = yes
Looks like this combination is utterly incorrect and should be prohibited (tls
must not be used when mech is gssapi).
https://lists.fedorahosted.org/archives/list/sssd-users at
lists.fedorahosted.org/message/G7S2TOFDCM62ZUHIBWYVZIEVYXO3KYAI/
With `tls = no` errors `encoded packet size too big` becomes sporadic, but still
heart auth orepations performance.
May be there are two different problems.
Has someone encountered this problem before?
How can I help to facilitate the issue debugging?
[I] net-mail/dovecot
Installed versions: 2.3.7.1(01:58:12 08/14/19)(bzip2 caps ipv6 kerberos
ldap libressl lua lz4 lzma pam postgres sieve sqlite tcpd zlib -argon2 -doc
-lucene -managesieve -mysql -selinux -solr -static-libs -suid -textcat
-vpopmail)
On 8/15/19 12:01 AM, Eugene wrote:> Hello!
>
> Dovecot uses it's own SASL implementation, doesn't it?
>
> Aug 14 23:45:23 example.com auth[10428]: GSSAPI client step 1
> Aug 14 23:45:23 example.com auth[10428]: encoded packet size too big
(813804546 > 65536)
> Aug 14 23:45:23 example.com dovecot[10085]: auth-worker(10428): Error:
LDAP: Can't connect to server: ldap://ipa2.example.com
> Aug 14 23:45:23 example.com dovecot[10085]: auth: Error: auth worker:
Aborted USER request for eugene: Lookup timed out
> Aug 14 23:45:23 example.com dovecot[10085]: imap: Error: auth-master:
login: request [3847225345]: Login auth request failed: Internal auth failure
(auth connected 60000 msecs ago, request took 60000 msecs, client-pid=10362
client-id=1)
>
> Looks like cyrus-sasl encountered same problem earlier.
> https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2017-March/003001.html
>
> I never have such an issue with ldapsearch. So, I assume there is a similar
problem in Dovecot SASL implementation.
>
--
Eugene Bright
IT engineer
Tel: + 79257289622
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20190815/f68f4329/attachment.sig>
> On 15/08/2019 00:34 Eugene via dovecot <dovecot at dovecot.org> wrote: > > > The next combination of parameters makes 100% LDAP connections unsuccessful (the log snippet form the previous mail). > sasl_bind = yes > sasl_mech = gssapi > tls = yes > > Looks like this combination is utterly incorrect and should be prohibited (tls must not be used when mech is gssapi). > https://lists.fedorahosted.org/archives/list/sssd-users at lists.fedorahosted.org/message/G7S2TOFDCM62ZUHIBWYVZIEVYXO3KYAI/ > > With `tls = no` errors `encoded packet size too big` becomes sporadic, but still heart auth orepations performance. > May be there are two different problems. >Does the "encoded packet size too big" coincide with LDAP server connection failure? Aki> Has someone encountered this problem before? > How can I help to facilitate the issue debugging? > > [I] net-mail/dovecot > Installed versions: 2.3.7.1(01:58:12 08/14/19)(bzip2 caps ipv6 kerberos ldap libressl lua lz4 lzma pam postgres sieve sqlite tcpd zlib -argon2 -doc -lucene -managesieve -mysql -selinux -solr -static-libs -suid -textcat -vpopmail) > > On 8/15/19 12:01 AM, Eugene wrote: > > Hello! > > > > Dovecot uses it's own SASL implementation, doesn't it? > > > > Aug 14 23:45:23 example.com auth[10428]: GSSAPI client step 1 > > Aug 14 23:45:23 example.com auth[10428]: encoded packet size too big (813804546 > 65536) > > Aug 14 23:45:23 example.com dovecot[10085]: auth-worker(10428): Error: LDAP: Can't connect to server: ldap://ipa2.example.com > > Aug 14 23:45:23 example.com dovecot[10085]: auth: Error: auth worker: Aborted USER request for eugene: Lookup timed out > > Aug 14 23:45:23 example.com dovecot[10085]: imap: Error: auth-master: login: request [3847225345]: Login auth request failed: Internal auth failure (auth connected 60000 msecs ago, request took 60000 msecs, client-pid=10362 client-id=1) > > > > Looks like cyrus-sasl encountered same problem earlier. > > https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2017-March/003001.html > > > > I never have such an issue with ldapsearch. So, I assume there is a similar problem in Dovecot SASL implementation. > > > > -- > Eugene Bright > IT engineer > Tel: + 79257289622