SASL + LDAP

Giovanni Malfarà giovanni.malfara at gmail.com
Tue Apr 13 07:38:10 EDT 2010


Hi all,
I have a problem with SASL using an LDAP backend.
I installed the following packages on a Centos 5.4 x86_64

cyrus-sasl-2.1.22-5.el5_4.3
cyrus-sasl-ldap-2.1.22-5.el5_4.3
cyrus-sasl-md5-2.1.22-5.el5_4.3
openldap-2.3.43-3.el5

I have the following /etc/saslauthd.conf

ldap_server: ldap://"my server address" :389
ldap_bind_dn: cn=Manager,dc=mycompany,dc=it
ldap_search_base: ou=People,dc=mycompany,dc=it
ldap_filter: (objectClass=inetOrgPerson)
ldap_use_sasl: yes
ldap_bind_pw: "my passwd in SSHA"
ldap_auth_method: bind
ldap_verbose: on
ldap_debug: 10
ldap_version: 3


and the following /etc/openldap/slapd.conf:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/authldap.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/radius.schema

pidfile        /var/run/slapd/slapd.pid
argsfile    /var/run/slapd/slapd.args

access to dn.base= by * read

access to dn="" by * read

access to dn.base="" by self write by * auth

access to * attrs=userPassword by self write by * write

access to attrs=shadowLastChange by self write by * read

access to * by * read by anonymous auth


loglevel    -1


schemacheck     on
idletimeout    30000
backend        bdb
database    bdb
cachesize 10000


password-hash   {CLEARTEXT}

suffix dc=mycompany,dc=it
rootdn cn=Manager,dc=mycompany,dc=it
rootpw          {SSHA}"..."

checkpoint      1024 5
directory    /var/lib/ldap

sasl-authz-policy    to
sasl-regexp
 uid=(.*),cn=.*,cn=auth
 ldap:///ou=People,dc=mycompany,dc=it??sub?(&(mail=$1)(objectClass=inetOrgPerson))

# Indices to maintain
index objectClass                   eq
index cn                            pres,sub,eq
index sn                            pres,sub,eq
index uid                           pres,sub,eq
index displayName                   pres,sub,eq
index uidNumber                     eq
index gidNumber                     eq
index memberUID                     eq
index sambaSID                      eq
index sambaPrimaryGroupSID          eq
index sambaDomainName               eq
index mail,maildrop                pres
index mailbox,quota                eq
index default                       sub

TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/servercrt.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
TLSVerifyClient demand

When I try this:
testsaslauthd -u test@mycompany.it -p test

I get in openldap.log:

Apr 13 13:33:47 ldap slapd[904]: conn=2657 fd=22 ACCEPT from IP=127.0.0.1:38506 (IP=0.0.0.0:389)
Apr 13 13:33:47 ldap slapd[904]: conn=2657 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Apr 13 13:33:47 ldap slapd[904]: conn=2657 op=0 SRCH attr=supportedSASLMechanisms
Apr 13 13:33:47 ldap slapd[904]: conn=2657 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 13 13:33:47 ldap slapd[904]: conn=2657 op=1 BIND dn="" method=163
Apr 13 13:33:47 ldap slapd[904]: conn=2657 op=1 RESULT tag=97 err=14 text=
Apr 13 13:33:47 ldap slapd[904]: conn=2657 op=2 BIND dn="" method=163
Apr 13 13:33:47 ldap slapd[904]: SASL [conn=2657] Failure: no secret in database
Apr 13 13:33:47 ldap slapd[904]: conn=2657 op=2 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database

and in the output of "saslauthd -d":

saslauthd[15464] :main            : num_procs  : 5
saslauthd[15464] :main            : mech_option: NULL
saslauthd[15464] :main            : run_path   : /var/run/saslauthd/
saslauthd[15464] :main            : auth_mech  : ldap
saslauthd[15464] :ipc_init        : using accept lock file: /var/run/saslauthd//mux.accept
saslauthd[15464] :detach_tty      : master pid is: 0
saslauthd[15464] :ipc_init        : listening on socket: /var/run/saslauthd//mux
saslauthd[15464] :main            : using process model
saslauthd[15465] :get_accept_lock : acquired accept lock
saslauthd[15464] :have_baby       : forked child: 15465
saslauthd[15464] :have_baby       : forked child: 15466
saslauthd[15464] :have_baby       : forked child: 15467
saslauthd[15464] :have_baby       : forked child: 15468
saslauthd[15465] :rel_accept_lock : released accept lock
request done: ld 0x153e2880 msgid 1
request done: ld 0x153e2880 msgid 2
saslauthd[15466] :get_accept_lock : acquired accept lock
request done: ld 0x153e2880 msgid 3
saslauthd[15465] :do_auth         : auth failure: [user=test@mycompany.it] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
saslauthd[15465] :do_request      : response: NO


What's wrong? I have searched everywhere but found nothing.

Thanks in advance!
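The saslauthd.conf and the slapd.conf ACLs quoted above, as an added example that is not part of the original post nor code from Cyrus SASL or OpenLDAP: a small Python checker that parses a saslauthd.conf and the "access to" directives of a slapd.conf and reports the points a reviewer would raise about these settings. It relies on two facts about the software: saslauthd's ldap_bind_pw must be the plaintext password of ldap_bind_dn (a stored {SSHA} hash is just a wrong password), and slapd evaluates the "by" clauses of one directive in order and takes the first whose subject matches, so "by * read" followed by "by anonymous auth" leaves the second clause dead, and "by * write" on userPassword lets any client, anonymous included, replace any password. The two embedded configs are constructed copies of the posted ones with the placeholders filled in (the host name ldap.mycompany.it and the {SSHA} value are made up); the finding texts are the checker's own wording.

```python
"""Lint a saslauthd.conf and the 'access to' directives of a slapd.conf.
Added example, not code from the original post or from Cyrus SASL/OpenLDAP.
The embedded configs are constructed copies of the posted ones; the server
name and the {SSHA} value are made up."""
import re

# Constructed copy of the posted /etc/saslauthd.conf (placeholders filled in).
SASLAUTHD_CONF = """\
ldap_server: ldap://ldap.mycompany.it:389
ldap_bind_dn: cn=Manager,dc=mycompany,dc=it
ldap_search_base: ou=People,dc=mycompany,dc=it
ldap_filter: (objectClass=inetOrgPerson)
ldap_use_sasl: yes
ldap_bind_pw: {SSHA}2aDk7Kd7fW0s5Q2uVZ3Sm1yLk0dXq4pA
ldap_auth_method: bind
ldap_version: 3
"""

# Constructed copy of the posted ACL block from slapd.conf.
SLAPD_ACLS = """\
access to dn.base= by * read
access to dn="" by * read
access to dn.base="" by self write by * auth
access to * attrs=userPassword by self write by * write
access to attrs=shadowLastChange by self write by * read
access to * by * read by anonymous auth
"""

HASH_PREFIX = re.compile(r"^\{(SSHA|SHA|SMD5|MD5|CRYPT)\}", re.I)
USER_TOKENS = ("%u", "%U", "%d", "%r")   # tokens saslauthd substitutes in ldap_filter


def parse_saslauthd_conf(text):
    """saslauthd.conf is one 'key: value' per line; a repeated key overrides."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def check_saslauthd(cfg):
    findings = []
    if HASH_PREFIX.match(cfg.get("ldap_bind_pw", "")):
        findings.append("ldap_bind_pw: must be the plaintext password of ldap_bind_dn; "
                        "a stored {SSHA} hash is just a wrong password")
    filt = cfg.get("ldap_filter", "")
    if cfg.get("ldap_auth_method", "bind") == "bind" and not any(t in filt for t in USER_TOKENS):
        findings.append("ldap_filter: no user token (%u/%U/%d/%r), so the user search "
                        "matches every entry instead of the one logging in")
    if cfg.get("ldap_use_sasl", "no").lower() == "yes":
        findings.append("ldap_use_sasl: binds go through a SASL mechanism such as DIGEST-MD5, "
                        "which needs a cleartext secret on the server side; a hashed "
                        "userPassword yields 'no secret in database'")
    if cfg.get("ldap_server", "").startswith("ldap://") and cfg.get("ldap_start_tls", "no").lower() != "yes":
        findings.append("ldap_server: plain ldap:// without ldap_start_tls; simple binds "
                        "send passwords in cleartext")
    return findings


def parse_slapd_acls(text):
    """Return [(what, [(who, level), ...]), ...] for each 'access to' directive."""
    acls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("access to"):
            continue
        parts = re.split(r"\s+by\s+", line[len("access to"):].strip())
        bys = []
        for clause in parts[1:]:
            tokens = clause.split()
            bys.append((tokens[0], tokens[1] if len(tokens) > 1 else ""))
        acls.append((parts[0], bys))
    return acls


def check_acls(acls):
    findings = []
    for n, (what, bys) in enumerate(acls, 1):
        if what.endswith("="):
            findings.append(f"acl {n}: target '{what}' has an empty selector value")
        if "userPassword" in what:
            for who, level in bys:
                if who in ("*", "anonymous", "users") and level in ("write", "manage"):
                    findings.append(f"acl {n}: 'by {who} {level}' lets any client replace "
                                    "userPassword; use 'by self write by anonymous auth by * none'")
        # slapd takes the first 'by' clause whose subject matches, and '*' matches everyone,
        # so every clause after 'by *' is dead.
        for i, (who, level) in enumerate(bys):
            if who == "*" and i < len(bys) - 1:
                dead = " ".join(f"by {w} {l}" for w, l in bys[i + 1:])
                findings.append(f"acl {n}: '{dead}' is unreachable after 'by * {level}'")
                break
    return findings


if __name__ == "__main__":
    for f in check_saslauthd(parse_saslauthd_conf(SASLAUTHD_CONF)) + check_acls(parse_slapd_acls(SLAPD_ACLS)):
        print("-", f)
```

Run as a script it prints one line per finding for the constructed copies. One caveat the checker cannot see from the files alone: the posted slapd.conf sets password-hash {CLEARTEXT}, but that directive only governs passwords set afterwards through the Password Modify extended operation; userPassword values already stored as {SSHA} stay hashed, and the rootpw is stored as {SSHA} regardless, so neither can serve as the cleartext secret a DIGEST-MD5 bind needs.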



