<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7654.12">
<TITLE>saslauthd : ldaps with Active Directory not working</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<P><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">Hello,</FONT></SPAN>
</P>
<P><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">I want to achieve the following configuration:</FONT></SPAN>
</P>
<P><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">LDAPClient -- (ldap) --> OpenLDAP -- (pass-throug Authentication) --> Cyrus SASLAUTHD -- (ldaps) --> Active Directory</FONT></SPAN>
</P>
<P><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">The configuration works fine when I use LDAP between Cyrus SASLAUTHD and Active Directory.<BR>
As soon as I turn on LDAPS in the saslauthd.conf, I receive an auth failure (invalid credentials) :</FONT></SPAN>
</P>
<P><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">saslauthd[12276] :rel_accept_lock : released accept lock</FONT></SPAN>
<BR><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">saslauthd[12277] :get_accept_lock : acquired accept lock</FONT></SPAN>
<BR><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">saslauthd[12276] :do_auth : auth failure: [user=myuser@luinternal.subsidiary.bank] [service=ldap] [realm=internal.subsidiary.bank] [mech=ldap] [reason=Unknown]</FONT></SPAN></P>
<P><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">saslauthd[12276] :do_request : response: NO<BR>
</FONT></SPAN>
<BR><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">I can sucessfully bind in LDAPS with a standard LDAP Client (Like LDAP Browser/Editor 2.8.2 from Jarek Gawor)</FONT></SPAN>
<BR><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">Note that I only want to bind over an encrypted channel. No need to do client authentication against the AD LDAP.</FONT></SPAN>
<BR>
<BR><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">Here is my saslauthd.conf :</FONT></SPAN>
</P>
<P><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">ldap_servers: ldaps://internal.subsidiary.bank/</FONT></SPAN>
<BR><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">ldap_search_base: OU=Standard,OU=User_Accounts,DC=internal,DC=subsidiary,DC=bank</FONT></SPAN>
<BR><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">ldap_filter: (userPrincipalName=%u)</FONT></SPAN>
</P>
<P><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">ldap_bind_dn: CN=myuser,OU=Standard,OU=User_Accounts,DC=internal,DC=subsidiary,DC=bank</FONT></SPAN>
<BR><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">ldap_password: secret</FONT></SPAN>
<BR><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">ldap_tls_cacert_file: /tmp/cert.pem</FONT></SPAN>
</P>
<P><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">I have verified the Root CA in /tmp/cert.pem and I can successfully view it. The AD LDAP server certificate is well signed by this Root CA.</FONT></SPAN></P>
<P><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">Where am I wrong in the configuration ?</FONT></SPAN>
<BR><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">How can I enable more tracing on the saslauthd daemon ?</FONT></SPAN>
<BR>
<BR><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">All components running on Solaris 10.</FONT></SPAN>
</P>
<P><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">/usr/local/sbin/saslauthd -v</FONT></SPAN>
<BR><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">saslauthd 2.1.21</FONT></SPAN>
<BR><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">authentication mechanisms: getpwent pam rimap shadow ldap</FONT></SPAN>
<BR>
<BR>
<BR><SPAN LANG="fr-be"><FONT SIZE=2 FACE="Arial">Claude.</FONT></SPAN>
</P>
<p><span style="font-family:'Arial';font-size:8pt;">============================================</span></p>
<p><span style="font-family:'Arial';font-size:8pt;">Internet communications are not secure and therefore BGL BNP Paribas does not accept legal responsibility for the contents of this message. The information contained in this e-mail is confidential and may be legally privileged. It is intended solely for the addressee. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. Nothing in the message is capable or intended to create any legally binding obligations on either party and it is not intended to provide legal advice.</span></p>
<p><span style="font-family:'Arial';font-size:8pt;">============================================</span></p>
<p><span style="font-family:'Arial';font-size:8pt;"> </span></p></BODY>
</HTML>