ldapdb auxprop configuration

Lars Hanke lars at lhanke.de
Fri Jan 2 14:06:59 EST 2009


I'm trying to set up cyrus-imap using the ldapdb auxprop. I guess I've got the 
LDAP part up and running, but somehow imap does not really request 
authentication. So probably I still have something messed up in the 
configuration, which apparently has changed with respect to my last 
install a couple of years ago.

Any ideas for systematic troubleshooting are welcome.
Regards,
 - lars.

This is the sasl related part of the imap configuration:
hermod:~# grep sasl /etc/imapd.conf | grep -v '^#' | grep -v '^\s*$'
sasl_mech_list: PLAIN DIGEST-MD5 CRAM-MD5
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldaps://hel.mgr
sasl_ldapdb_id: mailadmin
sasl_ldapdb_pw: *********
sasl_ldapdb_mech: DIGEST-MD5
sasl_auto_transition: no

The following is running as expected:
hermod:~# ldapwhoami -U mailadmin -X u:cyrus -W -Y DIGEST-MD5 -H ldaps://hel.mgr
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
SASL username: u:cyrus
SASL SSF: 128
SASL data security layer installed.
dn:uid=cyrus,ou=mailbox,dc=mgr

and of course:
ldapsearch -U mailadmin -X u:cyrus -W -Y DIGEST-MD5 -b "ou=mailbox,dc=mgr" "(uid=cyrus)"
returns the password of cyrus, which is kept as plaintext inside the 
LDAP repository. ldapsearch returns the base64 encoded plain password.

However using this same password the following happens:
hermod:~# imtest -v -u cyrus -a cyrus -p imap -m DIGEST-MD5 hermod.mgr
S: * OK hermod.mgr Cyrus IMAP4 v2.2.13-Debian-2.2.13-14+b3 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID 
NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT 
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS 
AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
S: C01 OK Completed
C: A01 AUTHENTICATE DIGEST-MD5
S: + 
bm9uY2U9IlBMREhNY0JjbG1XOUt2dk5FQWQrb0R5cmZ3YjY3cHcyb1VIWHhacDE0dXc9IixyZWFsbT0iaGVybW9kLm1nciIscW9wPSJhdXRoLGF1dGgtaW50LGF1dGgtY29uZiIsY2lwaGVyPSJyYzQtNDAscmM0LTU2LHJjNCxkZXMsM2RlcyIsbWF4YnVmPTQwOTYsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M=
Please enter your password:
C: 
dXNlcm5hbWU9ImN5cnVzIixyZWFsbT0iaGVybW9kLm1nciIsbm9uY2U9IlBMREhNY0JjbG1XOUt2dk5FQWQrb0R5cmZ3YjY3cHcyb1VIWHhacDE0dXc9Iixjbm9uY2U9IkVZR2hkY1UvZy9vU0J5VkNsMkhSVWt3NWVuMTlOR3puWU9PQjZuSUpPams9IixuYz0wMDAwMDAwMSxxb3A9YXV0aC1jb25mLGNpcGhlcj1yYzQsbWF4YnVmPTEwMjQsZGlnZXN0LXVyaT0iaW1hcC9oZXJtb2QubWdyIixyZXNwb25zZT00Yjk3OWJhMTU0NWUzZDBkMTJiYWNlNjY4NTk4YjhjZA==
failure: prot layer failure

The detailed log of slapd has the following for this request:
slap_listener_activate(10):
 >>> slap_listener(ldaps:///)
conn=15 fd=24 ACCEPT from IP=172.16.6.5:53956 (IP=0.0.0.0:636)
connection_get(24): got connid=15
connection_read(24): checking for input on id=15
connection_get(24): got connid=15
connection_read(24): checking for input on id=15
connection_get(24): got connid=15
connection_read(24): checking for input on id=15
connection_get(24): got connid=15
connection_read(24): checking for input on id=15
connection_read(24): unable to get TLS client DN, error=49 id=15
conn=15 fd=24 TLS established tls_ssf=128 ssf=128
connection_get(24): got connid=15
connection_read(24): checking for input on id=15
ber_get_next
ber_get_next on fd 24 failed errno=0 (Success)
connection_closing: readying conn=15 sd=24 for close
connection_close: conn=15 sd=24
conn=15 fd=24 closed (connection lost)

So apparently imapd-ldapdb connects and establishes SSL. For the rest 
I'm unsure, but it seems like it does not talk to LDAP anymore and 
terminates, i.e. there is no authentication happening. The result is the 
same for trying telnet localhost imap2 and a login for cyrus.


More information about the Info-cyrus mailing list
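The two base64 blobs in the imtest transcript are the DIGEST-MD5 server challenge and the client's reply, and decoding them is the quickest way to see what the two sides actually negotiated before the "prot layer failure". The following is an added example, written for this page in Python and not part of the original message or of the Cyrus or SASL code: it embeds both messages verbatim from the transcript above, parses the comma-separated key=value fields (quoted values may themselves contain commas), and checks the reply against the challenge (same nonce and realm, a qop and cipher the server offered, an imap/ digest-uri). The consistency checks and the `security_layer` summary are my own choices, not a SASL library API.

```python
import base64
import re

# Server challenge and client response copied verbatim from the imtest transcript above
SERVER_CHALLENGE_B64 = (
    "bm9uY2U9IlBMREhNY0JjbG1XOUt2dk5FQWQrb0R5cmZ3YjY3cHcyb1VIWHhacDE0dXc9IixyZWFsbT0iaGVybW9kLm1nciIs"
    "cW9wPSJhdXRoLGF1dGgtaW50LGF1dGgtY29uZiIsY2lwaGVyPSJyYzQtNDAscmM0LTU2LHJjNCxkZXMsM2RlcyIsbWF4YnVm"
    "PTQwOTYsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M="
)
CLIENT_RESPONSE_B64 = (
    "dXNlcm5hbWU9ImN5cnVzIixyZWFsbT0iaGVybW9kLm1nciIsbm9uY2U9IlBMREhNY0JjbG1XOUt2dk5FQWQrb0R5cmZ3YjY3"
    "cHcyb1VIWHhacDE0dXc9Iixjbm9uY2U9IkVZR2hkY1UvZy9vU0J5VkNsMkhSVWt3NWVuMTlOR3puWU9PQjZuSUpPams9Iixu"
    "Yz0wMDAwMDAwMSxxb3A9YXV0aC1jb25mLGNpcGhlcj1yYzQsbWF4YnVmPTEwMjQsZGlnZXN0LXVyaT0iaW1hcC9oZXJtb2Qu"
    "bWdyIixyZXNwb25zZT00Yjk3OWJhMTU0NWUzZDBkMTJiYWNlNjY4NTk4YjhjZA=="
)

# One key=value pair; the value is either a quoted string (which may contain commas) or a bare token.
_PAIR = re.compile(r'([A-Za-z][\w-]*)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]*)')


def parse_digest(b64: str) -> dict:
    """Decode a base64 DIGEST-MD5 message and return its fields as a dict of strings."""
    compact = "".join(b64.split())            # transcripts wrap long lines; drop the whitespace
    compact += "=" * (-len(compact) % 4)      # tolerate padding lost in copy/paste
    raw = base64.b64decode(compact).decode("utf-8")
    fields = {}
    for key, value in _PAIR.findall(raw):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key.lower()] = value
    return fields


def check_exchange(challenge_b64: str, response_b64: str) -> list:
    """Return a list of inconsistencies between challenge and response (empty list = consistent)."""
    c = parse_digest(challenge_b64)
    r = parse_digest(response_b64)
    problems = []
    if c.get("nonce") != r.get("nonce"):
        problems.append("client answered with a different nonce than the server issued")
    if c.get("realm") and r.get("realm") != c["realm"]:
        problems.append("realm %r was not offered by the server" % r.get("realm"))
    offered_qop = {q.strip() for q in c.get("qop", "auth").split(",")}
    chosen_qop = r.get("qop", "auth")
    if chosen_qop not in offered_qop:
        problems.append("qop %r was not offered by the server" % chosen_qop)
    if chosen_qop == "auth-conf":
        offered_ciphers = {x.strip() for x in c.get("cipher", "").split(",")}
        if r.get("cipher") not in offered_ciphers:
            problems.append("cipher %r was not offered by the server" % r.get("cipher"))
    if not r.get("digest-uri", "").startswith("imap/"):
        problems.append("digest-uri %r is not an imap/ URI" % r.get("digest-uri"))
    return problems


def security_layer(response_b64: str) -> str:
    """Describe the SASL security layer the client selected in its response."""
    r = parse_digest(response_b64)
    qop = r.get("qop", "auth")
    if qop == "auth":
        return "none (authentication only)"
    if qop == "auth-int":
        return "integrity only"
    return "confidentiality, cipher %s, client maxbuf %s" % (r.get("cipher", "?"), r.get("maxbuf", "?"))


if __name__ == "__main__":
    for name, msg in (("server challenge", SERVER_CHALLENGE_B64), ("client response", CLIENT_RESPONSE_B64)):
        print(name)
        for k, v in parse_digest(msg).items():
            print("  %-10s %s" % (k, v))
    print("security layer requested:", security_layer(CLIENT_RESPONSE_B64))
    print("inconsistencies:", check_exchange(SERVER_CHALLENGE_B64, CLIENT_RESPONSE_B64) or "none")
```

Run as-is it prints every field of both messages. For the transcript above the handshake itself is consistent (same nonce, realm hermod.mgr, digest-uri imap/hermod.mgr), and the client selected qop=auth-conf with cipher rc4 and maxbuf=1024, i.e. an encrypted SASL security layer on top of the IMAP connection. That makes the layer setup after a successful digest exchange, rather than the password lookup in LDAP, a reasonable place to look next when the same settings work for ldapwhoami but imtest stops with a protection-layer error.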