Need pointers on saslauthd + ldap

Chong Yu Meng chongym at cymulacrum.net
Mon Sep 25 01:34:39 EDT 2006


Hi all,

Sorry if this is a long email! 

I'm trying to get my head around SASL, specifically setting up saslauthd
with LDAP as the backend. 

Environment:
============
Fedora Core 5
OpenLDAP 2.3.19-4
Cyrus SASL 2.1.21-10

Objective:
==========
I want to be able to set up and verify that Cyrus SASL is able to
authenticate successfully.

Background:
===========
User information is stored in OpenLDAP. The LDAP directory tree looks
like this:

        dc=aeonflux,dc=localdomain
                    |
           +--------+--------+
           |                 |
      o=domain1.tld     o=domain2.tld
           |
      +----+----+
      |         |
  ou=People  ou=Groups
      |
  uid=john.doe,ou=People,o=domain1.tld,dc=aeonflux,dc=localdomain
  mail: john.doe@domain1.tld

Note: I do not have IMAP installed and I want to test that saslauthd can
authenticate correctly first before I install Cyrus IMAP.

LDAP:
=====
I have set up OpenLDAP on localhost, non-SSL. I can verify that the user
exists in the directory tree:

[root at jadeblue ~]# ldapsearch -H ldap://localhost:389 -xv \
-D "cn=ldaproot,dc=aeonflux,dc=localdomain" -W \
-b "ou=People,o=domain1.tld,dc=aeonflux,dc=localdomain" \
-LLL "(mail=john.doe@domain1.tld)" uid

ldap_initialize( ldap://localhost:389 )
Enter LDAP Password:
filter: (mail=john.doe@domain1.tld)
requesting: uid
dn: uid=john.doe,ou=People,o=domain1.tld,dc=aeonflux,dc=localdomain
uid: john.doe

saslauthd:
==========
By default, Fedora Core 5 starts saslauthd with PAM as the backend, so I
had to change the startup file (/etc/sysconfig/saslauthd):
MECH=ldap

And I created the following file (/etc/saslauthd.conf):
ldap_servers: ldap://localhost/
ldap_auth_method: bind
ldap_filter: mail=%u
ldap_base: ou=People,o=domain1.tld,dc=aeonflux,dc=localdomain

Testing with testsaslauthd:
===========================
And I tried authenticating using this command:
testsaslauthd -u john.doe@domain1.tld -p pass123

I get this:
0: NO "authentication failed"

And in /var/log/messages, I get:

Sep 25 13:26:26 jadeblue saslauthd[3099]: do_auth         : auth
failure: [user=john.doe@domain1.tld] [service=imap] [realm=] [mech=ldap]
[reason=Unknown]

Questions:
==========
I'm pretty sure I am missing something here, and the clue is probably
the "[service=imap]" in the logs. I haven't installed Cyrus IMAP
(yet), so I'm not sure where the defaults are set. The thing is, I want
to verify that saslauthd can see the users in my LDAP directory before
I install Cyrus IMAP. Is this possible?


Thanks in advance, and again, sorry for the long email.




-- 
Pascal Chong 
email:  chongym at cymulacrum.net 
web:    http://cymulacrum.net
pgp:    http://cymulacrum.net/pgp/cymulacrum.asc

"Science knows no borders, because knowledge belongs to humanity, and
it is the flame that illuminates the world."

-- Louis Pasteur
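The part of this setup that is easiest to reason about offline is how saslauthd's LDAP module turns the ldap_filter line into the search it runs. The following is an added example, not code from the post or from Cyrus SASL: it parses the saslauthd.conf shown above (a constructed copy), substitutes the saslauthd filter tokens (%u for the full login name, %U and %d for the parts before and after "@", %s for the service name, %r for the realm, %% for a literal percent; these token names come from the saslauthd LDAP_SASLAUTHD documentation, while the parser and the escaping routine are this example's own), and returns the filter that would be sent to the directory. For the post's config and username it reproduces exactly the filter the working ldapsearch used, which supports the idea that the filter itself is not the problem. The example also escapes every substituted value per RFC 4515 so that a login name containing "*", "(" or ")" cannot change the filter's structure, a property any bind-search front end should have. The service name "imap" and the empty realm in the log are the values testsaslauthd sends when none are given; in this model they only influence the search if the filter references %s or %r.

```python
"""Expand a saslauthd ldap_filter template into the LDAP search filter.

Added example, not part of the original post or of Cyrus SASL. Token
names follow the saslauthd LDAP_SASLAUTHD documentation; the config
parser, escaping and parenthesis normalisation are this example's own.
"""
import re

# Constructed copy of the /etc/saslauthd.conf quoted in the post.
SAMPLE_CONF = """\
ldap_servers: ldap://localhost/
ldap_auth_method: bind
ldap_filter: mail=%u
ldap_base: ou=People,o=domain1.tld,dc=aeonflux,dc=localdomain
"""


def parse_saslauthd_conf(text):
    """Parse 'key: value' lines into a dict; blank and '#' lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed saslauthd.conf line: {line!r}")
        conf[key.strip()] = value.strip()
    return conf


def escape_filter_value(value):
    """Escape an assertion value as RFC 4515 requires (\\, *, (, ), NUL)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def expand_filter(template, user, service="imap", realm=""):
    """Substitute saslauthd tokens into an ldap_filter template.

    user    - login name exactly as the client sent it (%u)
    service - service name passed by the client; testsaslauthd sends
              "imap" unless told otherwise (%s)
    realm   - realm passed by the client, often empty (%r)
    """
    local, _, domain = user.partition("@")
    tokens = {
        "u": user,     # full login name
        "U": local,    # part before '@'
        "d": domain,   # part after '@', empty if there is none
        "s": service,
        "r": realm,
    }

    def substitute(match):
        key = match.group(1)
        if key == "%":
            return "%"
        if key not in tokens:
            raise ValueError(f"unknown ldap_filter token %{key}")
        # Every substituted value is escaped so the login name cannot
        # inject additional filter components.
        return escape_filter_value(tokens[key])

    expanded = re.sub(r"%(.)", substitute, template)
    # Normalise to the parenthesised form for display (this example's choice).
    if not expanded.startswith("("):
        expanded = f"({expanded})"
    return expanded


def describe_search(conf, user, service="imap", realm=""):
    """Return the base, filter and auth method saslauthd would use for a login."""
    return {
        "base": conf["ldap_base"],
        "filter": expand_filter(conf["ldap_filter"], user, service, realm),
        "auth_method": conf.get("ldap_auth_method", "bind"),
    }


if __name__ == "__main__":
    conf = parse_saslauthd_conf(SAMPLE_CONF)
    # The login name from the post; the "@" was obfuscated in the archive.
    print(describe_search(conf, "john.doe@domain1.tld"))
    # A login name that would be dangerous without escaping.
    print(expand_filter(conf["ldap_filter"], "x*)(uid=*"))
```

Running the block prints the search for the post's user (base ou=People,o=domain1.tld,..., filter (mail=john.doe@domain1.tld), bind auth) and then shows a hostile login name rendered harmless by escaping. A filter such as (&(uid=%U)(o=%d)) lets the same code split a john.doe@domain1.tld login into its uid and domain parts.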