Need pointers on saslauthd + ldap

Chong Yu Meng chongym at
Mon Sep 25 01:34:39 EDT 2006

Hi all,

Sorry if this is a long email! 

I'm trying to get my head around SASL, specifically setting up saslauthd
with LDAP as the backend. 

Fedora Core 5
OpenLDAP 2.3.19-4
Cyrus SASL 2.1.21-10

I want to be able to setup and verify that Cyrus SASL is able to
authenticate successfully. 

User information is stored in OpenLDAP. The LDAP directory tree looks
like this:

      |                 |
 o=domain1.tld     o=domain2.tld
      |          |
  ou=People    ou=Groups
      |
 mail: john.doe@domain1.tld

Note: I do not have IMAP installed and I want to test that saslauthd can
authenticate correctly first before I install Cyrus IMAP.

I have setup OpenLDAP on localhost, non-SSL. I can verify that the user
exists in the directory tree:

[root at jadeblue ~]# ldapsearch -H ldap://localhost:389 -xv \
-D "cn=ldaproot,dc=aeonflux,dc=localdomain" -W \
-b "ou=People,o=domain1.tld,dc=aeonflux,dc=localdomain" \
-LLL "(mail=john.doe@domain1.tld)" uid

ldap_initialize( ldap://localhost:389 )
Enter LDAP Password: 
filter: (mail=john.doe@domain1.tld)
requesting: uid 
dn: uid=john.doe,ou=People,o=domain1.tld,dc=aeonflux,dc=localdomain
uid: john.doe

By default, Fedora Core 5 starts saslauthd with PAM as the backend, so I
had to change the startup file (/etc/sysconfig/saslauthd):

And I created the following file (/etc/saslauthd.conf):

ldap_servers: ldap://localhost/
ldap_auth_method: bind
ldap_filter: mail=%u
ldap_base: ou=People,o=domain1.tld,dc=aeonflux,dc=localdomain

Testing with testsaslauthd:

And I tried authenticating using this command:

testsaslauthd -u john.doe@domain1.tld -p pass123

I get this:
0: NO "authentication failed"

And in /var/log/messages, I get:

Sep 25 13:26:26 jadeblue saslauthd[3099]: do_auth         : auth
failure: [user=john.doe@domain1.tld] [service=imap] [realm=] [mech=ldap]

I'm pretty sure I am missing something here, and the clue is probably
the "[service=imap]" in the logs. I haven't installed Cyrus IMAP (yet),
so I'm not sure where the defaults are set. The thing is, I want to
verify that saslauthd can see the users in my LDAP directory before I
install Cyrus IMAP. Is this possible?

Thanks in advance, and again, sorry for the long email.

Pascal Chong 
email:  chongym at 

"Science knows no borders, because knowledge belongs to humanity and is
the flame that illuminates the world."

-- Louis Pasteur
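As an added example (not from the original post and not Cyrus SASL's own code), the Python below shows how the %-tokens in a saslauthd ldap_filter line such as the post's `mail=%u` are filled in from the login name, realm and service, and the check a practitioner wants alongside it: every substituted value is LDAP-filter-escaped (RFC 4515) before it reaches the directory. The token meanings follow my reading of the LDAP_SASLAUTHD document shipped with Cyrus SASL and should be treated as an assumption; the function names and sample login names are mine.

```python
import re

# Characters with special meaning inside an LDAP search filter (RFC 4515)
# and their escaped forms.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value so it can only ever match literally inside a filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def expand_ldap_filter(template: str, user: str, realm: str = "", service: str = "") -> str:
    """Expand saslauthd-style %-tokens in an ldap_filter template.

    Token meanings (assumed from the LDAP_SASLAUTHD document):
      %u  full login name as handed to saslauthd
      %U  part of %u before '@'
      %d  part of %u after '@', or the realm when there is no '@'
      %r  realm        %s  service        %%  a literal '%'
    Every substituted value is escaped, so a login name cannot alter the
    structure of the filter that saslauthd sends to the directory.
    """
    local, _, domain = user.partition("@")
    tokens = {"u": user, "U": local, "d": domain or realm, "r": realm, "s": service}

    def repl(match: re.Match) -> str:
        key = match.group(1)
        if key == "%":
            return "%"
        if key not in tokens:
            raise ValueError(f"unsupported token %{key}")
        return ldap_filter_escape(tokens[key])

    return re.sub(r"%(.)", repl, template)


if __name__ == "__main__":
    # The post's case: filter "mail=%u", login name with domain, service "imap"
    # as reported in the saslauthd log line above. Sample values are constructed.
    print(expand_ldap_filter("mail=%u", "john.doe@domain1.tld", service="imap"))
    print(expand_ldap_filter("(&(mail=%u)(o=%d))", "john.doe@domain1.tld"))
    # A login name carrying filter metacharacters is neutralised, not interpreted.
    print(expand_ldap_filter("mail=%u", "john.doe*)(uid=*"))
```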