Need pointers on saslauthd + ldap

Simon Matter simon.matter at ch.sauter-bc.com
Mon Sep 25 01:47:00 EDT 2006


> Hi all,
>
> Sorry if this is a long email!
>
> I'm trying to get my head around SASL, specifically setting up saslauthd
> with LDAP as the backend.
>
> Environment:
> ============
> Fedora Core 5
> OpenLDAP 2.3.19-4
> Cyrus SASL 2.1.21-10
>
> Objective:
> ==========
> I want to be able to set up and verify that Cyrus SASL is able to
> authenticate successfully.
>
> Background:
> ===========
> User information is stored in OpenLDAP. The LDAP directory tree looks
> like this:
>
> 	dc=aeonflux,dc=localdomain
> 		|
> 	   +----+----------+
> 	   |               |
> 	o=domain1.tld   o=domain2.tld
> 	   |
>       +----+----+
>       |         |
>   ou=People   ou=Groups
>       |
> uid=john.doe,ou=People,o=domain1.tld,dc=aeonflux,dc=localdomain
> mail: john.doe at domain1.tld
>
> Note: I do not have IMAP installed and I want to test that saslauthd can
> authenticate correctly first before I install Cyrus IMAP.
>
> LDAP:
> =====
> I have set up OpenLDAP on localhost, non-SSL. I can verify that the user
> exists in the directory tree:
>
> [root at jadeblue ~]# ldapsearch -H ldap://localhost:389 -xv \
> -D "cn=ldaproot,dc=aeonflux,dc=localdomain" -W \
> -b "ou=People,o=domain1.tld,dc=aeonflux,dc=localdomain" \
> -LLL "(mail=john.doe at domain1.tld)" uid
>
> ldap_initialize( ldap://localhost:389 )
> Enter LDAP Password:
> filter: (mail=john.doe at domain1.tld)
> requesting: uid
> dn: uid=john.doe,ou=People,o=domain1.tld,dc=aeonflux,dc=localdomain
> uid: john.doe
>
> saslauthd:
> ==========
> By default, Fedora Core 5 starts saslauthd with PAM as the backend, so I
> had to change the startup file (/etc/sysconfig/saslauthd):
> MECH=ldap
>
> And I created the following file (/etc/saslauthd.conf):
> ldap_servers: ldap://localhost/
> ldap_auth_method: bind
> ldap_filter: mail=%u
> ldap_base: ou=People,o=domain1.tld,dc=aeonflux,dc=localdomain
    ^^^^^

Try:
ldap_search_base: ou=People,o=domain1.tld,dc=aeonflux,dc=localdomain

Simon

>
> Testing with testsaslauthd:
> ===========================
> And I tried authenticating using this command:
> testsaslauthd -u john.doe at domain1.tld -p pass123
>
> I get this:
> 0: NO "authentication failed"
>
> And in /var/log/messages, I get:
>
> Sep 25 13:26:26 jadeblue saslauthd[3099]: do_auth         : auth
> failure: [user=john.doe at domain1.tld] [service=imap] [realm=] [mech=ldap]
> [reason=Unknown]
>
> Questions:
> ==========
> I'm pretty sure I am missing something here, and the clue is probably
> the "[service=imap]" in the logs. I haven't installed Cyrus IMAP
> (yet), so I'm not sure where the defaults are set. The thing
> is, I want to verify that saslauthd can see the users in my LDAP
> directory before I install Cyrus IMAP. Is this possible?
>
>
> Thanks in advance, and again, sorry for the long email.
>
>
>
>
> --
> Pascal Chong
> email:  chongym at cymulacrum.net
> web:    http://cymulacrum.net
> pgp:    http://cymulacrum.net/pgp/cymulacrum.asc
>
> "Science knows no borders because knowledge belongs to humanity,
> and it is the flame that illuminates the world."
>
> -- Louis Pasteur
>
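As an added example (not from this thread and not Cyrus SASL code), a small checker for a bind-mode saslauthd.conf: it flags keys the ldap backend does not know, such as ldap_base, expands the %u token of ldap_filter with RFC 4515 escaping, and builds the ldapsearch call that reproduces the DN lookup saslauthd performs before it binds as the found DN. The known-option list is a subset taken from the LDAP_SASLAUTHD documentation, the sample config is constructed from the post, and the escaping step is this example's own precaution, not a statement about what saslauthd itself does.

```python
import re
import shlex

KNOWN_OPTIONS = {  # bind-mode subset, from the LDAP_SASLAUTHD documentation
    "ldap_servers", "ldap_bind_dn", "ldap_bind_pw", "ldap_version", "ldap_scope",
    "ldap_search_base", "ldap_auth_method", "ldap_filter", "ldap_password_attr",
    "ldap_start_tls", "ldap_tls_check_peer", "ldap_tls_cacert_file",
}

# Constructed sample reproducing the post's config, misspelled key included.
SAMPLE_CONF = """\
ldap_servers: ldap://localhost/
ldap_auth_method: bind
ldap_filter: mail=%u
ldap_base: ou=People,o=domain1.tld,dc=aeonflux,dc=localdomain
"""

def parse_conf(text):
    """Parse 'key: value' lines, skipping blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf

def check_conf(conf):
    """Flag unknown keys (hinting a known key with the same word) and a missing base."""
    problems = []
    for key in conf:
        if key not in KNOWN_OPTIONS:
            word = key[5:] if key.startswith("ldap_") else key
            hints = sorted(k for k in KNOWN_OPTIONS if word in k)
            problems.append("unknown option %r" % key
                            + (", did you mean %r?" % hints[0] if hints else ""))
    if "ldap_search_base" not in conf:
        problems.append("ldap_search_base is not set, so the search has no base DN")
    return problems

def escape_filter_value(value):
    """RFC 4515 escaping so a user name cannot alter the filter's structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def expand_filter(template, user):
    """Expand %u (the whole -u string when no realm is given) and %% in ldap_filter."""
    safe = escape_filter_value(user)
    return re.sub(r"%([%u])", lambda m: "%" if m.group(1) == "%" else safe, template)

def ldapsearch_command(conf, user):
    """ldapsearch call equivalent to saslauthd's DN lookup before the bind."""
    return " ".join(shlex.quote(a) for a in [
        "ldapsearch", "-x", "-LLL", "-H", conf.get("ldap_servers", ""), "-b",
        conf.get("ldap_search_base", ""), expand_filter(conf.get("ldap_filter", ""), user), "dn"])
```

Run the printed ldapsearch command with the same filter and base before testsaslauthd; if it returns no dn, saslauthd has nothing to bind as and will log the same "authentication failed".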

