Need pointers on saslauthd + ldap
Simon Matter
simon.matter at ch.sauter-bc.com
Mon Sep 25 01:47:00 EDT 2006
> Hi all,
>
> Sorry if this is a long email!
>
> I'm trying to get my head around SASL, specifically setting up saslauthd
> with LDAP as the backend.
>
> Environment:
> ============
> Fedora Core 5
> OpenLDAP 2.3.19-4
> Cyrus SASL 2.1.21-10
>
> Objective:
> ==========
> I want to be able to setup and verify that Cyrus SASL is able to
> authenticate successfully.
>
> Background:
> ===========
> User information is stored in OpenLDAP. The LDAP directory tree looks
> like this:
>
> dc=aeonflux,dc=localdomain
>             |
>       +-----+----------+
>       |                |
> o=domain1.tld     o=domain2.tld
>       |
>    +--+------+
>    |         |
> ou=People  ou=Groups
>    |
> uid=john.doe,ou=People,o=domain1.tld,dc=aeonflux,dc=localdomain
> mail: john.doe@domain1.tld
>
> Note: I do not have IMAP installed and I want to test that saslauthd can
> authenticate correctly first before I install Cyrus IMAP.
>
> LDAP:
> =====
> I have setup OpenLDAP on localhost, non-SSL. I can verify that the user
> exists in the directory tree:
>
> [root at jadeblue ~]# ldapsearch -H ldap://localhost:389 -xv \
> -D "cn=ldaproot,dc=aeonflux,dc=localdomain" -W \
> -b "ou=People,o=domain1.tld,dc=aeonflux,dc=localdomain" \
> -LLL "(mail=john.doe@domain1.tld)" uid
>
> ldap_initialize( ldap://localhost:389 )
> Enter LDAP Password:
> filter: (mail=john.doe@domain1.tld)
> requesting: uid
> dn: uid=john.doe,ou=People,o=domain1.tld,dc=aeonflux,dc=localdomain
> uid: john.doe
>
> saslauthd:
> ==========
> By default, Fedora Core 5 starts saslauthd with PAM as the backend, so I
> had to change the startup file (/etc/sysconfig/saslauthd):
> MECH=ldap
>
> And I created the following file (/etc/saslauthd.conf):
> ldap_servers: ldap://localhost/
> ldap_auth_method: bind
> ldap_filter: mail=%u
> ldap_base: ou=People,o=domain1.tld,dc=aeonflux,dc=localdomain
^^^^^
Try:
ldap_search_base: ou=People,o=domain1.tld,dc=aeonflux,dc=localdomain
Simon
>
> Testing with testsaslauthd:
> ===========================
> And I tried authenticating using this command:
> testsaslauthd -u john.doe@domain1.tld -p pass123
>
> I get this:
> 0: NO "authentication failed"
>
> And in /var/log/messages, I get:
>
> Sep 25 13:26:26 jadeblue saslauthd[3099]: do_auth : auth
> failure: [user=john.doe@domain1.tld] [service=imap] [realm=] [mech=ldap]
> [reason=Unknown]
>
> Questions:
> ==========
> I'm pretty sure I am missing something here, and the clue is probably
> the "[service=imap]" in the logs. I haven't installed Cyrus IMAP
> (yet), so I'm not sure where the defaults are set. The thing
> is, I want to verify that saslauthd can see the users in my LDAP
> directory before I install Cyrus IMAP. Is this possible?
>
>
> Thanks in advance, and again, sorry for the long email.
>
>
>
>
> --
> Pascal Chong
> email: chongym at cymulacrum.net
> web: http://cymulacrum.net
> pgp: http://cymulacrum.net/pgp/cymulacrum.asc
>
> "Science knows no borders, because knowledge belongs to humanity,
> and it is the flame that lights the world."
>
> -- Louis Pasteur
>
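As an added example (not code from the thread or from Cyrus SASL), a small Python checker that reads a saslauthd.conf like the one posted above, flags option names the LDAP backend does not recognise (the posted file says `ldap_base`, but the option is `ldap_search_base`), and shows what the `ldap_filter` template expands to for the user name handed to testsaslauthd, so it can be compared with the filter that was verified by hand with ldapsearch. The list of recognised option names is a partial list assumed here, and the filter escaping approximates saslauthd's.

```python
import re

# Option names the saslauthd LDAP backend recognises (partial list, assumed here).
# Note that the search base option is ldap_search_base; ldap_base is not an option.
KNOWN_OPTIONS = {
    "ldap_servers", "ldap_bind_dn", "ldap_password", "ldap_auth_method",
    "ldap_search_base", "ldap_filter", "ldap_scope", "ldap_timeout",
    "ldap_version", "ldap_use_sasl", "ldap_start_tls", "ldap_tls_cacert_file",
}
HINTS = {"ldap_base": "ldap_search_base"}  # closest match for the misspelling seen above

def parse_conf(text):
    """Parse 'key: value' lines of saslauthd.conf, ignoring blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")   # split on the first colon only
        conf[key.strip()] = value.strip()
    return conf

def unknown_options(conf):
    """Return {bad_key: suggestion or None} for keys saslauthd will not recognise."""
    return {k: HINTS.get(k) for k in conf if k not in KNOWN_OPTIONS}

def ldap_escape(s):
    """Escape LDAP filter metacharacters (RFC 4515 style), approximating saslauthd."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in s)

def expand_filter(template, user, realm="", service="imap"):
    """Expand %u (user), %U (part before @), %d (part after @), %r, %s and %%."""
    local, _, domain = user.partition("@")
    subst = {"%": "%", "u": ldap_escape(user), "U": ldap_escape(local),
             "d": ldap_escape(domain), "r": ldap_escape(realm), "s": ldap_escape(service)}
    return re.sub(r"%(.)", lambda m: subst.get(m.group(1), m.group(0)), template)

# Constructed copy of the configuration posted in the thread.
SAMPLE_CONF = """\
ldap_servers: ldap://localhost/
ldap_auth_method: bind
ldap_filter: mail=%u
ldap_base: ou=People,o=domain1.tld,dc=aeonflux,dc=localdomain
"""

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for key, hint in unknown_options(conf).items():
        print(f"unknown option {key!r}" + (f", did you mean {hint!r}?" if hint else ""))
    print("effective filter:", expand_filter(conf["ldap_filter"], "john.doe@domain1.tld"))
```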