SASL over LDAP doesn't work

Guus Leeuw jr. guus.leeuw at guusleeuwit.com
Tue Dec 11 01:56:45 EST 2007


Y'ello,

First of all, make sure to read the LDAP Admin Guide at www.openldap.org!

Then, make sure to double check with Turbo's KRB + SASL + OpenLDAP Howto at
www.bayour.com. (Forget about the KRB stuff there, he's got some very good
hints at testing the security install etc.)

As a general rule, you don't want LDAP to be your password database, instead
you want LDAP to use SASL to connect to something more useful like Kerberos
or RADIUS or a combination or something else. This is simply because LDAP is
not meant to be a password database, but rather an information store (as in:
the telephone book in your country doesn't list the PIN code for the
people's bank cards...).

If all else fails, you can always post the exact error you are getting,
increase debug levels all over the place, and make sure to cut and paste the
relevant log entries to the mailing list. A query akin to your own query will
not necessarily give any useful hints to other people as to why things would
fail in your particular situation.

Regards,

Guus

From: cyrus-sasl-bounces at lists.andrew.cmu.edu
[mailto:cyrus-sasl-bounces at lists.andrew.cmu.edu] On Behalf Of NguyenHuynh
Sent: 11 December 2007 04:24
To: cyrus-sasl at lists.andrew.cmu.edu
Subject: SASL over LDAP doesn't work

SASL over LDAP

I'm trying to use SASL over LDAP for authentication, but it still doesn't work.

Details:

OS: FreeBSD

Packages:
cyrus-sasl-2.1.22   RFC 2222 SASL (Simple Authentication and Security Layer)
cyrus-sasl-ldapdb-2.1.22 SASL LDAPDB auxprop plugin
cyrus-sasl-saslauthd-2.1.22 SASL authentication server for cyrus-sasl2
postfix-current-2.5.20071006,4 A secure alternative to widely-used Sendmail

Configure SASL in main.cf for postfix:

........
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
    reject_unauth_destination, permit_mynetworks, reject
smtpd_sasl_authenticated_header = yes
........

Configure SASL for authentication:

#vi /usr/local/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
auxprop_plugin: ldap
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

Configure LDAP server's details for SASL-ldapdb:

#vi /usr/local/etc/saslauthd.conf
ldap_servers: ldap://192.168.1.70
ldap_search_base: dc=yescall,dc=com,dc=vn
ldap_bind_dn: cn=admin,dc=yescall,dc=com,dc=vn
ldap_password: 123
ldap_filter: (&(objectClass=qmailUser)(mail=%u)(accountStatus=active))

The details of one node in my LDAP:

dn: cn=huynhnguyen,dc=yescall.com.vn,o=hosting,dc=yescall,dc=com,dc=vn
accountStatus: active
cn: huynhnguyen
homeDirectory: /vmail/hosting/yescall.com.vn/huynhnguyen
mailMessageStore: /vmail/hosting/yescall.com.vn/huynhnguyen/Maildir/
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: qmailUser
objectClass: CourierMailAccount
sn: Nguyen Dac Huynh2
structuralObjectClass: inetOrgPerson
entryUUID: f069f88e-1c17-102c-93d5-25c7f79a19b1
creatorsName: cn=admin,dc=yescall,dc=com,dc=vn
createTimestamp: 20071031161319Z
mailHost: mail.mikorn.com
userPassword:: aWtvcm40MTI4NA==
mail: huynhnguyen at yescall.com.vn
entryCSN: 20071205114520.832948Z#000000#000#000000
modifiersName: cn=admin,dc=yescall,dc=com,dc=vn
modifyTimestamp: 20071205114520Z

Start saslauthd:

#saslauthd -a ldap /usr/local/etc/saslauthd.conf

I always get authentication failures when using testsaslauthd.

My problems:

- Must I have a schema in LDAP for SASL only?
- Is it necessary to change my node in LDAP to another structure which is
  suitable for SASL?
- How can I use ldap_filter better in this case?

Could anybody help me to solve this problem?

I'm a newbie in Open Source.

I'm not good at English. Sorry if there is any problem.

Thank you for your kindness.

Thanks & Best Regards,

Nguyen Dac Huynh

System Engineer

Mirae Ikorn Co., Ltd
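
To make the ldap_filter question concrete, here is an added Python illustration (not saslauthd's code and not from either message): it expands the main ldap_filter tokens that LDAP_SASLAUTHD documents, escapes the substituted login name per RFC 4515, and evaluates the posted filter against the entry above, showing that a login of "huynhnguyen" cannot match mail=%u while the full address does. The entry dict is constructed from the LDIF above (the archive obfuscated the address, so the '@' form is assumed), and the %1-9/%D tokens and the %d-falls-back-to-%r rule are not modeled.

```python
import re

# Filter as posted; the entry is a constructed dict from the LDIF in the message
# (the list archive obfuscated the address, so the '@' form is assumed).
LDAP_FILTER = "(&(objectClass=qmailUser)(mail=%u)(accountStatus=active))"
ENTRY = {
    "objectclass": ["top", "person", "organizationalPerson", "inetOrgPerson",
                    "qmailUser", "CourierMailAccount"],
    "mail": ["huynhnguyen@yescall.com.vn"],
    "accountstatus": ["active"],
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a login name cannot change the filter's structure."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)

def expand_filter(template: str, user: str, realm: str = "", service: str = "smtp") -> str:
    """Expand the main tokens LDAP_SASLAUTHD documents: %u full login name, %U the
    part before '@', %d the part after '@', %r realm, %s service, %% a literal '%'.
    Not modeled: %1-9, %D, and %d falling back to %r. The template is trusted config."""
    local, _, domain = user.partition("@")
    tokens = {"u": user, "U": local, "d": domain, "r": realm, "s": service}

    def sub(match: re.Match) -> str:
        key = match.group(1)
        if key == "%":
            return "%"
        if key not in tokens:
            raise ValueError(f"unknown ldap_filter token %{key}")
        return escape_filter_value(tokens[key])  # every client-supplied value is escaped

    return re.sub(r"%(.)", sub, template)

def and_filter_matches(expanded: str, entry: dict) -> bool:
    """Evaluate a flat (&(attr=value)...) filter of exact-match clauses against an entry
    (attribute -> values), case-insensitively like LDAP caseIgnore matching rules.
    Only the shape of the posted filter is supported; this is not a general parser."""
    if not (expanded.startswith("(&") and expanded.endswith(")")):
        raise ValueError("only a flat AND filter is supported here")
    clauses = re.findall(r"\(([^=()]+)=([^()]*)\)", expanded[2:-1])
    return all(any(value.casefold() == have.casefold()
                   for have in entry.get(attr.casefold(), []))
               for attr, value in clauses)

if __name__ == "__main__":
    for login in ("huynhnguyen", "huynhnguyen@yescall.com.vn"):
        f = expand_filter(LDAP_FILTER, login)
        print(f"{login:28} -> {f}  matches={and_filter_matches(f, ENTRY)}")
```

Run it to see both expansions side by side; with mail=%u, only a client that authenticates with the full address stored in the entry's mail attribute produces a filter that finds the entry.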
