SASL over LDAP don't work
Guus Leeuw jr.
guus.leeuw at guusleeuwit.com
Tue Dec 11 01:56:45 EST 2007
Y'ello,
First of all, make sure to read the LDAP Admin Guide at www.openldap.org!
Then, make sure to double check with Turbo's KRB + SASL + OpenLDAP Howto at
www.bayour.com. (Forget about the KRB stuff there, he's got some very good
hints at testing the security install etc.)
As a general rule, you don't want LDAP to be your password database, instead
you want LDAP to use SASL to connect to something more useful like Kerberos
or RADIUS or a combination or something else. This is simply because LDAP is
not meant to be a password database, but rather an information store (as in:
the telephone book in your country doesn't list the PIN code for the
people's bank cards...).
If all else fails, you can always post the exact error you are getting,
increase debug levels all over the place, and make sure to cut and paste the
relevant log entries to the mailing list. A query akin your own query will
not necessarily give any useful hints to other people as to why things would
fail in your particular situation.
Regards,
Guus
From: cyrus-sasl-bounces at lists.andrew.cmu.edu
[mailto:cyrus-sasl-bounces at lists.andrew.cmu.edu] On Behalf Of NguyenHuynh
Sent: 11 December 2007 04:24
To: cyrus-sasl at lists.andrew.cmu.edu
Subject: SASL over LDAP don't work
SASL over LDAP
I'm trying to using SASL over LDAP for authentication but I don't still work
yet
Details:
OS: FreeBSD
Packages:
cyrus-sasl-2.1.22 RFC 2222 SASL (Simple Authentication and Security Layer)
cyrus-sasl-ldapdb-2.1.22 SASL LDAPDB auxprop plugin
cyrus-sasl-saslauthd-2.1.22 SASL authentication server for cyrus-sasl2
postfix-current-2.5.20071006,4 A secure alternative to widely-used Sendmail
Configure SASL in main.cf for postfix:
........
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
reject_unauth_destination, permit_mynetworks, reject
smtpd_sasl_authenticated_header = yes
........
Configure SASL for authentication:
#vi /usr/local/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
auxprop_plugin: ldap
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
Configure LDAP server's details for SASL-ldapdb:
#vi /usr/local/etc/saslauthd.conf
ldap_servers: ldap://192.168.1.70
ldap_search_base: dc=yescall,dc=com,dc=vn
ldap_bind_dn: cn=admin,dc=yescall,dc=com,dc=vn
ldap_password: 123
ldap_filter: (&(objectClass=qmailUser)(mail=%u)(accountStatus=active))
the details of one node in my LDAP
dn: cn=huynhnguyen,dc=yescall.com.vn,o=hosting,dc=yescall,dc=com,dc=vn
accountStatus: active
cn: huynhnguyen
homeDirectory: /vmail/hosting/yescall.com.vn/huynhnguyen
mailMessageStore: /vmail/hosting/yescall.com.vn/huynhnguyen/Maildir/
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: qmailUser
objectClass: CourierMailAccount
sn: Nguyen Dac Huynh2
structuralObjectClass: inetOrgPerson
entryUUID: f069f88e-1c17-102c-93d5-25c7f79a19b1
creatorsName: cn=admin,dc=yescall,dc=com,dc=vn
createTimestamp: 20071031161319Z
mailHost: mail.mikorn.com
userPassword:: aWtvcm40MTI4NA==
mail: huynhnguyen at yescall.com.vn
entryCSN: 20071205114520.832948Z#000000#000#000000
modifiersName: cn=admin,dc=yescall,dc=com,dc=vn
modifyTimestamp: 20071205114520Z
Start saslauthd:
#saslauthd -a ldap /usr/local/etc/saslauthd.conf
I always have authentication fails when using testsaslauth
My problems:
- Must I have a schema in LDAP for SASL only?
- Does it neccessary to change my node in LDAP to another structure which is
suitable with SASL
- How can I use ldap_filter better in this case?
Could anybody help me to solve this problem?
I'm a newbie in OpenSource.
I'm not good in English. Sorry if any problem
Thank you for your careness
Thanks & Best Regards,
Nguyen Dac Huynh
System Engineer
Mirae Ikorn Co., Ltd
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.andrew.cmu.edu/mailman/private/cyrus-sasl/attachments/20071211/952d21f1/attachment-0001.html
More information about the Cyrus-sasl
mailing list