SASL over LDAP don't work

Howard Chu hyc at highlandsun.com
Tue Dec 11 02:19:01 EST 2007


Guus Leeuw jr. wrote:
> Y’ello,
> 
> First of all, make sure to read the LDAP Admin Guide at www.openldap.org 
> <http://www.openldap.org>!

Always good advice, yes.

> Then, make sure to double check with Turbo’s KRB + SASL + OpenLDAP Howto 
> at www.bayour.com <http://www.bayour.com>. (Forget about the KRB stuff 
> there, he’s got some very good hints at testing the security install etc.)

Obsolete.

> As a general rule, you don’t want LDAP to be your password database, 
> instead you want LDAP to use SASL to connect to something more useful 
> like Kerberos or RADIUS or a combination or something else. This is 
> simply because LDAP is not meant to be a password database, but rather 
> an information store (as in: the telephone book in your country doesn’t 
> list the PIN code for the people’s bank cards...).

"An information store" can store passwords as well as anything else. Given 
that frequently Kerberos KDCs and RADIUS servers store their info in LDAP, I 
don't think the above point is valid.

> If all else fails, you can always post the exact error you are getting, 
> increase debug levels all over the place, and make sure to cut and paste 
> the relevant log entries to the mailing list. A query akin your own 
> query will not necessarily give any useful hints to other people as to 
> why things would fail in your particular situation.

In this case he needs to read the Cyrus SASL docs more closely, or pay more 
attention to what he's typing. "auxprop_plugin: ldap" is not the same as 
"auxprop_plugin: ldapdb". He's mixing the docs/configs for two completely 
different LDAP mechanisms.

> 
> Regards,
> 
> Guus
> 
> *From:* cyrus-sasl-bounces at lists.andrew.cmu.edu 
> [mailto:cyrus-sasl-bounces at lists.andrew.cmu.edu] *On Behalf Of *NguyenHuynh
> *Sent:* 11 December 2007 04:24
> *To:* cyrus-sasl at lists.andrew.cmu.edu
> *Subject:* SASL over LDAP don't work
> 
> SASL over LDAP
> 
> I’m trying to use SASL over LDAP for authentication, but it still doesn’t 
> work yet
> 
> Details:
> 
> OS: FreeBSD
> 
> Packages:
> 
> cyrus-sasl-2.1.22 RFC 2222 SASL (Simple Authentication and Security Layer)
> 
> cyrus-sasl-ldapdb-2.1.22 SASL LDAPDB auxprop plugin
> 
> cyrus-sasl-saslauthd-2.1.22 SASL authentication server for cyrus-sasl2
> 
> postfix-current-2.5.20071006,4 A secure alternative to widely-used Sendmail
> 
> Configure SASL in *main.cf* for postfix:
> 
> ………………..
> 
> smtpd_sasl_auth_enable = yes
> 
> smtpd_recipient_restrictions = permit_sasl_authenticated, 
> reject_unauth_destination, permit_mynetworks, reject
> 
> smtpd_sasl_authenticated_header = yes
> 
> ………………..
> 
> Configure SASL for authentication:
> 
> #vi /usr/local/lib/sasl2/smtpd.conf
> 
> pwcheck_method: saslauthd
> 
> auxprop_plugin: ldap
> 
> mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
> 
> Configure LDAP server’s details for SASL-ldapdb:
> 
> #vi /usr/local/etc/saslauthd.conf
> 
> ldap_servers: ldap://192.168.1.70
> 
> ldap_search_base: dc=yescall,dc=com,dc=vn
> 
> ldap_bind_dn: cn=admin,dc=yescall,dc=com,dc=vn
> 
> ldap_password: 123
> 
> ldap_filter: (&(objectClass=qmailUser)(mail=%u)(accountStatus=active))
> 
> the details of one node in my LDAP
> 
> dn: cn=huynhnguyen,dc=yescall.com.vn,o=hosting,dc=yescall,dc=com,dc=vn
> 
> accountStatus: active
> 
> cn: huynhnguyen
> 
> homeDirectory: /vmail/hosting/yescall.com.vn/huynhnguyen
> 
> mailMessageStore: /vmail/hosting/yescall.com.vn/huynhnguyen/Maildir/
> 
> objectClass: top
> 
> objectClass: person
> 
> objectClass: organizationalPerson
> 
> objectClass: inetOrgPerson
> 
> objectClass: qmailUser
> 
> objectClass: CourierMailAccount
> 
> sn: Nguyen Dac Huynh2
> 
> structuralObjectClass: inetOrgPerson
> 
> entryUUID: f069f88e-1c17-102c-93d5-25c7f79a19b1
> 
> creatorsName: cn=admin,dc=yescall,dc=com,dc=vn
> 
> createTimestamp: 20071031161319Z
> 
> mailHost: mail.mikorn.com
> 
> userPassword:: aWtvcm40MTI4NA==
> 
> mail: huynhnguyen at yescall.com.vn
> 
> entryCSN: 20071205114520.832948Z#000000#000#000000
> 
> modifiersName: cn=admin,dc=yescall,dc=com,dc=vn
> 
> modifyTimestamp: 20071205114520Z
> 
> Start saslauthd:
> 
> #saslauthd -a ldap /usr/local/etc/saslauthd.conf
> 
> I always get authentication failures when using testsaslauthd
> 
> My problems:
> 
> - Must I have a schema in LDAP for SASL only?
> 
> - Is it necessary to change my node in LDAP to another structure 
> which is suitable for SASL?
> 
> - How can I use ldap_filter better in this case?
> 
> Could anybody help me to solve this problem?
> 
> I’m a newbie in OpenSource.
> 
> I’m not good at English. Sorry for any problems
> 
> Thank you for your care
> 
> Thanks & Best Regards,
> 
> Nguyen Dac Huynh
> 
> System Engineer
> 
> Mirae Ikorn Co., Ltd
> 


-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/
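The mix-up Howard points at (the saslauthd LDAP backend, configured with `ldap_*` keys in saslauthd.conf and selected by `pwcheck_method: saslauthd`, versus the `ldapdb` auxprop plugin, configured with `ldapdb_*` keys in the application's own SASL config) is easy to catch mechanically. The following linter is an added example and not code from the thread, Cyrus SASL or Postfix; it parses a Cyrus SASL `key: value` application config such as smtpd.conf and reports the two defects in the poster's file: `auxprop_plugin: ldap` names no plugin that Cyrus SASL 2.1 ships (the auxprop plugins are sasldb, sql and ldapdb), and CRAM-MD5/DIGEST-MD5 are shared-secret mechanisms that saslauthd cannot verify, since saslauthd only checks plaintext passwords. The two "fixed" configs embedded below are constructed for illustration; the LDAP URI, proxy identity and password in them are placeholders, not values from the thread.

```python
"""Lint a Cyrus SASL application config (smtpd.conf style) for the
saslauthd-versus-ldapdb confusion.  Added example, not project code."""

# Auxprop plugins shipped with Cyrus SASL 2.1.x.
KNOWN_AUXPROP = {"sasldb", "sql", "ldapdb"}

# Mechanisms whose verifier needs the user's stored secret.  saslauthd only
# verifies plaintext passwords (PLAIN/LOGIN), so these need an auxprop plugin.
SHARED_SECRET_MECHS = {"CRAM-MD5", "DIGEST-MD5", "SCRAM-SHA-1", "SCRAM-SHA-256"}


def parse_sasl_conf(text):
    """Parse Cyrus SASL 'key: value' lines into a dict; '#' lines are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        opts[key.strip().lower()] = value.strip()
    return opts


def lint_sasl_conf(text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    opts = parse_sasl_conf(text)
    findings = []

    plugins = opts.get("auxprop_plugin", "").split()
    usable = [p for p in plugins if p.lower() in KNOWN_AUXPROP]
    for p in plugins:
        if p.lower() not in KNOWN_AUXPROP:
            hint = " (did you mean 'ldapdb'?)" if p.lower() == "ldap" else ""
            findings.append(f"auxprop_plugin '{p}' is not a Cyrus SASL auxprop plugin{hint}")

    # Shared-secret mechanisms are served by auxprop, never by saslauthd.
    mechs = {m.upper() for m in opts.get("mech_list", "").split()}
    needs_secret = sorted(mechs & SHARED_SECRET_MECHS)
    if needs_secret and not usable:
        findings.append(
            "mech_list advertises " + ", ".join(needs_secret)
            + " but no usable auxprop plugin is configured; saslauthd can only verify plaintext"
        )

    # ldap_* keys belong to saslauthd.conf; the ldapdb plugin reads ldapdb_* here.
    for key in opts:
        if key.startswith("ldap_"):
            findings.append(f"'{key}' is a saslauthd.conf option and is ignored in this file")
    if "ldapdb" in (p.lower() for p in plugins) and "ldapdb_uri" not in opts:
        findings.append("auxprop_plugin ldapdb is set but ldapdb_uri is missing")
    return findings


# The poster's smtpd.conf as quoted in the thread.
POSTER_SMTPD_CONF = """\
pwcheck_method: saslauthd
auxprop_plugin: ldap
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
"""

# Constructed fix 1: the ldapdb auxprop route (placeholder URI, id and password).
LDAPDB_SMTPD_CONF = """\
pwcheck_method: auxprop
auxprop_plugin: ldapdb
ldapdb_uri: ldap://ldap.example.com
ldapdb_id: proxyuser
ldapdb_pw: PLACEHOLDER
ldapdb_mech: DIGEST-MD5
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
"""

# Constructed fix 2: keep saslauthd, but only advertise plaintext mechanisms.
SASLAUTHD_SMTPD_CONF = """\
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
"""

if __name__ == "__main__":
    for name, conf in (("poster", POSTER_SMTPD_CONF),
                       ("ldapdb", LDAPDB_SMTPD_CONF),
                       ("saslauthd", SASLAUTHD_SMTPD_CONF)):
        print(name, lint_sasl_conf(conf) or "ok")
```

The two constructed configs are the two separate mechanisms Howard is describing: with `ldapdb` the SASL library itself talks to slapd and can serve the shared-secret mechanisms, while with `saslauthd -a ldap` only PLAIN and LOGIN can succeed, whatever `mech_list` advertises.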
