OpenLDAP and cyrus-sasl authentication

Igor Brezac igor at ipass.net
Thu Sep 6 08:06:30 EDT 2007


james tan wrote:
> Hi,
>
> Version
> LDAP openldap-2.3.27
> cyrus-sasl-2.1.22
>
> I have been trying to figure out what is happening but failed for the
> last few days.  I am sorry for the long email where I tried the
> various debug output.  I just wonder where it goes wrong?
> I already have my ldap user created in ldbm, do I need anything like
> sasldb2 again?  I am lost! :(
>
> I tried this but it failed.
>
> ./testsaslauthd -u tancentos2@domain.com -p mypasswd
>
> saslauthd[6118] :do_auth         : auth failure:
> [user=tancentos2@domain.com] [service=imap] [realm=] [mech=ldap]
> [reason=Unknown]
> saslauthd[6118] :do_request      : response: NO
>
> The following are my configuration for saslauthd.conf
> ldap_servers: ldap://127.0.0.1
> ldap_search_base: o=hosting,dc=example,dc=tld
> ldap_filter: (&(objectClass=VirtualMailAccount)(mail=%u@%r)))
> ldap_bind_dn: cn=cyrus,dc=example,dc=tld
> ldap_password: secret
> ldap_auth_method: bind

You need to use ldap_auth_method: custom or adjust your filter.  Please
see cyrus-src/saslauthd/LDAP_SASLAUTHD

> ldap_start_tls: no
>
>
> I tried to debug with openldap, I got the following but I noticed that
> the tancentos2@domain.com is not passed to ldap but the binding looks
> ok?
>
> connection_get(13): got connid=1
> connection_read(13): checking for input on id=1
> ber_get_next
> ber_get_next: tag 0x30 len 48 contents:
> ber_get_next
> ber_get_next on fd 13 failed errno=11 (Resource temporarily unavailable)
> do_bind
> ber_scanf fmt ({imt) ber:
> ber_scanf fmt (m}) ber:
>>>> dnPrettyNormal: <cn=cyrus,dc=example,dc=tld>
> <<< dnPrettyNormal: <cn=cyrus,dc=example,dc=tld>,
> <cn=cyrus,dc=example,dc=tld>
> do_bind: version=3 dn="cn=cyrus,dc=example,dc=tld" method=128
> dn2entry_r: dn: "cn=cyrus,dc=example,dc=tld"
> => dn2id( "cn=cyrus,dc=example,dc=tld" )
> ====> cache_find_entry_ndn2id("cn=cyrus,dc=example,dc=tld"): 34 (1 tries)
> <= dn2id 34 (in cache)
> => id2entry_r( 34 )
> ====> cache_find_entry_id( 34 ) "cn=cyrus,dc=example,dc=tld" (found)
> (1 tries)
> <= id2entry_r( 34 ) 0x8b1ca98 (cache)
> ====> cache_return_entry_r( 34 ): returned (0)
> send_ldap_result: conn=1 op=0 p=3
> send_ldap_response: msgid=1 tag=97 err=49
> ber_flush: 14 bytes to sd 13
>
> Then, I tried
> ldapsearch -LLL -s sub -v -x "(mail=tancentos2@domain.com)" -b
> "o=hosting,dc=example,dc=tld" cn sn
> it returns the cn and sn.
> If I take away the "-x", then the problem came.  The following is the
> debug output from ldap
> SASL [conn=2] Debug: DIGEST-MD5 server step 2
> slap_sasl_getdn: u:id converted to uid=root,cn=DIGEST-MD5,cn=auth
>>>> dnNormalize: <uid=root,cn=DIGEST-MD5,cn=auth>
> <<< dnNormalize: <uid=root,cn=digest-md5,cn=auth>
> ==>slap_sasl2dn: converting SASL name uid=root,cn=digest-md5,cn=auth
> to a DN
> slap_authz_regexp: converting SASL name uid=root,cn=digest-md5,cn=auth
> <==slap_sasl2dn: Converted SASL name to <nothing>
> SASL [conn=2] Error: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
>

-Igor
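As an added example (not code from this thread, from cyrus-sasl or from OpenLDAP), here is a small parser for the RFC 4515 search-filter subset that saslauthd's ldap_filter uses, meant as a lint step before a saslauthd.conf edit goes live. The filter string is taken exactly as posted above; a second, balanced copy is constructed here for comparison. Run on the posted filter it reports the stray closing parenthesis, and on the balanced copy it returns the parse tree, so a mismatched filter is caught before it shows up only as `[reason=Unknown]` in the saslauthd log.

```python
"""Lint an LDAP search filter (RFC 4515 subset: and/or/not and simple
attr=value items) before putting it into saslauthd.conf.

Hypothetical helper written for this example; not part of cyrus-sasl or OpenLDAP.
"""


class FilterError(ValueError):
    """Raised with the byte offset of the first problem in the filter."""


def parse_filter(text: str):
    """Parse a filter string into a nested tuple tree.

    Nodes are ('and', [children]), ('or', [children]), ('not', child) or
    ('item', attr, op, value).  Raises FilterError on malformed input,
    including trailing characters after the outermost ')'.
    """
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise FilterError(f"trailing data at offset {pos}: {text[pos:]!r}")
    return node


def _parse(text: str, pos: int):
    """Parse one parenthesised filter component starting at text[pos]."""
    if pos >= len(text) or text[pos] != "(":
        raise FilterError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(text):
        raise FilterError("unterminated filter")
    ch = text[pos]
    if ch in "&|":
        # Filter list: zero or more nested components follow the operator.
        kind = "and" if ch == "&" else "or"
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            pos, child = _parse(text, pos)
            children.append(child)
        node = (kind, children)
    elif ch == "!":
        pos, child = _parse(text, pos + 1)
        node = ("not", child)
    else:
        # Simple item.  RFC 4515 requires a literal ')' inside a value to be
        # escaped as \29, so the next raw ')' terminates the item.
        end = text.find(")", pos)
        if end == -1:
            raise FilterError(f"missing ')' for item at offset {pos}")
        item = text[pos:end]
        for op in (">=", "<=", "~=", "="):
            if op in item:
                attr, value = item.split(op, 1)
                break
        else:
            raise FilterError(f"no comparison operator in item {item!r}")
        if not attr:
            raise FilterError(f"empty attribute name in item {item!r}")
        node = ("item", attr, op, value)
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise FilterError(f"expected ')' at offset {pos}")
    return pos + 1, node


def check_filter(text: str):
    """Return (ok, message); suitable for a config-lint hook."""
    try:
        parse_filter(text)
        return True, "ok"
    except FilterError as err:
        return False, str(err)


# Constructed inputs: the ldap_filter value exactly as posted in the thread
# (one ')' too many) and a balanced copy of the same filter.
POSTED_FILTER = "(&(objectClass=VirtualMailAccount)(mail=%u@%r)))"
BALANCED_FILTER = "(&(objectClass=VirtualMailAccount)(mail=%u@%r))"

if __name__ == "__main__":
    for label, flt in (("posted", POSTED_FILTER), ("balanced", BALANCED_FILTER)):
        ok, msg = check_filter(flt)
        print(f"{label:9} {flt}  ->  {'OK' if ok else 'ERROR: ' + msg}")
    print(parse_filter(BALANCED_FILTER))
```

The parser deliberately stops at the RFC 4515 subset a saslauthd filter actually needs; extensible-match (`:=`) and substring escapes are not handled, so a filter using those is reported as an error rather than silently accepted.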