OpenLDAP and cyrus-sasl authentication

james tan jamestan_98 at hotmail.com
Wed Sep 12 00:33:24 EDT 2007


Thanks.  I got it working with

ldap_filter: mail=%u
and I left the ldap_auth_method: bind unchanged.

The culprit also resulted from the LDAP ACL.
Thanks.

>From: Igor Brezac <igor at ipass.net>
>To: james tan <jamestan_98 at hotmail.com>
>CC: cyrus-sasl at lists.andrew.cmu.edu
>Subject: Re: OpenLDAP and cyrus-sasl authentication
>Date: Thu, 06 Sep 2007 08:06:30 -0400
>
>james tan wrote:
> > Hi,
> >
> > Version
> > LDAP openldap-2.3.27
> > cyrus-sasl-2.1.22
> >
> > I have been trying to figure out what is happening but have failed for the
> > last few days.  I am sorry for the long email, in which I include the
> > various debug outputs.  I just wonder where it goes wrong?
> > I already have my LDAP user created in ldbm; do I need anything like
> > sasldb2 again?  I am lost! :(
> >
> > I tried this but it failed.
> >
> > ./testsaslauthd -u tancentos2@domain.com -p mypasswd
> >
> > saslauthd[6118] :do_auth         : auth failure:
> > [user=tancentos2@domain.com] [service=imap] [realm=] [mech=ldap]
> > [reason=Unknown]
> > saslauthd[6118] :do_request      : response: NO
> >
> > The following is my configuration for saslauthd.conf:
> > ldap_servers: ldap://127.0.0.1
> > ldap_search_base: o=hosting,dc=example,dc=tld
> > ldap_filter: (&(objectClass=VirtualMailAccount)(mail=%u@%r)))
> > ldap_bind_dn: cn=cyrus,dc=example,dc=tld
> > ldap_password: secret
> > ldap_auth_method: bind
>
>You need to use ldap_auth_method: custom or adjust your filter.   Please
>see cyrus-src/saslauthd/LDAP_SASLAUTHD
>
> > ldap_start_tls: no
> >
> >
> > I tried to debug with OpenLDAP.  I got the following, but I noticed that
> > tancentos2@domain.com is not passed to LDAP, although the binding looks
> > OK?
> >
> > connection_get(13): got connid=1
> > connection_read(13): checking for input on id=1
> > ber_get_next
> > ber_get_next: tag 0x30 len 48 contents:
> > ber_get_next
> > ber_get_next on fd 13 failed errno=11 (Resource temporarily unavailable)
> > do_bind
> > ber_scanf fmt ({imt) ber:
> > ber_scanf fmt (m}) ber:
> > >>> dnPrettyNormal: <cn=cyrus,dc=example,dc=tld>
> > <<< dnPrettyNormal: <cn=cyrus,dc=example,dc=tld>,
> > <cn=cyrus,dc=example,dc=tld>
> > do_bind: version=3 dn="cn=cyrus,dc=example,dc=tld" method=128
> > dn2entry_r: dn: "cn=cyrus,dc=example,dc=tld"
> > => dn2id( "cn=cyrus,dc=example,dc=tld" )
> > ====> cache_find_entry_ndn2id("cn=cyrus,dc=example,dc=tld"): 34 (1 tries)
> > <= dn2id 34 (in cache)
> > => id2entry_r( 34 )
> > ====> cache_find_entry_id( 34 ) "cn=cyrus,dc=example,dc=tld" (found)
> > (1 tries)
> > <= id2entry_r( 34 ) 0x8b1ca98 (cache)
> > ====> cache_return_entry_r( 34 ): returned (0)
> > send_ldap_result: conn=1 op=0 p=3
> > send_ldap_response: msgid=1 tag=97 err=49
> > ber_flush: 14 bytes to sd 13
> >
> > Then, I tried
> > ldapsearch -LLL -s sub -v -x  "(mail=tancentos2@domain.com)" -b
> > "o=hosting,dc=example,dc=tld" cn sn
> > it returns the cn and sn.
> > If I take away the "-x", then the problem came.  The following is the
> > debug output from LDAP:
> > SASL [conn=2] Debug: DIGEST-MD5 server step 2
> > slap_sasl_getdn: u:id converted to uid=root,cn=DIGEST-MD5,cn=auth
> > >>> dnNormalize: <uid=root,cn=DIGEST-MD5,cn=auth>
> > <<< dnNormalize: <uid=root,cn=digest-md5,cn=auth>
> > ==>slap_sasl2dn: converting SASL name uid=root,cn=digest-md5,cn=auth
> > to a DN
> > slap_authz_regexp: converting SASL name uid=root,cn=digest-md5,cn=auth
> > <==slap_sasl2dn: Converted SASL name to <nothing>
> > SASL [conn=2] Error: unable to open Berkeley db /etc/sasldb2: No such
> > file or directory
> >
> >
>
>-Igor

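An added example to make the two points in this thread concrete; it is not code from the thread or from cyrus-sasl. The %u, %r, %s and %% tokens are the ones documented in saslauthd's LDAP_SASLAUTHD file; the in-memory directory, its DNs and passwords, the "exactly one match" rule and the password comparison that stands in for the real second bind are assumptions made for this example. It shows why `testsaslauthd -u tancentos2@domain.com` with no `-r` leaves %r empty (note `[realm=]` in the saslauthd log above), so `(mail=%u@%r)` expands to `(mail=tancentos2@domain.com@)` and matches nothing, whereas `mail=%u`, or `%u@%r` with the realm passed separately, does; that the filter as quoted above, `(&(objectClass=VirtualMailAccount)(mail=%u@%r)))`, has one more `)` than `(` and does not parse; and why every substituted value must be escaped as RFC 4515 requires, since the user name comes from an unauthenticated client and an unescaped `*)(objectClass=*` would rewrite the filter.

```python
"""Model of saslauthd's LDAP back end with ldap_auth_method: bind.
Added example, not code from this thread or from cyrus-sasl: expands the
%u/%r/%s/%% tokens of an ldap_filter with RFC 4515 escaping, evaluates the
result against a constructed in-memory directory, and models search-then-bind.
"""
import re

_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def ldap_filter_escape(value):
    """A client-supplied user name must not alter the filter's structure."""
    return "".join(_ESC.get(ch, ch) for ch in value)

def expand_filter(template, user, realm="", service="imap"):
    """Expand the ldap_filter tokens; every substituted value is escaped."""
    subs = {"u": user, "r": realm, "s": service}
    def repl(m):
        tok = m.group(1)
        if tok == "%":
            return "%"
        if tok not in subs:
            raise ValueError("unsupported token %%%s" % tok)
        return ldap_filter_escape(subs[tok])
    return re.sub(r"%(.)", repl, template)

def _unescape(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _parse(flt, i):
    """Parse the &, |, ! and attr=value subset of RFC 4515 (wildcards are
    treated as literals).  Returns (node, offset just past the node)."""
    if flt[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = flt[i]
    if op in "&|":
        kids, i = [], i + 1
        while flt[i] == "(":
            node, i = _parse(flt, i)
            kids.append(node)
        if flt[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    if op == "!":
        node, i = _parse(flt, i + 1)
        if flt[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return ("!", node), i + 1
    j = flt.index("=", i)
    k = flt.index(")", j)
    return ("=", flt[i:j].lower(), _unescape(flt[j + 1:k])), k + 1

def parse_filter(flt):
    """Parse tree, or None for a malformed filter (e.g. a stray ')').  A bare
    attr=value without parentheses is accepted, as the OpenLDAP client accepts it."""
    if not flt.startswith("("):
        flt = "(%s)" % flt
    try:
        node, end = _parse(flt, 0)
    except (ValueError, IndexError):
        return None
    return node if end == len(flt) else None

def _matches(node, entry):
    if node[0] == "&":
        return all(_matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not _matches(node[1], entry)
    _, attr, value = node
    return value.lower() in (v.lower() for v in entry.get(attr, []))

def search(directory, flt):
    """DNs matching flt, or None if the filter does not parse."""
    tree = parse_filter(flt)
    if tree is None:
        return None
    return [dn for dn, entry in directory.items() if _matches(tree, entry)]

def saslauthd_bind(directory, template, user, password, realm=""):
    """Search as the service account, require exactly one hit (an assumption
    of this model), then check the password as the bind as that DN would."""
    found = search(directory, expand_filter(template, user, realm))
    if not found or len(found) != 1:
        return None
    dn = found[0]
    return dn if password in directory[dn].get("userpassword", []) else None

# Constructed directory: the DNs, attributes and passwords are invented.
DIRECTORY = {
    "cn=cyrus,dc=example,dc=tld": {
        "objectclass": ["simpleSecurityObject"], "cn": ["cyrus"],
        "userpassword": ["secret"]},
    "uid=tancentos2,o=hosting,dc=example,dc=tld": {
        "objectclass": ["VirtualMailAccount"], "uid": ["tancentos2"],
        "mail": ["tancentos2@domain.com"], "userpassword": ["mypasswd"]},
}
```

Calling `saslauthd_bind(DIRECTORY, "mail=%u", "tancentos2@domain.com", "mypasswd")` returns the user's DN, while the same call with the quoted `(mail=%u@%r)` template and no realm returns None because the expanded filter matches nothing. With ldap_auth_method: bind the service account only needs to be able to search for the entry; the password itself is verified by the directory during the second bind, which is also why an ACL that hides the entry from the search base shows up as "no match" rather than as a bad password.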