SASL LDAP + TLS
David E. Wheeler
david at kineticode.com
Wed Mar 19 16:18:06 EDT 2008
Howdy,
I'm trying to get SASL working with OpenLDAP + TLS. I got it working
without TLS with these settings:
slapd.conf:
----------
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSCertificateFile /etc/ssl/certs/servercert.pem
TLSCertificateKeyFile /etc/ssl/private/serverkey.pem
TLSVerifyClient allow
sasl-regexp
uid=(.*),cn=digest-md5,cn=auth
uid=$1,ou=people,dc=kineticode,dc=com
saslauthd.conf:
--------------
ldap_servers: ldap://localhost/
ldap_use_sasl: yes
This works great with testsaslauthd:
% sudo testsaslauthd -u david -p '******'
0: OK "Success."
However, when I add these lines to saslauthd.conf, it fails:
ldap_start_tls: yes
ldap_tls_cacert_file: /etc/ssl/certs/cacert.pem
ldap_tls_cert: /etc/ssl/certs/clientcert.pem
ldap_tls_key: /etc/ssl/certs/clientkey.pem
Here's the test:
% sudo testsaslauthd -u david -p '******'
0: NO "authentication failed"
Here's what shows up in the auth.log:
Mar 19 13:11:48 sahlins sudo: david : TTY=pts/0 ; PWD=/home/david ; USER=root ; COMMAND=/usr/sbin/testsaslauthd -u david -p *******
Mar 19 13:11:48 sahlins saslauthd[8258]: start tls failed (Connect error).
Mar 19 13:11:48 sahlins saslauthd[8258]: Authentication failed for david: Cannot connect to ldap server (configuration error) (-8)
Mar 19 13:11:48 sahlins saslauthd[8258]: do_auth : auth failure: [user=david] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
For some reason starttls fails. However, when I create ~/.ldaprc with
these lines:
TLS_CERT /etc/ssl/certs/clientcert.pem
TLS_KEY /etc/ssl/certs/clientkey.pem
SASL_MECH EXTERNAL
Then I can successfully auth using ldapsearch:
% ldapsearch -U david -v '(&(objectClass=inetLocalMailRecipient)(uid=david))' -ZZ
ldap_initialize( <DEFAULT> )
SASL/EXTERNAL authentication started
SASL username: CN=*.kineticode.com,OU=Kineticode,O=Kineticode\2C Inc.,ST=Oregon,C=US
SASL SSF: 0
filter: (&(objectClass=inetLocalMailRecipient)(uid=david))
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (&(objectClass=inetLocalMailRecipient)(uid=david))
# requesting: ALL
#
# david, people, kineticode.com
dn: uid=david,ou=people,dc=kineticode,dc=com
<snip/>
# search result
search: 3
result: 0 Success
So please, can anyone tell me what I'm missing? From the docs I gather
that I have to have a client certificate and key for sasl external to
use (and I assume that external is what testsaslauthd does), so I
created the cert and key and it seems to work with ldapsearch (without
even requiring a password!) but not testsaslauthd. :-(
FWIW, where I'm going with this is supporting Postfix SMTP Auth, which
uses SASL.
Thanks,
David
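When saslauthd logs "start tls failed (Connect error)" before it ever binds, the first thing worth checking is the TLS material the ldap_tls_cacert_file, ldap_tls_cert and ldap_tls_key settings point at: that all three files are readable by the saslauthd process, that the client certificate actually verifies against the configured CA file, and that the key file is the private half of that certificate. The script below is an added example, not code from the post or from the Cyrus SASL project; it assumes only the openssl command-line tool. It generates a throwaway CA, a client certificate signed by it, and an unrelated self-signed certificate into a temporary directory (constructed test data, so it runs offline), then defines check_tls_client_files, which can be pointed at real paths such as /etc/ssl/certs/cacert.pem, /etc/ssl/certs/clientcert.pem and /etc/ssl/certs/clientkey.pem instead.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): pre-flight checks for the
# CA file, client certificate and client key that saslauthd's
# ldap_tls_cacert_file / ldap_tls_cert / ldap_tls_key settings reference.
# Everything below is generated into a temporary directory so the script
# runs offline; real use points check_tls_client_files at the deployed paths.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA (constructed test data).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Test CA' \
    -keyout "$WORK/ca.key" -out "$WORK/cacert.pem" >/dev/null 2>&1
# Client certificate signed by that CA.
openssl req -newkey rsa:2048 -nodes -subj '/CN=saslauthd-client' \
    -keyout "$WORK/clientkey.pem" -out "$WORK/client.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/client.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/clientcert.pem" >/dev/null 2>&1
# An unrelated self-signed certificate and key, used as the negative case.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=stranger' \
    -keyout "$WORK/otherkey.pem" -out "$WORK/othercert.pem" >/dev/null 2>&1

# check_tls_client_files CA_FILE CERT_FILE KEY_FILE
# Returns 0 when all files are readable, CERT_FILE verifies against CA_FILE,
# and KEY_FILE is the private key matching CERT_FILE; otherwise prints the
# first failing check to stderr and returns 1.
check_tls_client_files() {
    ca=$1; cert=$2; key=$3
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
    done
    # Does the client certificate chain to the CA saslauthd is told to trust?
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "certificate does not verify against CA" >&2; return 1; }
    # Compare the public key embedded in the certificate with the one
    # derived from the private key; they must be identical.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match certificate" >&2; return 1; }
    return 0
}

# Stand-alone run: report on the constructed good and bad combinations.
check_tls_client_files "$WORK/cacert.pem" "$WORK/clientcert.pem" "$WORK/clientkey.pem" \
    && echo "good cert/key pair: OK"
check_tls_client_files "$WORK/cacert.pem" "$WORK/clientcert.pem" "$WORK/otherkey.pem" \
    || echo "mismatched key: rejected as expected"
check_tls_client_files "$WORK/cacert.pem" "$WORK/othercert.pem" "$WORK/otherkey.pem" \
    || echo "cert not issued by CA: rejected as expected"
```

The readability check matters because saslauthd is a separate daemon and does not see a per-user ~/.ldaprc; it reads only the files named in saslauthd.conf, under its own uid. The public-key comparison is preferred over comparing RSA moduli because it works the same way for non-RSA keys.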