SASL LDAP + TLS

David E. Wheeler david at kineticode.com
Wed Mar 19 16:18:06 EDT 2008 

Howdy,

I'm trying to get SASL working with OpenLDAP + TLS. I got it working  
without TLS with these settings:

slapd.conf:
----------
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSCertificateFile /etc/ssl/certs/servercert.pem
TLSCertificateKeyFile /etc/ssl/private/serverkey.pem
TLSVerifyClient allow

sasl-regexp
     uid=(.*),cn=digest-md5,cn=auth
     uid=$1,ou=people,dc=kineticode,dc=com

saslauthd.conf:
--------------
ldap_servers: ldap://localhost/
ldap_use_sasl: yes

This works great with testsaslauthd:

% sudo testsaslauthd -u david -p '******'
0: OK "Success."

However, when I add these lines to saslauthd.conf, it fails:

ldap_start_tls: yes
ldap_tls_cacert_file: /etc/ssl/certs/cacert.pem
ldap_tls_cert: /etc/ssl/certs/clientcert.pem
ldap_tls_key: /etc/ssl/certs/clientkey.pem

Here's the test:

% sudo testsaslauthd -u david -p '******'
0: NO "authentication failed"

Here's what shows up in the auth.log:

Mar 19 13:11:48 sahlins sudo:    david : TTY=pts/0 ; PWD=/home/david ;  
USER=root ; COMMAND=/usr/sbin/testsaslauthd -u david -p *******
Mar 19 13:11:48 sahlins saslauthd[8258]: start tls failed (Connect  
error).
Mar 19 13:11:48 sahlins saslauthd[8258]: Authentication failed for  
david: Cannot connect to ldap server (configuration error) (-8)
Mar 19 13:11:48 sahlins saslauthd[8258]: do_auth         : auth  
failure: [user=david] [service=imap] [realm=] [mech=ldap]  
[reason=Unknown]

For some reason startls fails. However, when I create ~/.ldaprc with  
these lines:

TLS_CERT        /etc/ssl/certs/clientcert.pem
TLS_KEY         /etc/ssl/certs/clientkey.pem
SASL_MECH       EXTERNAL

Then I can successfully auth using ldapsearch:

% ldapsearch -U david -v '(&(objectClass=inetLocalMailRecipient) 
(uid=david))' -ZZ
ldap_initialize( <DEFAULT> )
SASL/EXTERNAL authentication started
SASL username: CN=*.kineticode.com,OU=Kineticode,O=Kineticode\2C  
Inc.,ST=Oregon,C=US
SASL SSF: 0
filter: (&(objectClass=inetLocalMailRecipient)(uid=david))
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (&(objectClass=inetLocalMailRecipient)(uid=david))
# requesting: ALL
#

# david, people, kineticode.com
dn: uid=david,ou=people,dc=kineticode,dc=com
<snip/>
# search result
search: 3
result: 0 Success

So please, can anyone tell me what I'm missing? From the docs I gather  
that I have to have a client certificate and key for sasl external to  
use (and I assume that external is what testsaslauthd does), so I  
created the cert and key and it seems to work with ldapsearch (without  
even requiring a password!) but not testsaslauthd. :-(

FWIW, where I'm going with this is supporting Postfix SMTP Auth, which  
uses SASL.

Thanks,

David

More information about the Cyrus-sasl mailing list