SASL LDAP + TLS
David E. Wheeler
david at kineticode.com
Thu Mar 20 12:21:45 EDT 2008
On Mar 20, 2008, at 01:11, Dieter Kluenter wrote:
> "David E. Wheeler" <david at kineticode.com> writes:
>
>> On Mar 19, 2008, at 15:02, Quanah Gibson-Mount wrote:
>>
>>> If you mean Postfix doing SASL anything to OpenLDAP, it doesn't
>>> support SASL binds to LDAP. I have a patch for that.
>>
>> That sounds promising. However, Postfix does do SASL, and SASL does
>> talk to OpenLDAP (as I was able to find using testsaslauthd), but my
>> trouble is getting SASL to talk to OpenLDAP using SASL authentication
>> with TLS. My /etc/saslauthd.conf looks like this:
>
> try auxprop ldapdb and appropriate settings in smtpd.conf to enable
> postfix sasl authentication.
Thank you for your reply, Dieter. However, I haven't even got as far
as trying to get postfix hooked up. I was first trying to make sure
that saslauthd was working with LDAP using testsaslauthd. When
saslauthd.conf looks like this:
ldap_servers: ldap://localhost/
ldap_use_sasl: yes
It works:
% sudo testsaslauthd -u david -p '******'
0: OK "Success."
But when it looks like this:
ldap_servers: ldap://localhost/
ldap_use_sasl: yes
ldap_start_tls: yes
ldap_tls_cacert_file: /etc/ssl/certs/cacert.pem
ldap_tls_cert: /etc/ssl/certs/clientcert.pem
ldap_tls_key: /etc/ssl/certs/clientkey.pem
It doesn't work:
% sudo testsaslauthd -u david -p '******'
0: NO "authentication failed"
And this is what shows up in the auth.log:
Mar 19 13:11:48 sahlins saslauthd[8258]: start tls failed (Connect error).
Mar 19 13:11:48 sahlins saslauthd[8258]: Authentication failed for david: Cannot connect to ldap server (configuration error) (-8)
Mar 19 13:11:48 sahlins saslauthd[8258]: do_auth : auth failure: [user=david] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
The relevant slapd logging is here:
http://kineticode.com/code/slapd.txt
I can't tell why starttls fails. :-( It works fine when I use
ldapsearch -Y EXTERNAL -- it doesn't even prompt me for a password!
If you have any ideas what I might be missing (something in
saslauthd.conf, surely!), I would greatly appreciate it.
Thanks,
David
PS: I have these directives in slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSCertificateFile /etc/ssl/certs/servercert.pem
TLSCertificateKeyFile /etc/ssl/private/serverkey.pem
TLSVerifyClient allow
sasl-regexp
    uid=(.*),cn=digest-md5,cn=auth
    uid=$1,ou=people,dc=kineticode,dc=com
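One way to get at the real TLS error hidden behind saslauthd's "start tls failed (Connect error)", as an added diagnostic that is not part of this thread: it hand-encodes the LDAP StartTLS extended request (OID 1.3.6.1.4.1.1466.20037), sends it on a plain socket, and then runs the handshake with the same cacert, client cert and key paths as the saslauthd.conf above, so an unknown-CA, key-mismatch or hostname error is reported by OpenSSL by name. Host, port and file paths are taken from the post; everything else is standard library.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # LDAP StartTLS extended operation

def ber_len(n: int) -> bytes:
    """BER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber(tag: int, payload: bytes) -> bytes:   # one BER TLV
    return bytes([tag]) + ber_len(len(payload)) + payload

def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext_req = ber(0x77, ber(0x80, STARTTLS_OID))
    return ber(0x30, ber(0x02, bytes([msg_id])) + ext_req)

def result_code(resp: bytes) -> int:
    """resultCode (ENUMERATED) from an ExtendedResponse [APPLICATION 24]."""
    i = 2 if resp[1] < 0x80 else 2 + (resp[1] & 0x7F)            # skip SEQUENCE header
    i += 2 + resp[i + 1]                                          # skip INTEGER messageID
    i += 2 if resp[i + 1] < 0x80 else 2 + (resp[i + 1] & 0x7F)    # skip [APP 24] header
    assert resp[i] == 0x0A, "expected ENUMERATED resultCode"
    return int.from_bytes(resp[i + 2:i + 2 + resp[i + 1]], "big")

def try_starttls(host, port, cafile, certfile=None, keyfile=None):
    """Issue StartTLS, then handshake the way saslauthd would; returns TLS version."""
    ctx = ssl.create_default_context(cafile=cafile)   # verify server cert against cacert
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)        # client cert, as for SASL EXTERNAL
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(starttls_request())
        rc = result_code(sock.recv(4096))
        if rc != 0:
            raise RuntimeError(f"server refused StartTLS, resultCode={rc}")
        # Unknown CA, cert/key mismatch or hostname mismatch all raise ssl.SSLError here.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()

if __name__ == "__main__":
    # Same server and file paths as the saslauthd.conf in the post.
    try:
        print("StartTLS ok:", try_starttls("localhost", 389, "/etc/ssl/certs/cacert.pem",
                                           "/etc/ssl/certs/clientcert.pem",
                                           "/etc/ssl/certs/clientkey.pem"))
    except (OSError, ssl.SSLError, RuntimeError) as err:
        raise SystemExit(f"StartTLS failed: {err}")
```

Run it as the same user saslauthd runs as, since an unreadable key file shows up as an OSError rather than a TLS error.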