SASL LDAP + TLS

David E. Wheeler david at kineticode.com
Thu Mar 20 12:21:45 EDT 2008


On Mar 20, 2008, at 01:11, Dieter Kluenter wrote:

> "David E. Wheeler" <david at kineticode.com> writes:
>
>> On Mar 19, 2008, at 15:02, Quanah Gibson-Mount wrote:
>>
>>> If you mean Postfix doing SASL anything to OpenLDAP, it doesn't
>>> support SASL binds to LDAP.  I have a patch for that.
>>
>> That sounds promising. However, Postfix does do SASL, and SASL does
>> talk to OpenLDAP (as I was able to find using testsaslauthd), but my
>> trouble is getting SASL to talk to OpenLDAP using SASL authentication
>> with TLS. My /etc/saslauthd.conf looks like this:
>
> try auxprop ldapdb and appropriate settings in smtpd.conf to enable
> postfix sasl authentication.

Thank you for your reply, Dieter. However, I haven't even got as far as trying to get postfix hooked up. I was first trying to make sure that saslauthd was working with LDAP using testsaslauthd. When saslauthd.conf looks like this:

   ldap_servers: ldap://localhost/
   ldap_use_sasl: yes

It works:

% sudo testsaslauthd -u david -p '******'
0: OK "Success."

But when it looks like this:

   ldap_servers: ldap://localhost/
   ldap_use_sasl: yes
   ldap_start_tls: yes
   ldap_tls_cacert_file: /etc/ssl/certs/cacert.pem
   ldap_tls_cert: /etc/ssl/certs/clientcert.pem
   ldap_tls_key: /etc/ssl/certs/clientkey.pem

It doesn't work:

% sudo testsaslauthd -u david -p '******'
0: NO "authentication failed"

And this is what shows up in the auth.log:

Mar 19 13:11:48 sahlins saslauthd[8258]: start tls failed (Connect error).
Mar 19 13:11:48 sahlins saslauthd[8258]: Authentication failed for david: Cannot connect to ldap server (configuration error) (-8)
Mar 19 13:11:48 sahlins saslauthd[8258]: do_auth         : auth failure: [user=david] [service=imap] [realm=] [mech=ldap] [reason=Unknown]

The relevant slapd logging is here:

   http://kineticode.com/code/slapd.txt

I can't tell why starttls fails. :-( It works fine when I use ldapsearch -Y EXTERNAL -- it doesn't even prompt me for a password!

If you have any ideas what I might be missing (something in saslauthd.conf, surely!), I would greatly appreciate it.

Thanks,

David

PS: I have these directives in slapd.conf:

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSCertificateFile /etc/ssl/certs/servercert.pem
TLSCertificateKeyFile /etc/ssl/private/serverkey.pem
TLSVerifyClient allow

sasl-regexp
    uid=(.*),cn=digest-md5,cn=auth
    uid=$1,ou=people,dc=kineticode,dc=com
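The following is an added example, not code from the thread, from cyrus-sasl or from OpenLDAP: a small consistency check over the two fragments quoted in the message (the saslauthd.conf that fails and the slapd.conf TLS directives in the PS). The two config texts embedded in it are constructed copies of those fragments; the saslauthd option names are the documented LDAP_SASLAUTHD ones, and the assumption that an unset TLSVerifyClient means "never" follows slapd's documented default. It cannot see the certificates, so it cannot explain the "start tls failed (Connect error)" line, which is what the TLS handshake itself reports; what it flags are the settings a practitioner would tighten in the same pass: ldap_tls_check_peer (the option LDAP_SASLAUTHD describes as "require and verify server certificate", which listing a cacert file alone does not turn on), a private key placed in the normally world-readable certs directory, and a TLSCipherSuite that mentions SSLv2 without excluding it.

```python
"""Lint the TLS settings of a saslauthd.conf / slapd.conf pair.

Added example, not code from cyrus-sasl or OpenLDAP. Option names follow
the saslauthd LDAP_SASLAUTHD documentation; the configs are constructed
copies of the fragments quoted in the message.
"""
import re

# Constructed copy of the failing saslauthd.conf quoted in the message.
SASLAUTHD_CONF = """\
ldap_servers: ldap://localhost/
ldap_use_sasl: yes
ldap_start_tls: yes
ldap_tls_cacert_file: /etc/ssl/certs/cacert.pem
ldap_tls_cert: /etc/ssl/certs/clientcert.pem
ldap_tls_key: /etc/ssl/certs/clientkey.pem
"""

# Constructed copy of the slapd.conf TLS directives quoted in the PS.
SLAPD_CONF = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSCertificateFile /etc/ssl/certs/servercert.pem
TLSCertificateKeyFile /etc/ssl/private/serverkey.pem
TLSVerifyClient allow
"""


def _strip(line):
    """Drop a trailing '#' comment and surrounding whitespace ('' if blank)."""
    return line.split("#", 1)[0].strip()


def parse_saslauthd(text):
    """saslauthd.conf: one 'option: value' per line, options case-insensitive."""
    conf = {}
    for raw in text.splitlines():
        line = _strip(raw)
        if line:
            key, _, value = line.partition(":")
            conf[key.strip().lower()] = value.strip()
    return conf


def parse_slapd(text):
    """slapd.conf: one 'Directive value' per line, directives case-insensitive."""
    conf = {}
    for raw in text.splitlines():
        line = _strip(raw)
        if line:
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint_tls(saslauthd, slapd):
    """Return a list of human-readable findings about the TLS settings."""
    findings = []

    def is_yes(option):
        return saslauthd.get(option, "no").lower() == "yes"

    servers = saslauthd.get("ldap_servers", "")
    tls_in_use = is_yes("ldap_start_tls") or servers.startswith("ldaps://")

    if is_yes("ldap_start_tls") and servers.startswith("ldaps://"):
        findings.append("ldap_start_tls on an ldaps:// URL: STARTTLS on an "
                        "already-TLS port cannot succeed")

    if tls_in_use:
        # A cacert file by itself does not require or verify the server cert;
        # LDAP_SASLAUTHD documents ldap_tls_check_peer as the switch for that.
        if not is_yes("ldap_tls_check_peer"):
            findings.append("ldap_tls_check_peer is not yes: the server "
                            "certificate is not required or verified")
        elif not (saslauthd.get("ldap_tls_cacert_file")
                  or saslauthd.get("ldap_tls_cacert_dir")):
            findings.append("ldap_tls_check_peer: yes needs "
                            "ldap_tls_cacert_file or ldap_tls_cacert_dir")

    key = saslauthd.get("ldap_tls_key", "")
    if key and "/certs/" in key:
        findings.append("ldap_tls_key %s sits in a certificates directory, "
                        "which is normally world-readable" % key)

    # slapd's documented default for TLSVerifyClient is 'never'.
    if (saslauthd.get("ldap_tls_cert")
            and slapd.get("tlsverifyclient", "never").lower() == "never"):
        findings.append("a client certificate is configured but slapd has "
                        "TLSVerifyClient never, so it is never requested")

    ciphers = slapd.get("tlsciphersuite", "")
    if "SSLv2" in ciphers and not re.search(r"[!-]SSLv2", ciphers):
        findings.append("TLSCipherSuite %r mentions SSLv2 without excluding "
                        "it; use !SSLv2 instead of +SSLv2" % ciphers)
    return findings


if __name__ == "__main__":
    for finding in lint_tls(parse_saslauthd(SASLAUTHD_CONF),
                            parse_slapd(SLAPD_CONF)):
        print("-", finding)
```

Run against the two fragments as quoted it reports three findings (check_peer unset, the client key under /etc/ssl/certs, and +SSLv2); with ldap_tls_check_peer: yes added, the key moved next to the server key and +SSLv2 replaced by !SSLv2, it reports none.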


