Configuring saslauthd for ldap

Olivier Nicole on at cs.ait.ac.th
Wed Jul 22 21:58:29 EDT 2009


Hi,

I am stuck with the following problem and I don't know where to find
information/what to do.

I am trying Cyrus-sasl for authentication in Postfix.

I have installed on FreeBSD:

cyrus-sasl-2.1.23   RFC 2222 SASL (Simple Authentication and Security Layer)
cyrus-sasl-ldapdb-2.1.23 SASL LDAPDB auxprop plugin
cyrus-sasl-saslauthd-2.1.23 SASL authentication server for cyrus-sasl2

My ldap server accepts anonymous bind on the standard port (389) and
simple bind on SSL port (636).

How to configure saslauthd to be able to authenticate to ldap server?

I have been trying many configurations for saslauthd, but without
success (while at the same time I have several services that bind
successfully to the ldap server).

My latest saslauthd.conf is:

ldap_auth_method: fastbind
ldap_servers: ldaps://ldap.cs.ait.ac.th/
ldap_version: 3
ldap_timeout: 10
ldap_time_limit: 10
ldap_scope: one
ldap_search_base: ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th 
# ldap_filter: (&(uid=%U) (csimAccountPermission=mail))
ldap_filter: uid=%u,ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th 
ldap_tls_cacert_file: /usr/local/ssl/ca/ait-itserv.crt 
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
#ldap_bind_dn: cn=Manager,dc=cs,dc=ait,dc=ac,dc=th
#ldap_bind_pw: XXXXXX
# ldap_group_dn: ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th

From the ldap server logs, it seems it binds properly, but then it
tries many other binds that do not succeed:

Jul 23 08:56:03 ldap slapd[37776]: conn=3321 fd=34 ACCEPT from IP=192.41.170.50:58534 (IP=192.41.170.6:636)
Jul 23 08:56:03 ldap slapd[37776]: conn=3321 fd=34 closed (TLS negotiation failure)
Jul 23 08:56:03 ldap slapd[37776]: conn=3322 fd=34 ACCEPT from IP=192.41.170.50:52393 (IP=192.41.170.6:636)
Jul 23 08:56:04 ldap slapd[37776]: conn=3323 fd=36 ACCEPT from IP=192.41.170.50:53526 (IP=192.41.170.6:636)
Jul 23 08:56:04 ldap slapd[37776]: conn=3323 fd=36 closed (TLS negotiation failure)
Jul 23 08:56:04 ldap slapd[37776]: conn=3324 fd=36 ACCEPT from IP=192.41.170.50:56136 (IP=192.41.170.6:636)

So my configuration must be wrong, but I can see what I should be
using instead.

TIA,

Olivier
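As an added illustration (not part of the original post), the following Python script correlates slapd ACCEPT and closed lines on their conn= id and counts TLS negotiation failures per client address, so a pattern like the one above (every other connection from the saslauthd host dying in the TLS handshake) stands out in a larger log. The sample input is the six log lines quoted in the post.

```python
import re
from collections import defaultdict

# Sample input: the slapd connection log lines quoted in the post above.
SAMPLE_LOG = """\
Jul 23 08:56:03 ldap slapd[37776]: conn=3321 fd=34 ACCEPT from IP=192.41.170.50:58534 (IP=192.41.170.6:636)
Jul 23 08:56:03 ldap slapd[37776]: conn=3321 fd=34 closed (TLS negotiation failure)
Jul 23 08:56:03 ldap slapd[37776]: conn=3322 fd=34 ACCEPT from IP=192.41.170.50:52393 (IP=192.41.170.6:636)
Jul 23 08:56:04 ldap slapd[37776]: conn=3323 fd=36 ACCEPT from IP=192.41.170.50:53526 (IP=192.41.170.6:636)
Jul 23 08:56:04 ldap slapd[37776]: conn=3323 fd=36 closed (TLS negotiation failure)
Jul 23 08:56:04 ldap slapd[37776]: conn=3324 fd=36 ACCEPT from IP=192.41.170.50:56136 (IP=192.41.170.6:636)
"""

# conn id, client IP and the local listener port of an ACCEPT line
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+ \(IP=[\d.]+:(\d+)\)")
# conn id and close reason of a closed line
CLOSED_RE = re.compile(r"conn=(\d+) fd=\d+ closed \((.*)\)")


def summarize_tls_failures(log_text):
    """Return {client_ip: {"accepted", "tls_failures", "open"}} built by
    matching each closed line back to the ACCEPT line with the same conn id."""
    client_of_conn = {}
    stats = defaultdict(lambda: {"accepted": 0, "tls_failures": 0, "open": 0})
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conn, client, _port = m.groups()
            client_of_conn[conn] = client
            stats[client]["accepted"] += 1
            stats[client]["open"] += 1      # still open until a closed line is seen
            continue
        m = CLOSED_RE.search(line)
        if m:
            conn, reason = m.groups()
            client = client_of_conn.get(conn)
            if client is None:              # closed line for a conn we never saw accepted
                continue
            stats[client]["open"] -= 1
            if "TLS negotiation failure" in reason:
                stats[client]["tls_failures"] += 1
    return dict(stats)


if __name__ == "__main__":
    for client, s in summarize_tls_failures(SAMPLE_LOG).items():
        print(f"{client}: accepted={s['accepted']} tls_failures={s['tls_failures']} still_open={s['open']}")
```

A client whose TLS failure count is a large share of its accepted connections is the one to check for a CA certificate or URI/StartTLS mismatch.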

