Configuring saslauthd for ldap

Patrick Ben Koetter p at state-of-mind.de
Thu Jul 23 00:22:26 EDT 2009 

Your log indicates its a TLS negotioation failure. Does it work if you don't
use TLS? If not, fix that. If it does, increase logging in slapd until you see
why TLS fails.

p at rick



* Olivier Nicole <on at cs.ait.ac.th>:
> I am stuck with the following problem and I don't know where to find
> information/what to do.
> 
> I am trying Cyrus-sasl for authentication in Postfix.
> 
> I have installed on FreeBSD:
> 
> cyrus-sasl-2.1.23   RFC 2222 SASL (Simple Authentication and Security Layer)
> cyrus-sasl-ldapdb-2.1.23 SASL LDAPDB auxprop plugin
> cyrus-sasl-saslauthd-2.1.23 SASL authentication server for cyrus-sasl2
> 
> My ldap server accepts anonymous bind on the standard port (389) and
> simple bind on SSL port (636).
> 
> How to configure saslauthd to be able to authenticate to ldap server?
> 
> I have been trying many configuration for saslauthd, but without
> success (while at same time I have several services that bind
> succesfully to the ldap server).
> 
> My latest saslauthd.conf is:
> 
> ldap_auth_method: fastbind
> ldap_servers: ldaps://ldap.cs.ait.ac.th/
> ldap_version: 3
> ldap_timeout: 10
> ldap_time_limit: 10
> ldap_scope: one
> ldap_search_base: ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th 
> # ldap_filter: (&(uid=%U) (csimAccountPermission=mail))
> ldap_filter: uid=%u,ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th 
> ldap_tls_cacert_file: /usr/local/ssl/ca/ait-itserv.crt 
> ldap_use_sasl: no
> ldap_start_tls: no
> ldap_version: 3
> #ldap_bind_dn: cn=Manager,dc=cs,dc=ait,dc=ac,dc=th
> #ldap_bind_pw: XXXXXX
> # ldap_group_dn: ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th
> 
> >From the ldap server logs, it seems it binds properly, but then is
> trying many other bind that does not success:
> 
> Jul 23 08:56:03 ldap slapd[37776]: conn=3321 fd=34 ACCEPT from IP=192.41.170.50:58534 (IP=192.41.170.6:636)
> Jul 23 08:56:03 ldap slapd[37776]: conn=3321 fd=34 closed (TLS negotiation failure)
> Jul 23 08:56:03 ldap slapd[37776]: conn=3322 fd=34 ACCEPT from IP=192.41.170.50:52393 (IP=192.41.170.6:636)
> Jul 23 08:56:04 ldap slapd[37776]: conn=3323 fd=36 ACCEPT from IP=192.41.170.50:53526 (IP=192.41.170.6:636)
> Jul 23 08:56:04 ldap slapd[37776]: conn=3323 fd=36 closed (TLS negotiation failure)
> Jul 23 08:56:04 ldap slapd[37776]: conn=3324 fd=36 ACCEPT from IP=192.41.170.50:56136 (IP=192.41.170.6:636)
> 
> So my configuration must be wrong, but I can see what I should be
> using instead.
> 
> TIA,
> 
> Olivier

-- 
All technical answers asked privately will be automatically answered on
the list and archived for public access unless privacy is explicitely
required and justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>

More information about the Cyrus-sasl mailing list