SASL LDAP authentication

Jackie Hunt jackie at yuma.colostate.edu
Sun Sep 13 23:43:11 EDT 2009 

Hi all,

I am trying to get authenticated SMTP running here on campus, and we are 
wanting to authenticate against Active Directory.  We are running 
sendmail, and I've been able to get it to work using the UNIX password 
file.  However, I'm having trouble when I try to use ldap to authenticate.

I'm working on RedHat ES rel4 with cyrus-sasl 2.1.19.   My first 
question is whether or not cyrus-sasl-lib is required for this to work?  
It's not installed on my test box.  However, I tried another Linux 
system we have that does have cyrus-sasl-lib installed, and things still 
don't work.  I know I'm missing something crucial, so any help would be 
greatly appreciated.

When I run saslauthd -v I see:

saslauthd 2.1.19
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap

So, I'm assuming it has everything it needs compiled in to do ldap 
authentication.

I then edited the /etc/sysconfig/saslauthd file, and changed the 
MECH=pam line to MECH=ldap.

Then I created a /etc/saslauthd.conf file with the contents:

ldap_servers: ldap://129.82.xxx.xxx/
ldap_bind_dn: cn=xxxxx,ou=xxxxxxxxxxx,dc=ColoState,dc=edu
ldap_password: xxxxxxxx
ldap_filter: (sAMAccountName=%u)
ldap_search_base: dc=colostate,dc=edu
ldap_auth_method: bind

Then I start saslauthd the following command:

/usr/sbin/saslauthd -a ldap -d -O /etc/saslauthd.conf

Then I run a command to test it:

/usr/sbin/testsaslauthd -u jackie -p xxxxx

And the output I see is:

saslauthd[8045] :main            : num_procs  : 5
saslauthd[8045] :main            : mech_option: /etc/saslauthd.conf
saslauthd[8045] :main            : run_path   : /var/run/saslauthd
saslauthd[8045] :main            : auth_mech  : ldap
saslauthd[8045] :ipc_init        : using accept lock file: 
/var/run/saslauthd/mux.accept
saslauthd[8045] :detach_tty      : master pid is: 0
saslauthd[8045] :ipc_init        : listening on socket: 
/var/run/saslauthd/mux
saslauthd[8045] :main            : using process model
saslauthd[8046] :get_accept_lock : acquired accept lock
saslauthd[8045] :have_baby       : forked child: 8046
saslauthd[8045] :have_baby       : forked child: 8047
saslauthd[8045] :have_baby       : forked child: 8048
saslauthd[8045] :have_baby       : forked child: 8049
saslauthd[8046] :rel_accept_lock : released accept lock
saslauthd[8047] :get_accept_lock : acquired accept lock
saslauthd[8046] :do_auth         : auth failure: [user=jackie] 
[service=imap] [realm=] [mech=ldap] [reason=Unknown]
saslauthd[8046] :do_request      : response: NO
saslauthd[8047] :rel_accept_lock : released accept lock

I don't see where it is trying to authenticate as the ldap_bind I 
specified in the configuration file.  Should it do that first?

I would really appreciate any help.  I've been struggling with this for 
several days.

Thanks so much!

Jackie Hunt
Colorado State University

More information about the Cyrus-sasl mailing list