SASL LDAP authentication

Martin Schweizer schweizer.martin at gmail.com
Mon Sep 14 01:02:53 EDT 2009


Hello Jack

I was in the same situation as you in the past two months. My goal was
to authenticate between my FreeBSD mail servers (Cyrus imapd /
sendmail) and Active Directory. I found that the best way was to
authenticate by KerberosV (by saslauthd -a kerberos5 or -a pam). Now
all is working as expected (after really hard work...). After the work
was done I've written a small tutorial (until now only in
German...:-))). Are you interested?

Regards,



2009/9/14 Jackie Hunt <jackie at yuma.colostate.edu>:
> Hi all,
>
> I am trying to get authenticated SMTP running here on campus, and we are
> wanting to authenticate against Active Directory.  We are running sendmail,
> and I've been able to get it to work using the UNIX password file.  However,
> I'm having trouble when I try to use ldap to authenticate.
>
> I'm working on RedHat ES rel4 with cyrus-sasl 2.1.19.   My first question is
> whether or not cyrus-sasl-lib is required for this to work?  It's not
> installed on my test box.  However, I tried another Linux system we have
> that does have cyrus-sasl-lib installed, and things still don't work.  I
> know I'm missing something crucial, so any help would be greatly
> appreciated.
>
> When I run saslauthd -v I see:
>
> saslauthd 2.1.19
> authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
>
> So, I'm assuming it has everything it needs compiled in to do ldap
> authentication.
>
> I then edited the /etc/sysconfig/saslauthd file, and changed the MECH=pam
> line to MECH=ldap.
>
> Then I created a /etc/saslauthd.conf file with the contents:
>
> ldap_servers: ldap://129.82.xxx.xxx/
> ldap_bind_dn: cn=xxxxx,ou=xxxxxxxxxxx,dc=ColoState,dc=edu
> ldap_password: xxxxxxxx
> ldap_filter: (sAMAccountName=%u)
> ldap_search_base: dc=colostate,dc=edu
> ldap_auth_method: bind
>
> Then I start saslauthd with the following command:
>
> /usr/sbin/saslauthd -a ldap -d -O /etc/saslauthd.conf
>
> Then I run a command to test it:
>
> /usr/sbin/testsaslauthd -u jackie -p xxxxx
>
> And the output I see is:
>
> saslauthd[8045] :main            : num_procs  : 5
> saslauthd[8045] :main            : mech_option: /etc/saslauthd.conf
> saslauthd[8045] :main            : run_path   : /var/run/saslauthd
> saslauthd[8045] :main            : auth_mech  : ldap
> saslauthd[8045] :ipc_init        : using accept lock file:
> /var/run/saslauthd/mux.accept
> saslauthd[8045] :detach_tty      : master pid is: 0
> saslauthd[8045] :ipc_init        : listening on socket:
> /var/run/saslauthd/mux
> saslauthd[8045] :main            : using process model
> saslauthd[8046] :get_accept_lock : acquired accept lock
> saslauthd[8045] :have_baby       : forked child: 8046
> saslauthd[8045] :have_baby       : forked child: 8047
> saslauthd[8045] :have_baby       : forked child: 8048
> saslauthd[8045] :have_baby       : forked child: 8049
> saslauthd[8046] :rel_accept_lock : released accept lock
> saslauthd[8047] :get_accept_lock : acquired accept lock
> saslauthd[8046] :do_auth         : auth failure: [user=jackie]
> [service=imap] [realm=] [mech=ldap] [reason=Unknown]
> saslauthd[8046] :do_request      : response: NO
> saslauthd[8047] :rel_accept_lock : released accept lock
>
> I don't see where it is trying to authenticate as the ldap_bind I specified
> in the configuration file.  Should it do that first?
>
> I would really appreciate any help.  I've been struggling with this for
> several days.
>
> Thanks so much!
>
> Jackie Hunt
> Colorado State University
>



-- 
Martin Schweizer
schweizer.martin at gmail.com
Tel.: +41 32 512 48 54 (VoIP)
Fax: +1 619 3300587
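The configuration quoted above points saslauthd at a plain ldap:// URL with ldap_auth_method: bind, so the service-account password and every user's password would cross the wire unencrypted, and the username typed at the SMTP AUTH prompt is substituted into the search filter at %u. Added here as an example, not code from this thread or from the cyrus-sasl project: a small Python module that parses a saslauthd.conf, expands the ldap_filter tokens with RFC 4515 escaping (so a username such as `*)(objectClass=*` cannot rewrite the query), and flags the settings a reviewer would raise before running testsaslauthd. The option names (ldap_start_tls, ldap_tls_check_peer, ldap_tls_cacert_file, ldap_bind_pw with ldap_password as its older alias) are those of saslauthd's LDAP module; the hostname dc1.example.edu, the CA file path and the service-account DN in the hardened variant are assumptions.

```python
import re

# Constructed sample: the saslauthd.conf quoted in the thread, placeholders kept as posted.
CLEARTEXT_CONF = """\
ldap_servers: ldap://129.82.xxx.xxx/
ldap_bind_dn: cn=xxxxx,ou=xxxxxxxxxxx,dc=ColoState,dc=edu
ldap_password: xxxxxxxx
ldap_filter: (sAMAccountName=%u)
ldap_search_base: dc=colostate,dc=edu
ldap_auth_method: bind
"""

# Constructed hardened variant (hostname, CA path and bind DN are assumptions, not from the thread):
# LDAPS so both the bind password and every user's password travel encrypted, and
# ldap_tls_check_peer plus a CA file so the directory's certificate is actually verified.
TLS_CONF = """\
ldap_servers: ldaps://dc1.example.edu/
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/pki/tls/certs/ad-ca.pem
ldap_version: 3
ldap_bind_dn: cn=saslauthd,ou=Service Accounts,dc=example,dc=edu
ldap_bind_pw: xxxxxxxx
ldap_filter: (sAMAccountName=%u)
ldap_search_base: dc=example,dc=edu
ldap_auth_method: bind
"""


def parse_saslauthd_conf(text):
    """Parse 'key: value' lines as saslauthd.conf uses them; '#' lines and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        conf[key.strip().lower()] = value.strip()
    return conf


# RFC 4515: these characters must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template, user, realm="", service=""):
    """Expand the ldap_filter tokens %u, %U, %d, %r, %s and %% with escaped values."""
    local, _, domain = user.partition("@")
    tokens = {
        "u": escape_filter_value(user),      # full login name as typed
        "U": escape_filter_value(local),     # part before '@'
        "d": escape_filter_value(domain),    # part after '@'
        "r": escape_filter_value(realm),
        "s": escape_filter_value(service),
        "%": "%",
    }

    def sub(m):
        t = m.group(1)
        if t not in tokens:
            raise ValueError("unsupported token %%%s" % t)
        return tokens[t]

    return re.sub(r"%(.)", sub, template)


def check_conf(conf):
    """Return the findings a reviewer would raise about a saslauthd LDAP configuration."""
    findings = []
    servers = conf.get("ldap_servers", "").split()
    start_tls = conf.get("ldap_start_tls", "no").lower() in ("yes", "on", "true", "1")
    uses_ldaps = any(s.lower().startswith("ldaps://") for s in servers)
    uses_plain = any(s.lower().startswith("ldap://") for s in servers)
    if not servers:
        findings.append("ldap_servers is not set")
    if uses_plain and not start_tls:
        findings.append("cleartext LDAP: the bind password and every user password "
                        "cross the wire unencrypted; use ldaps:// or ldap_start_tls: yes")
    if start_tls or uses_ldaps:
        if conf.get("ldap_tls_check_peer", "no").lower() not in ("yes", "on", "true", "1"):
            findings.append("TLS without ldap_tls_check_peer: yes: server certificate is not verified")
        if "ldap_tls_cacert_file" not in conf and "ldap_tls_cacert_dir" not in conf:
            findings.append("TLS without ldap_tls_cacert_file/ldap_tls_cacert_dir: no trust anchor")
    if conf.get("ldap_auth_method", "bind").lower() == "bind":
        # bind = search for the user with the service account, then bind as the DN found
        for key in ("ldap_search_base", "ldap_filter"):
            if key not in conf:
                findings.append("ldap_auth_method bind needs %s" % key)
        if "ldap_bind_dn" in conf and "ldap_bind_pw" not in conf and "ldap_password" not in conf:
            findings.append("ldap_bind_dn set without ldap_bind_pw/ldap_password")
    return findings


if __name__ == "__main__":
    for name, text in (("quoted", CLEARTEXT_CONF), ("hardened", TLS_CONF)):
        print(name, check_conf(parse_saslauthd_conf(text)) or ["ok"])
    print(render_filter("(sAMAccountName=%u)", "*)(objectClass=*"))
```

testsaslauthd only ever answers OK or NO; running the checks above over the file first separates a transport or trust problem from a wrong filter or bind DN, and the rendered filter shows what the directory will actually be asked.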