saslauthd : ldaps with Active Directory not working

MEURISSE CLAUDE claude.meurisse at bgl.lu
Thu Mar 25 06:03:41 EDT 2010


Hello,

I want to achieve the following configuration:

LDAPClient -- (ldap) --> OpenLDAP -- (pass-through authentication) --> Cyrus SASLAUTHD -- (ldaps) --> Active Directory

The configuration works fine when I use LDAP between Cyrus SASLAUTHD and Active Directory.
As soon as I turn on LDAPS in saslauthd.conf, I receive an auth failure (invalid credentials):

saslauthd[12276] :rel_accept_lock : released accept lock
saslauthd[12277] :get_accept_lock : acquired accept lock
saslauthd[12276] :do_auth         : auth failure: [user=myuser at luinternal.subsidiary.bank] [service=ldap] [realm=internal.subsidiary.bank] [mech=ldap] [reason=Unknown]
saslauthd[12276] :do_request      : response: NO

I can successfully bind over LDAPS with a standard LDAP client (like LDAP Browser/Editor 2.8.2 from Jarek Gawor).
Note that I only want to bind over an encrypted channel. No need to do client authentication against the AD LDAP.

Here is my saslauthd.conf:

ldap_servers: ldaps://internal.subsidiary.bank/
ldap_search_base: OU=Standard,OU=User_Accounts,DC=internal,DC=subsidiary,DC=bank
ldap_filter: (userPrincipalName=%u)

ldap_bind_dn: CN=myuser,OU=Standard,OU=User_Accounts,DC=internal,DC=subsidiary,DC=bank
ldap_password: secret
ldap_tls_cacert_file: /tmp/cert.pem

I have verified the Root CA in /tmp/cert.pem and I can successfully view it. The AD LDAP server certificate is indeed signed by this Root CA.

Where am I wrong in the configuration?
How can I enable more tracing on the saslauthd daemon?

All components are running on Solaris 10.

/usr/local/sbin/saslauthd -v
saslauthd 2.1.21
authentication mechanisms: getpwent pam rimap shadow ldap


Claude.
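The following is an added example, not code from Cyrus SASL or from the poster: a small linter that parses a saslauthd.conf in the `key: value` form quoted above and flags the LDAPS-related settings a defender would review (cleartext bind, missing CA file, CA file in a world-writable directory, `ldap_tls_check_peer` not enabled, cleartext `ldap_password`). The sample configuration is constructed to mirror the post; the remediation hints are the example's own suggestions.

```python
"""Lint saslauthd.conf LDAP/LDAPS settings (added example, not Cyrus SASL code)."""
from urllib.parse import urlsplit

# Constructed sample that mirrors the configuration quoted in the post.
SAMPLE_CONF = """\
ldap_servers: ldaps://internal.subsidiary.bank/
ldap_search_base: OU=Standard,OU=User_Accounts,DC=internal,DC=subsidiary,DC=bank
ldap_filter: (userPrincipalName=%u)

ldap_bind_dn: CN=myuser,OU=Standard,OU=User_Accounts,DC=internal,DC=subsidiary,DC=bank
ldap_password: secret
ldap_tls_cacert_file: /tmp/cert.pem
"""


def parse_conf(text):
    """saslauthd.conf is one 'key: value' per line; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")  # split on the FIRST colon only
        conf[key.strip()] = value.strip()
    return conf


def lint_ldaps(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    servers = conf.get("ldap_servers", "").split()
    uses_ldaps = any(urlsplit(s).scheme == "ldaps" for s in servers)
    start_tls = conf.get("ldap_start_tls", "no").lower() == "yes"
    if not uses_ldaps and not start_tls:
        findings.append("bind credentials travel in clear text: no ldaps:// URL and ldap_start_tls is not yes")
    if uses_ldaps or start_tls:
        cafile = conf.get("ldap_tls_cacert_file")
        if not cafile and not conf.get("ldap_tls_cacert_dir"):
            findings.append("TLS is on but no ldap_tls_cacert_file/ldap_tls_cacert_dir: server cert cannot be verified")
        elif cafile and cafile.startswith("/tmp/"):
            # Assumption of this example: /tmp is world-writable, so the trust anchor could be replaced.
            findings.append(f"CA file {cafile} lives in /tmp: move it to a root-owned directory")
        if conf.get("ldap_tls_check_peer", "no").lower() != "yes":
            findings.append("ldap_tls_check_peer is not yes: the server certificate is not enforced")
    if conf.get("ldap_password"):
        findings.append("ldap_password is stored in clear text: keep saslauthd.conf readable by root only")
    return findings


if __name__ == "__main__":
    for finding in lint_ldaps(parse_conf(SAMPLE_CONF)):
        print("-", finding)
```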



