saslauthd : ldaps with Active Directory not working
MEURISSE CLAUDE
claude.meurisse at bgl.lu
Thu Mar 25 06:03:41 EDT 2010
Hello,
I want to achieve the following configuration:
LDAPClient -- (ldap) --> OpenLDAP -- (pass-throug Authentication) --> Cyrus SASLAUTHD -- (ldaps) --> Active Directory
The configuration works fine when I use LDAP between Cyrus SASLAUTHD and Active Directory.
As soon as I turn on LDAPS in the saslauthd.conf, I receive an auth failure (invalid credentials) :
saslauthd[12276] :rel_accept_lock : released accept lock
saslauthd[12277] :get_accept_lock : acquired accept lock
saslauthd[12276] :do_auth : auth failure: [user=myuser at luinternal.subsidiary.bank] [service=ldap] [realm=internal.subsidiary.bank] [mech=ldap] [reason=Unknown]
saslauthd[12276] :do_request : response: NO
I can sucessfully bind in LDAPS with a standard LDAP Client (Like LDAP Browser/Editor 2.8.2 from Jarek Gawor)
Note that I only want to bind over an encrypted channel. No need to do client authentication against the AD LDAP.
Here is my saslauthd.conf :
ldap_servers: ldaps://internal.subsidiary.bank/
ldap_search_base: OU=Standard,OU=User_Accounts,DC=internal,DC=subsidiary,DC=bank
ldap_filter: (userPrincipalName=%u)
ldap_bind_dn: CN=myuser,OU=Standard,OU=User_Accounts,DC=internal,DC=subsidiary,DC=bank
ldap_password: secret
ldap_tls_cacert_file: /tmp/cert.pem
I have verified the Root CA in /tmp/cert.pem and I can successfully view it. The AD LDAP server certificate is well signed by this Root CA.
Where am I wrong in the configuration ?
How can I enable more tracing on the saslauthd daemon ?
All components running on Solaris 10.
/usr/local/sbin/saslauthd -v
saslauthd 2.1.21
authentication mechanisms: getpwent pam rimap shadow ldap
Claude.
============================================
Internet communications are not secure and therefore BGL BNP Paribas does not accept legal responsibility for the contents of this message. The information contained in this e-mail is confidential and may be legally privileged. It is intended solely for the addressee. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. Nothing in the message is capable or intended to create any legally binding obligations on either party and it is not intended to provide legal advice.
============================================
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/attachments/20100325/40005025/attachment.html
More information about the Cyrus-sasl
mailing list