saslauthd : ldaps with Active Directory not working

Dan White dwhite at olp.net
Fri Mar 26 22:50:26 EDT 2010


On 25/03/10 11:03 +0100, MEURISSE CLAUDE wrote:
>The configuration works fine when I use LDAP between Cyrus SASLAUTHD and Active Directory.
>As soon as I turn on LDAPS in the saslauthd.conf, I receive an auth failure (invalid credentials):
>
>saslauthd[12276] :rel_accept_lock : released accept lock
>saslauthd[12277] :get_accept_lock : acquired accept lock
>saslauthd[12276] :do_auth         : auth failure: [user=myuser at luinternal.subsidiary.bank] [service=ldap] [realm=internal.subsidiary.bank] [mech=ldap] [reason=Unknown]
>saslauthd[12276] :do_request      : response: NO
>
>I can successfully bind in LDAPS with a standard LDAP Client (Like LDAP Browser/Editor 2.8.2 from Jarek Gawor)
>
>Here is my saslauthd.conf :
>
>ldap_servers: ldaps://internal.subsidiary.bank/
>ldap_search_base: OU=Standard,OU=User_Accounts,DC=internal,DC=subsidiary,DC=bank
>ldap_filter: (userPrincipalName=%u)
>
>ldap_bind_dn: CN=myuser,OU=Standard,OU=User_Accounts,DC=internal,DC=subsidiary,DC=bank
>ldap_password: secret
>ldap_tls_cacert_file: /tmp/cert.pem

Assuming you have compiled your saslauthd against the openldap library, you
can use ldapsearch to simulate the binds, with debugging set - assuming
LDAP_DEBUG was enabled during openldap compile:

echo "TLS_CACERT /tmp/cert.pem" >> ~/.ldaprc

# -x: simple bind, as saslauthd does; -d -1: all openldap client debugging
ldapsearch -d -1 -x -H ldaps://internal.subsidiary.bank/ \
  -D CN=myuser,OU=Standard,OU=User_Accounts,DC=internal,DC=subsidiary,DC=bank \
  -w secret \
  -b OU=Standard,OU=User_Accounts,DC=internal,DC=subsidiary,DC=bank \
  "(userPrincipalName=myuser@luinternal.subsidiary.bank)"

And then does saslauthd rebind using the user's DN and password? I'm not
sure.

-- 
Dan White

