Help with Cyrus configuration - testsaslauthd not working

Dan White dwhite at olp.net
Mon Nov 7 18:11:52 EST 2011


On 07/11/11 21:49 +0000, Gabriella Turek wrote:
>Hello, I am trying to set up Cyrus sasl so I can use it for pass-through
>authentication with OpenLDAP. The OS is SUSE sles11 and I thought I'd
>start with what is already there preinstalled (v.2.1.22) I am trying to
>authenticate against Active Directory 2008.
>My configuration file looks like:
>
>ldap_servers: ldap://hamwdc01.niwa.local/
>ldap_search_base: DC=niwa=,DC=local

You have a typo here, with an extra equals sign.

>ldap_scope: sub
>ldap_sasl_mech: plain

Since you're not using ldap_use_sasl: yes, you should remove
ldap_sasl_mech from your config.

>ldap_auth_method: bind
>ldap_bind_dn: "CN=SDT Tester,OU=NIWA Staff Accounts,OU=User Accounts,DC=niwa,DC=local"
>ldap_password: mypassword
>ldap_filter: (dn=%u)
>
>When I try authenticate using testsaslauthd I get:
>>Authentication failed for some-user: Bind to ldap server failed (invalid
>>user/password or insufficient access) (-7)
>
>If I try a ldap_bind_dn of the form
>sdttester at niwa.local in the config file I
>get:
>Authentication failed for some-user: Retry condition (ldap server
>connection reset or broken) (-3)

You should be using the DN, when using 'ldap_auth_method: bind'.

>This is all very puzzling, as I can ldapsearch perfectly fine with any
>valid user I chose in either form (DN or userPrincipalName)
>
>Is it possible that this installation of cyrus has not been compiled with
>ldap support? I would expect a bit more feedback.

You can verify saslauthd was compiled with LDAP support with 'saslauthd
-v'. You use it by specifying '-a ldap' as a command line option.

Your saslauthd.conf file should typically go in /etc, but you can specify an
alternate location with '-O <path/file>'.

See saslauthd/LDAP_SASLAUTHD in the source for documentation.

You can simulate the function of saslauthd (in bind mode) with:

ldapsearch -x -H ldap://hamwdc01.niwa.local/ \
  -D "CN=SDT Tester,OU=NIWA Staff Accounts,OU=User Accounts,DC=niwa,DC=local" \
  -w mypassword -b "DC=niwa,DC=local" "(dn=testusername)" dn

and then with the returned dn:

ldapwhoami -x -H ldap://hamwdc01.niwa.local/ -D "$DN" -w <user_password>

and if successful, ldapwhoami should return the DN again. If so, then your
saslauthd.conf config is probably correct.

For further troubleshooting, you can add 'ldap_debug: -1' to your
saslauthd.conf, and start saslauthd in debug mode.

After verifying testsaslauthd is working, make sure that your OpenLDAP user
(-u option) has filesystem permissions to access the saslauthd mux.

For OpenLDAP pass-through documentation, see "14.5. Pass-Through
authentication" of the OpenLDAP Administrator's Guide.

-- 
Dan White
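The two-step check described in the reply (service bind and search for the user's entry, then bind as the returned DN) as a script. This is an added example, not code from the thread or from the cyrus-sasl project; it assumes the OpenLDAP client tools are installed, reuses the server, bind DN, base and filter from the quoted saslauthd.conf as defaults, and the helper names (check_user, extract_dn, build_filter, escape_filter_value) are hypothetical. It goes a little beyond the thread by escaping the username before substituting it for %u, as saslauthd does, and by handling folded and base64-encoded ("dn::") lines in ldapsearch output.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce what saslauthd does with
# ldap_auth_method: bind. Assumes OpenLDAP client tools; defaults mirror the
# quoted saslauthd.conf and can be overridden from the environment.
LDAP_URI="${LDAP_URI:-ldap://hamwdc01.niwa.local/}"
BIND_DN="${BIND_DN:-CN=SDT Tester,OU=NIWA Staff Accounts,OU=User Accounts,DC=niwa,DC=local}"
BIND_PW="${BIND_PW:-mypassword}"
SEARCH_BASE="${SEARCH_BASE:-DC=niwa,DC=local}"   # one '=' per component
FILTER_TEMPLATE="${FILTER_TEMPLATE:-(dn=%u)}"    # same template as ldap_filter

# RFC 4515 escaping of the value substituted for %u (saslauthd does the same),
# so a username containing ( ) * or \ cannot change the filter's meaning.
escape_filter_value() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

build_filter() {   # replace %u in the template with the escaped username
    printf '%s' "${FILTER_TEMPLATE%%%u*}$(escape_filter_value "$1")${FILTER_TEMPLATE#*%u}"
}

# First DN in ldapsearch LDIF output. Unfolds continuation lines (they start
# with one space) and decodes "dn:: <base64>", which ldapsearch emits when the
# DN contains non-ASCII characters.
extract_dn() {
    _dn_line=$(printf '%s\n' "$1" | awk '
        /^ / { buf = buf substr($0, 2); next }
        buf ~ /^dn::? / { print buf; buf = ""; exit }
        { buf = $0 }
        END { if (buf ~ /^dn::? /) print buf }')
    case "$_dn_line" in
        'dn:: '*) printf '%s' "${_dn_line#dn:: }" | base64 -d ;;
        'dn: '*)  printf '%s' "${_dn_line#dn: }" ;;
        *)        return 1 ;;
    esac
}

# check_user <username> <password>: succeeds only if both binds succeed.
check_user() {
    filter=$(build_filter "$1")
    ldif=$(ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" \
               -b "$SEARCH_BASE" "$filter" dn) ||
        { echo "service bind or search failed: check ldap_bind_dn/ldap_password"; return 1; }
    user_dn=$(extract_dn "$ldif") ||
        { echo "no entry matched $filter: check ldap_filter/ldap_search_base"; return 1; }
    ldapwhoami -x -H "$LDAP_URI" -D "$user_dn" -w "$2" >/dev/null ||
        { echo "user bind failed for $user_dn"; return 1; }
    echo "OK: $user_dn"
}

if [ -n "${1:-}" ]; then check_user "$1" "$2"; fi
```

Each failing step names the saslauthd.conf keys it corresponds to, so a failure maps directly onto the config line to fix.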

