same SASL config that works on CentOS5 & 6 fails on CentOS7

Paul Raines raines at nmr.mgh.harvard.edu
Thu Sep 27 16:04:02 EDT 2018 

I have a saslauthd server running on a CentOS6 system that I want
to upgrade to CentOS7.  On the CentOS6 system I have /etc/saslauthd.conf
set as (domain changed):

ldap_servers: ldaps://ldap.foobar.org
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5

and saslauthd is run as

/usr/sbin/saslauthd -m /run/saslauthd -a ldap -O /etc/saslauthd.conf

The LDAP server is the LDAP portal of the corporate AD server.

This works fine as 'testsaslauthd -s ldap ...' succeeds.  This
same config worked when it was on a CentOS5 system.

When I set up this identical config on a test CentOS7 system the
testsaslauthd always fails.  Debug output is

Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 client step 2
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 parse_server_challenge()
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 ask_user_info()
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 client step 2
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 ask_user_info()
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 make_client_response()
Aug 24 11:05:42 hound saslauthd[118834]: Authentication failed for per2: Bind 
to ldap server failed (invalid user/password or insufficient access) (-7)
Aug 24 11:05:42 hound saslauthd[118834]: do_auth         : auth failure: 
[user=per2] [service=ldap] [realm=] [mech=ldap] [reason=Unknown]

I have tried ldap_auth_method with 'bind' and 'fastbind' and
ldap_use_sasl set to no, but every combo fails.

It does work to use a /etc/saslauthd.conf with explicit credentials such
as

ldap_servers: ldaps://ldap.foobar.org
ldap_search_base: dc=foobar,dc=org
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn: cn=myuid,cn=users,dc=foobar,dc=org
ldap_password: *********

but I don't like putting my password in a config file and also having to 
remember to change it everytime the password changes in AD

Does anyone have any ideas why the initial setup does not work
in CentOS7?


---------------------------------------------------------------
Paul Raines                     http://help.nmr.mgh.harvard.edu
MGH/MIT/HMS Athinoula A. Martinos Center for Biomedical Imaging
149 (2301) 13th Street     Charlestown, MA 02129	    USA

More information about the Cyrus-sasl mailing list