same SASL config that works on CentOS5 & 6 fails on CentOS7

Dan White dwhite at olp.net
Fri Sep 28 14:36:33 EDT 2018


On 09/27/18 16:04 -0400, Paul Raines wrote:
>I have a saslauthd server running on a CentOS6 system that I want
>to upgrade to CentOS7.  On the CentOS6 system I have /etc/saslauthd.conf
>set as (domain changed):
>
>ldap_servers: ldaps://ldap.foobar.org
>ldap_use_sasl: yes
>ldap_mech: DIGEST-MD5
>
>and saslauthd is run as
>
>/usr/sbin/saslauthd -m /run/saslauthd -a ldap -O /etc/saslauthd.conf
>
>The LDAP server is the LDAP portal of the corporate AD server.
>
>This works fine as 'testsaslauthd -s ldap ...' succeeds.  This
>same config worked when it was on a CentOS5 system.
>
>When I set up this identical config on a test CentOS7 system the
>testsaslauthd always fails.  Debug output is
>
>Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 client step 2
>Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 parse_server_challenge()
>Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 ask_user_info()
>Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 client step 2
>Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 ask_user_info()
>Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 make_client_response()
>Aug 24 11:05:42 hound saslauthd[118834]: Authentication failed for per2: Bind to ldap server failed (invalid user/password or insufficient access) (-7)
>Aug 24 11:05:42 hound saslauthd[118834]: do_auth         : auth failure: [user=per2] [service=ldap] [realm=] [mech=ldap] [reason=Unknown]
>
>I have tried ldap_auth_method with 'bind' and 'fastbind' and
>ldap_use_sasl set to no, but every combo fails.
>
>It does work to use a /etc/saslauthd.conf with explicit credentials such
>as
>
>ldap_servers: ldaps://ldap.foobar.org
>ldap_search_base: dc=foobar,dc=org
>ldap_filter: (sAMAccountName=%u)
>ldap_bind_dn: cn=myuid,cn=users,dc=foobar,dc=org
>ldap_password: *********
>
>but I don't like putting my password in a config file and also having
>to remember to change it every time the password changes in AD.
>
>Does anyone have any ideas why the initial setup does not work
>in CentOS7?

Check your DNS settings.

Troubleshoot this by using the ldap client utilities directly:

ldapwhoami -d -1 -H ldaps://ldap.foobar.org -Y DIGEST-MD5 -U per2 -W
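A small diagnostic script for the DNS check and the ldapwhoami test above, added here as an example and not part of the thread or of the Cyrus SASL or OpenLDAP projects. It assumes the ldap_servers URI and user per2 from the report, and relies on OpenLDAP's documented SASL_NOCANON behaviour: libldap builds the DIGEST-MD5 digest-uri host from a reverse-DNS lookup of the address it connected to unless that option is on, so a PTR record naming a different host than ldap_servers is one way the same config can fail on a new box.

```shell
#!/bin/sh
# Added example: check whether the host name saslauthd's DIGEST-MD5 bind will
# put into digest-uri ("ldap/<host>") matches the host named in ldap_servers.
# libldap takes <host> from reverse DNS of the connected address unless
# SASL_NOCANON is on (ldap.conf(5)); AD rejects a digest-uri it does not own.

# Extract the host part of an ldap:// or ldaps:// URI (port and path dropped).
uri_host() {
    h=${1#*://}; h=${h%%/*}; h=${h%%:*}
    printf '%s\n' "$h"
}

# Compare two host names case-insensitively, ignoring a trailing dot.
# Returns 0 when they agree, 1 when they differ or the first is empty.
names_agree() {
    a=$(printf '%s' "${1%.}" | tr 'A-Z' 'a-z')
    b=$(printf '%s' "${2%.}" | tr 'A-Z' 'a-z')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Forward-resolve the ldap_servers host, reverse-resolve the address, and
# report whether the name SASL will use matches the one configured.
dns_check() {
    host=$(uri_host "$1")
    ip=$(getent ahosts "$host" | awk 'NR==1 {print $1}')
    [ -n "$ip" ] || { echo "no address for $host"; return 2; }
    rname=$(getent hosts "$ip" | awk 'NR==1 {print $2}')
    if names_agree "$host" "$rname"; then
        echo "ok: $host -> $ip -> $rname"
    else
        echo "MISMATCH: $host -> $ip -> '${rname:-<no PTR>}'"
        echo "  digest-uri will name '${rname:-?}', not '$host'"
        return 1
    fi
}

# Bind as saslauthd would, once with reverse-DNS canonicalization (default)
# and once without (-N); only the second succeeding points at DNS, and
# 'SASL_NOCANON on' in ldap.conf or a corrected PTR record is the fix.
sasl_bind_check() {
    uri=$1; user=$2
    ldapwhoami -H "$uri" -Y DIGEST-MD5 -U "$user" -W && echo "canonicalized bind: ok"
    ldapwhoami -N -H "$uri" -Y DIGEST-MD5 -U "$user" -W && echo "-N (SASL_NOCANON) bind: ok"
}

# Usage: sh saslcheck.sh ldaps://ldap.foobar.org per2
if [ $# -eq 2 ]; then
    dns_check "$1"
    sasl_bind_check "$1" "$2"
fi
```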


More information about the Cyrus-sasl mailing list