problems with secure LDAP

tsg tsg at bugalux.com
Thu Jul 24 09:47:45 EDT 2003


On 24 July 2003 13:36, Ana Ribas/Upcnet wrote:
> Hi,
>
> I've been able to configure saslauthd with ldap authentication against my
> Lotus Domino eDirectory.
> My Cyrus IMAP server works fine too.
> I've created the mailboxes and the users can send and receive mail
> perfectly.
>
> Now, my following step is try to configure saslauthd for secure ldap.
> And, of course, it's my new problem.
>
> My configuration with ldaps is the next one:
>
> saslauthd.conf:

try the following:
ldap_servers: ldaps://myserver.upc.es/
ldap_tls_check_peer: yes        # only if you are going to check both certs, server and client
ldap_tls_cacert_file: full path to the CA cert
ldap_tls_cert: /var/imap/server.pem  # better to have different ones in a real
ldap_tls_key: /var/imap/server.pem   # production environment
and your LDAP server must listen on the ldaps port (all certificates should be
installed).

You can get all the conf files for building a secure mail server
(LDAP+Postfix+CyrusSASL+CyrusIMAP) at
www.bugalux.com/mbman/
Do not forget the last slash!


>       ldap_servers: ldap://myserver.upc.es:636/
>       ldap_port: 636
>       ldap_tls_check_peer: yes
>       ldap_tls_cacert_file: escert.pem
>       ldap_tls_cacert_dir: /var/imap/certs
>       ldap_tls_cert: /var/imap/server.pem
>       ldap_tls_key: /var/imap/server.pem
>
> And this is the response when I make the test and the ldapsearch:
> > saslauthd -a ldap
> > testsaslauthd -u juanito -p juanito
>
> 0: NO "authentication failed"
>
> > ldapsearch -v -p 636 -h myserver.upc.es -b "O=lcx" "(cn=usuari proves1)"
>
> ldap_init( myserver.upc.es, 636 )
> filter pattern: (cn=usuari proves1)
> returning: ALL
> filter is: ((cn=usuari proves1))
> ldap_result: Can't contact LDAP server
>
> The auth.log file results:
> Jul 24 12:49:52 delius saslauthd[22180]: [ID 285309 auth.info] detach_tty : master pid is: 22180
> Jul 24 12:49:52 delius saslauthd[22180]: [ID 285309 auth.info] ipc_init : listening on socket: /var/run/saslauthd/mux
>
> Jul 24 12:50:22 delius saslauthd[22181]: [ID 286158 auth.warning] Unable to
> set LDAP_OPT_X_TLS_CACERTFILE (Unknown error).
> Jul 24 12:50:22 delius saslauthd[22181]: [ID 948958 auth.warning] Unable to
> set LDAP_OPT_X_TLS_CACERTDIR (Unknown error).
> Jul 24 12:50:22 delius saslauthd[22181]: [ID 809616 auth.warning] Unable to
> set LDAP_OPT_X_TLS_REQUIRE_CERT (Unknown error).
> Jul 24 12:50:22 delius saslauthd[22181]: [ID 390630 auth.warning] Unable to
> set LDAP_OPT_X_TLS_CERTFILE (Unknown error).
> Jul 24 12:50:22 delius saslauthd[22181]: [ID 621624 auth.warning] Unable to
> set LDAP_OPT_X_TLS_KEYFILE (Unknown error).
> Jul 24 12:51:23 delius imapd[22194]: [ID 702911 auth.warning] Could not
> find a dlname line in .la file: libotp.la
> Jul 24 12:55:22 delius saslauthd[22181]: [ID 390612 auth.warning]
> ldap_simple_bind() failed as anonymous (Can't contact LDAP server)
> Jul 24 12:55:22 delius saslauthd[22181]: [ID 462440 auth.warning]
> lak_bind() failed
> Jul 24 12:55:22 delius saslauthd[22181]: [ID 285309 auth.info] do_auth : auth failure: [user=juanito] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
>
> I'm sure the path and name of certificates are correct, but saslauthd seems
> unable to set them and I don't know why.
> When I compiled SASL 2.1.15 , days ago, I included the option
> --with-openssl=/usr/local/ssl
>
> What can I do now?
> Thanks in advance.
>
> - ANNA -
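As an added example (not code from the thread, from Cyrus SASL, or from the bugalux.com configs), here is a small Python linter for the saslauthd.conf LDAP/TLS settings discussed above. It flags the two problems the reply points at (a plain ldap:// URI aimed at port 636 instead of ldaps://, and a relative path for the CA certificate), plus checks a practitioner would add: peer verification left off, a missing CA file/dir when verification is on, a private key that group/other can read, and cert and key sharing one file. The sample configs, file names and the temporary directory are constructed for the demo; treating only the literal "yes" as enabling ldap_tls_check_peer, and the ldap_start_tls key, are assumptions about saslauthd's option parsing.

```python
"""
Lint the LDAP/TLS section of a saslauthd.conf for the pitfalls in this thread:
a plain ldap:// URI pointed at the LDAPS port, relative certificate paths,
peer verification left off, and key/cert files that are missing or too open.
"""
import os
import stat
import tempfile
from urllib.parse import urlsplit

PATH_KEYS = ("ldap_tls_cacert_file", "ldap_tls_cacert_dir",
             "ldap_tls_cert", "ldap_tls_key")

# Constructed sample mirroring the poster's settings (not a file from the thread).
SAMPLE_BROKEN = """\
ldap_servers: ldap://myserver.upc.es:636/
ldap_port: 636
ldap_tls_check_peer: yes
ldap_tls_cacert_file: escert.pem
ldap_tls_cacert_dir: /var/imap/certs
ldap_tls_cert: /var/imap/server.pem
ldap_tls_key: /var/imap/server.pem
"""


def parse_saslauthd_conf(text):
    """saslauthd.conf is one 'key: value' per line; '#' begins a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf


def lint_ldap_tls(conf, check_files=False):
    """Return a list of (severity, message); severity is 'error', 'warn' or 'info'."""
    findings = []
    uris = conf.get("ldap_servers", "").split()
    if not uris:
        findings.append(("error", "ldap_servers is not set"))
    wants_tls = conf.get("ldap_start_tls", "").lower() == "yes"  # assumed option name
    for uri in uris:
        u = urlsplit(uri)
        if u.scheme == "ldap" and (u.port == 636 or conf.get("ldap_port") == "636"):
            # Cleartext LDAP sent to the LDAPS port never completes a handshake
            # (the 'Can't contact LDAP server' symptom in the thread).
            findings.append(("error", f"{uri}: plain ldap:// aimed at the LDAPS port; "
                                      f"use ldaps://{u.hostname}/"))
        elif u.scheme == "ldap" and not wants_tls:
            findings.append(("warn", f"{uri}: cleartext LDAP without ldap_start_tls; "
                                     "bind passwords cross the wire unencrypted"))
        elif u.scheme == "ldaps":
            wants_tls = True
        elif u.scheme != "ldap":
            findings.append(("error", f"{uri}: unknown scheme {u.scheme!r}"))
    if wants_tls:
        # Assumption: only the literal 'yes' turns peer verification on.
        if conf.get("ldap_tls_check_peer", "").lower() != "yes":
            findings.append(("warn", "ldap_tls_check_peer is not 'yes': the server certificate "
                                     "is not verified, so any host answering on the port can "
                                     "collect the bind credentials"))
        elif not (conf.get("ldap_tls_cacert_file") or conf.get("ldap_tls_cacert_dir")):
            findings.append(("error", "ldap_tls_check_peer is yes but neither "
                                      "ldap_tls_cacert_file nor ldap_tls_cacert_dir is set"))
    for key in PATH_KEYS:
        path = conf.get(key)
        if not path:
            continue
        if not os.path.isabs(path):
            findings.append(("error", f"{key}: {path!r} is relative; the daemon resolves it "
                                      "against its own working directory, give the full path"))
            continue
        if check_files:
            if not os.path.exists(path):
                findings.append(("error", f"{key}: {path} does not exist"))
            elif key == "ldap_tls_key" and os.stat(path).st_mode & 0o077:
                findings.append(("warn", f"{key}: {path} is readable by group/other; "
                                         "a private key should be mode 0600"))
    cert, keyf = conf.get("ldap_tls_cert"), conf.get("ldap_tls_key")
    if cert and keyf and cert == keyf:
        findings.append(("info", "ldap_tls_cert and ldap_tls_key are the same file; "
                                 "keep separate files in production"))
    return findings


def demo_fixed_config():
    """Lint the corrected config against placeholder files in a temp dir (constructed)."""
    with tempfile.TemporaryDirectory() as d:
        ca, cert, key = (os.path.join(d, n) for n in ("ca.pem", "server.pem", "server.key"))
        for p in (ca, cert, key):
            open(p, "w").close()  # empty placeholder, not a real certificate
        os.chmod(key, stat.S_IRUSR | stat.S_IWUSR)
        fixed = (f"ldap_servers: ldaps://myserver.upc.es/\n"
                 f"ldap_tls_check_peer: yes\n"
                 f"ldap_tls_cacert_file: {ca}\n"
                 f"ldap_tls_cert: {cert}\n"
                 f"ldap_tls_key: {key}\n")
        return lint_ldap_tls(parse_saslauthd_conf(fixed), check_files=True)


if __name__ == "__main__":
    for sev, msg in lint_ldap_tls(parse_saslauthd_conf(SAMPLE_BROKEN)):
        print(f"[{sev}] {msg}")
    print("fixed config findings:", demo_fixed_config())
```

Run it against a real /etc/saslauthd.conf with check_files=True as the user saslauthd runs as; a finding of the first kind means the URI is wrong, a finding of the second kind means the path only worked from the directory you started the daemon in.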
