problems with secure LDAP

Igor Brezac igor at ipass.net
Thu Jul 24 09:07:30 EDT 2003


On Thu, 24 Jul 2003, Ana Ribas/Upcnet wrote:

> Hi,
>
> I've been able to configure saslauthd with ldap authentication against my
> Lotus Domino eDirectory.
> My Cyrus IMAP server works fine too.
> I've created the mailboxes and the users can send and receive mail
> perfectly.
>
> Now, my next step is to try to configure saslauthd for secure LDAP.
> And, of course, it's my new problem.
>
> My configuration with ldaps is as follows:
>
> saslauthd.conf:
>       ldap_servers: ldap://myserver.upc.es:636/

You need
ldap_servers: ldaps://myserver.upc.es/

>       ldap_port: 636

This is not a valid option.

>       ldap_tls_check_peer: yes
>       ldap_tls_cacert_file: escert.pem
>       ldap_tls_cacert_dir: /var/imap/certs
>       ldap_tls_cert: /var/imap/server.pem
>       ldap_tls_key: /var/imap/server.pem

I would try without these options first.

> And this is the response when I make the test and the ldapsearch:
>
> > saslauthd -a ldap
> > testsaslauthd -u juanito -p juanito
> 0: NO "authentication failed"
>
> > ldapsearch -v -p 636 -h myserver.upc.es -b "O=lcx" "(cn=usuari proves1)"
> ldap_init( myserver.upc.es, 636 )
> filter pattern: (cn=usuari proves1)
> returning: ALL
> filter is: ((cn=usuari proves1))
> ldap_result: Can't contact LDAP server

Are you sure your ldap server accepts ssl connections?  If you cannot make
ldapsearch work, saslauthd will not work either...

>
> The auth.log file results:
> Jul 24 12:49:52 delius saslauthd[22180]: [ID 285309 auth.info] detach_tty
> : master pid is: 22180
> Jul 24 12:49:52 delius saslauthd[22180]: [ID 285309 auth.info] ipc_init
> : listening on socket: /var/run/saslauthd/mux
> Jul 24 12:50:22 delius saslauthd[22181]: [ID 286158 auth.warning] Unable to
> set LDAP_OPT_X_TLS_CACERTFILE (Unknown error).
> Jul 24 12:50:22 delius saslauthd[22181]: [ID 948958 auth.warning] Unable to
> set LDAP_OPT_X_TLS_CACERTDIR (Unknown error).
> Jul 24 12:50:22 delius saslauthd[22181]: [ID 809616 auth.warning] Unable to
> set LDAP_OPT_X_TLS_REQUIRE_CERT (Unknown error).
> Jul 24 12:50:22 delius saslauthd[22181]: [ID 390630 auth.warning] Unable to
> set LDAP_OPT_X_TLS_CERTFILE (Unknown error).
> Jul 24 12:50:22 delius saslauthd[22181]: [ID 621624 auth.warning] Unable to
> set LDAP_OPT_X_TLS_KEYFILE (Unknown error).
> Jul 24 12:51:23 delius imapd[22194]: [ID 702911 auth.warning] Could not
> find a dlname line in .la file: libotp.la
> Jul 24 12:55:22 delius saslauthd[22181]: [ID 390612 auth.warning]
> ldap_simple_bind() failed as anonymous (Can't contact LDAP server)
> Jul 24 12:55:22 delius saslauthd[22181]: [ID 462440 auth.warning]
> lak_bind() failed
> Jul 24 12:55:22 delius saslauthd[22181]: [ID 285309 auth.info] do_auth
> : auth failure: [user=juanito] [service=imap] [realm=] [mech=ldap]
> [reason=Unknown]
>
> I'm sure the path and name of certificates are correct, but saslauthd seems
> unable to set them and I don't know why.
> When I compiled SASL 2.1.15 , days ago, I included the option
> --with-openssl=/usr/local/ssl
>
> What can I do now?
> Thanks in advance.
>
> - ANNA -

-- 
Igor
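The two configuration mistakes pointed out above (a plaintext `ldap://` URI on port 636 instead of `ldaps://`, and the non-existent `ldap_port` option) are easy to catch mechanically. The script below is an added example, not code from the thread or from Cyrus SASL: it parses a saslauthd.conf, reports those mistakes, rewrites the URI to `ldaps://host/`, and warns when `ldap_tls_check_peer` is not `yes`, since dropping the TLS options for debugging (as suggested above) leaves the server certificate unverified and should be undone once the bind works. The sample configuration is the one posted in the thread; the option names assumed are the ones visible in it. Note also that `ldapsearch -h host -p 636` speaks cleartext LDAP to the TLS listener; `ldapsearch -H ldaps://myserver.upc.es/ ...` is the equivalent test of whether the server really accepts SSL.

```python
"""Lint a saslauthd.conf for the LDAPS mistakes discussed in the thread.

Added example, not code from the thread or from Cyrus SASL. It assumes the
saslauthd option names visible above (ldap_servers, ldap_tls_check_peer,
ldap_tls_cacert_file, ...) and that a plaintext ldap:// URI on port 636
should become ldaps://host/.
"""
from urllib.parse import urlsplit

LDAPS_PORT = 636

# Constructed sample: the configuration posted above, which fails.
BROKEN_CONF = """\
ldap_servers: ldap://myserver.upc.es:636/
ldap_port: 636
ldap_tls_check_peer: yes
ldap_tls_cacert_file: escert.pem
ldap_tls_cacert_dir: /var/imap/certs
ldap_tls_cert: /var/imap/server.pem
ldap_tls_key: /var/imap/server.pem
"""


def parse_saslauthd_conf(text):
    """Parse 'key: value' lines into a dict, skipping blanks and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "on", "1")


def lint_ldap_config(conf):
    """Return (severity, message) findings for the LDAP-over-TLS settings."""
    findings = []
    if "ldap_port" in conf:
        findings.append(("error", "ldap_port is not a saslauthd option; "
                                  "put the port in the ldap_servers URI"))
    uses_ldaps = False
    for uri in conf.get("ldap_servers", "").split():
        parts = urlsplit(uri)
        scheme = parts.scheme.lower()
        if scheme == "ldap" and parts.port == LDAPS_PORT:
            # Plain ldap:// on 636 talks cleartext LDAP to a TLS listener,
            # which is what produced "Can't contact LDAP server" above.
            findings.append(("error", f"{uri}: ldap:// scheme on port "
                                      f"{LDAPS_PORT}; use ldaps://{parts.hostname}/"))
        elif scheme not in ("ldap", "ldaps", "ldapi"):
            findings.append(("error", f"{uri}: unknown scheme {scheme!r}"))
        uses_ldaps = uses_ldaps or scheme == "ldaps"
    if uses_ldaps and not _is_yes(conf.get("ldap_tls_check_peer", "no")):
        # Leaving peer checks off is fine while debugging, but it means the
        # server certificate is never verified: re-enable it afterwards.
        findings.append(("warning", "ldap_tls_check_peer is not 'yes': the "
                                    "LDAP server certificate is not verified"))
    return findings


def fix_ldap_config(conf):
    """Return a corrected copy: ldaps:// URIs, no ldap_port key."""
    fixed = {k: v for k, v in conf.items() if k != "ldap_port"}
    uris = []
    for uri in fixed.get("ldap_servers", "").split():
        parts = urlsplit(uri)
        if parts.scheme.lower() == "ldap" and parts.port == LDAPS_PORT:
            uri = f"ldaps://{parts.hostname}/"
        uris.append(uri)
    if uris:
        fixed["ldap_servers"] = " ".join(uris)
    return fixed


if __name__ == "__main__":
    conf = parse_saslauthd_conf(BROKEN_CONF)
    for severity, message in lint_ldap_config(conf):
        print(f"{severity}: {message}")
    fixed = fix_ldap_config(conf)
    print("corrected ldap_servers:", fixed["ldap_servers"])
    print("remaining findings:", lint_ldap_config(fixed))
```

Run it against the posted configuration and it reports the `ldap_port` key and the `ldap://...:636/` URI as errors; after `fix_ldap_config` the only remaining risk it can flag is a missing `ldap_tls_check_peer: yes`, which the posted config already has.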




More information about the Info-cyrus mailing list