Unable to get SASL working correctly

Kevin Fries kevin at hcico.com
Fri Jun 11 15:31:43 EDT 2004

I feel like I am going around in circles with LDAP and SASL!  This stuff 
is not as much fun as the travel brochure said it would be :-)

Here is what I have:
  - Fedora Core 2
  - OpenLDAP (from rpm)
     - openldap-servers-2.1.29-1
     - openldap-devel-2.1.29-1
     - openldap-clients-2.1.29-1
     - openldap-2.1.29-1
  - SASL (from rpm)
     - cyrus-sasl-devel-2.1.18-2
     - cyrus-sasl-plain-2.1.18-2
     - cyrus-sasl-2.1.18-2
     - cyrus-sasl-md5-2.1.18-2
  - Other Software (from rpm)
     - postfix-2.0.18-4
     - courier-imap-
     - squirrelmail-1.4.2-3
     - nss_ldap-217-1

What I am doing now:
I have postfix operating on two servers, one as local delivery, and the 
other in a backup MX role.  The PADL tools are being used to pull 
accounts from my LDAP server, and present them as local accounts

# getent passwd kevin
kevin:x:999:999:Kevin Fries:/home/kevin:/bin/bash

No problem.  Postfix, Courier, vsFTP, Squirrelmail, SAMBA, etc pick up 
the local accounts and authenticate everyone via PAM.

Here is what I am trying to do:
I would prefer to remove the PADL libraries and have each of these 
programs authenticate directly against the LDAP information in a sealed 
system (no system accounts).  I figured the first step towards this was 
to work over my mail and IMAP servers.  Courier is causing me all kinds 
of headaches, and I would love to dump it for Cyrus IMAP.  But in order 
to do that, I need to have Cyrus-SASL authenticating to my user accounts 
in LDAP first.

However, I can not even get saslauthd to work correctly!  when I use 
testsaslauthd to validate an account, here is the results:

# testsaslauthd -u kevin -p sanitized
0: NO "authentication failed"

A check of the error logs, displays:
do_auth         : auth failure: [user=kevin] [service=imap] [realm=] 
[mech=ldap] [reason=Unknown]

"reason=Unknown", well at least the error message is clear, lol

Needless to say, the basic ldap tools don't work right without the -x 
(send in plain text) which I am trying to avoid.

# ldapsearch "uid=kevin"
ldap_sasl_interactive_bind_s: No such object (32)

I am not trying to get cute here.  I just want OpenLDAP to store all my 
user data, and SASL to authenticate against it.  Once that is in place, 
it open a new set of options such as SMTP-AUTH for the Postfix server 
(hopefully against CRAM-MD5 or some other highly encrypted mechanism) 
and Cyrus IMAP.

But, until I can get the simple working, the more complex is simply out 
of the question.  Can anyone point me in the right direction.  Some 
documentation, or How-to that does not include Kerberos (yeah found lots 
of those) and is discussing the direction I am trying to go?

Here are my conf files:
# cat /etc/sysconfig/saslauthd

# cat /etc/saslauthd.conf
ldap_servers: ldap://
ldap_bind_dn: cn=manager,dc=example,dc=com
ldap_bind_ps: privledged

# cat /etc/openldap/slapd.conf
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/pureftpd.schema
include         /etc/openldap/schema/postfix.schema
include         /etc/openldap/schema/mozillaAbPersonObsolete.schema
include         /etc/openldap/schema/qmail.schema

defaultsearchbase "dc=example,dc=com"

access to dn=".*,dc=example,dc=com" attr=userPassword
        by dn="cn=Manager,dc=example,dc=com" write
        by self write
        by * auth

access to dn=".*,dc=example,dc=com" attr=mail
        by dn="cn=Manager,dc=example,dc=com" write
        by self write
        by * read

access to dn=".*,ou=People,dc=example,dc=com"
        by * read

access to dn=".*,dc=example,dc=com"
        by self write
        by * read

database        ldbm
dbcachesize     2000000
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          privledged
directory       /var/lib/ldap

index   objectClass              eq

index   cn                       pres,sub,eq
index   sn                       pres,sub,eq
index   uid                      pres,sub,eq
index   displayName              pres,sub,eq

index   uidNumber                eq
index   gidNumber                eq
index   memberUid                eq

index   sambaSID                 eq
index   sambaPrimaryGroupSID     eq
index   sambaDomainName          eq
index   default                  sub

index   mailAlternateAddress     eq
index   mail                     sub,eq
index   givenName                sub,eq

# cat /etc/ldap.conf
base dc=example,dc=com
rootbinddn cn=manager,dc=example,dc=com
scope sub
pam_filter objectclass=posixaccount
ssl no
pam_password md5

Kevin Fries
Network Administrator
Hydrologic Consultants, Inc of Colorado
(303) 969-8033    FAX: (303) 969-8357

Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

More information about the Info-cyrus mailing list