sasl authentication problems
Fred Blaise
chapeaurouge at gmail.com
Wed Aug 24 13:01:54 EDT 2005
Hello all,
I am seeking help on sasl authentication against openldap.
Debian stable 3.1 on all servers.
On one server, I have slapd 2.2.23. It is used to authenticate samba
(works, same server), and a groupware on another server (works, 2nd server).
On the second server, I have a cyrus imap server, which uses the
following steps to (try to) authenticate against LDAP with sasl:
-> saslauthd (PAM method)
-> pam_ldap
-> ldap
I am trying to fix the cyrus SASL authentication against openLDAP, I guess.
When I run that, here is the error:
--------------------------------------------
OX1:~# ldapsearch -D "cn=manager,dc=ilr,dc=lu" -h ldapsmb-pdc.ilr.lu -b "dc=ilr,dc=lu" "(uid=sp)"
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
additional info: SASL(-13): user not found: no secret in database
The accompanying slapd debug output (-d 4):
------------------------------------------------------
send_ldap_result: err=0 matched="" text=""
connection_get(10)
connection_get(10)
SRCH "" 0 0 0 0 0
filter: (objectClass=*)
attrs: supportedSASLMechanisms
send_ldap_result: err=0 matched="" text=""
connection_get(10)
==> sasl_bind: dn="cn=manager,dc=ilr,dc=lu" mech=DIGEST-MD5 datalen=0
connection_get(10)
==> sasl_bind: dn="cn=manager,dc=ilr,dc=lu" mech=<continuing> datalen=278
SASL Canonicalize [conn=2]: authcid="root"
slap_sasl_getdn: id=root [len=4]
SASL Canonicalize [conn=2]: slapAuthcDN="cn=manager,dc=ilr,dc=lu"
base_candidates: base: "cn=manager,dc=ilr,dc=lu" (0x00000002)
send_ldap_result: err=0 matched="" text=""
SASL Canonicalize [conn=2]: authzid="root"
SASL [conn=2] Failure: no secret in database
send_ldap_result: err=80 matched="" text="SASL(-13): user not found: no secret in database"
Here are the accepted methods on slapd:
--------------------------------------------------------
OX1:~# ldapsearch -x -b "" -s base supportedSASLMechanisms -ZZ
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#
#
dn:
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
[...]
Here is my slapd.conf:
------------------------------
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/openxchange.schema
schemacheck on
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd.args
loglevel 0
modulepath /usr/lib/ldap
moduleload back_bdb
backend bdb
checkpoint 512 30
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/ldap/certs/cacert.pem
TLSCertificateFile /etc/ldap/certs/servercrt.pem
TLSCertificateKeyFile /etc/ldap/certs/serverkey.pem
TLSVerifyClient never
database bdb
suffix "dc=ilr,dc=lu"
directory "/var/lib/ldap"
sasl-regexp
    uid=root,cn=(plain|digest-md5|login),cn=auth
    cn=Manager,dc=ilr,dc=lu
sasl-regexp
    uid=(.*),cn=(plain|digest-md5|login),cn=auth
    ldap:///dc=ilr,dc=lu??one?(uid=$1)
password-hash {CLEARTEXT}
rootdn "cn=Manager,dc=ilr,dc=lu"
rootpw "{SSHA}eT2FeQwOwgZx3UPS6jRzoCDwGvBHDyh3"
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
lastmod on
access to attrs=userPassword
by dn="cn=Manager,dc=ilr,dc=lu" write
by anonymous auth
by self write
by * none
access to dn.base="" by * read
access to dn.subtree="ou=Users,ou=OxObjects,dc=ilr,dc=lu"
by dn="cn=Manager,dc=ilr,dc=lu" write
by self write
by users write
by anonymous read
access to dn.subtree="ou=Groups,ou=OxObjects,dc=ilr,dc=lu"
by self write
by users write
by anonymous read
access to *
by dn="cn=Manager,dc=ilr,dc=lu" write
by * read
Here is my /etc/pam.d/imap on the cyrus server:
-----------------------------------------------------------
auth sufficient /lib/security/pam_ldap.so debug
account sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_ldap.so
I am surely missing some details. Please let me know if something is
missing. If I am off-topic and need to repost to the sasl mailing,
please let me know as well.
Thanks a lot.
chap.
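A note added after the post, not part of it: the "no secret in database" failure is a property of the mechanism as much as of this configuration. DIGEST-MD5 is challenge-response, so the server has to recompute the client's response from the stored password (RFC 2831 starts from H(username:realm:password)); it can therefore only verify a userPassword it can read back as cleartext. A one-way {SSHA} hash, which is all the posted slapd.conf holds for cn=Manager (the rootpw that the first sasl-regexp maps uid=root onto), gives the SASL library nothing to work with, and the message slapd relays here is the one Cyrus SASL produces when its secret lookup comes back empty. The same {SSHA} value is perfectly usable for a simple (-x) bind, where the client sends the password itself; that is the trade-off DIGEST-MD5 imposes. The Python below is example code written for this page, not taken from OpenLDAP or Cyrus SASL. It implements the RFC 2831 computation, checks it against the worked vector in RFC 2831 section 4, and then runs one client response against a cleartext and an {SSHA} stored value; the salt and the {CLEARTEXT} strings are made up.

```python
"""DIGEST-MD5 (RFC 2831) response computation and server-side verification.

Illustration only: shows why a challenge-response SASL mechanism needs a
recoverable secret on the server, while a simple bind can be checked against
a one-way {SSHA} hash.  Not code from OpenLDAP or Cyrus SASL.
"""
import base64
import hashlib
import hmac


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop,
                        digest_uri, authzid=None, rspauth=False):
    """response-value (client) or rspauth (server), RFC 2831 2.1.2.1 / 2.1.3.

    A1 = H(username:realm:password) ":" nonce ":" cnonce [":" authzid]
    A2 = "AUTHENTICATE:" digest-uri      (client response)
       = ":" digest-uri                  (server rspauth)
    result = HEX(H(HEX(H(A1)) ":" nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2))))
    """
    a1 = _md5(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    a2 = ("" if rspauth else "AUTHENTICATE") + f":{digest_uri}"
    if qop != "auth":
        a2 += ":00000000000000000000000000000000"  # auth-int / auth-conf
    kd = f"{_md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_md5hex(a2.encode('utf-8'))}"
    return _md5hex(kd.encode("utf-8"))


class NoSecret(Exception):
    """The server holds no secret it can use for this mechanism."""


def server_verify_digest(stored_userpassword, client_response, **fields):
    """Server side: recompute the response from the stored userPassword value.

    Only a cleartext value ({CLEARTEXT}... or no scheme prefix) can be used.
    A one-way scheme such as {SSHA} leaves the verifier with no usable secret,
    the condition Cyrus SASL reports as 'no secret in database'.
    """
    if stored_userpassword.startswith("{CLEARTEXT}"):
        password = stored_userpassword[len("{CLEARTEXT}"):]
    elif not stored_userpassword.startswith("{"):
        password = stored_userpassword
    else:
        raise NoSecret(f"cannot derive a DIGEST-MD5 secret from {stored_userpassword[:6]}...")
    expected = digest_md5_response(password=password, **fields)
    return hmac.compare_digest(expected.encode("ascii"), client_response.encode("ascii"))


def ssha_hash(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA}: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def simple_bind_check(stored_userpassword: str, password: str) -> bool:
    """Simple bind: the client sends the password, so a one-way hash suffices."""
    if stored_userpassword.startswith("{SSHA}"):
        raw = base64.b64decode(stored_userpassword[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)
    if stored_userpassword.startswith("{CLEARTEXT}"):
        stored_userpassword = stored_userpassword[len("{CLEARTEXT}"):]
    return hmac.compare_digest(stored_userpassword.encode("utf-8"), password.encode("utf-8"))


# Worked exchange from RFC 2831 section 4 (password "secret"), used as a test vector.
RFC2831_EXAMPLE = dict(username="chris", realm="elwood.innosoft.com",
                       nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk",
                       nc="00000001", qop="auth", digest_uri="imap/elwood.innosoft.com")
RFC2831_RESPONSE = "d388dad90d4bbd760a152321f2143af7"
RFC2831_RSPAUTH = "ea40f60335c427b5527b84dbabcdfffd"


def demo():
    """One client response checked against two ways of storing the same password."""
    client = digest_md5_response(password="secret", **RFC2831_EXAMPLE)
    ssha = ssha_hash("secret", b"\x01\x02\x03\x04")  # made-up salt
    results = {
        "digest_vs_cleartext": server_verify_digest("{CLEARTEXT}secret", client, **RFC2831_EXAMPLE),
        "digest_vs_cleartext_wrong_pw": server_verify_digest("{CLEARTEXT}guess", client, **RFC2831_EXAMPLE),
        "simple_bind_vs_ssha": simple_bind_check(ssha, "secret"),
    }
    try:
        server_verify_digest(ssha, client, **RFC2831_EXAMPLE)
        results["digest_vs_ssha"] = "verified"
    except NoSecret:
        results["digest_vs_ssha"] = "no secret in database"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the file prints the four outcomes; the only stored form that lets DIGEST-MD5 succeed is the cleartext one, while the {SSHA} value passes the simple-bind check and fails the DIGEST-MD5 path with the no-secret condition.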
More information about the Info-cyrus mailing list