ldap auxprop plugin on centos4/rhel4?
alex at milivojevic.org
Thu Mar 9 15:59:43 EST 2006
OK, I got the newer cyrus-sasl installed on the imap server, with ldap
module. I've placed this into imapd.conf:
And things were still failing. slapd.log showed clinet conencting and
disconnected right away, without attempting to bind. Figured it was
the certificate verification problem. I don't see in options.html file
from cyrus-sasl docs that there's option for ldapdb to specify CA
certificate directly in imapd.conf file, so I created
/etc/openldap/ldap.conf as follows:
The cacert.pem contains certificate of CA used to sign LDAP server's
certificate. The exact same ldap.conf works perfectly for all other
programs/servers/tools/whatever. However, seems that ldap SASL module
chokes on TLS_CACERT line. If it is present in ldap.conf file (and
only if it is present), I get following in system log:
Mar 9 14:07:32 mail imap: Unexpectedly missing a prompt result
The LDAP server itslef offers only simple bind, SASL PLAIN and SASL
LOGIN, and requires SSL or TLS to use them.
Using ldapsearch (from the same box cyrus-imapd is running on), I can
authenticate correctly, so I know that LDAP server is configured as it
$ ldapsearch -U foobar -H ldaps://ldap.foobar.com/ -W '(uid=foobar)'
Enter LDAP Password:
SASL/LOGIN authentication started
SASL username: foobar
SASL SSF: 0
# extended LDIF follows...
Same thing if I try StartTLS using -ZZ instead of ldaps URI. Also all
works fine if I try simple bind either over SSL or using StartTLS.
BTW, would it be possible to use simple bind with ldapdb cyrus-sasl
module? Simple bind ovar SSL/TLS would work for me. It would even
simplify things on LDAP server side since I wouldn't need to support
SASL on it.
See Ya' later, alligator!
This message was sent using IMP, the Internet Messaging Program.
More information about the Info-cyrus