ldap auxprop plugin on centos4/rhel4?

Aleksandar Milivojevic alex at milivojevic.org
Thu Mar 9 15:59:43 EST 2006


OK, I got the newer cyrus-sasl installed on the imap server, with ldap 
module.  I've placed this into imapd.conf:

sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldaps://ldap.foobar.com/

And things were still failing.  slapd.log showed client connecting and 
disconnecting right away, without attempting to bind.  Figured it was 
the certificate verification problem.  I don't see in options.html file 
from cyrus-sasl docs that there's option for ldapdb to specify CA 
certificate directly in imapd.conf file, so I created 
/etc/openldap/ldap.conf as follows:

BASE            dc=foobar,dc=com
URI             ldaps://ldap.foobar.com
TLS_CACERT      /usr/share/ssl/certs/cacert.pem

The cacert.pem contains certificate of CA used to sign LDAP server's 
certificate.  The exact same ldap.conf works perfectly for all other 
programs/servers/tools/whatever.  However, seems that ldap SASL module 
chokes on TLS_CACERT line.  If it is present in ldap.conf file (and 
only if it is present), I get following in system log:

Mar  9 14:07:32 mail imap[10643]: Unexpectedly missing a prompt result

The LDAP server itself offers only simple bind, SASL PLAIN and SASL 
LOGIN, and requires SSL or TLS to use them.

Using ldapsearch (from the same box cyrus-imapd is running on), I can 
authenticate correctly, so I know that LDAP server is configured as it 
should be:

$ ldapsearch -U foobar -H ldaps://ldap.foobar.com/ -W '(uid=foobar)'
Enter LDAP Password:
SASL/LOGIN authentication started
SASL username: foobar
SASL SSF: 0
# extended LDIF follows...

Same thing if I try StartTLS using -ZZ instead of ldaps URI.  Also all 
works fine if I try simple bind either over SSL or using StartTLS.

BTW, would it be possible to use simple bind with ldapdb cyrus-sasl 
module?  Simple bind over SSL/TLS would work for me.  It would even 
simplify things on LDAP server side since I wouldn't need to support 
SASL on it.

-- 
See Ya' later, alligator!
http://www.8-P.ca/
