ldap auxprop plugin on centos4/rhel4?

Igor Brezac igor at ipass.net
Fri Mar 10 13:12:54 EST 2006

On Thu, 9 Mar 2006, Aleksandar Milivojevic wrote:

> OK, I got the newer cyrus-sasl installed on the imap server, with ldap 
> module.  I've placed this into imapd.conf:
> sasl_pwcheck_method: auxprop
> sasl_auxprop_plugin: ldapdb
> sasl_ldapdb_uri: ldaps://ldap.foobar.com/
> And things were still failing.  slapd.log showed clinet conencting and 
> disconnected right away, without attempting to bind.  Figured it was the 
> certificate verification problem.  I don't see in options.html file from 
> cyrus-sasl docs that there's option for ldapdb to specify CA certificate 
> directly in imapd.conf file, so I created /etc/openldap/ldap.conf as follows:
> BASE            dc=foobar,dc=com
> URI             ldaps://ldap.foobar.com
> TLS_CACERT      /usr/share/ssl/certs/cacert.pem
> The cacert.pem contains certificate of CA used to sign LDAP server's 
> certificate.  The exact same ldap.conf works perfectly for all other 
> programs/servers/tools/whatever.  However, seems that ldap SASL module chokes 
> on TLS_CACERT line.  If it is present in ldap.conf file (and only if it is 
> present), I get following in system log:
> Mar  9 14:07:32 mail imap[10643]: Unexpectedly missing a prompt result
> The LDAP server itslef offers only simple bind, SASL PLAIN and SASL LOGIN, 
> and requires SSL or TLS to use them.
> Using ldapsearch (from the same box cyrus-imapd is running on), I can 
> authenticate correctly, so I know that LDAP server is configured as it should 
> be:
> $ ldapsearch -U foobar -H ldaps://ldap.foobar.com/ -W '(uid=foobar)'
> Enter LDAP Password:
> SASL/LOGIN authentication started
> SASL username: foobar
> # extended LDIF follows...
> Same thing if I try StartTLS using -ZZ instead of ldaps URI.  Also all works 
> fine if I try simple bind either over SSL or using StartTLS.

You need to configure proxy authorization in order for ldapdb to work. 
This is noted in the cyrus-sasl docs (options.html).  If you have trouble 
configuring proxy authorization, I suggest you move this discussion to the 
openldap software list.

> BTW, would it be possible to use simple bind with ldapdb cyrus-sasl module? 
> Simple bind ovar SSL/TLS would work for me.  It would even simplify things on 
> LDAP server side since I wouldn't need to support SASL on it.

There may be some complexity on the openldap server side, but the client 
config becomes far more simple.


More information about the Info-cyrus mailing list