saslauthd with openldap
Paul van der Vlis
paul at vandervlis.nl
Fri Apr 19 09:10:16 EDT 2013
On 19-04-13 14:06, Marc Patermann wrote:
> Paul,
>
> Paul van der Vlis wrote (19.04.2013 11:58):
>
>> I am trying to get saslauthd working
> While this is not IMAPd related, why don't you try a SASL list?
I am not a member of it. I have tried to post to it via Gmane but my
mail was refused...
>> to authenticate on openLDAP with
>> passwords stored with a MD5 hash (base64 encoded) in the field
>> UserPassword. The passwords are created with smb-ldap so I think it's
>> normal that they are base64 encoded.
> Is SASL auxprop ldapdb not an option for you?
I am a Cyrus user for about 10 years, and I have always used saslauthd.
Most of the time using PAM, but sometimes LDAP to Microsoft AD and to
Novell. But I have never authenticated to OpenLDAP before.
>> "testsaslauthd -u mailtest -p secret" gives always "authentication
>> failed". In auth.log I see always: "Bind failed".
>>
>> I've tried many options in saslauthd.conf, at the moment it's this:
>> --------
>> ldap_servers: ldap://192.168.28.240/
>> ldap_auth_method: custom
>> ldap_bind_dn: uid=admin,dc=domain,dc=local
>> ldap_bind_pw: secret
>> ldap_search_base: ou=Users,dc=domain,dc=local
>> ldap_filter: cn=%u
>> --------
> what does
> # ldapsearch -H ldap://192.168.28.240/ -x -D
> uid=admin,dc=domain,dc=local -w secret -B ou=Users,dc=domain,dc=local
> cn=oneOfYourUsernames
> for you?
It first gave an error because -B has to be -b; after changing it,
it says "ldap_bind: Invalid credentials (49)". Hmmmm.
But because I had another working ldapsearch string, I looked at the
differences and I found the solution!
This was wrong:
ldap_bind_dn: uid=admin,dc=domain,dc=local
This is right:
ldap_bind_dn: cn=admin,dc=domain,dc=local
Many thanks for your help!
>> I am using cyrus-sasl2 version 2.1.25.dfsg1-6 from Debian Wheezy.
>> LDAP is on an old machine (Ubuntu 8.04, slapd version 2.4.7).
> FYI: For a production use LDAP server it is best advice from the
> openldap developers to use the latest version, which is 2.4.35.
This is an environment that should be replaced but that has been in production
for many years and for many people. I am only hired for the mailserver.
With regards,
Paul van der Vlis.
--
Paul van der Vlis Linux systeembeheer, Groningen
http://www.vandervlis.nl
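
The troubleshooting in this thread, as an added example that is not part of the original message or of Cyrus SASL: a shell sketch that reads the LDAP settings from a saslauthd.conf and prints one command that tests the service-account bind and one that tests the user search, so a wrong ldap_bind_dn shows up before testsaslauthd is involved. The function names are hypothetical, the sample file is constructed from the settings quoted above with the corrected bind DN, and the commands use -W so the bind password is prompted for rather than placed on the command line.

```shell
#!/bin/sh
# Added example (not from the thread): derive bind and search checks from saslauthd.conf.
# Print the value of "key: value" from a saslauthd.conf-style file (last match wins).
conf_get() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Single-quote a value so the printed command can be pasted into a shell safely.
sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Step 1: can the service account bind at all? "Invalid credentials (49)" here
# points at ldap_bind_dn / ldap_bind_pw, not at the user entry or the filter.
build_bind_check() {
    uri=$(conf_get "$1" ldap_servers)
    dn=$(conf_get "$1" ldap_bind_dn)
    [ -n "$uri" ] && [ -n "$dn" ] || { echo "ldap_servers/ldap_bind_dn missing" >&2; return 1; }
    printf 'ldapwhoami -x -H %s -D %s -W\n' "$(sq "$uri")" "$(sq "$dn")"
}

# Step 2: does ldap_filter find the user? "1.1" requests no attributes, so no hashes are shown.
build_user_search() {
    case $2 in
        ''|*[!A-Za-z0-9._-]*) echo "refusing username: $2" >&2; return 1 ;;
    esac
    uri=$(conf_get "$1" ldap_servers)
    dn=$(conf_get "$1" ldap_bind_dn)
    base=$(conf_get "$1" ldap_search_base)
    filter=$(conf_get "$1" ldap_filter)
    [ -n "$uri" ] && [ -n "$dn" ] && [ -n "$base" ] && [ -n "$filter" ] || { echo "incomplete LDAP settings" >&2; return 1; }
    filter=$(printf '%s' "$filter" | sed "s/%u/$2/g")   # safe: username was restricted above
    printf 'ldapsearch -x -H %s -D %s -W -b %s %s 1.1\n' "$(sq "$uri")" "$(sq "$dn")" "$(sq "$base")" "$(sq "$filter")"
}

# Constructed sample: the thread's settings with the corrected bind DN.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
ldap_servers: ldap://192.168.28.240/
ldap_auth_method: custom
ldap_bind_dn: cn=admin,dc=domain,dc=local
ldap_bind_pw: secret
ldap_search_base: ou=Users,dc=domain,dc=local
ldap_filter: cn=%u
EOF
build_bind_check "$SAMPLE_CONF"
build_user_search "$SAMPLE_CONF" mailtest
```

If the first printed command fails, the problem is the bind DN or its password; if only the second returns no entry, look at ldap_search_base and ldap_filter instead.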