Re: OpenLDAP and cyrus-sasl authentication

Thanks.  I got it working with

ldap_filter: mail=%u
and I left the ldap_auth_method: bind unchanged.

The culprit also resulted from LDAP's ACL.
Thanks.

From: Igor Brezac <igor@xxxxxxxxx>
To: james tan <jamestan_98@xxxxxxxxxxx>
CC: cyrus-sasl@xxxxxxxxxxxxxxxxxxxx
Subject: Re: OpenLDAP and cyrus-sasl authentication
Date: Thu, 06 Sep 2007 08:06:30 -0400

james tan wrote:
> Hi,
>
> Version
> LDAP openldap-2.3.27
> cyrus-sasl-2.1.22
>
> I have been trying to figure out what is happening but failed for the
> last few days.  I am sorry for the long email where I tried the
> various debug output.  I just wonder where goes wrong?
> I already have my ldap user created in ldbm, do I need anything like
> sasldb2 again?  I am lost! :(
>
> I tried this but it failed.
>
> ./testsaslauthd -u tancentos2@xxxxxxxxxx -p mypasswd
>
> saslauthd[6118] :do_auth         : auth failure:
> [user=tancentos2@xxxxxxxxxx] [service=imap] [realm=] [mech=ldap]
> [reason=Unknown]
> saslauthd[6118] :do_request      : response: NO
>
> The following are my configuration for saslauthd.conf
> ldap_servers: ldap://127.0.0.1
> ldap_search_base: o=hosting,dc=example,dc=tld
> ldap_filter: (&(objectClass=VirtualMailAccount)(mail=%u@%r)))
> ldap_bind_dn: cn=cyrus,dc=example,dc=tld
> ldap_password: secret
> ldap_auth_method: bind

You need to use ldap_auth_method: custom or adjust your filter.  Please
see cyrus-src/saslauthd/LDAP_SASLAUTHD

> ldap_start_tls: no
>
>
> I tried to debug with openldap, I got the following but I noticed that
> the tancentos2@xxxxxxxxxx is not passed to ldap but the binding looks
> ok ?
>
> connection_get(13): got connid=1
> connection_read(13): checking for input on id=1
> ber_get_next
> ber_get_next: tag 0x30 len 48 contents:
> ber_get_next
> ber_get_next on fd 13 failed errno=11 (Resource temporarily unavailable)
> do_bind
> ber_scanf fmt ({imt) ber:
> ber_scanf fmt (m}) ber:
>>>> dnPrettyNormal: <cn=cyrus,dc=example,dc=tld>
> <<< dnPrettyNormal: <cn=cyrus,dc=example,dc=tld>,
> <cn=cyrus,dc=example,dc=tld>
> do_bind: version=3 dn="cn=cyrus,dc=example,dc=tld" method=128
> dn2entry_r: dn: "cn=cyrus,dc=example,dc=tld"
> => dn2id( "cn=cyrus,dc=example,dc=tld" )
> ====> cache_find_entry_ndn2id("cn=cyrus,dc=example,dc=tld"): 34 (1 tries)
> <= dn2id 34 (in cache)
> => id2entry_r( 34 )
> ====> cache_find_entry_id( 34 ) "cn=cyrus,dc=example,dc=tld" (found)
> (1 tries)
> <= id2entry_r( 34 ) 0x8b1ca98 (cache)
> ====> cache_return_entry_r( 34 ): returned (0)
> send_ldap_result: conn=1 op=0 p=3
> send_ldap_response: msgid=1 tag=97 err=49
> ber_flush: 14 bytes to sd 13
>
> Then, I tried
> ldapsearch -LLL -s sub -v -x  "(mail=tancentos2@xxxxxxxxxx)" -b
> "o=hosting,dc=example,dc=tld" cn sn
> it returns the cn and sn.
> If I take away the "-x", then the problem came.  The following is the
> debug output from ldap
> SASL [conn=2] Debug: DIGEST-MD5 server step 2
> slap_sasl_getdn: u:id converted to uid=root,cn=DIGEST-MD5,cn=auth
>>>> dnNormalize: <uid=root,cn=DIGEST-MD5,cn=auth>
> <<< dnNormalize: <uid=root,cn=digest-md5,cn=auth>
> ==>slap_sasl2dn: converting SASL name uid=root,cn=digest-md5,cn=auth
> to a DN
> slap_authz_regexp: converting SASL name uid=root,cn=digest-md5,cn=auth
> <==slap_sasl2dn: Converted SASL name to <nothing>
> SASL [conn=2] Error: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
>

-Igor


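The mechanism behind the fix in this thread, as an added example that is not part of the original messages or of the cyrus-sasl sources: a small Python model of what saslauthd's LDAP backend does with ldap_auth_method: bind (bind as ldap_bind_dn, search with the expanded ldap_filter, then re-bind as the one entry found with the password the client supplied). The directory entries, the ACL stand-in and all passwords are constructed; the %u/%r expansion follows the two tokens used in the posted saslauthd.conf, and the "original" filter below is the posted one with its parentheses balanced.

```python
"""Added example: model of saslauthd's ldap_auth_method: bind flow.
Everything here is constructed; nothing is read from a real directory."""
import re

# Constructed stand-in for the poster's OpenLDAP tree (not real data).
DIRECTORY = {
    "cn=cyrus,dc=example,dc=tld": {
        "objectClass": ["simpleSecurityObject"],
        "userPassword": ["secret"],
    },
    "uid=tancentos2,o=hosting,dc=example,dc=tld": {
        "objectClass": ["VirtualMailAccount"],
        "mail": ["tancentos2@example.tld"],
        "userPassword": ["mypasswd"],
    },
}

# Stand-in for a slapd "access to attrs=userPassword by * auth" rule: a bind
# against an entry only succeeds if the entry lies under one of these bases.
ACL_AUTH_BASES = {"dc=example,dc=tld"}

# saslauthd.conf as posted (filter parentheses balanced) and as fixed.
ORIGINAL_CONF = {
    "ldap_search_base": "o=hosting,dc=example,dc=tld",
    "ldap_filter": "(&(objectClass=VirtualMailAccount)(mail=%u@%r))",
    "ldap_bind_dn": "cn=cyrus,dc=example,dc=tld",
    "ldap_password": "secret",
}
FIXED_CONF = dict(ORIGINAL_CONF, ldap_filter="mail=%u")


def expand_filter(template, user, realm=""):
    """Substitute %u (username exactly as passed) and %r (realm)."""
    return template.replace("%u", user).replace("%r", realm)


def filter_is_balanced(ldap_filter):
    depth = 0
    for ch in ldap_filter:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0


def search(base, ldap_filter):
    """Return DNs under base matching every (attr=value) term of the filter.
    Only the equality/AND subset of RFC 4515 is handled, and values are
    compared exactly; a real server applies the attribute's matching rule."""
    if not filter_is_balanced(ldap_filter):
        raise ValueError("bad filter: " + ldap_filter)
    if not ldap_filter.startswith("("):
        ldap_filter = "(" + ldap_filter + ")"
    terms = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", ldap_filter)
    return [
        dn for dn, attrs in DIRECTORY.items()
        if dn.endswith(base)
        and all(value in attrs.get(attr, []) for attr, value in terms)
    ]


def simple_bind(dn, password, acl=ACL_AUTH_BASES):
    """LDAP simple bind: needs the entry, the right password and ACL 'auth'
    access to userPassword; any failure surfaces as invalidCredentials (49)."""
    entry = DIRECTORY.get(dn)
    if entry is None or not any(dn.endswith(b) for b in acl):
        return False
    return password in entry.get("userPassword", [])


def saslauthd_bind_auth(conf, user, password, realm="", acl=ACL_AUTH_BASES):
    """Model of ldap_auth_method: bind. Returns (result, detail)."""
    # 1. bind as the service account from ldap_bind_dn / ldap_password
    if not simple_bind(conf["ldap_bind_dn"], conf["ldap_password"], acl):
        return "NO", "service bind failed (err=49)"
    # 2. the expanded filter must select exactly one entry
    expanded = expand_filter(conf["ldap_filter"], user, realm)
    hits = search(conf["ldap_search_base"], expanded)
    if len(hits) != 1:
        return "NO", "filter %r matched %d entries" % (expanded, len(hits))
    # 3. re-bind as that entry with the client's password; no sasldb2 is
    #    consulted anywhere on this path
    if simple_bind(hits[0], password, acl):
        return "OK", hits[0]
    return "NO", "user bind failed (err=49)"


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        print(name, saslauthd_bind_auth(conf, "tancentos2@example.tld", "mypasswd"))
```

Two things the model makes visible: in the posted log the realm is empty ([realm=]) while the full address was passed as the user, so "mail=%u@%r" expands to an address with a trailing "@" and matches nothing, whereas "mail=%u" matches; and if the ACL stand-in does not grant auth access, the very first bind (the service account's) fails with err=49, which is what the posted slapd trace shows on op=0.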
