Igor,

Thanks, changing the ldap_password to cleartext worked. Is there a good reference to read on setting up sasl with the auxprop plugin for use with cyrus-imap and postfix?

thanks
Shelley

On Tue, 4 Dec 2007, Igor Brezac wrote:

Shelley Waltz wrote:
> I am still having an issue trying to use LDAP authentication
> with a simple bind.
>
> I have
> [root@roadrunner ~]# rpm -qa|grep sasl
> cyrus-sasl-lib-2.1.22-4
> cyrus-sasl-2.1.22-4
> cyrus-sasl-devel-2.1.22-4
> cyrus-sasl-plain-2.1.22-4
> cyrus-sasl-ldap-2.1.22-4
> cyrus-sasl-md5-2.1.22-4
> [root@roadrunner ~]# rpm -qa|grep openldap
> openldap-clients-2.3.27-8.el5_1.1
> openldap-2.3.27-8.el5_1.1
> openldap-servers-2.3.27-8.el5_1.1
> openldap-devel-2.3.27-8.el5_1.1
>
> and the following configuration
>
> /etc/slapd.conf
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/cabm-person.schema
> include /etc/openldap/schema/nis.schema
> #include /etc/openldap/slapd.acls
>
> # Allow LDAPv2 client connections. This is NOT the default.
> allow bind_v2
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral ldap://root.openldap.org
>
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
>
> # Load dynamic backend modules:
> # modulepath /usr/lib/openldap
> # moduleload back_bdb.la
> # moduleload back_ldap.la
> # moduleload back_ldbm.la
> # moduleload back_passwd.la
> # moduleload back_shell.la
>
> # The next three lines allow use of TLS for encrypting connections using a
> # dummy test certificate which you can generate by changing to
> # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
> # slapd.pem so that the ldap user or group can read it. Your client software
> # may balk at self-signed certificates, however.
> TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
> TLSCertificateFile /etc/pki/tls/certs/slapdcert.pem
> TLSCertificateKeyFile /etc/pki/tls/certs/slapdkey.pem
>
> # Sample security restrictions
> # Require integrity protection (prevent hijacking)
> # Require 112-bit (3DES or better) encryption for updates
> # Require 63-bit encryption for simple bind
> # security ssf=1 update_ssf=112 simple_bind=64
>
> # Sample access control policy:
> # Root DSE: allow anyone to read it
> # Subschema (sub)entry DSE: allow anyone to read it
> # Other DSEs:
> # Allow self write access
> # Allow authenticated users read access
> # Allow anonymous users to authenticate
> # Directives needed to implement policy:
> #access to dn.base="" by * read
> #access to dn.base="cn=Subschema" by * read
> #access to *
> # by self write
> # by users read
> # by anonymous auth
> #
> # if no access controls are present, the default policy
> # allows anyone and everyone to read anything but restricts
> # updates to rootdn. (e.g., "access to * by * read")
> #
> #rootdn can always read and write EVERYTHING!
>
> #######################################################################
> # ldbm and/or bdb database definitions
> #######################################################################
>
> database bdb
> suffix "dc=cabm.rutgers,dc=edu"
> rootdn "cn=roadrunner.cabm.rutgers.edu,dc=cabm.rutgers,dc=edu"
> checkpoint 1024 30
> # Cleartext passwords, especially for the rootdn, should
> # be avoided. See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> # rootpw secret
> # rootpw {crypt}ijFYNcSNctBYg
> rootpw {MD5}s1VGPKQuI+rRKYM1jtPp+g==
> password-hash {CRYPT}
> password-crypt-salt-format "$1$%s"
>
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory /var/lib/ldap
>
> # Indices to maintain for this database
> index objectClass eq,pres
> index ou,cn,mail,surname,givenname eq,pres,sub
> index uidNumber,gidNumber,loginShell eq,pres
> index uid,memberUid eq,pres,sub
> index nisMapName,nisMapEntry eq,pres,sub
>
>
> /etc/saslauthd.conf
> ldap_servers: ldap://localhost/
> ldap_version: 3
> ldap_timeout: 10
> ldap_timelimit: 10
> ldap_cache_ttl: 30
> ldap_cache_mem: 32768

ldap_cache are not valid options. See 'man saslauthd' for caching options.

> ldap_restart: yes
> ldap_scope: sub
> ldap_search_base: dc=cabm.rutgers,dc=edu
> ldap_auth_method: bind
> ldap_bind_dn: cn=roadrunner.cabm.rutgers.edu,dc=cabm.rutgers,dc=edu
> ldap_password: {MD5}s1VGPKQuI+rRKYM1jtPp+g==

ldap_password needs to be clear text. I suggest you use sasl and the ldapdb auxprop plugin.

I hope this helps.

-Igor

> ldap_filter: mail=%u
> ldap_debug: 128
> ldap_verbose: 1
> ldap_ssl: no
>
> I have a similar configuration running with much older versions of
> openldap/sasl.
>
> The objective is to have my imapd/smtp server authenticate users
> using uid/userPassword from my LDAP database in PLAINTEXT with TLS.
> The uid in my LDAP database is simply the username without any domain
> attached. The userPassword is in {CRYPT} in the LDAP database.
>
> I have the certificates installed and working and an ldapsearch
>
> ldapsearch -x -W -ZZ -b 'dc=cabm.rutgers,dc=edu' -H ldap:/// -D
> 'cn=roadrunner.cabm.rutgers.edu,dc=cabm.rutgers,dc=edu' '(objectclass=*)'
>
> asks for the rootdn password and produces the listing.
>
> When I try the testsaslauthd with a uid/userPassword from my LDAP database,
> however, the authentication fails ...
>
> testsaslauthd -u shelley -p mypassword
> 0: NO "authentication failed"
>
> and in /var/log/secure ...
> Dec 4 09:56:18 roadrunner saslauthd[6164]: Authentication failed for
> shelley: Bind to ldap server failed (invalid user/password or insufficient
> access) (-7)
> Dec 4 09:56:18 roadrunner saslauthd[6164]: do_auth : auth failure:
> [user=shelley] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
>
> and in the debug from -d 128 ldap log ...
> => access_allowed: auth access to
> "cn=roadrunner.cabm.rutgers.edu,dc=cabm.rutgers,dc=edu" "userPassword"
> requested
> => access_allowed: backend default auth access granted to "(anonymous)"
>
> I allowed the default acls for LDAP, which should allow the rootdn to bind
> and verify the password.
>
> What is the issue here, the ldap_filter? I do not have virtual domains,
> just a single domain. I have the following in
> /etc/imapd.conf
> [root@roadrunner etc]# cat /etc/imapd.conf
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> admins: cyrus
> sievedir: /var/lib/imap/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> allowplaintext: yes
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN
> tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
> tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
> tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
>
> S.Waltz
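The two mistakes Igor points out (the unsupported ldap_cache_* options and a rootpw hash pasted into ldap_password, which saslauthd sends verbatim in a simple bind) are easy to catch before restarting saslauthd. This is an added example, not code from the thread or from cyrus-sasl; the sample config is constructed from the saslauthd.conf quoted above, and the parser assumes the plain "key: value" layout used there.

```python
import re

# Constructed sample modelled on the saslauthd.conf quoted in the thread
# (the rootpw hash from slapd.conf pasted in as the bind secret).
SAMPLE_CONF = """\
ldap_servers: ldap://localhost/
ldap_version: 3
ldap_cache_ttl: 30
ldap_cache_mem: 32768
ldap_auth_method: bind
ldap_bind_dn: cn=roadrunner.cabm.rutgers.edu,dc=cabm.rutgers,dc=edu
ldap_password: {MD5}s1VGPKQuI+rRKYM1jtPp+g==
ldap_filter: mail=%u
"""

# Options the thread identifies as not recognised by saslauthd.
INVALID_OPTIONS = {"ldap_cache_ttl", "ldap_cache_mem"}
# RFC 2307 style scheme prefix such as {MD5} or {CRYPT}: a stored hash, not a bind secret.
HASH_PREFIX = re.compile(r"^\{[A-Za-z0-9-]+\}")


def parse_conf(text):
    """Parse 'key: value' lines into a dict; '#' comment lines and blanks are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf


def lint_conf(text):
    """Return findings for the pitfalls from the thread; an empty list means none found."""
    conf = parse_conf(text)
    findings = []
    for key in sorted(INVALID_OPTIONS & set(conf)):
        findings.append(f"{key}: not a saslauthd option, see 'man saslauthd' for caching")
    pw = conf.get("ldap_password")
    if pw is not None and HASH_PREFIX.match(pw):
        # saslauthd binds with this value as-is, so a hash can never match the directory;
        # the file must hold the cleartext secret, so keep it readable by root only.
        findings.append("ldap_password: holds a password hash; the bind secret must be cleartext")
    return findings


if __name__ == "__main__":
    for finding in lint_conf(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```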