SASL LDAP + TLS

Howdy,

I'm trying to get SASL working with OpenLDAP + TLS. I got it working without TLS with these settings:

slapd.conf:
----------
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSCertificateFile /etc/ssl/certs/servercert.pem
TLSCertificateKeyFile /etc/ssl/private/serverkey.pem
TLSVerifyClient allow

sasl-regexp
    uid=(.*),cn=digest-md5,cn=auth
    uid=$1,ou=people,dc=kineticode,dc=com

saslauthd.conf:
--------------
ldap_servers: ldap://localhost/
ldap_use_sasl: yes

This works great with testsaslauthd:

% sudo testsaslauthd -u david -p '******'
0: OK "Success."

However, when I add these lines to saslauthd.conf, it fails:

ldap_start_tls: yes
ldap_tls_cacert_file: /etc/ssl/certs/cacert.pem
ldap_tls_cert: /etc/ssl/certs/clientcert.pem
ldap_tls_key: /etc/ssl/certs/clientkey.pem

Here's the test:

% sudo testsaslauthd -u david -p '******'
0: NO "authentication failed"

Here's what shows up in the auth.log:

Mar 19 13:11:48 sahlins sudo: david : TTY=pts/0 ; PWD=/home/david ; USER=root ; COMMAND=/usr/sbin/testsaslauthd -u david -p *******
Mar 19 13:11:48 sahlins saslauthd[8258]: start tls failed (Connect error).
Mar 19 13:11:48 sahlins saslauthd[8258]: Authentication failed for david: Cannot connect to ldap server (configuration error) (-8)
Mar 19 13:11:48 sahlins saslauthd[8258]: do_auth : auth failure: [user=david] [service=imap] [realm=] [mech=ldap] [reason=Unknown]

For some reason starttls fails. However, when I create ~/.ldaprc with these lines:

TLS_CERT        /etc/ssl/certs/clientcert.pem
TLS_KEY         /etc/ssl/certs/clientkey.pem
SASL_MECH       EXTERNAL

I can then successfully auth using ldapsearch:

% ldapsearch -U david -v '(&(objectClass=inetLocalMailRecipient) (uid=david))' -ZZ
ldap_initialize( <DEFAULT> )
SASL/EXTERNAL authentication started
SASL username: CN=*.kineticode.com,OU=Kineticode,O=Kineticode\2C Inc.,ST=Oregon,C=US
SASL SSF: 0
filter: (&(objectClass=inetLocalMailRecipient)(uid=david))
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (&(objectClass=inetLocalMailRecipient)(uid=david))
# requesting: ALL
#

# david, people, kineticode.com
dn: uid=david,ou=people,dc=kineticode,dc=com
<snip/>
# search result
search: 3
result: 0 Success

So please, can anyone tell me what I'm missing? From the docs I gather that I have to have a client certificate and key for sasl external to use (and I assume that external is what testsaslauthd does), so I created the cert and key and it seems to work with ldapsearch (without even requiring a password!) but not testsaslauthd. :-(

FWIW, where I'm going with this is supporting Postfix SMTP Auth, which uses SASL.

Thanks,

David
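As an added example (not part of the post), a small Python checker for the saslauthd.conf keys shown above: it parses the file, confirms StartTLS is only requested for ldap:// URLs, checks that ldap_tls_cert and ldap_tls_key are set as a pair, and checks whether each URL's host would match the server certificate name the way libldap does when TLS_REQCERT is left at its default (demand). The config text is constructed from the post and the certificate name is the CN that ldapsearch printed; no real files or servers are touched.

```python
"""Consistency checks for saslauthd LDAP + StartTLS settings (constructed example)."""
from urllib.parse import urlparse

# Constructed from the keys in the post; not read from disk.
SASLAUTHD_CONF = """\
ldap_servers: ldap://localhost/
ldap_use_sasl: yes
ldap_start_tls: yes
ldap_tls_cacert_file: /etc/ssl/certs/cacert.pem
ldap_tls_cert: /etc/ssl/certs/clientcert.pem
ldap_tls_key: /etc/ssl/certs/clientkey.pem
"""

# Subject CN of the server certificate, as shown in the ldapsearch output.
SERVER_CERT_NAMES = ["*.kineticode.com"]


def parse_conf(text):
    """Parse 'key: value' lines into a dict, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf


def hostname_matches(pattern, host):
    """Certificate name match: a leading '*' covers exactly one DNS label."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # e.g. ".kineticode.com"
    return host.endswith(suffix) and host.count(".") == pattern.count(".")


def check(conf, server_cert_names):
    """Return a list of findings; an empty list means the StartTLS settings look consistent."""
    findings = []
    if conf.get("ldap_start_tls") == "yes":
        for url in conf.get("ldap_servers", "").split():
            u = urlparse(url)
            if u.scheme != "ldap":
                findings.append(f"{url}: StartTLS applies to ldap:// URLs, not {u.scheme}://")
            elif not any(hostname_matches(n, u.hostname or "") for n in server_cert_names):
                findings.append(f"{url}: host {u.hostname!r} matches none of {server_cert_names}")
    if bool(conf.get("ldap_tls_cert")) != bool(conf.get("ldap_tls_key")):
        findings.append("ldap_tls_cert and ldap_tls_key must be set together")
    return findings


if __name__ == "__main__":
    for finding in check(parse_conf(SASLAUTHD_CONF), SERVER_CERT_NAMES) or ["no findings"]:
        print(finding)
```

Run against the constructed config, the only finding is that ldap://localhost/ cannot match a certificate issued for *.kineticode.com; pointing ldap_servers at a name the certificate covers clears it.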
