Re: SASL LDAP + TLS

On Mar 20, 2008, at 01:11, Dieter Kluenter wrote:

> "David E. Wheeler" <david@xxxxxxxxxxxxxx> writes:
>
>> On Mar 19, 2008, at 15:02, Quanah Gibson-Mount wrote:
>>
>>> If you mean Postfix doing SASL anything to OpenLDAP, it doesn't
>>> support SASL binds to LDAP.  I have a patch for that.
>>
>> That sounds promising. However, Postfix does do SASL, and SASL does
>> talk to OpenLDAP (as I was able to find using testsaslauthd), but my
>> trouble is getting SASL to talk to OpenLDAP using SASL authentication
>> with TLS. My /etc/saslauthd.conf looks like this:
>
> try auxprop ldapdb and appropriate settings in smtpd.conf to enable
> postfix sasl authentication.

Thank you for your reply, Dieter. However, I haven't even got as far as trying to get postfix hooked up. I was first trying to make sure that saslauthd was working with LDAP using testsaslauthd. When saslauthd.conf looks like this:

  ldap_servers: ldap://localhost/
  ldap_use_sasl: yes

It works:

% sudo testsaslauthd -u david -p '******'
0: OK "Success."

But when it looks like this:

  ldap_servers: ldap://localhost/
  ldap_use_sasl: yes
  ldap_start_tls: yes
  ldap_tls_cacert_file: /etc/ssl/certs/cacert.pem
  ldap_tls_cert: /etc/ssl/certs/clientcert.pem
  ldap_tls_key: /etc/ssl/certs/clientkey.pem

It doesn't work:

% sudo testsaslauthd -u david -p '******'
0: NO "authentication failed"

And this is what shows up in the auth.log:

Mar 19 13:11:48 sahlins saslauthd[8258]: start tls failed (Connect error).
Mar 19 13:11:48 sahlins saslauthd[8258]: Authentication failed for david: Cannot connect to ldap server (configuration error) (-8)
Mar 19 13:11:48 sahlins saslauthd[8258]: do_auth : auth failure: [user=david] [service=imap] [realm=] [mech=ldap] [reason=Unknown]

The relevant slapd logging is here:

  http://kineticode.com/code/slapd.txt

I can't tell why starttls fails. :-( It works fine when I use ldapsearch -Y EXTERNAL -- it doesn't even prompt me for a password!

If you have any ideas what I might be missing (something in saslauthd.conf, surely!), I would greatly appreciate it.

Thanks,

David

PS: I have these directives in slapd.conf:

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSCertificateFile /etc/ssl/certs/servercert.pem
TLSCertificateKeyFile /etc/ssl/private/serverkey.pem
TLSVerifyClient allow

sasl-regexp
   uid=(.*),cn=digest-md5,cn=auth
   uid=$1,ou=people,dc=kineticode,dc=com
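Added example, not part of the original thread or of saslauthd: a small Python probe that performs the LDAP StartTLS extended operation (RFC 4511, OID 1.3.6.1.4.1.1466.20037) by hand and then completes the TLS handshake with the same CA, client certificate and key files named in saslauthd.conf. saslauthd collapses every TLS failure into "start tls failed (Connect error)"; doing the same two steps outside saslauthd makes the server's LDAP resultCode and the ssl module's error text (chain, hostname or client-certificate problem) visible. Host, port and file paths are command-line arguments; the defaults below are the paths from the message above and are assumptions about the reader's layout.

```python
"""Probe LDAP StartTLS with the CA/client-cert files saslauthd would use.

Added diagnostic, not saslauthd or OpenLDAP code. It speaks just enough
LDAP to request StartTLS, then hands the socket to Python's ssl module so
that certificate-chain, hostname and client-certificate failures surface
as an SSLError with a reason, not as an opaque "Connect error".
"""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 / RFC 4513 StartTLS


def ber(tag, payload):
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + payload


def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    assert 0 < msg_id < 128, "single-byte positive INTEGER is enough for a probe"
    ext = ber(0x77, ber(0x80, STARTTLS_OID))        # 0x77 = APPLICATION 23, constructed
    return ber(0x30, ber(0x02, bytes([msg_id])) + ext)


def _tlv(buf, pos=0):
    """Decode one BER TLV at buf[pos]; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        size = length & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(data):
    """Return (messageID, resultCode, errorMessage) from an ExtendedResponse."""
    tag, body, _ = _tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag %#x)" % tag)
    _, mid, pos = _tlv(body)
    tag, op, _ = _tlv(body, pos)
    if tag != 0x78:                                  # 0x78 = APPLICATION 24 ExtendedResponse
        raise ValueError("expected ExtendedResponse, got tag %#x" % tag)
    _, code, pos = _tlv(op)                          # resultCode ENUMERATED
    _, _matched_dn, pos = _tlv(op, pos)              # matchedDN, not needed here
    _, err, _ = _tlv(op, pos)                        # errorMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), err.decode("utf-8", "replace")


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection before StartTLS response")
        buf += chunk
    return buf


def _recv_message(sock):
    """Read exactly one BER-framed LDAPMessage from the socket."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        head += extra
        length = int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)


def starttls_probe(host, port=389, cafile=None, certfile=None, keyfile=None, check_hostname=True):
    """Connect, request StartTLS, finish the handshake; return peer certificate details.

    ValueError: the server refused StartTLS (resultCode and message included).
    ssl.SSLError: the TLS handshake failed; the message names the real cause.
    """
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_starttls_request())
        _, code, err = parse_extended_response(_recv_message(sock))
        if code != 0:
            raise ValueError("server refused StartTLS: resultCode=%d %s" % (code, err))
        ctx = ssl.create_default_context(cafile=cafile)   # verify_mode stays CERT_REQUIRED
        ctx.check_hostname = check_hostname
        if certfile:
            ctx.load_cert_chain(certfile, keyfile)        # same role as ldap_tls_cert / ldap_tls_key
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"cipher": tls.cipher()[0], "subject": cert.get("subject"), "issuer": cert.get("issuer")}


def main(argv):
    # Defaults are the file paths from the thread (assumed layout); override on the command line.
    host = argv[1] if len(argv) > 1 else "localhost"
    cafile = argv[2] if len(argv) > 2 else "/etc/ssl/certs/cacert.pem"
    certfile = argv[3] if len(argv) > 3 else "/etc/ssl/certs/clientcert.pem"
    keyfile = argv[4] if len(argv) > 4 else "/etc/ssl/certs/clientkey.pem"
    try:
        print(starttls_probe(host, cafile=cafile, certfile=certfile, keyfile=keyfile))
        return 0
    except (ValueError, ssl.SSLError, OSError) as exc:
        print("StartTLS probe failed:", exc, file=sys.stderr)
        return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once as-is and once with `check_hostname=False` passed to `starttls_probe`: if only the second run succeeds, the chain and client certificate are fine and the server certificate's name does not match the hostname used in `ldap_servers`; if both fail with a verify error, the CA file does not cover the server certificate; a resultCode other than 0 in the ValueError means slapd itself declined StartTLS.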

