Your log indicates it's a TLS negotiation failure. Does it work if you don't use TLS? If not, fix that. If it does, increase logging in slapd until you see why TLS fails.

p@rick

* Olivier Nicole <on@xxxxxxxxxxxx>:
> I am stuck with the following problem and I don't know where to find
> information/what to do.
>
> I am trying Cyrus-sasl for authentication in Postfix.
>
> I have installed on FreeBSD:
>
> cyrus-sasl-2.1.23 RFC 2222 SASL (Simple Authentication and Security Layer)
> cyrus-sasl-ldapdb-2.1.23 SASL LDAPDB auxprop plugin
> cyrus-sasl-saslauthd-2.1.23 SASL authentication server for cyrus-sasl2
>
> My ldap server accepts anonymous bind on the standard port (389) and
> simple bind on SSL port (636).
>
> How to configure saslauthd to be able to authenticate to ldap server?
>
> I have been trying many configurations for saslauthd, but without
> success (while at the same time I have several services that bind
> successfully to the ldap server).
>
> My latest saslauthd.conf is:
>
> ldap_auth_method: fastbind
> ldap_servers: ldaps://ldap.cs.ait.ac.th/
> ldap_version: 3
> ldap_timeout: 10
> ldap_time_limit: 10
> ldap_scope: one
> ldap_search_base: ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th
> # ldap_filter: (&(uid=%U) (csimAccountPermission=mail))
> ldap_filter: uid=%u,ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th
> ldap_tls_cacert_file: /usr/local/ssl/ca/ait-itserv.crt
> ldap_use_sasl: no
> ldap_start_tls: no
> ldap_version: 3
> #ldap_bind_dn: cn=Manager,dc=cs,dc=ait,dc=ac,dc=th
> #ldap_bind_pw: XXXXXX
> # ldap_group_dn: ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th
>
> From the ldap server logs, it seems it binds properly, but then is
> trying many other binds that do not succeed:
>
> Jul 23 08:56:03 ldap slapd[37776]: conn=3321 fd=34 ACCEPT from IP=192.41.170.50:58534 (IP=192.41.170.6:636)
> Jul 23 08:56:03 ldap slapd[37776]: conn=3321 fd=34 closed (TLS negotiation failure)
> Jul 23 08:56:03 ldap slapd[37776]: conn=3322 fd=34 ACCEPT from IP=192.41.170.50:52393 (IP=192.41.170.6:636)
> Jul 23 08:56:04 ldap slapd[37776]: conn=3323 fd=36 ACCEPT from IP=192.41.170.50:53526 (IP=192.41.170.6:636)
> Jul 23 08:56:04 ldap slapd[37776]: conn=3323 fd=36 closed (TLS negotiation failure)
> Jul 23 08:56:04 ldap slapd[37776]: conn=3324 fd=36 ACCEPT from IP=192.41.170.50:56136 (IP=192.41.170.6:636)
>
> So my configuration must be wrong, but I can see what I should be
> using instead.
>
> TIA,
>
> Olivier

--
All technical answers asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
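An added example, not code from either message in this thread: a small Python correlator for the slapd-side check suggested in the reply. It pairs each conn= ACCEPT line with the matching "closed (TLS negotiation failure)" or "TLS established" line, so a client whose connections all die in the handshake (the saslauthd host here) stands out from clients that negotiate TLS normally. The sample lines are the ones Olivier quoted plus one constructed successful connection from 10.0.0.7 for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the slapd lines quoted in the thread plus one
# successful connection (conn=3325, constructed) for contrast.
SAMPLE_LOG = """\
Jul 23 08:56:03 ldap slapd[37776]: conn=3321 fd=34 ACCEPT from IP=192.41.170.50:58534 (IP=192.41.170.6:636)
Jul 23 08:56:03 ldap slapd[37776]: conn=3321 fd=34 closed (TLS negotiation failure)
Jul 23 08:56:03 ldap slapd[37776]: conn=3322 fd=34 ACCEPT from IP=192.41.170.50:52393 (IP=192.41.170.6:636)
Jul 23 08:56:04 ldap slapd[37776]: conn=3323 fd=36 ACCEPT from IP=192.41.170.50:53526 (IP=192.41.170.6:636)
Jul 23 08:56:04 ldap slapd[37776]: conn=3323 fd=36 closed (TLS negotiation failure)
Jul 23 08:56:04 ldap slapd[37776]: conn=3324 fd=36 ACCEPT from IP=192.41.170.50:56136 (IP=192.41.170.6:636)
Jul 23 08:56:05 ldap slapd[37776]: conn=3325 fd=38 ACCEPT from IP=10.0.0.7:40001 (IP=192.41.170.6:636)
Jul 23 08:56:05 ldap slapd[37776]: conn=3325 fd=38 TLS established tls_ssf=256 ssf=256
Jul 23 08:56:06 ldap slapd[37776]: conn=3325 fd=38 closed
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+ \(IP=([\d.]+):(\d+)\)")
CLOSED_RE = re.compile(r"conn=(\d+) fd=\d+ closed(?: \((.*)\))?$")
TLS_OK_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established")

def analyze_slapd_log(text):
    """Per client IP: connections accepted, TLS failures, TLS successes,
    and connections still open (accepted but not seen closed)."""
    conns = {}  # conn id -> client ip, for connections not yet closed
    stats = defaultdict(lambda: {"accepted": 0, "tls_failed": 0, "tls_ok": 0, "open": 0})
    for line in text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            cid, client = m.group(1), m.group(2)
            conns[cid] = client
            stats[client]["accepted"] += 1
            stats[client]["open"] += 1
            continue
        m = TLS_OK_RE.search(line)
        if m and m.group(1) in conns:
            stats[conns[m.group(1)]]["tls_ok"] += 1
            continue
        m = CLOSED_RE.search(line)
        if m and m.group(1) in conns:
            client = conns.pop(m.group(1))
            stats[client]["open"] -= 1
            if m.group(2) == "TLS negotiation failure":
                stats[client]["tls_failed"] += 1
    return dict(stats)

def tls_failing_clients(stats, min_failures=2):
    """Clients with repeated handshake failures and no successful TLS session."""
    return sorted(ip for ip, s in stats.items()
                  if s["tls_failed"] >= min_failures and s["tls_ok"] == 0)
```

Feeding a real slapd log (loglevel with conns/stats enabled) to analyze_slapd_log shows at a glance whether the failure is specific to the saslauthd host or affects every ldaps client, which is the first thing to know before turning up TLS logging.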