Re: Help with Cyrus configuration - testsaslauthd not working

On 07/11/11 21:49 +0000, Gabriella Turek wrote:
> Hello, I am trying to set up Cyrus SASL so I can use it for pass-through
> authentication with OpenLDAP. The OS is SUSE SLES 11 and I thought I'd
> start with what is already there preinstalled (v.2.1.22). I am trying to
> authenticate against Active Directory 2008.
> My configuration file looks like:
>
> ldap_servers: ldap://hamwdc01.niwa.local/
> ldap_search_base: DC=niwa=,DC=local

You have a typo here, with an extra equals sign.

> ldap_scope: sub
> ldap_sasl_mech: plain

Since you're not using ldap_use_sasl: yes, you should remove
ldap_sasl_mech from your config.

> ldap_auth_method: bind
> ldap_bind_dn: "CN=SDT Tester,OU=NIWA Staff Accounts,OU=User Accounts,DC=niwa,DC=local"
> ldap_password: mypassword
> ldap_filter: (dn=%u)

> When I try to authenticate using testsaslauthd I get:
> Authentication failed for some-user: Bind to ldap server failed (invalid
> user/password or insufficient access) (-7)
>
> If I try a ldap_bind_dn of the form sdttester@niwa.local in the config
> file I get:
> Authentication failed for some-user: Retry condition (ldap server
> connection reset or broken) (-3)

You should be using the DN, when using 'ldap_auth_method: bind'.

> This is all very puzzling, as I can ldapsearch perfectly fine with any
> valid user I choose in either form (DN or userPrincipalName).
>
> Is it possible that this installation of Cyrus has not been compiled with
> LDAP support? I would expect a bit more feedback.

You can verify saslauthd was compiled with LDAP support with 'saslauthd
-v'. You use it by specifying '-a ldap' as a command line option.

Your saslauthd.conf file should typically go in /etc, but you can specify an
alternate location with '-O <path/file>'.

See saslauthd/LDAP_SASLAUTHD in the source for documentation.

You can simulate the function of saslauthd (in bind mode) with:

ldapsearch -x -H ldap://hamwdc01.niwa.local/ -D "CN=SDT Tester,OU=NIWA
Staff Accounts,OU=User Accounts,DC=niwa,DC=local" -w mypassword -b
"DC=niwa,DC=local" "(dn=testusername)" dn

and then with the returned dn:

ldapwhoami -x -H ldap://hamwdc01.niwa.local/ -D "$DN" -w <user_password>

and if successful, ldapwhoami should return the DN again. If so, then your
saslauthd.conf config is probably correct.

For further troubleshooting, you can add 'ldap_debug: -1' to your
saslauthd.conf, and start saslauthd in debug mode.

After verifying testsaslauthd is working, make sure that your OpenLDAP user
(-u option) has filesystem permissions to access the saslauthd mux.

For OpenLDAP pass-through documentation, see "14.5. Pass-Through
authentication" of the OpenLDAP Administrator's Guide.

--
Dan White
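The two-step ldapsearch/ldapwhoami check described above, as an added example that is not part of the thread: a POSIX sh script that expands %u in ldap_filter the way saslauthd does, unfolds ldapsearch's LDIF output (a DN as long as the one here gets folded across two lines, which bites when copying it into $DN by hand), insists on exactly one match, and then binds as that DN with the user's own password. Hostname, search base, service DN and filter are the values quoted in the thread; the passwords are placeholders, and the OpenLDAP client tools (ldapsearch, ldapwhoami) are assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the thread: replay saslauthd's LDAP "bind"
# mode step by step.  Hostname, search base, service DN and filter are the
# values quoted in the thread; BIND_PW and the user password are placeholders.
LDAP_URI="ldap://hamwdc01.niwa.local/"
SEARCH_BASE="DC=niwa,DC=local"
BIND_DN="CN=SDT Tester,OU=NIWA Staff Accounts,OU=User Accounts,DC=niwa,DC=local"
BIND_PW="${BIND_PW:-mypassword}"      # placeholder; export BIND_PW to override
LDAP_FILTER='(dn=%u)'                  # ldap_filter from the saslauthd.conf above

# Expand %u in ldap_filter with the username, as saslauthd does (POSIX sh only).
expand_filter() {
    filter=$1; user=$2; out=""
    while [ "$filter" != "${filter#*%u}" ]; do
        out="$out${filter%%%u*}$user"
        filter=${filter#*%u}
    done
    printf '%s\n' "$out$filter"
}

# Read LDIF on stdin, unfold continuation lines (ldapsearch folds long
# lines at 76 columns, and a DN this long gets folded), and print the value
# of each "dn:" line.  Base64 "dn::" values are flagged rather than decoded.
extract_dn() {
    awk 'function flush() {
             if (buf ~ /^dn:: /) print "BASE64:" substr(buf, 6)
             else if (buf ~ /^dn: /) print substr(buf, 5)
             buf = ""
         }
         /^ / { buf = buf substr($0, 2); next }
         { if (buf != "") flush(); buf = $0 }
         END { if (buf != "") flush() }'
}

# Step 1: search as the service account; exactly one entry must match.
# Step 2: bind as the returned DN with the user's own password.
simulate_bind() {
    user=$1; user_pw=$2
    filter=$(expand_filter "$LDAP_FILTER" "$user")
    dns=$(ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" \
                     -b "$SEARCH_BASE" "$filter" dn | extract_dn)
    count=$(printf '%s\n' "$dns" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "search returned $count entries for $filter (need exactly 1)" >&2
        return 1
    fi
    ldapwhoami -x -H "$LDAP_URI" -D "$dns" -w "$user_pw"
}

# usage: sh this_script.sh <username> <user_password>
if [ $# -eq 2 ]; then simulate_bind "$1" "$2"; fi
```

If ldapwhoami prints the same DN back, the search/bind pair works and the remaining suspects are saslauthd's command line (-a ldap, -O path) and the config typos noted above.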

