On 07/11/11 21:49 +0000, Gabriella Turek wrote:
> Hello, I am trying to set up Cyrus sasl so I can use it for pass-through
> authentication with OpenLDAP. The OS is SUSE sles11 and I thought I'd
> start with what is already there preinstalled (v.2.1.22). I am trying to
> authenticate against Active Directory 2008.
> My configuration file looks like:
> ldap_servers: ldap://hamwdc01.niwa.local/
> ldap_search_base: DC=niwa=,DC=local
You have a typo here, with an extra equals sign.
> ldap_scope: sub
> ldap_sasl_mech: plain
Since you're not using ldap_use_sasl: yes, you should remove
ldap_sasl_mech from your config.
> ldap_auth_method: bind
> ldap_bind_dn: "CN=SDT Tester,OU=NIWA Staff Accounts,OU=User Accounts,DC=niwa,DC=local"
> ldap_password: mypassword
> ldap_filter: (dn=%u)
> When I try to authenticate using testsaslauthd I get:
> Authentication failed for some-user: Bind to ldap server failed (invalid
> user/password or insufficient access) (-7)
> If I try an ldap_bind_dn of the form sdttester@niwa.local in the config
> file I get:
> Authentication failed for some-user: Retry condition (ldap server
> connection reset or broken) (-3)
You should be using the DN, when using 'ldap_auth_method: bind'.
> This is all very puzzling, as I can ldapsearch perfectly fine with any
> valid user I choose in either form (DN or userPrincipalName).
> Is it possible that this installation of cyrus has not been compiled with
> ldap support? I would expect a bit more feedback.
You can verify saslauthd was compiled with LDAP support with 'saslauthd
-v'. You use it by specifying '-a ldap' as a command line option.
Your saslauthd.conf file should typically go in /etc, but you can specify an
alternate location with '-O <path/file>'.
See saslauthd/LDAP_SASLAUTHD in the source for documentation.
You can simulate the function of saslauthd (in bind mode) with:
ldapsearch -x -H ldap://hamwdc01.niwa.local/ \
  -D "CN=SDT Tester,OU=NIWA Staff Accounts,OU=User Accounts,DC=niwa,DC=local" \
  -w mypassword -b "DC=niwa,DC=local" "(dn=testusername)" dn
and then with the returned dn:
ldapwhoami -x -H ldap://hamwdc01.niwa.local/ -D "$DN" -w <user_password>
and if successful, ldapwhoami should return the DN again. If so, then your
saslauthd.conf config is probably correct.
For further troubleshooting, you can add 'ldap_debug: -1' to your
saslauthd.conf, and start saslauthd in debug mode.
After verifying testsaslauthd is working, make sure that your OpenLDAP user
(-u option) has filesystem permissions to access the saslauthd mux.
For OpenLDAP pass-through documentation, see "14.5. Pass-Through
authentication" of the OpenLDAP Administrator's Guide.
--
Dan White
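The two-step bind check from the reply above, scripted as an added example that is not part of the thread: ldapsearch prints LDIF, which folds long lines and base64-encodes a non-ASCII DN as "dn:: ...", so the DN is unfolded and decoded before it is passed to ldapwhoami. It assumes the ldapsearch/ldapwhoami client tools and the server, bind DN, search base and password from the quoted saslauthd.conf.

```shell
#!/bin/sh
# Added example, not code from the thread: the ldapsearch + ldapwhoami check
# that mirrors what saslauthd does in bind mode. ldapsearch output is LDIF:
# long lines are folded (a continuation line starts with one space) and a DN
# that is not plain ASCII is written as "dn:: <base64>". Both cases are
# handled before the DN is handed to ldapwhoami.

# Connection details from the saslauthd.conf quoted above (assumed unchanged).
LDAP_URI='ldap://hamwdc01.niwa.local/'
BIND_DN='CN=SDT Tester,OU=NIWA Staff Accounts,OU=User Accounts,DC=niwa,DC=local'
BIND_PW='mypassword'
SEARCH_BASE='DC=niwa,DC=local'

# ldif_dn: read LDIF on stdin, print the first entry's DN unfolded and decoded.
# Returns 1 when no dn line is present (for example, an empty search result).
ldif_dn() {
  _dn_line=$(awk '
    function flush() {               # emit the first completed dn: line only
      if (!found && buf ~ /^dn:/) { print buf; found = 1 }
      buf = ""
    }
    /^ / { buf = buf substr($0, 2); next }   # folded continuation line
    { flush(); buf = $0 }
    END  { flush() }
  ')
  case "$_dn_line" in
    "dn:: "*) printf '%s' "${_dn_line#dn:: }" | base64 -d && echo ;;
    "dn: "*)  printf '%s\n' "${_dn_line#dn: }" ;;
    *)        return 1 ;;
  esac
}

# saslauthd_bind_check USER PASSWORD: search for the user's DN with the
# service account, then simple-bind as that DN with the user's password.
# The filter mirrors "ldap_filter: (dn=%u)" from the config; USER here is
# typed by the operator, not taken from an untrusted client.
saslauthd_bind_check() {
  _user=$1; _pass=$2
  _dn=$(ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" \
          -b "$SEARCH_BASE" "(dn=$_user)" dn | ldif_dn) || {
    echo "no entry found for $_user" >&2; return 1; }
  # On success ldapwhoami prints the same DN back; a failure here means the
  # user's password or the bind DN is wrong, not the saslauthd.conf.
  ldapwhoami -x -H "$LDAP_URI" -D "$_dn" -w "$_pass"
}

# Usage: saslauthd_bind_check some-user 'user_password'
```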