On 09/27/18 16:04 -0400, Paul Raines wrote:
I have a saslauthd server running on a CentOS6 system that I want
to upgrade to CentOS7. On the CentOS6 system I have /etc/saslauthd.conf
set as (domain changed):
ldap_servers: ldaps://ldap.foobar.org
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
and saslauthd is run as
/usr/sbin/saslauthd -m /run/saslauthd -a ldap -O /etc/saslauthd.conf
The LDAP server is the LDAP portal of the corporate AD server.
This works fine as 'testsaslauthd -s ldap ...' succeeds. This
same config worked when it was on a CentOS5 system.
When I set up this identical config on a test CentOS7 system the
testsaslauthd always fails. Debug output is
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 client step 2
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 parse_server_challenge()
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 ask_user_info()
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 client step 2
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 ask_user_info()
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 make_client_response()
Aug 24 11:05:42 hound saslauthd[118834]: Authentication failed for
per2: Bind to ldap server failed (invalid user/password or
insufficient access) (-7)
Aug 24 11:05:42 hound saslauthd[118834]: do_auth : auth
failure: [user=per2] [service=ldap] [realm=] [mech=ldap]
[reason=Unknown]
I have tried ldap_auth_method with 'bind' and 'fastbind' and
ldap_use_sasl set to no, but every combo fails.
It does work to use a /etc/saslauthd.conf with explicit credentials such
as
ldap_servers: ldaps://ldap.foobar.org
ldap_search_base: dc=foobar,dc=org
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn: cn=myuid,cn=users,dc=foobar,dc=org
ldap_password: *********
but I don't like putting my password in a config file and also having
to remember to change it every time the password changes in AD.
Does anyone have any ideas why the initial setup does not work
in CentOS7?
Check your DNS settings.
Troubleshoot this by using the ldap client utilities directly:
ldapwhoami -d -1 -H ldaps://ldap.foobar.org -Y DIGEST-MD5 -U per2 -W
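Taking the reply's suggestion one step further, here is an added shell example (mine, not from either poster in the thread) that builds the ldapwhoami command matching a given saslauthd.conf, so the same bind saslauthd would perform can be exercised with the client tools, and that flags the case Paul was trying to avoid: an ldap_password stored in a file that group or other can read. The LDAP host and bind DN are the thread's anonymized values; the test account, the temp file and the password value are constructed placeholders. It assumes GNU or BSD stat, and the OpenLDAP client tools are what you then run the printed command with.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce saslauthd's LDAP bind with the
# ldap client tools and flag a stored ldap_password that others can read.
set -e

# Fetch one "key: value" entry from a saslauthd.conf-style file (first match wins).
conf_get() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Print the ldapwhoami command that performs the same bind saslauthd would:
# a SASL bind (ldap_use_sasl: yes) with the configured mechanism, a simple
# bind as ldap_bind_dn when one is set, or a simple bind as the test user.
# $1 = config file, $2 = account to test with (hypothetical)
whoami_cmd() {
    servers=$(conf_get "$1" ldap_servers)
    mech=$(conf_get "$1" ldap_mech)
    bind_dn=$(conf_get "$1" ldap_bind_dn)
    if [ -n "$mech" ]; then mechopt=" -Y $mech"; else mechopt=""; fi
    if [ "$(conf_get "$1" ldap_use_sasl)" = "yes" ]; then
        printf 'ldapwhoami -H "%s"%s -U "%s" -W\n' "$servers" "$mechopt" "$2"
    elif [ -n "$bind_dn" ]; then
        printf 'ldapwhoami -H "%s" -x -D "%s" -W\n' "$servers" "$bind_dn"
    else
        printf 'ldapwhoami -H "%s" -x -D "%s" -W\n' "$servers" "$2"
    fi
}

# Return 0 when no ldap_password is stored, or when it is stored in a file
# only the owner can read; return 1 when group or others can read the secret.
check_password_exposure() {
    [ -n "$(conf_get "$1" ldap_password)" ] || return 0
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        *00) return 0 ;;   # group and other bits are zero
        *)   return 1 ;;
    esac
}

# Demo with a constructed config (host and DN are the thread's anonymized values).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'ldap_servers: ldaps://ldap.foobar.org\nldap_bind_dn: cn=myuid,cn=users,dc=foobar,dc=org\nldap_password: placeholder-not-a-real-secret\n' > "$demo_dir/saslauthd.conf"
chmod 644 "$demo_dir/saslauthd.conf"   # deliberately too open for the demo
whoami_cmd "$demo_dir/saslauthd.conf" per2
if check_password_exposure "$demo_dir/saslauthd.conf"; then
    echo "ok: no stored password, or the file is owner-only"
else
    echo "warning: ldap_password is stored in a file readable by group/others"
fi
```

If the printed ldapwhoami command fails the same way testsaslauthd does, the problem is in the LDAP client library, name resolution or the server side rather than in saslauthd itself, which is the split the reply is driving at. The exposure check is the part to keep: a bind password in saslauthd.conf is only tolerable when the file is readable by its owner alone.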