I've been unable to get saslauthd to connect to an OpenLDAP server using
TLS/SSL.
Here are the errors from /var/log/auth.log:
Jun 29 13:50:51 edm-cmfe01 saslauthd[228571]: ldapdb
Jun 29 13:50:51 edm-cmfe01 saslauthd[228571]: _sasl_plugin_load failed on sasl_canonuser_init
Jun 29 13:50:51 edm-cmfe01 saslauthd[228571]: start tls failed (Connect error).
Jun 29 13:50:51 edm-cmfe01 saslauthd[228571]: Authentication failed for nels@xxxxxxx/maei.ca: Cannot connect to ldap server (configuration error) (-8)
System is AlmaLinux 8, using openldap-ltp 2.5.x packages for the server
and cyrus-sasl-*-2.1.27 packages.
ldap_servers: ldaps://edm-ldap.maei.ca/
ldap_id: root
ldap_password: <password>
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
ldap_default_realm: maei.ca
ldap_search_base: o=top
ldap_filter: (mailLocalAddress=%U@%r)
ldap_start_tls: no
ldap_tls_cacert_dir: /etc/pki/tls/certs
ldap_tls_check_peer: no
If I switch to ldap:// and enable start_tls, the result is the same.
If I use ldap:// and disable start_tls, everything works (meaning, I can
configure Sendmail, cyrus-imapd, etc. with pwcheck_method: saslauthd and
successfully authenticate).
Note that slapd is properly configured with a valid certificate chain,
and, e.g., ldapsearch will connect to either ldaps:// or ldap:// with
start_tls enabled and no errors.
Presumably I'm missing a directive; I did go through LDAP_SASLAUTHD in
the Cyrus SASL documentation pretty thoroughly.
Nels Lindquist
----
<nlindq@xxxxxxx>
------------------------------------------
Cyrus: SASL
Permalink: https://cyrus.topicbox.com/groups/sasl/T27640ad37ae21468-Mb697d332718b1f7ad6de2a66
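As an added example (not part of the original message or of Cyrus SASL), a small linter for the ldap_* TLS directives quoted above: it parses saslauthd.conf "key: value" lines, flags StartTLS requested on an ldaps:// URI, plain ldap:// with no StartTLS, and the disabled peer verification, and notes that ldap_tls_cacert_dir is consumed as an OpenSSL CApath (hashed file names). The finding codes and the sample configuration are constructed for this example.

```python
"""Lint saslauthd's LDAP/TLS directives. Constructed example, not Cyrus SASL code."""
from urllib.parse import urlsplit

# Copy of the configuration quoted in the post (constructed for this example).
SAMPLE_CONF = """\
ldap_servers: ldaps://edm-ldap.maei.ca/
ldap_id: root
ldap_password: <password>
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
ldap_default_realm: maei.ca
ldap_search_base: o=top
ldap_filter: (mailLocalAddress=%U@%r)
ldap_start_tls: no
ldap_tls_cacert_dir: /etc/pki/tls/certs
ldap_tls_check_peer: no
"""


def parse_saslauthd_conf(text):
    """Parse 'key: value' lines; blank lines and '#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def lint_tls(conf):
    """Return (code, message) findings about how the LDAP session is secured."""
    findings = []
    start_tls = conf.get("ldap_start_tls", "no").lower() == "yes"
    check_peer = conf.get("ldap_tls_check_peer", "no").lower() == "yes"
    schemes = {urlsplit(u).scheme for u in conf.get("ldap_servers", "").split()}
    if "ldaps" in schemes and start_tls:
        findings.append(("STARTTLS_ON_LDAPS", "ldap_start_tls: yes with an ldaps:// URI: "
                         "StartTLS is negotiated on a plain ldap:// session only"))
    if "ldap" in schemes and not start_tls:
        findings.append(("CLEARTEXT", "ldap:// without ldap_start_tls: bind credentials "
                         "and lookups travel unencrypted"))
    if ("ldaps" in schemes or start_tls) and not check_peer:
        findings.append(("NO_PEER_VERIFY", "ldap_tls_check_peer: no disables server "
                         "certificate verification; set yes once the CA is trusted"))
    if "ldap_tls_cacert_dir" in conf:
        findings.append(("CAPATH", "ldap_tls_cacert_dir is used as an OpenSSL CApath: "
                         "files must be named by subject hash (openssl rehash)"))
    return findings
```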