saslauthd + ldap can't connect TLS/SSL

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


I've been unable to get saslauthd to connect to an OpenLDAP server using TLS/SSL.

Here are the errors from /var/log/auth.log:

Jun 29 13:50:51 edm-cmfe01 saslauthd[228571]: ldapdb
Jun 29 13:50:51 edm-cmfe01 saslauthd[228571]: _sasl_plugin_load failed on sasl_canonuser_init Jun 29 13:50:51 edm-cmfe01 saslauthd[228571]: start tls failed (Connect error). Jun 29 13:50:51 edm-cmfe01 saslauthd[228571]: Authentication failed for nels@xxxxxxx/ Cannot connect to ldap server (configuration error) (-8)

System is AlmaLinux 8, using openldap-ltp 2.5.x packages for the server, cyrus-sasl-*-2.1.27 packages.

ldap_servers:           ldaps://
ldap_id:                root
ldap_password:          <password>
ldap_use_sasl:          yes
ldap_mech:              DIGEST-MD5
ldap_search_base:       o=top
ldap_filter:            (mailLocalAddress=%U@%r)
ldap_start_tls:         no
ldap_tls_cacert_dir:    /etc/pki/tls/certs
ldap_tls_check_peer:    no

If I switch to ldap:// and enable start_tls, the result is the same.

If I use ldap:// and disable start_tls, everything works (meaning, I can configure Sendmail, cyrus-imapd, etc. with pwcheck_method: saslauthd and successfully authenticate).

Note that slapd is properly configured with a valid certificate chain, and for eg. ldapsearch will connect to either ldaps:// or ldap:// with start_tls enabled and no errors.

Presumably I'm missing a directive; I did go through LDAP_SASLAUTHD in the Cyrus SASL documentation pretty thoroughly.

Nels Lindquist

Cyrus: SASL
Delivery options:

[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux