Hi All
Using the settings stated by Stéphane Gaubert, there was a small step in the right direction.
--------------------------------------------------------------------------------------------------------------------------------------------------------
First Test:
Executing: sudo cyradm -u username localhost
output:
verify error:num=18:self signed certificate
IMAP Password:
Login failed: authentication failure at /usr/lib/x86_64-linux-gnu/perl5/5.30/Cyrus/IMAP/Admin.pm line 134.
cyradm: cannot authenticate to server as username
Executing: sudo journalctl -u cyrus-imapd.service
output:
inittls: Loading hard-coded DH parameters
Mar 14 16:46:52 mail3 cyrus/imap[4807]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
Mar 14 16:46:58 mail3 cyrus/imap[4807]: badlogin: localhost [127.0.0.1] plaintext username SASL(-13): authentication failure: checkpass failed
Executing: sudo journalctl -u saslauthd.service
output:
Mar 14 16:46:58 mail3 saslauthd[3033]: ldap_simple_bind() failed -1 (Can't contact LDAP server).
Mar 14 16:46:58 mail3 saslauthd[3033]: Retrying authentication
Mar 14 16:46:58 mail3 saslauthd[3033]: ldap_simple_bind() failed -1 (Can't contact LDAP server).
Mar 14 16:46:58 mail3 saslauthd[3033]: Authentication failed for username: Retry condition (ldap server connection reset or broken) (-3)
Mar 14 16:46:58 mail3 saslauthd[3033]: : auth failure: [user=username] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
Sniffer output (tcpdump + wireshark): NO TLSv packets, NO hello packets
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Second test:
Executing: ~$ ldapwhoami -x -H ldaps://xxxxx.xxx -D "CN=xxxx,CN=Users,DC=xxxxxxx,DC=xxx" -W
output: was correct
Sniffer output (tcpdump + wireshark): a lot of TLSv1.3-related packets.
Windows AD requested Change Cipher Spec,
and the cipher spec was changed to TLS_AES_256_GCM_SHA384 (0x1302).
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Third test:
I switched OFF the Windows AD.
Executing: ~$ ldapwhoami -x -H ldaps://xxxxx.xxx -D "CN=xxxx,CN=Users,DC=xxxxxxx,DC=xxx" -W
output:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
This suggests that ldapwhoami is using saslauthd.
--------------------------------------------------------------------------------------------------------------------------------------------------------------
It is very strange that there were no TLSv packets, not even a hello packet, in the first test. Could this be a bug?
Is there a way to force saslauthd to use TLS_AES_256_GCM_SHA384 (0x1302)?
reg
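One thing the first test above shows is that the Cyrus imap log line ("badlogin ... SASL(-13): authentication failure: checkpass failed") looks exactly the same whether a user typed a wrong password or saslauthd simply could not reach the LDAP server; only the saslauthd journal tells the two apart. The following script is an added example (not code from the original post or from the Cyrus or saslauthd projects) that correlates the two journals and labels each saslauthd "auth failure" either as a backend outage or as a genuine credential rejection, so that an operator triaging failed logins does not count an LDAP connectivity problem as a password-guessing attempt. The first six sample lines are the ones quoted in the post; the two lines for user "bob" are constructed for contrast, and the 5-second correlation window is an assumption.

```python
import re

# Constructed sample journal: the lines quoted in the post, followed by a
# constructed failure for "bob" with no preceding LDAP connectivity error.
JOURNAL = """\
Mar 14 16:46:58 mail3 cyrus/imap[4807]: badlogin: localhost [127.0.0.1] plaintext username SASL(-13): authentication failure: checkpass failed
Mar 14 16:46:58 mail3 saslauthd[3033]: ldap_simple_bind() failed -1 (Can't contact LDAP server).
Mar 14 16:46:58 mail3 saslauthd[3033]: Retrying authentication
Mar 14 16:46:58 mail3 saslauthd[3033]: ldap_simple_bind() failed -1 (Can't contact LDAP server).
Mar 14 16:46:58 mail3 saslauthd[3033]: Authentication failed for username: Retry condition (ldap server connection reset or broken) (-3)
Mar 14 16:46:58 mail3 saslauthd[3033]: : auth failure: [user=username] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
Mar 14 16:47:10 mail3 cyrus/imap[4810]: badlogin: localhost [127.0.0.1] plaintext bob SASL(-13): authentication failure: checkpass failed
Mar 14 16:47:10 mail3 saslauthd[3033]: : auth failure: [user=bob] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
"""

# Syslog-style journal line: "<Mon DD HH:MM:SS> <host> <program>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r"auth failure: \[user=(?P<user>[^\]]*)\] \[service=(?P<service>[^\]]*)\]")
BACKEND_DOWN = "Can't contact LDAP server"


def parse(journal):
    """Split journal text into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, journal.splitlines()) if m]


def to_seconds(ts):
    """Seconds since the start of the month (month boundaries ignored; enough for deltas)."""
    _, day, clock = ts.split()
    h, m, s = (int(x) for x in clock.split(":"))
    return int(day) * 86400 + h * 3600 + m * 60 + s


def classify_auth_failures(journal, window=5):
    """Label each saslauthd 'auth failure' as backend_unreachable or credential_rejected.

    A failure is attributed to the backend when saslauthd logged
    "Can't contact LDAP server" within `window` seconds before it.
    """
    events = parse(journal)
    results = []
    for i, ev in enumerate(events):
        if ev["prog"] != "saslauthd":
            continue
        m = AUTH_FAIL_RE.search(ev["msg"])
        if not m:
            continue
        now = to_seconds(ev["ts"])
        backend_down = any(
            e["prog"] == "saslauthd"
            and BACKEND_DOWN in e["msg"]
            and 0 <= now - to_seconds(e["ts"]) <= window
            for e in events[:i]
        )
        results.append({
            "time": ev["ts"],
            "user": m["user"],
            "service": m["service"],
            "verdict": "backend_unreachable" if backend_down else "credential_rejected",
        })
    return results


def summarize(results):
    """Count failures per verdict, e.g. {'backend_unreachable': 1, 'credential_rejected': 1}."""
    counts = {}
    for r in results:
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in classify_auth_failures(JOURNAL):
        print(f"{r['time']}  {r['service']:5} {r['user']:10} {r['verdict']}")
    print(summarize(classify_auth_failures(JOURNAL)))
```

Feed it the combined output of `journalctl -u cyrus-imapd.service -u saslauthd.service -o short` (the default format matches the lines above) and only the `credential_rejected` entries deserve the usual failed-login handling; a burst of `backend_unreachable` verdicts is an availability problem with the LDAP path, which is what the first test in the post actually hit.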