Hi Dan,

Awesome, I got it to work, but I have a couple of comments to add for future reference:

1) I was using quotes around the ldap_bind_dn, because it has blanks in it, but by looking at Wireshark I realized that the string is also being quoted by saslauthd, so I was ending up with double quotes and therefore an invalid DN.

2) The ldap_filter has to read (distinguishedName=%u); there is no "dn" attribute in Active Directory. If that's not correct then authentication also fails, because - as it was pointed out in some other list I was reading - authentication is a two-pass affair. First it binds the ldap_bind_dn user, with which it does a search for the authenticating user. Then the result of that search is used to bind the authenticating user. Since the DN is required for binding, the filter must return the distinguishedName in the case of AD.
On 8/11/11 12:11 PM, "Dan White" dwhite@olp.net wrote:
On 07/11/11 21:49 +0000, Gabriella Turek wrote:
Hello, I am trying to set up Cyrus SASL so I can use it for pass-through authentication with OpenLDAP. The OS is SUSE SLES 11 and I thought I'd start with what is already there preinstalled (v.2.1.22). I am trying to authenticate against Active Directory 2008. My configuration file looks like:
ldap_servers: ldap://hamwdc01.niwa.local/
ldap_search_base: DC=niwa=,DC=local
You have a typo here, with an extra equals sign.
ldap_scope: sub
ldap_sasl_mech: plain
Since you're not using ldap_use_sasl: yes, you should remove ldap_sasl_mech from your config.
ldap_auth_method: bind
ldap_bind_dn: "CN=SDT Tester,OU=NIWA Staff Accounts,OU=User Accounts,DC=niwa,DC=local"
ldap_password: mypassword
ldap_filter: (dn=%u)
When I try authenticate using testsaslauthd I get:
Authentication failed for some-user: Bind to ldap server failed (invalid user/password or insufficient access) (-7)
If I try an ldap_bind_dn of the form sdttester@niwa.local in the config file I get: Authentication failed for some-user: Retry condition (ldap server connection reset or broken) (-3)
You should be using the DN, when using 'ldap_auth_method: bind'.
This is all very puzzling, as I can ldapsearch perfectly fine with any valid user I chose in either form (DN or userPrincipalName)
Is it possible that this installation of cyrus has not been compiled with ldap support? I would expect a bit more feedback.
You can verify saslauthd was compiled with LDAP support with 'saslauthd -v'. You use it by specifying '-a ldap' as a command line option.
Your saslauthd.conf file should typically go in /etc, but you can specify an alternate location with '-O <path/file>'.
See saslauthd/LDAP_SASLAUTHD in the source for documentation.
You can simulate the function of saslauthd (in bind mode) with:
ldapsearch -x -H ldap://hamwdc01.niwa.local/ -D "CN=SDT Tester,OU=NIWA Staff Accounts,OU=User Accounts,DC=niwa,DC=local" -w mypassword -b "DC=niwa,DC=local" "(dn=testusername)" dn
and then with the returned dn:
ldapwhoami -x -H ldap://hamwdc01.niwa.local/ -D "$DN" -w <user_password>
and if successful, ldapwhoami should return the DN again. If so, then your saslauthd.conf config is probably correct.
For further troubleshooting, you can add 'ldap_debug: -1' to your saslauthd.conf, and start saslauthd in debug mode.
After verifying testsaslauthd is working, make sure that your OpenLDAP user (-u option) has filesystem permissions to access the saslauthd mux.
For OpenLDAP pass-through documentation, see "14.5. Pass-Through authentication" of the OpenLDAP Administrator's Guide.
-- Dan White
openldap-technical@openldap.org
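The two-pass check Dan describes (ldapsearch as the service account to find the user's DN, then ldapwhoami as that DN), together with the quoting pitfall and the distinguishedName filter from the follow-up, as an added example that is not part of the thread or of saslauthd: a small Python script that reads a saslauthd.conf, warns when ldap_bind_dn is wrapped in quotes, expands %u into the filter with RFC 4515 escaping, and emits the two commands to run. The sample configuration is constructed here (server name and DNs are taken from the thread); the user DN passed to the second command is a placeholder.

```python
"""Simulate saslauthd's LDAP bind-mode lookup as two OpenLDAP CLI calls."""
import shlex
from typing import Dict, List

# Constructed sample saslauthd.conf (assumption: same shape as the one in the
# thread). The quotes around ldap_bind_dn reproduce the pitfall from point 1).
SAMPLE_CONF = """\
ldap_servers: ldap://hamwdc01.niwa.local/
ldap_search_base: DC=niwa,DC=local
ldap_scope: sub
ldap_auth_method: bind
ldap_bind_dn: "CN=SDT Tester,OU=NIWA Staff Accounts,OU=User Accounts,DC=niwa,DC=local"
ldap_password: mypassword
ldap_filter: (distinguishedName=%u)
"""

# RFC 4515 escapes for the characters that would otherwise alter a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines; blank lines and '#' comments are skipped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf


def quoted_bind_dn(conf: Dict[str, str]) -> bool:
    """True when ldap_bind_dn is wrapped in quotes. Per the Wireshark observation
    in the thread, saslauthd sends the quotes as part of the DN, so the bind fails."""
    dn = conf.get("ldap_bind_dn", "")
    return len(dn) >= 2 and dn[0] == dn[-1] and dn[0] in "\"'"


def fixed_conf(conf: Dict[str, str]) -> Dict[str, str]:
    """Copy of conf with the surrounding quotes stripped from ldap_bind_dn."""
    out = dict(conf)
    if quoted_bind_dn(out):
        out["ldap_bind_dn"] = out["ldap_bind_dn"][1:-1]
    return out


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, username: str) -> str:
    """Substitute %u with the escaped username. When typing the ldapsearch
    simulation by hand, an unescaped name such as '*' or ')(objectClass=*'
    changes the filter instead of matching one user."""
    return template.replace("%u", escape_filter_value(username))


def first_pass_argv(conf: Dict[str, str], username: str) -> List[str]:
    """Pass one: bind as the service account and search for the user's DN."""
    return ["ldapsearch", "-x", "-LLL",
            "-H", conf["ldap_servers"],
            "-D", conf["ldap_bind_dn"], "-w", conf["ldap_password"],
            "-b", conf["ldap_search_base"], "-s", conf.get("ldap_scope", "sub"),
            expand_filter(conf["ldap_filter"], username), "dn"]


def second_pass_argv(conf: Dict[str, str], user_dn: str, user_password: str) -> List[str]:
    """Pass two: bind as the DN returned by pass one; ldapwhoami echoes it back."""
    return ["ldapwhoami", "-x", "-H", conf["ldap_servers"],
            "-D", user_dn, "-w", user_password]


def render(argv: List[str]) -> str:
    """Shell-quote an argv list so DNs containing spaces survive copy-and-paste."""
    return shlex.join(argv)


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    if quoted_bind_dn(conf):
        print("warning: ldap_bind_dn is quoted; saslauthd will send the quotes too")
    conf = fixed_conf(conf)
    print(render(first_pass_argv(conf, "sdttester")))
    # Placeholder DN: replace with the dn: line returned by the first command.
    print(render(second_pass_argv(conf, "CN=sdttester,OU=User Accounts,DC=niwa,DC=local",
                                  "user_password")))
```

Both generated commands pass the password with -w, as in the thread, which exposes it in the process list and shell history; on a shared host use -W (prompt) or -y with a mode-0600 password file instead.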