Awesome I got it to work, but I have a couple of comments to add for
1) I was using quotes around the ldap_bind_dn, because it has blanks in
it, but by looking at wireshark I realized that the string is also being
quoted by saslauthd so
I was ending up with double quotes and therefore an invalid DN
2) The ldap_filter has to read (distinguishedName=%u), there is no "dn"
Active Directory. If that's not correct then authentication also fails,
because - as it was pointed out in some other list I was reading -
authentication is a two pass affair. First it binds the ldap_bind_dn user
with which it does a search for the authenticating user. Then, the result
of that search is used to bind the authenticating user. Since the DN is
required for binding, the filter must return the distinguishedName in case
On 8/11/11 12:11 PM, "Dan White" <dwhite(a)olp.net> wrote:
On 07/11/11 21:49 +0000, Gabriella Turek wrote:
>Hello, I am trying to set up Cyrus sasl so I can use it for pass-through
>authentication with OpenLDAP. The OS is SUSE sles11 and I thought I'd
>start with what is already there preinstalled (v.2.1.22) I am trying to
>authenticate against Active Directory 2008.
>My configuration file looks like:
You have a typo here, with an extra equals sign.
Since you're not using ldap_use_sasl: yes, you should remove
ldap_sasl_mech from your config.
>ldap_bind_dn: "CN=SDT Tester,OU=NIWA Staff Accounts,OU=User
>When I try to authenticate using testsaslauthd I get:
>>Authentication failed for some-user: Bind to ldap server failed (invalid
>>user/password or insufficient access) (-7)
>If I try a ldap_bind_dn of the form
>firstname.lastname@example.org<mailto:email@example.com> in the config file I
>Authentication failed for some-user: Retry condition (ldap server
>connection reset or broken) (-3)
You should be using the DN, when using 'ldap_auth_method: bind'.
>This is all very puzzling, as I can ldapsearch perfectly fine with any
>valid user I chose in either form (DN or userPrincipalName)
>Is it possible that this installation of cyrus has not been compiled with
>ldap support? I would expect a bit more feedback.
You can verify saslauthd was compiled with LDAP support with 'saslauthd
-v'. You use it by specifying '-a ldap' as a command line option.
Your saslauthd.conf file should typically go in /etc, but you can specify an
alternate location with '-O <path/file>'.
See saslauthd/LDAP_SASLAUTHD in the source for documentation.
You can simulate the function of saslauthd (in bind mode) with:
ldapsearch -x -H ldap://hamwdc01.niwa.local/ -D "CN=SDT Tester,OU=NIWA
Staff Accounts,OU=User Accounts,DC=niwa,DC=local" -w mypassword -b
"DC=niwa,DC=local" "(dn=testusername)" dn
and then with the returned dn:
ldapwhoami -x -H ldap://hamwdc01.niwa.local/ -D "$DN" -w <user_password>
and if successful, ldapwhoami should return the DN again. If so, then your
saslauthd.conf config is probably correct.
For further troubleshooting, you can add 'ldap_debug: -1' to your
saslauthd.conf, and start saslauthd in debug mode.
After verifying testsaslauthd is working, make sure that your OpenLDAP
(-u option) has filesystem permissions to access the saslauthd mux.
For OpenLDAP pass-through documentation, see "14.5. Pass-Through
authentication" of the OpenLDAP Administrator's Guide.
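As an added example (not from this thread, and not part of cyrus-sasl), a small POSIX shell script that scripts the two-pass check Dan describes: it reads the values from a saslauthd.conf, binds as ldap_bind_dn to search for the user's DN, then binds as that DN with the user's password via ldapwhoami. It assumes the OpenLDAP client tools are installed and that ldapsearch supports '-o ldif-wrap=no' (OpenLDAP 2.4.24 or later), so that the long DNs Active Directory returns are not folded across LDIF lines.

```shell
#!/bin/sh
# Simulate saslauthd's LDAP bind mode from a saslauthd.conf (added example).
# Assumes: ldapsearch/ldapwhoami on PATH; config uses "key: value" lines.
set -e

# Read one key ("key: value") from a saslauthd.conf; first match wins.
conf_value() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1
}

# Return 1 if the value is wrapped in quotes: saslauthd quotes the DN itself,
# so quotes in the file produce a doubly quoted, invalid DN.
check_unquoted() {
    case "$1" in
        \"*\"|\'*\') return 1 ;;
        *) return 0 ;;
    esac
}

# Expand the %u placeholder of ldap_filter with the login name being tested.
expand_filter() {
    printf '%s' "$1" | sed "s|%u|$2|g"
}

# Pass 1: bind as ldap_bind_dn and search for the user's DN.
# Pass 2: bind as that DN with the user's own password (what saslauthd does).
simulate_bind() {
    conf=$1; user=$2; pass=$3
    uri=$(conf_value ldap_servers "$conf")
    bind_dn=$(conf_value ldap_bind_dn "$conf")
    bind_pw=$(conf_value ldap_bind_pw "$conf")
    base=$(conf_value ldap_search_base "$conf")
    filter=$(expand_filter "$(conf_value ldap_filter "$conf")" "$user")
    check_unquoted "$bind_dn" || { echo "ldap_bind_dn must not be quoted" >&2; return 1; }
    # -o ldif-wrap=no keeps the DN on one line (assumed OpenLDAP >= 2.4.24).
    user_dn=$(ldapsearch -x -LLL -o ldif-wrap=no -H "$uri" -D "$bind_dn" \
                -w "$bind_pw" -b "$base" "$filter" dn | sed -n 's/^dn: //p')
    [ -n "$user_dn" ] || { echo "search returned no DN (check ldap_filter)" >&2; return 1; }
    # A successful second bind prints "dn:<user DN>", as saslauthd would accept.
    ldapwhoami -x -H "$uri" -D "$user_dn" -w "$pass"
}

# Usage: ./simulate_bind.sh /etc/saslauthd.conf <username> <user_password>
if [ "$#" -eq 3 ]; then simulate_bind "$@"; fi
```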