Trying to use SASL and LDAP to authenticate users in RedHat Linux. So far I've set up the saslauthd service and it's up and running. My /etc/saslauthd.conf looks as follows:
ldap_servers: ldaps://test.ldap.server:1234
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
ldap_auth_method: fastbind
ldap_search_base: Ou=PeopleAuthSrch,DC=abc,DC=com
My /etc/sasl2/smtpd.conf looks like the following:
pwcheck_method: saslauthd
mech_list: plain login
Now when I try to test the authentication with the following command:
testsaslauthd -u username -p password -f /var/run/saslauthd/mux
I get 0: NO "authentication failed"
and when I look at the logs it says:
Retrying authentication
do_auth :auth failure: [user:myuser] [service=imap] [realm=] [mech=ldap] [reason=unknown]
What am I missing here? Thanks in advance!
UPDATE:
I installed OpenLDAP to do a search with the following command:
ldapsearch -x -h ldaps://my.ldap.server:port -d8
For the ldapsearch command to work I modified the /etc/openldap/ldap.conf file as follows:
tls_reqcert allow
TLS_CACERTDIR /home/myuser/cacertss
LDAPTLS_CACERT /home/myuser/cacertss
It returns all the entries but I still can't authenticate using
testsaslauthd -u username -p password -f /var/run/saslauthd/mux
What do I need to do here to get this authenticated?
I went through the exercise of setting SASL setup with OpenLDAP and TLS on RedHat Linux 7.2 and I managed to get something similar working fine.
As I mentioned in my previous post, make sure that you have the cyrus-sasl-md5 package installed.
I would first try to get everything working without SSL. Only after you have your setup working without SSL move to the SSL part.
- You need to make sure that saslauthd accepts the CA certificate of the certificate used by the LDAP server. In particular, the ldap_tls_cacert_file option in /etc/saslauthd.conf is your friend.
- If you have SELinux enabled, make sure that saslauthd can access the certificate files. If you are unsure, tail the /var/log/audit/audit.log file and look for entries with the "denied" keyword. I have found the audit2allow tool a great way to enable access that was previously denied. You can also just disable SELinux temporarily using the setenforce Permissive command.
After 5 days of struggle I found out that the settings I used were for Active Directory, where I should have been using settings for LDAP, as follows:
ldap_servers: ldaps://test.ldap.server:1234
ldap_search_base: Ou=PeopleAuthSrch,DC=abc,DC=com
ldap_filters: (uid=%u)
ldap_tls_cacert_file: /path/to/my/certificate
I did install cyrus-sasl-md5 as Bertold Kolics mentioned; I'm not sure if that played a part in authenticating the user.
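The fix in the last answer hinges on `ldap_filters: (uid=%u)`, the template saslauthd expands into the LDAP search filter used to locate the user before binding. The following is an added example, not code from the thread or from saslauthd itself: it parses a saslauthd.conf of the form shown above (the sample config is constructed from the final answer), expands the saslauthd substitution tokens %u, %U, %d, %r, %s and %% with a re-implementation of the documented behaviour (%1-%9 and %D are deliberately left unsupported), and escapes each substituted value per RFC 4515, which is the check a practitioner wants to see so that a login name such as `*)(uid=*` cannot reshape the filter. Token semantics are taken from the saslauthd LDAP documentation as the author understands it; verify against your installed version.

```python
"""
Added example (not from the original post or from saslauthd): expand a
saslauthd-style ldap_filters template for a login and escape the
substituted values per RFC 4515. Token handling mirrors the documented
saslauthd tokens (%u, %U, %d, %r, %s, %%); %1-%9 and %D are not modelled.
"""
import re

# Constructed sample config, taken from the corrected settings in the final
# answer of the thread.
SAMPLE_CONF = """\
ldap_servers: ldaps://test.ldap.server:1234
ldap_search_base: Ou=PeopleAuthSrch,DC=abc,DC=com
ldap_filters: (uid=%u)
ldap_tls_cacert_file: /path/to/my/certificate
"""


def parse_saslauthd_conf(text):
    """Parse 'key: value' lines; '#' comments and blank lines are ignored.
    The value is everything after the first colon, so URLs with ports survive."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


# RFC 4515 escaping for a value placed inside a filter assertion.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def expand_filter(template, user, realm="", service=""):
    """Expand saslauthd-style tokens in an ldap_filters template.

    %u  full login name        %U  part before '@'     %d  part after '@'
    %r  realm                  %s  service name        %%  literal '%'
    Every substituted value is escaped so it cannot alter the filter shape.
    """
    local, _, domain = user.partition("@")
    tokens = {
        "%": "%",
        "u": escape_filter_value(user),
        "U": escape_filter_value(local),
        "d": escape_filter_value(domain),
        "r": escape_filter_value(realm),
        "s": escape_filter_value(service),
    }

    def repl(match):
        tok = match.group(1)
        if tok not in tokens:
            # %1-%9 and %D exist in saslauthd but are not modelled here.
            raise ValueError(f"unsupported token %{tok} in ldap_filters")
        return tokens[tok]

    return re.sub(r"%(.)", repl, template)


def filter_for_login(conf_text, user, realm="", service="imap"):
    """Return the search filter saslauthd would send for this login,
    given the text of a saslauthd.conf. This example requires ldap_filters
    to be set explicitly (it does not assume any saslauthd default)."""
    conf = parse_saslauthd_conf(conf_text)
    template = conf.get("ldap_filters")
    if template is None:
        raise KeyError("ldap_filters is not set in saslauthd.conf")
    return expand_filter(template, user, realm, service)


if __name__ == "__main__":
    # Ordinary login from the thread, then a hostile one that would otherwise
    # turn "(uid=%u)" into a wildcard match.
    print(filter_for_login(SAMPLE_CONF, "myuser"))
    print(filter_for_login(SAMPLE_CONF, "*)(uid=*"))
```

Run it as a script to see both expansions; the hostile login comes out as `(uid=\2a\29\28uid=\2a)`, a literal match that cannot succeed, rather than as an injected filter. If your deployment uses `ldap_auth_method: fastbind`, remember that saslauthd then uses the template as a DN rather than as a search filter, which is why the Active Directory style settings in the question did not work against a plain LDAP directory.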