Trying to use SASL and LDAP to authenticate users on RedHat Linux. So far I've set up the saslauthd service and it's up and running. My /etc/saslauthd.conf looks as follows:
ldap_servers: ldaps://test.ldap.server:1234
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
ldap_auth_method: fastbind
ldap_search_base: Ou=PeopleAuthSrch,DC=abc,DC=com
My /etc/sasl2/smtpd.conf looks like the following:
pwcheck_method: saslauthd
mech_list: plain login
Now when I try to test the authentication with the following command:
testsaslauthd -u username -p password -f /var/run/saslauthd/mux
I get 0: NO "authentication failed" and when I look at the logs it says:
Retrying authentication
do_auth :auth failure: [user:myuser] [service=imap] [realm=] [mech=ldap] [reason=unknown]
What am I missing here? Thanks in advance!!
UPDATE:
Installed OpenLDAP to do a search with the following command:
ldapsearch -x -h ldaps://my.ldap.server:port -d8
For the ldapsearch command to work I modified the /etc/openldap/ldap.conf file as follows:
tls_reqcert allow
TLS_CACERTDIR /home/myuser/cacertss
LDAPTLS_CACERT /home/myuser/cacertss
It returns all the entries but I still can't authenticate using
testsaslauthd -u username -p password -f /var/run/saslauthd/mux
What do I need to do here to get this authenticated?
After 5 days of struggle I found out that the settings I used were for Active Directory, where I should be using settings for LDAP as follows:

I did install cyrus-sasl-md5 as Bertold Kolics mentioned; I'm not sure if that played a part in authenticating the user.

I went through the exercise of setting up SASL with OpenLDAP and TLS on RedHat Linux 7.2 and I managed to get something similar working fine.
As I mentioned in my previous post, make sure that you have the cyrus-sasl-md5 package installed. I would first try to get everything working without SSL. Only after you have your setup working without SSL move to the SSL part.

- saslauthd accepts the CA certificate of the certificate used by the LDAP server. In particular, the ldap_tls_cacert_file option in /etc/saslauthd.conf is your friend.
- saslauthd can access the certificate files. If you are unsure, tail the /var/log/audit/audit.log file and look for entries with the "denied" keyword. I have found the audit2allow tool a great way to enable access that was previously denied. You can also just disable SELinux temporarily using the setenforce Permissive command.
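The following script is an added example and is not code from the question or from either answer. It turns the two pieces of advice above (supply the LDAP server's CA certificate via ldap_tls_cacert_file, and confirm that the DIGEST-MD5 plugin from cyrus-sasl-md5 is present and that SELinux is not denying saslauthd access to the certificate files) into offline checks run against constructed sample files. It assumes the standard saslauthd.conf option names (ldap_servers, ldap_mech, ldap_tls_cacert_file), that cyrus-sasl-md5 installs libdigestmd5.so into the SASL plugin directory (/usr/lib64/sasl2 on RedHat, overridable as a parameter), and the usual audit.log AVC record format; the sample configuration and audit lines are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example; not code from the question or from either answer. It turns the
# advice above into two offline checks run against constructed sample files.
# Assumed: the standard saslauthd.conf option names (ldap_servers, ldap_mech,
# ldap_tls_cacert_file) and that cyrus-sasl-md5 installs libdigestmd5.so into
# the SASL plugin directory (/usr/lib64/sasl2 on RedHat; overridable below).

# conf_get FILE KEY: print the value of "KEY: value" from a saslauthd.conf file.
# Strips only up to the first colon, so ldaps:// URLs keep their scheme and port.
conf_get() {
    awk -v k="$2" 'index($0, k ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }' "$1"
}

# check_saslauthd_conf CONF [PLUGIN_DIR]
# Prints one "WARN:" line per problem found; the caller counts the lines.
check_saslauthd_conf() {
    conf="$1"
    plugdir="${2:-/usr/lib64/sasl2}"
    servers=$(conf_get "$conf" ldap_servers)
    mech=$(conf_get "$conf" ldap_mech)
    cacert=$(conf_get "$conf" ldap_tls_cacert_file)

    # An ldaps:// server needs the CA certificate that signed the LDAP server's
    # certificate; without it the TLS handshake fails before any bind happens.
    case "$servers" in
    *ldaps://*)
        if [ -z "$cacert" ]; then
            echo "WARN: ldaps:// in ldap_servers but ldap_tls_cacert_file is not set"
        elif [ ! -r "$cacert" ]; then
            echo "WARN: ldap_tls_cacert_file '$cacert' is not readable by this user"
        fi
        ;;
    esac

    # The DIGEST-MD5 mechanism is provided by the cyrus-sasl-md5 package.
    if [ "$mech" = "DIGEST-MD5" ] && [ ! -e "$plugdir/libdigestmd5.so" ]; then
        echo "WARN: ldap_mech is DIGEST-MD5 but $plugdir/libdigestmd5.so is missing (install cyrus-sasl-md5)"
    fi
    return 0
}

# saslauthd_denials AUDIT_LOG: print the SELinux AVC records in which saslauthd
# itself was denied access, which is what the answer says to look for.
saslauthd_denials() {
    grep 'denied' "$1" | grep 'comm="saslauthd"' || true
}

# write_samples DIR: constructed sample input (not captured from a real system).
# The saslauthd.conf mirrors the one in the question; the audit.log holds one
# constructed AVC record for saslauthd and one unrelated record for httpd.
write_samples() {
    cat > "$1/saslauthd.conf" <<'EOF'
ldap_servers: ldaps://test.ldap.server:1234
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
ldap_auth_method: fastbind
ldap_search_base: Ou=PeopleAuthSrch,DC=abc,DC=com
EOF
    cat > "$1/audit.log" <<'EOF'
type=AVC msg=audit(1700000000.001:101): avc:  denied  { read } for  pid=1234 comm="saslauthd" name="cacert.pem" scontext=system_u:system_r:saslauthd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.002:102): avc:  denied  { name_connect } for  pid=5678 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Demo run against the constructed files, with a plugin directory that is
# deliberately empty so the cyrus-sasl-md5 check fires as well.
demo() {
    dir=$(mktemp -d)
    mkdir "$dir/plugins"
    write_samples "$dir"
    check_saslauthd_conf "$dir/saslauthd.conf" "$dir/plugins"
    saslauthd_denials "$dir/audit.log"
    rm -rf "$dir"
}

demo
```

Run against the question's configuration the demo reports two warnings (an ldaps:// server with no ldap_tls_cacert_file, and DIGEST-MD5 without the plugin) and prints the one AVC record for saslauthd; on a real host, point check_saslauthd_conf at /etc/saslauthd.conf and saslauthd_denials at /var/log/audit/audit.log, and note that a file under /home that saslauthd cannot read is exactly the kind of denial the constructed record shows.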