
Trying to use SASL and LDAP to authenticate users on RedHat Linux. So far I've set up the saslauthd service and it's up and running. My /etc/saslauthd.conf looks as follows:

ldap_servers: ldaps://test.ldap.server:1234
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
ldap_auth_method: fastbind
ldap_search_base: Ou=PeopleAuthSrch,DC=abc,DC=com

My /etc/sasl2/smtpd.conf looks like the following:

pwcheck_method: saslauthd
mech_list: plain login

Now when I try to test the authentication with the following command:

testsaslauthd -u username -p password -f /var/run/saslauthd/mux

I get 0: NO "authentication failed"

and when I look at the logs it says:

Retrying authentication
do_auth   :auth failure: [user:myuser]  [service=imap] [realm=] [mech=ldap] [reason=unknown]

What am I missing here? Thanks in advance!

UPDATE:

I installed OpenLDAP to do a search with the following command:

ldapsearch -x -h ldaps://my.ldap.server:port -d8

For the ldapsearch command to work I modified the /etc/openldap/ldap.conf file as follows:

tls_reqcert allow
TLS_CACERTDIR /home/myuser/cacertss
LDAPTLS_CACERT /home/myuser/cacertss

It returns all the entries, but I still can't authenticate using

testsaslauthd -u username -p password -f /var/run/saslauthd/mux

What do I need to do here to get this authenticated?

Gurkha

2 Answers


After 5 days of struggle I found out that the settings I used were for Active Directory, whereas for LDAP I should be using the following settings:

ldap_servers: ldaps://test.ldap.server:1234
ldap_search_base: Ou=PeopleAuthSrch,DC=abc,DC=com
ldap_filters: (uid=%u)
ldap_tls_cacert_file: /path/to/my/certificate

I did install cyrus-sasl-md5 as Bertold Kolics mentioned; I'm not sure whether that played a part in authenticating the user.

Gurkha
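As an added example (not from the question or either answer), this POSIX shell linter reads a saslauthd.conf and flags the combination that failed in the question (ldap_use_sasl/ldap_mech/ldap_auth_method: fastbind) and the two options the accepted answer added (ldap_filters and, for an ldaps:// URI, ldap_tls_cacert_file). The two sample configs it writes are copied from the page; file paths and the function names are assumptions.

```shell
#!/bin/sh
# has_opt FILE KEY : true when KEY is set in FILE (case-insensitive, leading blanks allowed)
has_opt() {
    grep -iq "^[[:space:]]*$2[[:space:]]*:" "$1"
}

# opt_value FILE KEY : print the value of KEY, or nothing when it is unset
opt_value() {
    grep -i "^[[:space:]]*$2[[:space:]]*:" "$1" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# check_saslauthd_conf FILE : print one line per finding; exit 0 only when there are none
check_saslauthd_conf() {
    conf=$1
    findings=0
    if [ "$(opt_value "$conf" ldap_auth_method)" = "fastbind" ]; then
        echo "ldap_auth_method: fastbind is set (the question's failing config); the working config dropped it"
        findings=$((findings + 1))
    fi
    if has_opt "$conf" ldap_use_sasl || has_opt "$conf" ldap_mech; then
        echo "ldap_use_sasl/ldap_mech set: SASL bind to the directory; the working config used a plain bind"
        findings=$((findings + 1))
    fi
    if ! has_opt "$conf" ldap_filters; then
        echo "ldap_filters not set; the accepted answer set ldap_filters: (uid=%u)"
        findings=$((findings + 1))
    fi
    case "$(opt_value "$conf" ldap_servers)" in
        ldaps://*)
            if ! has_opt "$conf" ldap_tls_cacert_file; then
                echo "ldaps:// URI without ldap_tls_cacert_file: saslauthd has no CA to verify the server certificate"
                findings=$((findings + 1))
            fi ;;
    esac
    [ "$findings" -eq 0 ]
}

# Demo with the two configs from the page, written to a temporary directory (constructed sample files).
demo_dir=$(mktemp -d)
printf '%s\n' 'ldap_servers: ldaps://test.ldap.server:1234' 'ldap_use_sasl: yes' 'ldap_mech: DIGEST-MD5' \
    'ldap_auth_method: fastbind' 'ldap_search_base: Ou=PeopleAuthSrch,DC=abc,DC=com' > "$demo_dir/question.conf"
printf '%s\n' 'ldap_servers: ldaps://test.ldap.server:1234' 'ldap_search_base: Ou=PeopleAuthSrch,DC=abc,DC=com' \
    'ldap_filters: (uid=%u)' 'ldap_tls_cacert_file: /path/to/my/certificate' > "$demo_dir/answer.conf"
for f in "$demo_dir/question.conf" "$demo_dir/answer.conf"; do
    echo "== $f"
    check_saslauthd_conf "$f" && echo "no findings"
done
rm -rf "$demo_dir"
```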

I went through the exercise of setting up SASL with OpenLDAP and TLS on RedHat Linux 7.2, and I managed to get something similar working fine.

As I mentioned in my previous post, make sure that you have the cyrus-sasl-md5 package installed.

I would first try to get everything working without SSL. Only after you have your setup working without SSL, move on to the SSL part.

  • You need to make sure that saslauthd accepts the CA certificate of the certificate used by the LDAP server. In particular, the ldap_tls_cacert_file option in /etc/saslauthd.conf is your friend.
  • If you have SELinux enabled, make sure that saslauthd can access the certificate files. If you are unsure, tail the /var/log/audit/audit.log file and look for entries with the "denied" keyword. I have found the audit2allow tool a great way to enable access that was previously denied. You can also just disable SELinux temporarily using the setenforce Permissive command
Bertold Kolics
  • I installed `cyrus-sasl-md5`, restarted `saslauthd` and made sure `ldap_tls_cacert_file` points to the certificate used by the `ldap`. I also looked into `/var/log/audit/audit.log` and I don't see anything denied. However, I still have the same problem. The log inside `/var/log/messages/` doesn't say much besides what I mentioned above. Any idea? – Gurkha May 01 '16 at 19:38
  • Does this work without SSL? If it does, then it is an SSL issue. You may also try updating the CA certificates trusted on the system by default. Look for the command `update-ca-certs` and/or poke around in the `/etc/pki/ca-trust/` directories. – Bertold Kolics May 04 '16 at 01:47