Hello all,

I am seeking help on SASL authentication against OpenLDAP.

Debian stable 3.1 on all servers. On one server, I have slapd 2.2.23. It is used to authenticate Samba (works, same server), and a groupware on another server (works, 2nd server).

On the second server, I have a Cyrus IMAP server, which uses the following steps to (try to) authenticate against LDAP with SASL:

  -> saslauthd (PAM method) -> pam_ldap -> ldap

I am trying to fix the Cyrus SASL authentication against OpenLDAP, I guess. When I run that, here is the error:

--------------------------------------------
OX1:~# ldapsearch -D "cn=manager,dc=ilr,dc=lu" -h ldapsmb-pdc.ilr.lu -b "dc=ilr,dc=lu" "(uid=sp)"
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
        additional info: SASL(-13): user not found: no secret in database

The accompanying slapd debug output (-d 4):
------------------------------------------------------
send_ldap_result: err=0 matched="" text=""
connection_get(10)
connection_get(10)
SRCH "" 0 0 0 0 0
    filter: (objectClass=*)
    attrs: supportedSASLMechanisms
send_ldap_result: err=0 matched="" text=""
connection_get(10)
==> sasl_bind: dn="cn=manager,dc=ilr,dc=lu" mech=DIGEST-MD5 datalen=0
connection_get(10)
==> sasl_bind: dn="cn=manager,dc=ilr,dc=lu" mech=<continuing> datalen=278
SASL Canonicalize [conn=2]: authcid="root"
slap_sasl_getdn: id=root [len=4]
SASL Canonicalize [conn=2]: slapAuthcDN="cn=manager,dc=ilr,dc=lu"
base_candidates: base: "cn=manager,dc=ilr,dc=lu" (0x00000002)
send_ldap_result: err=0 matched="" text=""
SASL Canonicalize [conn=2]: authzid="root"
SASL [conn=2] Failure: no secret in database
send_ldap_result: err=80 matched="" text="SASL(-13): user not found: no secret in database"

Here are the accepted methods on slapd:
--------------------------------------------------------
OX1:~# ldapsearch -x -b "" -s base supportedSASLMechanisms -ZZ
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#

#
dn:
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
[...]

Here is my slapd.conf:
------------------------------
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/misc.schema
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/openxchange.schema

schemacheck     on
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd.args
loglevel        0
modulepath      /usr/lib/ldap
moduleload      back_bdb

backend         bdb
checkpoint      512 30

TLSCipherSuite          HIGH:MEDIUM:+SSLv2
TLSCACertificateFile    /etc/ldap/certs/cacert.pem
TLSCertificateFile      /etc/ldap/certs/servercrt.pem
TLSCertificateKeyFile   /etc/ldap/certs/serverkey.pem
TLSVerifyClient         never

database        bdb
suffix          "dc=ilr,dc=lu"
directory       "/var/lib/ldap"

sasl-regexp     uid=root,cn=(plain|digest-md5|login),cn=auth  cn=Manager,dc=ilr,dc=lu
sasl-regexp     uid=(.*),cn=(plain|digest-md5|login),cn=auth  ldap:///dc=ilr,dc=lu??one?(uid=$1)

password-hash   {CLEARTEXT}

rootdn          "cn=Manager,dc=ilr,dc=lu"
rootpw          "{SSHA}eT2FeQwOwgZx3UPS6jRzoCDwGvBHDyh3"

index   objectClass,uid,uidNumber,gidNumber,memberUid       eq
index   cn,mail,surname,givenname                            eq,subinitial
index   sambaSID,sambaPrimaryGroupSID,sambaDomainName        eq

lastmod on

access to attrs=userPassword
        by dn="cn=Manager,dc=ilr,dc=lu" write
        by anonymous auth
        by self write
        by * none

access to dn.base=""
        by * read

access to dn.subtree="ou=Users,ou=OxObjects,dc=ilr,dc=lu"
        by dn="cn=Manager,dc=ilr,dc=lu" write
        by self write
        by users write
        by anonymous read

access to dn.subtree="ou=Groups,ou=OxObjects,dc=ilr,dc=lu"
        by self write
        by users write
        by anonymous read

access to *
        by dn="cn=Manager,dc=ilr,dc=lu" write
        by * read

Here is my /etc/pam.d/imap on the Cyrus server:
-----------------------------------------------------------
auth        sufficient  /lib/security/pam_ldap.so debug
account     sufficient  /lib/security/pam_ldap.so
password    required    /lib/security/pam_ldap.so

I am surely missing some details. Please let me know if something is missing. If I am off-topic and need to repost to the SASL mailing list, please let me know as well.

Thanks a lot.
chap.

----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
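The "no secret in database" error in the post is raised by the server-side SASL layer when, after slapd has mapped the SASL authentication identity through the sasl-regexp rules, it cannot obtain a usable secret for the resulting entry; for DIGEST-MD5 the server must be able to read the password in clear (a hashed userPassword value, or a rootpw that only exists in slapd.conf, is not usable). The Python script below is an added example, not part of the original post and not OpenLDAP's own code. It models the two sasl-regexp lines from the posted slapd.conf against a small constructed directory, builds the uid=<authcid>[,cn=<realm>],cn=<mech>,cn=auth identity the way slapd does before matching, and traces each authcid to a target, an entry, and a verdict. The directory entries and passwords are invented; the placement of user entries under ou=Users,ou=OxObjects,dc=ilr,dc=lu is assumed from the posted access rules; the minimal ldap:/// URL parser and the REGEXPS_SUB variant (same rules with a subtree search) are assumptions of this example.

```python
import re

# Constructed toy directory standing in for the bdb backend. Entries and
# passwords are invented; DN shapes follow the posted access rules. Keys are
# lower-cased so DN comparison is case-insensitive. cn=Manager,dc=ilr,dc=lu is
# the rootdn: its rootpw lives in slapd.conf, so in this model there is no
# entry (and no userPassword) for the SASL layer to read.
DIRECTORY = {
    "uid=sp,ou=users,ou=oxobjects,dc=ilr,dc=lu": {
        "uid": ["sp"], "userPassword": ["{SSHA}CONSTRUCTED-HASH-VALUE"]},
    "uid=alice,ou=users,ou=oxobjects,dc=ilr,dc=lu": {
        "uid": ["alice"], "userPassword": ["{CLEARTEXT}alice-pw"]},
}

# The two sasl-regexp lines as posted: (pattern, replacement).
REGEXPS = [
    (r"uid=root,cn=(plain|digest-md5|login),cn=auth", "cn=Manager,dc=ilr,dc=lu"),
    (r"uid=(.*),cn=(plain|digest-md5|login),cn=auth", "ldap:///dc=ilr,dc=lu??one?(uid=$1)"),
]
# Assumed variant: the same rules with a subtree ("sub") search so that entries
# more than one level below the suffix can be found.
REGEXPS_SUB = [REGEXPS[0], (REGEXPS[1][0], "ldap:///dc=ilr,dc=lu??sub?(uid=$1)")]


def sasl_identity(authcid, mech, realm=None):
    """Build the uid=<authcid>[,cn=<realm>],cn=<mech>,cn=auth form slapd matches."""
    parts = [f"uid={authcid}"]
    if realm:
        parts.append(f"cn={realm}")
    return ",".join(parts + [f"cn={mech.lower()}", "cn=auth"])


def apply_regexps(sasl_id, regexps):
    """First matching rule wins; $1, $2, ... are replaced by the captured groups."""
    for pattern, replacement in regexps:
        m = re.fullmatch(pattern, sasl_id, re.IGNORECASE)
        if m:
            out = replacement
            for i, group in enumerate(m.groups(), start=1):
                out = out.replace(f"${i}", group)
            return out
    return sasl_id  # no rule matched: the uid=...,cn=auth form is used as-is


def rdn_count(dn):
    return len(dn.split(","))


def resolve(target):
    """DNs selected by a mapping target: an exact DN, or an ldap:/// URL search."""
    t = target.lower()
    if not t.startswith("ldap:///"):
        return [t] if t in DIRECTORY else []
    # Minimal ldap URL parser: base?attrs?scope?filter (equality filters only).
    base, _attrs, scope, filt = (t[len("ldap:///"):].split("?") + ["", "", ""])[:4]
    scope = scope or "base"
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if not m:
        raise ValueError(f"unsupported filter: {filt}")
    attr, value = m.groups()
    hits = []
    for dn, entry in DIRECTORY.items():
        if scope == "base":
            in_scope = dn == base
        elif scope == "one":
            in_scope = dn.endswith("," + base) and rdn_count(dn) == rdn_count(base) + 1
        else:  # sub
            in_scope = dn == base or dn.endswith("," + base)
        values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
        if in_scope and value in values:
            hits.append(dn)
    return hits


def digest_secret(entry):
    """DIGEST-MD5 needs the password in clear; hashed userPassword values are unusable."""
    for pw in entry.get("userPassword", []):
        if pw.startswith("{CLEARTEXT}"):
            return pw[len("{CLEARTEXT}"):]
        if not pw.startswith("{"):
            return pw
    return None


def check_bind(authcid, regexps=REGEXPS, mech="DIGEST-MD5", realm=None):
    """Trace authcid -> SASL identity -> mapping target -> entry -> secret."""
    sasl_id = sasl_identity(authcid, mech, realm)
    target = apply_regexps(sasl_id, regexps)
    dns = resolve(target)
    if len(dns) != 1:
        reason = "no entry for mapped identity" if not dns else "mapping is ambiguous"
        return {"sasl_id": sasl_id, "target": target, "dn": None, "reason": reason}
    secret = digest_secret(DIRECTORY[dns[0]])
    reason = "ok" if secret else "userPassword is hashed; no cleartext secret for DIGEST-MD5"
    return {"sasl_id": sasl_id, "target": target, "dn": dns[0], "reason": reason}


if __name__ == "__main__":
    cases = [("root", REGEXPS, None), ("sp", REGEXPS, None), ("alice", REGEXPS_SUB, None),
             ("sp", REGEXPS_SUB, None), ("alice", REGEXPS_SUB, "ilr.lu")]
    for authcid, rules, realm in cases:
        r = check_bind(authcid, rules, realm=realm)
        print(f"{authcid:6} {r['target']:48} -> {r['dn']} : {r['reason']}")
```

Running it shows three distinct ways the same "no secret" outcome arises: the root rule maps to the rootdn, for which no entry with a readable userPassword exists; the one-level search in the second rule never reaches entries two levels below the suffix; and even with a subtree search, an entry whose userPassword is stored as {SSHA} cannot serve DIGEST-MD5, while a {CLEARTEXT} value can. The last case also shows that when the client sends a realm, the greedy (.*) in the second rule captures "alice,cn=ilr.lu" as the uid, so the search finds nothing.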