On Thu, 9 Mar 2006, Aleksandar Milivojevic wrote:
OK, I got the newer cyrus-sasl installed on the imap server, with ldap
module. I've placed this into imapd.conf:
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldaps://ldap.foobar.com/
And things were still failing. slapd.log showed clinet conencting and
disconnected right away, without attempting to bind. Figured it was the
certificate verification problem. I don't see in options.html file from
cyrus-sasl docs that there's option for ldapdb to specify CA certificate
directly in imapd.conf file, so I created /etc/openldap/ldap.conf as follows:
BASE dc=foobar,dc=com
URI ldaps://ldap.foobar.com
TLS_CACERT /usr/share/ssl/certs/cacert.pem
The cacert.pem contains certificate of CA used to sign LDAP server's
certificate. The exact same ldap.conf works perfectly for all other
programs/servers/tools/whatever. However, seems that ldap SASL module chokes
on TLS_CACERT line. If it is present in ldap.conf file (and only if it is
present), I get following in system log:
Mar 9 14:07:32 mail imap[10643]: Unexpectedly missing a prompt result
The LDAP server itslef offers only simple bind, SASL PLAIN and SASL LOGIN,
and requires SSL or TLS to use them.
Using ldapsearch (from the same box cyrus-imapd is running on), I can
authenticate correctly, so I know that LDAP server is configured as it should
be:
$ ldapsearch -U foobar -H ldaps://ldap.foobar.com/ -W '(uid=foobar)'
Enter LDAP Password:
SASL/LOGIN authentication started
SASL username: foobar
SASL SSF: 0
# extended LDIF follows...
Same thing if I try StartTLS using -ZZ instead of ldaps URI. Also all works
fine if I try simple bind either over SSL or using StartTLS.
You need to configure proxy authorization in order for ldapdb to work.
This is noted in the cyrus-sasl docs (options.html). If you have trouble
configuring proxy authorization, I suggest you move this discussion to the
openldap software list.
BTW, would it be possible to use simple bind with ldapdb cyrus-sasl module?
Simple bind ovar SSL/TLS would work for me. It would even simplify things on
LDAP server side since I wouldn't need to support SASL on it.
There may be some complexity on the openldap server side, but the client
config becomes far more simple.
--
Igor
----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
