问题
Trying to use SASL AND LDAP to authenticate user in RedHat Linux. So far I've setup the saslauthd service and its up and running. My /etc/saslauthd.conf looks like follows:
ldap_servers: ldaps://test.ldap.server:1234
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
ldap_auth_method: fastbind
ldap_search_base: Ou=PeopleAuthSrch,DC=abc,DC=com
My /etc/sasl2/smtpd.conf looks like the following:
pwcheck_method: saslauthd
mech_list: plain login
Now when I try to test the authentication with following command:
testsaslauthd -u username -p password -f /var/run/saslauthd/mux
I get 0: NO "authentication failed"
and when i look at the logs it says:
Retrying authentication
do_auth :auth failure: [user:myuser] [service=imap] [realm=] [mech=ldap] [reason=unknown]
What am i missing here? thanks in advance!!
UPDATE:
installed OpenLdap to do a search with the following command:
ldapsearch -x -h ldaps://my.ldap.server:port -d8
for ldapsearch command to work i modified /etc/openldap/ldap.conf file as follows:
tls_reqcert allow
TLS_CACERTDIR /home/myuser/cacertss
LDAPTLS_CACERT /home/myuser/cacertss
It returns all the entries but i still cant authenticate using
testsaslauthd -u username -p password -f /var/run/saslauthd/mux
what do i need to do here to get this authenticated?
回答1:
After 5 days of struggle found out that the settings i used was for Active directory where i should be using settings for LDAP as following:
ldap_servers: ldaps://test.ldap.server:1234
ldap_search_base: Ou=PeopleAuthSrch,DC=abc,DC=com
ldap_filters: (uid=%u)
ldap_tls_cacert_file: /path/to/my/certificate
I did install cyrus-sasl-md5 as Bertold Kolics mentioned, i'm not sure if that played the part on authenticating the user.
回答2:
I went through the exercise of setting SASL setup with OpenLDAP and TLS on RedHat Linux 7.2 and I managed to get something similar working fine.
As I mentioned in my previous post, make sure that you have the cyrus-sasl-md5 package installed.
I would first try to get everything working without SSL. Only after you have your setup working without SSL move to the SSL part.
- You need to make sure that
saslauthdaccepts the CA certificate of the certificate used by the LDAP server. In particular,ldap_tls_cacert_fileoption in/etc/saslauthd.confis your friend - If you have SELinux enabled, make sure that
saslauthdcan access the certificate files. If you are unsure, tail the/var/log/audit/audit.logfile and look for entries with the "denied" keyword. I have found theaudit2allowtool a great way to enable access that was previously denied. You can also just disable SELinux temporarily using thesetenforce Permissivecommand
来源:https://stackoverflow.com/questions/36874163/sasl-ldap-authentication-failure