Re: LDAP simple bind

From: Shelley Waltz (no email)
Date: Tue Dec 04 2007 - 12:54:10 EST

  • Next message: Igor Brezac: "Re: LDAP simple bind"

    Igor,
    Thanks, changing the ldap_password to cleartext worked.
    Is there a good reference to read on setting up sasl
    with auxprop plugin for use with cyrus-imap amd postfix?
    thanks
    Shelley

    On Tue, 4 Dec 2007, Igor Brezac wrote:

       Shelley Waltz wrote:
    > I am still having an issue trying to use LDAP authentication
    > with a simple bind.
    >
    > I have
    > [root at roadrunner ~]# rpm -qa|grep sasl
    > cyrus-sasl-lib-2.1.22-4
    > cyrus-sasl-2.1.22-4
    > cyrus-sasl-devel-2.1.22-4
    > cyrus-sasl-plain-2.1.22-4
    > cyrus-sasl-ldap-2.1.22-4
    > cyrus-sasl-md5-2.1.22-4
    > [root at roadrunner ~]# rpm -qa|grep openldap
    > openldap-clients-2.3.27-8.el5_1.1
    > openldap-2.3.27-8.el5_1.1
    > openldap-servers-2.3.27-8.el5_1.1
    > openldap-devel-2.3.27-8.el5_1.1
    >
    > and the the following configuration
    >
    > /etc/slapd.conf
    > #
    > # See slapd.conf(5) for details on configuration options.
    > # This file should NOT be world readable.
    > #
    > include /etc/openldap/schema/core.schema
    > include /etc/openldap/schema/cosine.schema
    > include /etc/openldap/schema/inetorgperson.schema
    > include /etc/openldap/schema/cabm-person.schema
    > include /etc/openldap/schema/nis.schema
    > #include /etc/openldap/slapd.acls
    >
    > # Allow LDAPv2 client connections. This is NOT the default.
    > allow bind_v2
    >
    > # Do not enable referrals until AFTER you have a working directory
    > # service AND an understanding of referrals.
    > #referral ldap://root.openldap.org
    >
    > pidfile /var/run/openldap/slapd.pid
    > argsfile /var/run/openldap/slapd.args
    >
    > # Load dynamic backend modules:
    > # modulepath /usr/lib/openldap
    > # moduleload back_bdb.la
    > # moduleload back_ldap.la
    > # moduleload back_ldbm.la
    > # moduleload back_passwd.la
    > # moduleload back_shell.la
    >
    > # The next three lines allow use of TLS for encrypting connections using a
    > # dummy test certificate which you can generate by changing to
    > # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
    > # slapd.pem so that the ldap user or group can read it. Your client
    > software
    > # may balk at self-signed certificates, however.
    > TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
    > TLSCertificateFile /etc/pki/tls/certs/slapdcert.pem
    > TLSCertificateKeyFile /etc/pki/tls/certs/slapdkey.pem
    >
    > # Sample security restrictions
    > # Require integrity protection (prevent hijacking)
    > # Require 112-bit (3DES or better) encryption for updates
    > # Require 63-bit encryption for simple bind
    > # security ssf=1 update_ssf=112 simple_bind=64
    >
    > # Sample access control policy:
    > # Root DSE: allow anyone to read it
    > # Subschema (sub)entry DSE: allow anyone to read it
    > # Other DSEs:
    > # Allow self write access
    > # Allow authenticated users read access
    > # Allow anonymous users to authenticate
    > # Directives needed to implement policy:
    > #access to dn.base="" by * read
    > #access to dn.base="cn=Subschema" by * read
    > #access to *
    > # by self write
    > # by users read
    > # by anonymous auth
    > #
    > # if no access controls are present, the default policy
    > # allows anyone and everyone to read anything but restricts
    > # updates to rootdn. (e.g., "access to * by * read")
    > #
    > #rootdn can always read and write EVERYTHING!
    >
    > #######################################################################
    > # ldbm and/or bdb database definitions
    > #######################################################################
    >
    > database bdb
    > suffix "dc=cabm.rutgers,dc=edu"
    > rootdn "cn=roadrunner.cabm.rutgers.edu,dc=cabm.rutgers,dc=edu"
    > checkpoint 1024 30
    > # Cleartext passwords, especially for the rootdn, should
    > # be avoided. See slappasswd(8) and slapd.conf(5) for details.
    > # Use of strong authentication encouraged.
    > # rootpw secret
    > # rootpw {crypt}ijFYNcSNctBYg
    > rootpw {MD5}s1VGPKQuI+rRKYM1jtPp+g==
    > password-hash {CRYPT}
    > password-crypt-salt-format "$1$%s
    >
    > # The database directory MUST exist prior to running slapd AND
    > # should only be accessible by the slapd and slap tools.
    > # Mode 700 recommended.
    > directory /var/lib/ldap
    >
    > # Indices to maintain for this database
    > index objectClass eq,pres
    > index ou,cn,mail,surname,givenname eq,pres,sub
    > index uidNumber,gidNumber,loginShell eq,pres
    > index uid,memberUid eq,pres,sub
    > index nisMapName,nisMapEntry eq,pres,sub
    >
    >
    > /etc/saslauthd.conf
    > ldap_servers: ldap://localhost/
    > ldap_version: 3
    > ldap_timeout: 10
    > ldap_timelimit: 10
    > ldap_cache_ttl: 30
    > ldap_cache_mem: 32768
       
       ldap_cache are not valid options. See 'man saslauthd' for caching options.
    > ldap_restart: yes
    > ldap_scope: sub
    > ldap_search_base: dc=cabm.rutgers,dc=edu
    > ldap_auth_method: bind
    > ldap_bind_dn: cn=roadrunner.cabm.rutgers.edu,dc=cabm.rutgers,dc=edu
    > ldap_password: {MD5}s1VGPKQuI+rRKYM1jtPp+g==
       
       ldap_password needs to be clear text.
       
       I suggest you use sasl and the ldapdb auxprop plugin.
       
       I hope this helps.
       
       -Igor
       
    > ldap_filter: mail=%u
    > ldap_debug: 128
    > ldap_verbose: 1
    > ldap_ssl: no
    >
    > I have a similar configuration running with much older versions of
    > openldap/sasl.
    >
    > The objective is to have my imapd/smtp server autheticate users
    > using uid/userPassword from my LDAP database in PLAINTEXT with TLS.
    > The uid in my LDAP database is simple the username without any domain
    > attached. The userPassword is in {CRYPT} in the LDAP database.
    >
    > I have the certificates installed and working and an ldapsearch
    >
    > ldapsearch -x -W -ZZ -b 'dc=cabm.rutgers,dc=edu' -H ldap:/// -D
    > 'cn=roadrunner.cabm.rutgers.edu,dc=cabm.rutgers,dc=edu' '(objectclass=*)'
    >
    > asks for the rootdn password and produces the listing.
    >
    > When I try the testsaslauthd with a uid/userPassword from my LDAP databse,
    > however, the authentication fails ...
    >
    > testsaslauthd -u shelley -p mypassword
    > 0: NO "authentication failed"
    >
    > and in /var/log/secure ...
    > Dec 4 09:56:18 roadrunner saslauthd[6164]: Authentication failed for
    > shelley: Bind to ldap server failed (invalid user/password or insufficient
    > access) (-7)
    > Dec 4 09:56:18 roadrunner saslauthd[6164]: do_auth : auth failure:
    > [user=shelley] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
    >
    > and in the debug from -d 128 ldap log ...
    > => access_allowed: auth access to
    > "cn=roadrunner.cabm.rutgers.edu,dc=cabm.rutgers,dc=edu" "userPassword"
    > requested
    > => access_allowed: backend default auth access granted to "(anonymous)"
    >
    > I allowed the default acls for LDAP, which should allow the rootdn to bind
    > and verify the password.
    >
    > What is the issue here, the ldap_filter? I do not have virtual domains,
    > just a single domain. I have the following in
    > /etc/imapd.conf
    > [root at roadrunner etc]# cat /etc/imapd.conf
    > configdirectory: /var/lib/imap
    > partition-default: /var/spool/imap
    > admins: cyrus
    > sievedir: /var/lib/imap/sieve
    > sendmail: /usr/sbin/sendmail
    > hashimapspool: true
    > allowplaintext: yes
    > sasl_pwcheck_method: saslauthd
    > sasl_mech_list: PLAIN
    > tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
    > tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
    > tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
    >
    > S.Waltz
       
       
       

  • Next message: Igor Brezac: "Re: LDAP simple bind"





    Hosted Email Solutions

    Invaluement Anti-Spam DNSBLs



    		Powered By FreeBSD   Powered By FreeBSD