Re: ldap auxprop plugin on centos4/rhel4?

From: Aleksandar Milivojevic (no email)
Date: Thu Mar 09 2006 - 15:59:43 EST

  • Next message: Rosenbaum, Larry M.: "How to suppress "Couldn't find mech CRAM-MD5" message"

    OK, I got the newer cyrus-sasl installed on the imap server, with the ldap
    module. I've placed this into imapd.conf:

    sasl_pwcheck_method: auxprop
    sasl_auxprop_plugin: ldapdb
    sasl_ldapdb_uri: ldaps://ldap.foobar.com/

    And things were still failing. slapd.log showed the client connecting and
    disconnecting right away, without attempting to bind. Figured it was
    the certificate verification problem. I don't see in the options.html file
    from the cyrus-sasl docs that there's an option for ldapdb to specify the CA
    certificate directly in the imapd.conf file, so I created
    /etc/openldap/ldap.conf as follows:

    BASE dc=foobar,dc=com
    URI ldaps://ldap.foobar.com
    TLS_CACERT /usr/share/ssl/certs/cacert.pem

    The cacert.pem contains certificate of CA used to sign LDAP server's
    certificate. The exact same ldap.conf works perfectly for all other
    programs/servers/tools/whatever. However, seems that ldap SASL module
    chokes on TLS_CACERT line. If it is present in ldap.conf file (and
    only if it is present), I get following in system log:

    Mar 9 14:07:32 mail imap[10643]: Unexpectedly missing a prompt result

    The LDAP server itself offers only simple bind, SASL PLAIN and SASL
    LOGIN, and requires SSL or TLS to use them.

    Using ldapsearch (from the same box cyrus-imapd is running on), I can
    authenticate correctly, so I know that LDAP server is configured as it
    should be:

    $ ldapsearch -U foobar -H ldaps://ldap.foobar.com/ -W '(uid=foobar)'
    Enter LDAP Password:
    SASL/LOGIN authentication started
    SASL username: foobar
    SASL SSF: 0
    # extended LDIF follows...

    Same thing if I try StartTLS using -ZZ instead of ldaps URI. Also all
    works fine if I try simple bind either over SSL or using StartTLS.

    BTW, would it be possible to use simple bind with the ldapdb cyrus-sasl
    module? Simple bind over SSL/TLS would work for me. It would even
    simplify things on the LDAP server side since I wouldn't need to support
    SASL on it.

    -- 
    See Ya' later, alligator!
    http://www.8-P.ca/
    ----------------------------------------------------------------
    This message was sent using IMP, the Internet Messaging Program.
    ----
    Cyrus Home Page: http://asg.web.cmu.edu/cyrus
    Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
    List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
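For the setup discussed in the post above, here is an added configuration example (not from the original message, and not the cyrus-sasl project's own files) laid out the way the ldapdb plugin is documented in cyrus-sasl's options.html. ldapdb does not bind to the directory as the mail user: it binds once as a proxy identity (ldapdb_id/ldapdb_pw) with the SASL mechanism named in ldapdb_mech and then acts on behalf of the requesting user through SASL proxy authorization, which is why it needs a SASL bind rather than a simple bind. The ldapdb_rc option names a separate ldaprc-style file, so the plugin's client-side TLS trust settings do not depend on /etc/openldap/ldap.conf being found. The option names are the documented ones; the proxy identity, its password and the ldaprc path are placeholders, and the directory must permit that identity to proxy-authorize as the users (on OpenLDAP, authz-policy plus an authzTo/authzFrom rule).

```conf
# /etc/imapd.conf (relevant lines only; restrict read access, it holds a password)
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldaps://ldap.foobar.com/
# Mechanism used for the plugin's own bind to the directory; PLAIN is fine
# only because the URI is ldaps:// and the server certificate is verified.
sasl_ldapdb_mech: PLAIN
# Placeholder proxy identity and password (assumed names, not from the post).
sasl_ldapdb_id: cyrus-proxy
sasl_ldapdb_pw: change-me
# Placeholder path: extra libldap client settings read as an ldaprc file.
sasl_ldapdb_rc: /etc/imapd-ldaprc

# /etc/imapd-ldaprc (placeholder path named above)
# CA that signed the LDAP server certificate, as in the post's ldap.conf.
TLS_CACERT /usr/share/ssl/certs/cacert.pem
# Refuse the session if the server certificate does not verify.
TLS_REQCERT demand
```

Before blaming the plugin, confirm the trust anchor from the same box with the stock tools, for example `ldapsearch -H ldaps://ldap.foobar.com/ -x -b '' -s base` after exporting `LDAPCONF=/etc/imapd-ldaprc`, or `openssl s_client -connect ldap.foobar.com:636 -CAfile /usr/share/ssl/certs/cacert.pem` and check that the verify return code is 0; if those fail, the problem is the certificate chain, not ldapdb.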
    
