Re: ldap auxprop plugin on centos4/rhel4?

From: Igor Brezac (no email)
Date: Fri Mar 10 2006 - 13:12:54 EST

  • Next message: Ken Murchison: "Re: How to suppress "Couldn't find mech CRAM-MD5" message"

    On Thu, 9 Mar 2006, Aleksandar Milivojevic wrote:

    > OK, I got the newer cyrus-sasl installed on the imap server, with ldap
    > module. I've placed this into imapd.conf:
    >
    > sasl_pwcheck_method: auxprop
    > sasl_auxprop_plugin: ldapdb
    > sasl_ldapdb_uri: ldaps://ldap.foobar.com/
    >
    > And things were still failing. slapd.log showed the client connecting and
    > disconnecting right away, without attempting to bind. Figured it was the
    > certificate verification problem. I don't see in options.html file from
    > cyrus-sasl docs that there's an option for ldapdb to specify CA certificate
    > directly in imapd.conf file, so I created /etc/openldap/ldap.conf as follows:
    >
    > BASE dc=foobar,dc=com
    > URI ldaps://ldap.foobar.com
    > TLS_CACERT /usr/share/ssl/certs/cacert.pem
    >
    > The cacert.pem contains certificate of CA used to sign LDAP server's
    > certificate. The exact same ldap.conf works perfectly for all other
    > programs/servers/tools/whatever. However, it seems that the ldap SASL module chokes
    > on the TLS_CACERT line. If it is present in the ldap.conf file (and only if it is
    > present), I get the following in the system log:
    >
    > Mar 9 14:07:32 mail imap[10643]: Unexpectedly missing a prompt result
    >
    > The LDAP server itself offers only simple bind, SASL PLAIN and SASL LOGIN,
    > and requires SSL or TLS to use them.
    >
    > Using ldapsearch (from the same box cyrus-imapd is running on), I can
    > authenticate correctly, so I know that LDAP server is configured as it should
    > be:
    >
    > $ ldapsearch -U foobar -H ldaps://ldap.foobar.com/ -W '(uid=foobar)'
    > Enter LDAP Password:
    > SASL/LOGIN authentication started
    > SASL username: foobar
    > SASL SSF: 0
    > # extended LDIF follows...
    >
    > Same thing if I try StartTLS using -ZZ instead of ldaps URI. Also all works
    > fine if I try simple bind either over SSL or using StartTLS.

    You need to configure proxy authorization in order for ldapdb to work.
    This is noted in the cyrus-sasl docs (options.html). If you have trouble
    configuring proxy authorization, I suggest you move this discussion to the
    openldap software list.

    > BTW, would it be possible to use simple bind with ldapdb cyrus-sasl module?
    > Simple bind over SSL/TLS would work for me. It would even simplify things on
    > LDAP server side since I wouldn't need to support SASL on it.

    There may be some complexity on the openldap server side, but the client
    config becomes far more simple.

    -- 
    Igor
    ----
    Cyrus Home Page: http://asg.web.cmu.edu/cyrus
    Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
    List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
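The ldapdb plugin does not bind to the directory as the user who is logging in: it binds as its own proxy identity and then relies on the server to authorize it as that user, which is why the reply says proxy authorization has to be in place first. The check below, an added example that is not code from this thread, from cyrus-sasl or from Cyrus IMAP, takes an imapd.conf plus the ldaprc/ldap.conf files libldap would read and reports what is missing for ldapdb to work: the proxy identity (sasl_ldapdb_id, sasl_ldapdb_pw, sasl_ldapdb_mech), a protected transport (ldaps:// or a demanded StartTLS), and a CA certificate for server verification. The option names are the ldapdb options listed in cyrus-sasl's options.html with the sasl_ prefix imapd.conf uses; the proxy identity "cyrus-proxy", its password, and the /etc/cyrus-ldaprc path are made up for the example, and the two configs are constructed ("before" is the fragment from the question, "after" is a completed version).

```python
"""Offline check of an imapd.conf that authenticates through the cyrus-sasl
ldapdb auxprop plugin.

Added example; not code from this thread, cyrus-sasl or cyrus-imapd.  Option
names are the ldapdb options from cyrus-sasl's options.html (ldapdb_uri,
ldapdb_id, ldapdb_pw, ldapdb_mech, ldapdb_rc, ldapdb_starttls) with the
"sasl_" prefix imapd.conf requires.  The proxy identity "cyrus-proxy", its
password and /etc/cyrus-ldaprc are made-up values.
"""

SYSTEM_LDAP_CONF = "/etc/openldap/ldap.conf"


def parse_imapd_conf(text):
    """imapd.conf: one 'option: value' per line, '#' only as a line comment."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip()] = value.strip()
    return opts


def parse_ldaprc(text):
    """ldap.conf / ldaprc: 'KEYWORD value' per line, keyword case-insensitive."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def check_ldapdb(imapd_conf, files):
    """Return a list of findings; an empty list means the config passes.

    `files` maps path -> contents so the check runs without touching disk.
    """
    c = parse_imapd_conf(imapd_conf)
    findings = []
    if c.get("sasl_pwcheck_method") != "auxprop":
        findings.append("sasl_pwcheck_method is not auxprop")
    if "ldapdb" not in c.get("sasl_auxprop_plugin", "").split():
        findings.append("sasl_auxprop_plugin does not list ldapdb")
    uri = c.get("sasl_ldapdb_uri", "")
    if not uri:
        findings.append("sasl_ldapdb_uri missing")

    # ldapdb binds as its own proxy identity (ldapdb_id / ldapdb_pw through
    # ldapdb_mech) and is then authorized as the user being authenticated.
    # Without id and pw the plugin has nothing to bind with.
    for key in ("sasl_ldapdb_id", "sasl_ldapdb_pw"):
        if not c.get(key):
            findings.append(f"{key} missing: ldapdb has no proxy identity to bind with")
    if not c.get("sasl_ldapdb_mech"):
        findings.append("sasl_ldapdb_mech not set: bind mechanism left to libldap negotiation")

    # Transport: PLAIN/LOGIN carry the proxy password in clear, so every URI
    # must be ldaps:// or StartTLS must be demanded.
    uris = uri.split()
    if uris and not all(u.startswith("ldaps://") for u in uris):
        if c.get("sasl_ldapdb_starttls") != "demand":
            findings.append("plain ldap:// URI without sasl_ldapdb_starttls: demand")

    # CA trust: libldap reads TLS settings from the file named by ldapdb_rc
    # (handed to the plugin as LDAPRC); otherwise the system ldap.conf applies.
    rc_path = c.get("sasl_ldapdb_rc") or SYSTEM_LDAP_CONF
    if rc_path not in files:
        findings.append(f"{rc_path} not found: no TLS settings for libldap")
    else:
        rc = parse_ldaprc(files[rc_path])
        if not (rc.get("TLS_CACERT") or rc.get("TLS_CACERTDIR")):
            findings.append(f"{rc_path} sets neither TLS_CACERT nor TLS_CACERTDIR")
        if rc.get("TLS_REQCERT", "demand").lower() in ("never", "allow"):
            findings.append(f"{rc_path} TLS_REQCERT={rc['TLS_REQCERT']} disables certificate checking")
    return findings


# Constructed samples: BEFORE is the fragment from the question, AFTER adds
# what the plugin needs (hypothetical proxy identity, password and rc path).
BEFORE = """\
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldaps://ldap.foobar.com/
"""

AFTER = BEFORE + """\
# proxy identity ldapdb binds as (made-up values)
sasl_ldapdb_id: cyrus-proxy
sasl_ldapdb_pw: example-secret
sasl_ldapdb_mech: PLAIN
# per-plugin ldaprc so TLS_CACERT is picked up without editing the system file
sasl_ldapdb_rc: /etc/cyrus-ldaprc
"""

FILES = {
    SYSTEM_LDAP_CONF: "BASE dc=foobar,dc=com\nURI ldaps://ldap.foobar.com\n"
                      "TLS_CACERT /usr/share/ssl/certs/cacert.pem\n",
    "/etc/cyrus-ldaprc": "TLS_CACERT /usr/share/ssl/certs/cacert.pem\n"
                         "TLS_REQCERT demand\n",
}

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(f"{name}: {check_ldapdb(conf, FILES) or 'ok'}")
```

The check covers only the client side. The server side of proxy authorization, on OpenLDAP the authz-policy directive and an authzTo value on the proxy user's entry that permits it to assume the users it will authenticate, is the part the reply refers to the openldap-software list, and nothing here inspects slapd's configuration.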
    
