[KLUG Members] saslauthd and LDAP

Adam Williams members@kalamazoolinux.org
Sat, 07 Feb 2004 15:33:08 -0500


> > Yes;  there is no real correlation between Cyrus IMAP & Cyrus SASL;
> > imapd is just the most prominent application to use SASL.  You can
> > even make OpenLDAP rely on saslauthd to verify bind attempts.
> Well, since saslauthd won't authenticate against LDAP, that's pretty
> meaningless. Does SASL need passwords in sasldb2 before it will work? I
> have md5 and clear passwords in my uid=peter dn.

No.  I've used "saslauthd -a ldap", and used it for a long time after
first implementing Cyrus IMAP.  It worked without incident; I switched
to PAM in order to implement time-of-day & group restrictions, which is
something SASL doesn't know anything about.

I've never used sasldb/sasldb2 since (IMHO) it entirely defeats the 
point.

Here are the contents of my old /etc/saslauthd.conf file -
ldap_version: 3
ldap_timeout: 2
ldap_time_limit: 5
ldap_deref: always
ldap_scope: sub
ldap_search_base: o=Morrison Industries,c=US
ldap_password_attr: userPassword
ldap_auth_method: custom
ldap_filter: (&(uid=%u)(objectclass=morrisonuser))

> This works without a password:
> # ldapsearch -H ldapi:/// -x uid=peter
> These don't:
> # ldapsearch -U uid=peter -R KILLDEVIL.ORG -H ldapi:/// -Y DIGEST-MD5 uid=peter
> # ldapsearch -D uid=peter,ou=People,dc=grimace,dc=killdevil,dc=org -H ldapi:/// \
> -Y DIGEST-MD5 uid=peter
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Internal (implementation specific) error
> (80) additional info: SASL(-13): user not found: no secret in database

Hrm, this seems very strange.

> # ldapmodify -H ldapi:/// -U "cn=admin,dc=killdevil,dc=org" -W 
> Enter LDAP Password: 
> SASL/DIGEST-MD5 authentication started
> ldap_sasl_interactive_bind_s: Internal (implementation specific) error
> (80) additional info: SASL(-13): user not found: no secret in database
> # ldapsearch -D uid=peter,ou=People,dc=grimace,dc=killdevil,dc=org -H ldapi:/// -x -W uid=peter 
> Enter LDAP Password: 
> ldap_bind: Invalid credentials (49)

Right, here we aren't using SASL (hence -x).

> This works with a password
> # ldapmodify -H ldapi:/// -D "cn=admin,dc=killdevil,dc=org" -W -x

Using the secret defined in slapd.conf, right?

I almost suspect the encoding of your userpassword attribute must be
wrong.  How did you set the value of the password in LDAP?
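To illustrate the two points above (what "ldap_auth_method: custom" does with the entry that ldap_filter matches, and why a wrongly encoded userPassword fails), here is an added example that is not part of the original thread. It assumes a constructed in-memory directory standing in for the LDAP server; entries, uids and passwords are made up, and "morrisonuser" is only reused from the filter in the config above.

```python
"""Verify a candidate password against RFC 2307 style userPassword values.

This mirrors the check saslauthd performs with ldap_auth_method: custom:
find the entry with ldap_filter, read ldap_password_attr (userPassword),
and compare locally against the stored scheme-prefixed hash.
"""
import base64
import hashlib
import hmac

def make_ssha(password: str, salt: bytes) -> str:
    """Encode as {SSHA}base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_userpassword(stored: str, candidate: str) -> bool:
    """True if candidate matches a cleartext, {MD5}, {SMD5}, {SHA} or {SSHA} value."""
    pw = candidate.encode()
    if not stored.startswith("{"):
        return hmac.compare_digest(stored.encode(), pw)  # cleartext, no scheme
    scheme, _, payload = stored[1:].partition("}")
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return False  # payload is not base64: a mis-encoded attribute
    scheme = scheme.upper()
    if scheme == "SSHA":  # 20-byte SHA-1 digest followed by the salt
        return hmac.compare_digest(hashlib.sha1(pw + raw[20:]).digest(), raw[:20])
    if scheme == "SMD5":  # 16-byte MD5 digest followed by the salt
        return hmac.compare_digest(hashlib.md5(pw + raw[16:]).digest(), raw[:16])
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    return False  # {CRYPT} and other schemes are not handled here

# Constructed directory standing in for entries matched by
# (&(uid=%u)(objectclass=morrisonuser)); all values are made up.
DIRECTORY = {
    "alice": {"objectClass": ["morrisonuser"],
              "userPassword": make_ssha("correct horse", b"\x01\x02\x03\x04")},
    "bob": {"objectClass": ["morrisonuser"],
            "userPassword": "{MD5}" + base64.b64encode(hashlib.md5(b"s3cret").digest()).decode()},
    "carol": {"objectClass": ["morrisonuser"], "userPassword": "plaintext-pw"},
    # Wrong encoding: hex digest instead of base64, so the compare can never succeed.
    "dave": {"objectClass": ["morrisonuser"], "userPassword": "{MD5}" + hashlib.md5(b"s3cret").hexdigest()},
}

def saslauthd_custom(uid: str, password: str) -> bool:
    """Emulate saslauthd -a ldap with ldap_auth_method: custom for one login."""
    entry = DIRECTORY.get(uid)
    if entry is None or "morrisonuser" not in entry["objectClass"]:
        return False  # ldap_filter matched nothing
    return verify_userpassword(entry["userPassword"], password)
```

Running the check against "dave" shows the failure mode the reply suspects: the password is right, but the attribute value is stored in an encoding the comparison cannot interpret.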