# SASL2 + OpenLDAP Help needed

## hardaur

Good afternoon folks,

I'm at wit's end. I've been working for days on getting postfix+cyrus-imap+cyrus-sasl2+dspam+amavisd+clamav+openldap configured and running (considering doing a HOWTO when/if I get it up). I've come down to one last little problem: when trying to authenticate IMAP, sasl2 is failing to authenticate. Following are the appropriate config files.

/etc/saslauthd.conf

```
ldap_servers: ldap://ldap.mydomain.com:389/
ldap_bind_dn: cn=Manager,dc=mydomain,dc=com
ldap_bind_pw: {MD5}/hW/7KEABCDL36eK/x0PYzQ==
ldap_search_base: ou=People,dc=mydomain,dc=com
```

/etc/conf.d/saslauthd

```
SASLAUTHD_OPTS="-a ldap -O /etc/saslauthd.conf"
```

/etc/openldap/slapd.conf

```
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/phpgwaccount.schema
include         /etc/openldap/schema/phpgwcontact.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/lib/openldap/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy is:
#       Allow read by all
#
# rootdn can always write!

#######################################################################
# ldbm database definitions
#######################################################################

database        bdb
suffix          "dc=mydomain,dc=com"
rootdn          "cn=Manager,dc=mydomain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {MD5}/hW/7KEABCDL36eK/x0PYzQ==
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/openldap-data
# Indices to maintain
index default eq
index objectClass eq
index phpgwContactOwner pres,eq,sub
index uidNumber pres,eq
```

/etc/openldap/ldap.conf

```
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=mydomain,dc=com
URI     ldap://ldap.mydomain.com/

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
```

OK, now I'm going to test. Start saslauthd attached to the shell with full debugging added. I'm going to do a test for a user "bob" and his correct password. Bob exists in ou=People,dc=mydomain,dc=com.

*Quote:*

> root # saslauthd -a ldap -O /etc/saslauthd.conf -d -V
> saslauthd[30782] :main            : num_procs  : 5
> ...


*Quote:*

> root # saslauthd -v
> saslauthd 2.1.20
> ...


And here are the logs:

*Quote:*

> ==> /var/log/secure <==
> Feb 21 11:13:38 ganges saslauthd[30785]: rel_accept_lock : released accept lock
> ...


So SASL is querying LDAP, and for some reason LDAP is unhappy about what it's getting. So does anybody have any idea? I know that my Manager password is correct, as are Bob's uid and password, as they're successful in other operations (logging into my groupware, for instance); I just can't authenticate IMAP because of this problem.

Any help is appreciated; my mind is a terrible thing to waste ; ) (my personal opinion, of course)

Thanks,

H

----------

## hardaur

Hate to do it, but I'm beyond desperate at this point. . . .

bump

----------

## UberLord

Why not have saslauthd go via PAM and then get PAM to go to LDAP?

But to me it looks like the error is because you're binding as Manager with an incorrect password.

----------

## hardaur

It would seem to me that using PAM as a middle-man would complicate things unnecessarily. I guess I could do it, but I'd REALLY rather avoid it.

I am admittedly a newb with all of those technologies (typically a sendmail, wu-imap, passwd, pam, etc. man). My understanding is that the password defined in slapd.conf is what defines the Manager password? If so, it and the password in saslauthd.conf match (cut and paste). If I'm misunderstanding, by all means, please let me know. This whole project is stalled on this last little piece, hehe.

Thanks,

H

----------

## UberLord

```
ldap_simple_bind() failed 48 (Inappropriate authentication). 
```

Are you allowing simple binds? Maybe you've specified the need for encryption with simple binds?

----------

## hardaur

Hmm, I don't know that I have. I did play with ldap_auth_method (in the sasl config) for a bit, but couldn't really notice any changes. Sorry to be so ignorant, but how would I check/configure this?

I really appreciate you taking the time to help me out a bit UberLord.

----------

## UberLord

Maybe ldap_bind_pw needs to be the password in cleartext

----------

## hardaur

Tried that as well. Maybe I'm just cursed? I can't find any documentation anywhere that I can read as saying anything different from what I've done. : /

----------

## BlaaT0001

I copy/pasted your configuration and it worked for me just fine. I know this response is a bit late; I just happened to run into your post, though. The one thing I did change is the ldap_bind_pw value: it needs to be in cleartext format.

You can put an encrypted password in /etc/openldap/slapd.conf (using slappasswd), but in every service that wants to connect to slapd (ldapclients) you must use the unencrypted (clear text) password. Otherwise encrypting your password in slapd.conf wouldn't do you much good now would it?

Thanks for your config, saved me a whole lot of figuring out :)

BlaaT
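The cleartext requirement BlaaT0001 describes, and UberLord's earlier question about whether the server is accepting simple binds at all, can both be checked before restarting anything. The script below is an added example, not code from this thread or from the cyrus-sasl or OpenLDAP projects. It assumes the key names used in the thread's /etc/saslauthd.conf (ldap_servers, ldap_bind_dn, ldap_bind_pw, ldap_search_base) and the stock ldapsearch and testsaslauthd tools. The "fixed" sample goes one step further than the thread did: besides using the cleartext password, it binds as a dedicated read-only account (cn=saslauthd,ou=Services,dc=mydomain,dc=com is an assumed DN, and the password is a placeholder) instead of the rootdn, and keeps the file owner-only.

```shell
#!/bin/sh
# Preflight for saslauthd -a ldap.  Added example, not from the thread or from
# the cyrus-sasl/OpenLDAP projects.  Assumes the thread's saslauthd.conf keys
# and the stock ldapsearch / testsaslauthd binaries.

# conf_value FILE KEY: print the value of the first "KEY: value" line
conf_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# lint_saslauthd_conf FILE: offline checks; returns the number of findings
lint_saslauthd_conf() {
    conf=$1; findings=0

    # 1. ldap_bind_pw is sent to slapd verbatim as the simple-bind password,
    #    so it must be cleartext.  A {MD5}/{SSHA}/... string pasted from
    #    slapd.conf's rootpw is the *stored hash*; slapd hashes the literal
    #    "{MD5}..." text and compares it to the hash, which never matches.
    pw=$(conf_value "$conf" ldap_bind_pw)
    case $pw in
        '{MD5}'*|'{SMD5}'*|'{SHA}'*|'{SSHA}'*|'{CRYPT}'*)
            echo "ldap_bind_pw looks like a password hash; use the cleartext password"
            findings=$((findings + 1)) ;;
        '')
            echo "ldap_bind_pw is empty; the bind would be anonymous"
            findings=$((findings + 1)) ;;
    esac

    # 2. The file now holds a cleartext directory password: owner-only access.
    mode=$(ls -l "$conf" | cut -c5-10)
    case $mode in
        ------) ;;
        *) echo "$conf is group/world readable (bits '$mode'); chmod 600 it"
           findings=$((findings + 1)) ;;
    esac

    # 3. Binding as the rootdn hands saslauthd full write access to the whole
    #    directory for a job that only needs to read ou=People.  The DN names
    #    matched here are the usual manager names, an assumption.
    dn=$(conf_value "$conf" ldap_bind_dn)
    case $dn in
        cn=Manager,*|cn=admin,*)
            echo "ldap_bind_dn '$dn' is the directory manager; bind with a read-only account"
            findings=$((findings + 1)) ;;
    esac
    return $findings
}

# write_sample FILE broken|fixed: constructed copies of the thread's config.
write_sample() {
    case $2 in
        broken) dn='cn=Manager,dc=mydomain,dc=com'
                pw='{MD5}/hW/7KEABCDL36eK/x0PYzQ=='   # rootpw hash pasted from slapd.conf
                mode=644 ;;
        fixed)  dn='cn=saslauthd,ou=Services,dc=mydomain,dc=com'   # assumed read-only account
                pw='placeholder-cleartext-password'                # placeholder, not real
                mode=600 ;;
        *)      echo "write_sample: broken|fixed" >&2; return 2 ;;
    esac
    ( umask 077; printf 'ldap_servers: ldap://ldap.mydomain.com:389/\nldap_bind_dn: %s\nldap_bind_pw: %s\nldap_search_base: ou=People,dc=mydomain,dc=com\n' "$dn" "$pw" > "$1" )
    chmod "$mode" "$1"
}

# live_check FILE USER PASS: ldapsearch -x makes exactly the simple bind
# saslauthd will make, so its result (e.g. 48 Inappropriate authentication,
# 49 Invalid credentials) is what saslauthd sees.  testsaslauthd ships with
# cyrus-sasl and exercises the running saslauthd end to end.
live_check() {
    conf=$1; user=$2; pass=$3
    ldapsearch -x -H "$(conf_value "$conf" ldap_servers)" \
        -D "$(conf_value "$conf" ldap_bind_dn)" -w "$(conf_value "$conf" ldap_bind_pw)" \
        -b "$(conf_value "$conf" ldap_search_base)" "(uid=$user)" dn
    testsaslauthd -u "$user" -p "$pass"
}

# Live checks need the real server, so they only run with RUN_LIVE=1.
if [ "${RUN_LIVE:-0}" = "1" ]; then
    lint_saslauthd_conf /etc/saslauthd.conf
    live_check /etc/saslauthd.conf bob "${BOB_PASSWORD:?set BOB_PASSWORD}"
fi
```

Run `lint_saslauthd_conf /etc/saslauthd.conf` first; on the thread's file it reports all three findings. Passing the bind password with `-w` puts it in the process list for the duration of the search, so on a shared box prefer `-W` and type it. The `security simple_bind=` line in slapd.conf is commented out in the thread's config, so it is not what refused the bind there; if it were enabled, the plain `ldap://` simple bind above would be refused by policy regardless of the password.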

----------

