
Re: Openldap for proxy AD



Thank you.

Yes, the credentials are stored in AD.

I saw this documentation,
http://ltb-project.org/wiki/documentation/general/sasl_delegation

It helped me very much, but I think there is something wrong in my saslauthd.conf,
because when I point it at the AD server with ldap_filter: (sAMAccountName=%u) the
result is OK "Success", but when I point it at my localhost like this:

ldap_servers: ldaps://127.0.0.1
# or ldap://localhost
#ldap_servers: ldaps://1.1.2.1
ldap_version: 3
ldap_auth_method: bind
ldap_search_base: cn=users,dc=foobar,dc=br
#ldap_filter: (sAMAccountname=%u)
#ldap_filter: (userPrincipalName=%u)
ldap_filter: uid=%u
ldap_bind_dn: cn=vmail,cn=users,dc=foobar,dc=br
# or cn=admin,dc=foobar
ldap_password: abc@123
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_timeout: 10


testsaslauthd -u usertst -p password

NO "authentication failed"

See the log:

Nov 20 09:13:23 mail slapd[12776]: conn=1139 fd=18 ACCEPT from IP=127.0.0.1:50194 (IP=0.0.0.0:636)
Nov 20 09:13:23 mail slapd[12776]: conn=1139 fd=18 TLS established tls_ssf=256 ssf=256
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 BIND dn="cn=vmail,cn=users,dc=foobar,dc=br" method=128
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 BIND dn="cn=vmail,cn=users,dc=foobar,dc=br" mech=SIMPLE ssf=0
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 RESULT tag=97 err=0 text=
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SRCH base="cn=users,dc=foobar,dc=br" scope=2 deref=0 filter="(uid=usertst)"
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SRCH attr=dn
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=

What can I do to fix this?



Willy R.M


> Clément OUDOT wrote:
>> 2013/11/19 Jason Brandt <jbrandt@fsmail.bradley.edu>:
>>> You are trying to authenticate through the credentials stored in your
>>> active
>>> directory servers, not the passwords stored in LDAP, correct?  If that
>>> is
>>> the case, then the easiest means to accomplish that are to use SASL for
>>> authentication.
>
> Or he could just read up on slapo-pbind.
>>
>> You can check this how-to:
>> http://ltb-project.org/wiki/documentation/general/sasl_delegation
>>
>> Clément.
>>
>>
>
>
> --
>    -- Howard Chu
>    CTO, Symas Corp.           http://www.symas.com
>    Director, Highland Sun     http://highlandsun.com/hyc/
>    Chief Architect, OpenLDAP  http://www.openldap.org/project/
>
>
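The slapd log in the post above says more than testsaslauthd's NO "authentication failed" does: the service bind as cn=vmail succeeded (op=0, err=0) and it is the lookup that came back empty (op=1, nentries=0), so saslauthd never obtained a DN to bind as with the user's password. The script below is an added example, not code from the post or from the saslauthd or OpenLDAP projects. It parses slapd stats-level log lines, correlates the operations of each connection and reports at which of the three steps of a saslauthd `ldap_auth_method: bind` exchange (service bind, user lookup, user bind) things stopped. Its sample input is the post's own log rejoined one line per entry, plus a constructed "working" exchange whose op layout is illustrative (an assumption, not a capture from the poster's system).

```python
import re
from collections import defaultdict

# Constructed sample: the slapd log lines from the post, rejoined one per line.
FAILED_LOG = """\
Nov 20 09:13:23 mail slapd[12776]: conn=1139 fd=18 ACCEPT from IP=127.0.0.1:50194 (IP=0.0.0.0:636)
Nov 20 09:13:23 mail slapd[12776]: conn=1139 fd=18 TLS established tls_ssf=256 ssf=256
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 BIND dn="cn=vmail,cn=users,dc=foobar,dc=br" method=128
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 BIND dn="cn=vmail,cn=users,dc=foobar,dc=br" mech=SIMPLE ssf=0
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 RESULT tag=97 err=0 text=
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SRCH base="cn=users,dc=foobar,dc=br" scope=2 deref=0 filter="(uid=usertst)"
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SRCH attr=dn
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

# Constructed sample of the shape a working exchange has: the lookup matches
# exactly one entry and that DN then binds with the submitted password.
# The op layout is illustrative (assumption), not a capture.
WORKING_LOG = """\
Nov 20 09:20:01 mail slapd[12776]: conn=1140 op=0 BIND dn="cn=vmail,cn=users,dc=foobar,dc=br" method=128
Nov 20 09:20:01 mail slapd[12776]: conn=1140 op=0 RESULT tag=97 err=0 text=
Nov 20 09:20:01 mail slapd[12776]: conn=1140 op=1 SRCH base="cn=users,dc=foobar,dc=br" scope=2 deref=0 filter="(sAMAccountName=usertst)"
Nov 20 09:20:01 mail slapd[12776]: conn=1140 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 20 09:20:01 mail slapd[12776]: conn=1140 op=2 BIND dn="cn=usertst,cn=users,dc=foobar,dc=br" method=128
Nov 20 09:20:01 mail slapd[12776]: conn=1140 op=2 RESULT tag=97 err=0 text=
"""

OP_RE = re.compile(r"conn=(\d+) op=(\d+) (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_ops(log_text):
    """Group slapd stats-log lines by (conn, op).

    Returns {conn: {op: {"kind": "BIND"|"SRCH"|..., "fields": {...}}}}; fields
    merges the request line(s) and the RESULT line, with quotes stripped.
    ACCEPT/TLS/closed lines carry no op= and are skipped.
    """
    conns = defaultdict(dict)
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, rest = int(m.group(1)), int(m.group(2)), m.group(3)
        entry = conns[conn].setdefault(op, {"kind": None, "fields": {}})
        kind = rest.split(" ", 1)[0]
        if kind not in ("RESULT", "SEARCH"):   # "SEARCH RESULT" is the reply line
            entry["kind"] = kind
        for key, value in KV_RE.findall(rest):
            entry["fields"][key] = value.strip('"')
    return conns


def diagnose(log_text):
    """One (conn, op, status, detail) tuple per bind or search operation."""
    findings = []
    for conn, ops in sorted(parse_ops(log_text).items()):
        for op, entry in sorted(ops.items()):
            f = entry["fields"]
            if entry["kind"] == "BIND":
                status = "bind-ok" if f.get("err") == "0" else "bind-failed"
                findings.append((conn, op, status, f.get("dn", "")))
            elif entry["kind"] == "SRCH":
                n = int(f.get("nentries", "0"))
                if f.get("err") != "0":
                    status = "search-error"
                elif n == 0:
                    status = "search-empty"        # saslauthd: user not found
                elif n > 1:
                    status = "search-ambiguous"    # filter must match one entry
                else:
                    status = "search-ok"
                findings.append((conn, op, status, f.get("filter", "")))
    return findings


def verdict(log_text):
    """Reduce the findings to the step at which the saslauthd exchange stopped."""
    seen_lookup = False
    for _conn, _op, status, _detail in diagnose(log_text):
        if status == "bind-failed":
            return "user-password-rejected" if seen_lookup else "service-bind-failed"
        if status in ("search-empty", "search-error"):
            return "lookup-matched-no-entry"
        if status == "search-ambiguous":
            return "lookup-matched-several-entries"
        if status == "search-ok":
            seen_lookup = True
        elif status == "bind-ok" and seen_lookup:
            return "ok"
    return "incomplete"


if __name__ == "__main__":
    for name, log in (("post", FAILED_LOG), ("working", WORKING_LOG)):
        for finding in diagnose(log):
            print(name, *finding)
        print(name, "->", verdict(log))
```

For the post's log the verdict is `lookup-matched-no-entry`: the credential was never tested, so changing ldap_password or the user's password cannot help, and the filter or base is what to look at. Since the filter that worked against AD directly was (sAMAccountName=%u), the obvious check is whether the entries the local slapd serves carry a uid attribute at all, for instance with ldapsearch bound as cn=vmail against ldaps://127.0.0.1 over the same base, requesting uid and sAMAccountName for the test user; an entry proxied from AD has sAMAccountName and userPrincipalName, and a uid value only if something populates it.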