Re: Openldap for proxy AD



2013/11/20  <wrm@cdtn.br>:
> Thank you.
>
> Yes, the credentials are stored in AD.
>
> I saw this documentation,
> http://ltb-project.org/wiki/documentation/general/sasl_delegation
>
> It helped me very much, but I think there is something wrong in my saslauthd.conf,
> because when I put the AD server and ldap_filter: (sAMAccountName=%u) it is
> OK, "Success SASL", but when I put my localhost like this:
>
> ldap_servers: ldaps://127.0.0.1        #or ldap://localhost
> #ldap_servers: ldaps://1.1.2.1
> ldap_version: 3
> ldap_auth_method: bind
> ldap_search_base: cn=users,dc=foobar,dc=br
> #ldap_filter: (sAMAccountname=%u)
> #ldap_filter: (userPrincipalName=%u)
> ldap_filter: uid=%u
> ldap_bind_dn: cn=vmail,cn=users,dc=foobar,dc=br     #or cn=admin,dc=foobar
> ldap_password: abc@123
> ldap_deref: never
> ldap_restart: yes
> ldap_scope: sub
> ldap_use_sasl: no
> ldap_start_tls: no
> ldap_timeout: 10
>
>
> testsaslauthd -u usertst -p password
>
> NO "authentication failed"
>
> See the log:
>
> Nov 20 09:13:23 mail slapd[12776]: conn=1139 fd=18 ACCEPT from IP=127.0.0.1:50194 (IP=0.0.0.0:636)
> Nov 20 09:13:23 mail slapd[12776]: conn=1139 fd=18 TLS established tls_ssf=256 ssf=256
> Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 BIND dn="cn=vmail,cn=users,dc=foobar,dc=br" method=128
> Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 BIND dn="cn=vmail,cn=users,dc=foobar,dc=br" mech=SIMPLE ssf=0
> Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 RESULT tag=97 err=0 text=
> Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SRCH base="cn=users,dc=foobar,dc=br" scope=2 deref=0 filter="(uid=usertst)"
> Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SRCH attr=dn
> Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
>
> What can I do to fix this?
>

The log says that the entry is not found (nentries=0), either because
it does not exist, or because you can't read it (ACL).

But why are you using localhost behind your SASL pass-through? It seems
like you are doing a loop on your LDAP server.


Clément.
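As an added example (not part of this thread, and not saslauthd or OpenLDAP code), the following Python script applies Clément's reading to slapd stats-level log lines: it correlates each connection's ACCEPT, BIND and SRCH/SEARCH RESULT entries by conn= and op=, reports a search that completed with err=0 but nentries=0 together with the bind identity it ran as (entry missing, or not readable under the ACL), and flags a client that connects from the loopback address, which is the loop Clément asks about. The embedded sample is the thread's own log excerpt reassembled one entry per line; the `expected_attrs` default is an assumption taken from the filters the poster said worked against AD, and the regexes cover only the stats-log fields shown in the thread.

```python
"""Triage slapd stats-log lines for a saslauthd LDAP bind/search failure."""
import re
from collections import defaultdict

# Constructed sample: the log excerpt from the thread, one entry per line
# (the mail client had wrapped them). Nothing beyond what the post shows.
SAMPLE_LOG = """\
Nov 20 09:13:23 mail slapd[12776]: conn=1139 fd=18 ACCEPT from IP=127.0.0.1:50194 (IP=0.0.0.0:636)
Nov 20 09:13:23 mail slapd[12776]: conn=1139 fd=18 TLS established tls_ssf=256 ssf=256
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 BIND dn="cn=vmail,cn=users,dc=foobar,dc=br" method=128
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 BIND dn="cn=vmail,cn=users,dc=foobar,dc=br" mech=SIMPLE ssf=0
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 RESULT tag=97 err=0 text=
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SRCH base="cn=users,dc=foobar,dc=br" scope=2 deref=0 filter="(uid=usertst)"
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SRCH attr=dn
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

CONN_RE = re.compile(r'\bconn=(?P<conn>\d+)')
OP_RE = re.compile(r'\bop=(?P<op>\d+)')
ACCEPT_RE = re.compile(r'ACCEPT from IP=(?P<ip>[^:\s]+):\d+')
BIND_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)"')
BIND_RESULT_RE = re.compile(r'\bRESULT tag=97 err=(?P<err>\d+)')       # tag=97: BindResponse
SRCH_RE = re.compile(r'SRCH base="(?P<base>[^"]*)" scope=\d+ deref=\d+ filter="(?P<filter>[^"]*)"')
SRCH_RESULT_RE = re.compile(r'SEARCH RESULT tag=101 err=(?P<err>\d+) nentries=(?P<n>\d+)')
FILTER_ATTR_RE = re.compile(r'^\(?\s*([A-Za-z][\w;-]*)\s*=')

LOOPBACK = {'127.0.0.1', '::1'}


def filter_attribute(ldap_filter):
    """Attribute name of a simple equality filter: '(uid=usertst)' -> 'uid'."""
    m = FILTER_ATTR_RE.match(ldap_filter)
    return m.group(1) if m else None


def analyze(log_text, expected_attrs=('sAMAccountName', 'userPrincipalName')):
    """Return a list of human-readable findings for the given slapd log text.

    expected_attrs (assumption): filter attributes the poster reported as
    working against AD; a search keyed on any other attribute is called out.
    """
    expected = {a.lower() for a in expected_attrs}
    conns = defaultdict(lambda: {'ip': None, 'bind_dn': None, 'ops': {}})
    findings = []
    for line in log_text.splitlines():
        cm = CONN_RE.search(line)
        if not cm:
            continue
        cid = cm.group('conn')
        conn = conns[cid]
        om = OP_RE.search(line)
        op = om.group('op') if om else None

        if (m := ACCEPT_RE.search(line)):
            conn['ip'] = m.group('ip')
            if conn['ip'] in LOOPBACK:
                findings.append(f"conn={cid}: client is the loopback address {conn['ip']}; "
                                "the authenticator is querying this same slapd (possible loop)")
        elif (m := BIND_RE.search(line)):
            conn['bind_dn'] = m.group('dn')                 # identity the later search runs as
        elif (m := BIND_RESULT_RE.search(line)) and op is not None:
            if m.group('err') != '0':
                findings.append(f"conn={cid} op={op}: bind as {conn['bind_dn']!r} "
                                f"failed with err={m.group('err')}")
        elif (m := SRCH_RE.search(line)) and op is not None:
            conn['ops'][op] = m.groupdict()                 # remember base/filter for the result
        elif (m := SRCH_RESULT_RE.search(line)) and op in conn['ops']:
            srch = conn['ops'][op]
            if m.group('err') != '0':
                findings.append(f"conn={cid} op={op}: search {srch['filter']} "
                                f"failed with err={m.group('err')}")
            elif m.group('n') == '0':
                msg = (f"conn={cid} op={op}: search {srch['filter']} under {srch['base']} "
                       f"as {conn['bind_dn']!r} returned nentries=0: either the entry does "
                       "not exist or the bind identity cannot read it (ACL)")
                attr = filter_attribute(srch['filter'])
                if attr and attr.lower() not in expected:
                    msg += f"; filter attribute '{attr}' is not one of {list(expected_attrs)}"
                findings.append(msg)
    return findings


if __name__ == '__main__':
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the thread's excerpt, the script produces two findings: the loopback client on conn=1139, and the op=1 search for (uid=usertst) that the bound DN cn=vmail,cn=users,dc=foobar,dc=br saw return zero entries, with a note that the filter attribute differs from the ones that worked against AD. To use it on a live server, set `loglevel stats` in slapd and feed the resulting syslog lines to `analyze()`.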