
Re: Openldap for proxy AD



This is all that's contained in my saslauthd.conf:

ldap_servers: ldaps://server2 ldaps://server1
ldap_search_base: OU=<usersOU>,DC=foo,DC=bar
ldap_filter: sAMAccountName=%u
ldap_bind_dn: cn=saslauthd,cn=users,dc=foo,dc=bar
ldap_password: <password>


The obvious thing that jumps out at me is that you're pointing to ldap_servers: localhost, instead of your AD servers.


On Wed, Nov 20, 2013 at 7:37 AM, Jason Brandt <jbrandt@fsmail.bradley.edu> wrote:
I can get you my SASL config from my test environment when I get to the office.  One thing to keep in mind is that you MUST do an authenticated bind to AD; you cannot do an anonymous bind, so you have to have a service account set up to allow SASL to authenticate to AD.  It can be the most basic user account; it just has to be able to log into AD.


On Wed, Nov 20, 2013 at 6:26 AM, Clément OUDOT <clem.oudot@gmail.com> wrote:
2013/11/20  <wrm@cdtn.br>:
> Thank you.
>
> Yes, the credentials are stored in AD.
>
> I saw this documentation,
> http://ltb-project.org/wiki/documentation/general/sasl_delegation
>
> Helped me very much, but I think there is something wrong in my saslauthd.conf,
> because when I put the AD server and ldap_filter: (sAMAccountName=%u) it is
> OK ("Success SASL"), but when I put my localhost like this:
>
> ldap_servers: ldaps://127.0.0.1        #or ldap://localhost
> #ldap_servers: ldaps://1.1.2.1
> ldap_version: 3
> ldap_auth_method: bind
> ldap_search_base: cn=users,dc=foobar,dc=br
> #ldap_filter: (sAMAccountname=%u)
> #ldap_filter: (userPrincipalName=%u)
> ldap_filter: uid=%u
> ldap_bind_dn: cn=vmail,cn=users,dc=foobar,dc=br     #or cn=admin,dc=foobar
> ldap_password: abc@123
> ldap_deref: never
> ldap_restart: yes
> ldap_scope: sub
> ldap_use_sasl: no
> ldap_start_tls: no
> ldap_timeout: 10
>
>
> testsaslauthd -u usertst -p password
>
> NO "authentication failed"
>
> See the log:
>
> Nov 20 09:13:23 mail slapd[12776]: conn=1139 fd=18 ACCEPT from
> IP=127.0.0.1:50194 (IP=0.0.0.0:636)
> Nov 20 09:13:23 mail slapd[12776]: conn=1139 fd=18 TLS established
> tls_ssf=256 ssf=256
> Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 BIND
> dn="cn=vmail,cn=users,dc=foobar,dc=br" method=128
> Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 BIND
> dn="cn=vmail,cn=users,dc=foobar,dc=br" mech=SIMPLE ssf=0
> Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 RESULT tag=97 err=0 text=
> Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SRCH
> base="cn=users,dc=foobar,dc=br" scope=2 deref=0 filter="(uid=usertst)"
> Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SRCH attr=dn
> Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SEARCH RESULT tag=101
> err=0 nentries=0 text=
>
> What can I do to fix this?
>

The log says that the entry is not found (nentries=0), either because
it does not exist or because you can't read it (ACL).

But why are you using localhost behind your SASL pass-through? It seems
like you are doing a loop on your LDAP server.


Clément.



--
Jason K. Brandt
Systems Administrator
Bradley University
(309) 677-2958


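Added example, not code from this thread or from cyrus-sasl. With ldap_auth_method: bind, saslauthd binds as ldap_bind_dn, searches under ldap_search_base with ldap_filter (%u replaced by the login name), and then binds as the DN it found with the user's password; a search that returns nothing ends in "authentication failed" before any user bind happens, which is exactly what the slapd log above shows. The script below replays that reasoning offline against constructed copies of the poster's saslauthd.conf (password redacted) and slapd log: it parses the config, builds the filter with RFC 4515 escaping of the login name, flags the three settings the thread discusses (localhost in ldap_servers, a uid= filter against an AD-style cn=users base, a plain ldap:// server with ldap_start_tls off), and pairs each slapd op with its RESULT to locate the op=1 search that returned nentries=0. The config parser and the lint heuristics are mine; treating a trailing '#' as a comment follows how the poster wrote the file and is an assumption, not a documented saslauthd rule.

```python
"""Offline replay of the saslauthd LDAP lookup and of the slapd log from this
thread.  Added example, not code from the thread or from cyrus-sasl.  The
sample config and log below are constructed copies (password redacted)."""
import re

SASLAUTHD_CONF = """\
ldap_servers: ldaps://127.0.0.1        #or ldap://localhost
#ldap_servers: ldaps://1.1.2.1
ldap_search_base: cn=users,dc=foobar,dc=br
ldap_filter: uid=%u
ldap_bind_dn: cn=vmail,cn=users,dc=foobar,dc=br     #or cn=admin,dc=foobar
ldap_password: REDACTED
ldap_start_tls: no
"""

SLAPD_LOG = """\
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 BIND dn="cn=vmail,cn=users,dc=foobar,dc=br" mech=SIMPLE ssf=0
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 RESULT tag=97 err=0 text=
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SRCH base="cn=users,dc=foobar,dc=br" scope=2 deref=0 filter="(uid=usertst)"
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""


def parse_conf(text):
    """'key: value' lines; a '#' anywhere starts a comment, as the poster's file
    assumes (an assumption here, not a documented saslauthd rule)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf


def escape_filter_value(value):
    """RFC 4515 escaping, so a login name like 'x)(cn=*' cannot rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_filter(template, username):
    """Expand %u in ldap_filter with the escaped name; parenthesise if needed."""
    filt = template.replace("%u", escape_filter_value(username))
    return filt if filt.startswith("(") else "(" + filt + ")"


def lint_conf(conf):
    """Heuristics for the three settings discussed in the thread."""
    findings = []
    servers = conf.get("ldap_servers", "").split()
    base = conf.get("ldap_search_base", "").lower()
    if any(re.search(r"://(127\.0\.0\.1|localhost)(:|/|$)", s) for s in servers):
        findings.append("ldap_servers is localhost: the lookup goes to the local slapd, "
                        "not AD (a loop if slapd itself proxies to AD)")
    if any(s.startswith("ldap://") for s in servers) and conf.get("ldap_start_tls") != "yes":
        findings.append("ldap:// without ldap_start_tls: bind and user passwords cross the wire in clear")
    if conf.get("ldap_filter", "").lstrip("(").startswith("uid=") and "cn=users" in base:
        findings.append("ldap_filter keys on uid under an AD-style cn=users base; AD accounts "
                        "carry sAMAccountName/userPrincipalName, so nothing matches")
    return findings


LOG_RE = re.compile(r"conn=(?P<conn>\d+) (?:fd=\d+ )?op=(?P<op>\d+) (?P<rest>.*)$")


def diagnose_log(text):
    """Pair each slapd op with its RESULT and explain a lookup that ends in
    'authentication failed' before any user bind is attempted."""
    ops = {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        op = ops.setdefault((m["conn"], int(m["op"])), {})
        rest = m["rest"]
        if rest.startswith("BIND dn="):
            op["kind"] = "BIND"
            op["dn"] = re.search(r'dn="([^"]*)"', rest).group(1)
        elif rest.startswith("SRCH base="):
            op["kind"] = "SRCH"
            op["base"] = re.search(r'base="([^"]*)"', rest).group(1)
            op["filter"] = re.search(r'filter="([^"]*)"', rest).group(1)
        elif "RESULT" in rest:
            op["err"] = int(re.search(r"err=(\d+)", rest).group(1))
            n = re.search(r"nentries=(\d+)", rest)
            op["nentries"] = int(n.group(1)) if n else None
    findings = []
    for (cid, oid), op in sorted(ops.items()):
        if op.get("kind") == "BIND" and op.get("err"):
            findings.append(f"conn={cid} op={oid}: bind as {op['dn']} failed err={op['err']}")
        if op.get("kind") == "SRCH" and op.get("err") == 0 and op.get("nentries") == 0:
            findings.append(f"conn={cid} op={oid}: search {op['filter']} under {op['base']} returned "
                            "no entry (not there, or unreadable for the bind DN through the ACL); "
                            "saslauthd never tries the user's bind")
    return findings


if __name__ == "__main__":
    conf = parse_conf(SASLAUTHD_CONF)
    print("filter sent for usertst:", build_filter(conf["ldap_filter"], "usertst"))
    for finding in lint_conf(conf) + diagnose_log(SLAPD_LOG):
        print("-", finding)
```

Run against the poster's config it reports the localhost server and the uid filter, and against the log it reports the op=1 search with nentries=0; run against the config Jason posted (ldaps:// AD servers, sAMAccountName=%u) it reports nothing. The escaping step is the part to keep even once the lookup works: the %u value is attacker-controlled input to a search filter.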