
Re: Openldap for proxy AD



2013/11/20 Willy Ramos <wrm@cdtn.br>:
> Em 20/11/2013 10:26, Clément OUDOT escreveu:
>
>> 2013/11/20  <wrm@cdtn.br>:
>>>
>>> Thank you.
>>>
>>> Yes, the credentials are stored in AD.
>>>
>>> I saw this documentation,
>>> http://ltb-project.org/wiki/documentation/general/sasl_delegation
>>>
>>> Helped me very much, but I think there is something wrong in my
>>> saslauth.conf, because when I put the AD server and ldap_filter = (sAMAccountName=%u)
>>> it is OK (SASL success), but when I put my localhost like this:
>>>
>>> ldap_servers: ldaps://127.0.0.1        #or ldap://localhost
>>> #ldap_servers: ldaps://1.1.2.1
>>> ldap_version: 3
>>> ldap_auth_method: bind
>>> ldap_search_base: cn=users,dc=foobar,dc=br
>>> #ldap_filter: (sAMAccountname=%u)
>>> #ldap_filter: (userPrincipalName=%u)
>>> ldap_filter: uid=%u
>>> ldap_bind_dn: cn=vmail,cn=users,dc=foobar,dc=br     #or cn=admin,dc=foobar
>>> ldap_password: abc@123
>>> ldap_deref: never
>>> ldap_restart: yes
>>> ldap_scope: sub
>>> ldap_use_sasl: no
>>> ldap_start_tls: no
>>> ldap_timeout: 10
>>>
>>>
>>> testsaslauthd -u usertst -p password
>>>
>>> NO "authentication failed"
>>>
>>> See the log:
>>>
>>> Nov 20 09:13:23 mail slapd[12776]: conn=1139 fd=18 ACCEPT from IP=127.0.0.1:50194 (IP=0.0.0.0:636)
>>> Nov 20 09:13:23 mail slapd[12776]: conn=1139 fd=18 TLS established tls_ssf=256 ssf=256
>>> Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 BIND dn="cn=vmail,cn=users,dc=foobar,dc=br" method=128
>>> Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 BIND dn="cn=vmail,cn=users,dc=foobar,dc=br" mech=SIMPLE ssf=0
>>> Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 RESULT tag=97 err=0 text=
>>> Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SRCH base="cn=users,dc=foobar,dc=br" scope=2 deref=0 filter="(uid=usertst)"
>>> Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SRCH attr=dn
>>> Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
>>>
>>> What can I do to fix this?
>>>
>> The log says that the entry is not found (nentries=0), either because
>> it does not exist or because you can't read it (ACL).
>>
>> But why are you using localhost behind your SASL pass-through? Seems
>> like you are doing a loop on your LDAP server.
>>
>>
>> Clément.
>>
>
> That is a problem, because it doesn't find the base, but when I'm using
> ldapsearch my search is accepted, very strange.
>
> Like this example:
> ldapsearch -x -H ldaps://localhost -b dc=foobar,dc=com -D cn=usertst,cn=users,dc=foobar,dc=com -w password
>
> I see all objects in the database when I do this command.
>
> If you have another idea please tell me; I was just looking at that link on
> ltb-project.org, which tells me to use SASL on localhost.
>

Seems you don't really understand how it works. OpenLDAP talks to
saslauthd on localhost, then saslauthd talks to AD. So don't configure
localhost in saslauthd, just set your AD settings in saslauthd.conf.

Clément.
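As an added illustration of the chain Clément describes (this is example configuration written for this page, not configuration from the thread or from the LTB project), the three pieces below show where each setting lives: slapd on localhost hands the password check for a {SASL} userPassword to saslauthd over its Unix socket, and saslauthd binds to AD. Only that last hop belongs in saslauthd.conf, so the AD domain controller, not 127.0.0.1, is the ldap_servers value. The search base, bind DN and sAMAccountName filter are taken from the thread; the AD host name ad.foobar.br, the saslauthd socket path, the local entry DN and the realm FOOBAR.BR are assumptions to replace with your own values.

```conf
# /etc/saslauthd.conf -- read by: saslauthd -a ldap -O /etc/saslauthd.conf
# ldap_servers must be the AD domain controller, never the local slapd,
# otherwise slapd -> saslauthd -> slapd loops back and the search finds nothing.
ldap_servers: ldaps://ad.foobar.br             # assumed AD host; ldaps:// so the user's password is not sent in clear
ldap_version: 3
ldap_auth_method: bind                          # find the DN with the service account, then bind as the user
ldap_search_base: cn=users,dc=foobar,dc=br
ldap_scope: sub
ldap_filter: (sAMAccountName=%u)                # %u is the user name; %r would be the realm part
ldap_bind_dn: cn=vmail,cn=users,dc=foobar,dc=br # service account, only needs read on the users container
ldap_password: CHANGE-ME                        # placeholder; file should be owner root, mode 0600
ldap_timeout: 10
ldap_restart: yes
ldap_deref: never
ldap_use_sasl: no
ldap_start_tls: no                              # not needed on an ldaps:// URL

# /usr/lib/sasl2/slapd.conf (on some distributions /etc/sasl2/slapd.conf):
# the Cyrus SASL library linked into slapd uses this to reach saslauthd.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux          # assumed socket path; must match saslauthd -m

# Local OpenLDAP entry (LDIF, DN assumed): the {SASL} value tells slapd to delegate
# the simple-bind password check instead of comparing a stored hash.
dn: uid=usertst,ou=people,dc=foobar,dc=br
userPassword: {SASL}usertst@FOOBAR.BR
```

To check each hop separately, first run the thread's own command, `testsaslauthd -u usertst -p password`, which exercises only saslauthd to AD; once that says OK, bind against the local server with `ldapwhoami -x -H ldap://localhost -D uid=usertst,ou=people,dc=foobar,dc=br -W`. With this layout the slapd log shows a BIND by the user's own local DN, and the service-account BIND plus the nentries=0 SRCH from the thread no longer appear on localhost, because that lookup now happens on the AD side.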