
Re: Openldap for proxy AD



Well, if you're going to use SASL, then you need to configure your saslauth.conf like my example, making sure your ldap servers point to your Active Directory servers.  Otherwise if you're going to use some method besides SASL, then I won't be much help.


On Wed, Nov 20, 2013 at 10:55 AM, Willy Ramos <wrm@cdtn.br> wrote:
On 20/11/2013 10:26, Clément OUDOT wrote:
2013/11/20  <wrm@cdtn.br>:

Thank you.

Yes, the credentials are stored in AD.

I saw this documentation,
http://ltb-project.org/wiki/documentation/general/sasl_delegation

It helped me very much, but I think there is something wrong in my saslauth.conf,
because when I put the AD server and ldap_filter = (sAMAccountName=%u) it is
OK, SASL success, but when I put my localhost like this:

ldap_servers: ldaps://127.0.0.1        #or ldap://localhost
#ldap_servers: ldaps://1.1.2.1
ldap_version: 3
ldap_auth_method: bind
ldap_search_base: cn=users,dc=foobar,dc=br
#ldap_filter: (sAMAccountname=%u)
#ldap_filter: (userPrincipalName=%u)
ldap_filter: uid=%u
ldap_bind_dn: cn=vmail,cn=users,dc=foobar,dc=br     #or cn=admin,dc=foobar
ldap_password: abc@123
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_timeout: 10


testsaslauthd -u usertst -p password

NO "authentication failed"

See the log:

Nov 20 09:13:23 mail slapd[12776]: conn=1139 fd=18 ACCEPT from IP=127.0.0.1:50194 (IP=0.0.0.0:636)
Nov 20 09:13:23 mail slapd[12776]: conn=1139 fd=18 TLS established tls_ssf=256 ssf=256
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 BIND dn="cn=vmail,cn=users,dc=foobar,dc=br" method=128
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 BIND dn="cn=vmail,cn=users,dc=foobar,dc=br" mech=SIMPLE ssf=0
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 RESULT tag=97 err=0 text=
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SRCH base="cn=users,dc=foobar,dc=br" scope=2 deref=0 filter="(uid=usertst)"
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SRCH attr=dn
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=

What can I do to fix this?

The log says that the entry is not found (nentries=0), either because
it does not exist or because you can't read it (ACL).

But why are you using localhost behind your SASL pass-through? It seems
like you are doing a loop on your LDAP server.


Clément.


That is a problem, because it doesn't find the base, but when I'm using ldapsearch my search is accepted, very strange.

Like this example:
ldapsearch -x -H ldaps://localhost -b dc=foobar,dc=com -D cn=usertst,cn=users,dc=foobar,dc=com -w password

I see all objects in the database when I do this command.

If you have another idea please tell me, I was just looking at that link on ltb-project.org, which tells me to use SASL on localhost.

--
Att.


Willy R. M
CDTN/System Software
31-3069-3303





--
Jason K. Brandt
Systems Administrator
Bradley University
(309) 677-2958
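The correlation Clément does by eye on the slapd log above, as an added example that is not part of this thread: a Python script that groups slapd stats-log lines by conn/op and flags user lookups that completed but returned nentries=0, together with the DN that connection was bound as (so the ACL hypothesis can be checked against the right account). The sample log is the one quoted in the thread with the wrapped lines re-joined; the function names are the example's own.

```python
"""Correlate OpenLDAP slapd stats-log lines and flag empty user lookups."""
import re
from collections import defaultdict

# Constructed sample: the slapd log quoted in the thread, lines re-joined.
SAMPLE_LOG = """\
Nov 20 09:13:23 mail slapd[12776]: conn=1139 fd=18 ACCEPT from IP=127.0.0.1:50194 (IP=0.0.0.0:636)
Nov 20 09:13:23 mail slapd[12776]: conn=1139 fd=18 TLS established tls_ssf=256 ssf=256
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 BIND dn="cn=vmail,cn=users,dc=foobar,dc=br" method=128
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 BIND dn="cn=vmail,cn=users,dc=foobar,dc=br" mech=SIMPLE ssf=0
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 RESULT tag=97 err=0 text=
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SRCH base="cn=users,dc=foobar,dc=br" scope=2 deref=0 filter="(uid=usertst)"
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SRCH attr=dn
Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

OP_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')   # key=value or key="quoted value"

def parse_ops(log_text):
    """Return {(conn, op): fields}, merging every line of the same operation."""
    ops = defaultdict(dict)
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue                      # ACCEPT / TLS lines carry no op=
        key = (int(m['conn']), int(m['op']))
        rest = m['rest']
        ops[key].setdefault('kind', rest.split()[0])   # BIND, SRCH, ...
        for k, v in KV_RE.findall(rest):
            ops[key][k] = v.strip('"')
    return dict(ops)

def empty_lookups(log_text):
    """Searches that succeeded (err=0) yet matched nothing, with the bind DN.

    This is the pattern in the thread: the service account binds fine, the
    user search returns nentries=0, and saslauthd reports 'authentication
    failed' because it never found a DN to bind the user's password against."""
    ops = parse_ops(log_text)
    binders = {c: o['dn'] for (c, _), o in ops.items() if o['kind'] == 'BIND'}
    return [{'conn': c, 'op': op, 'bound_as': binders.get(c, '<anonymous>'),
             'base': o.get('base'), 'filter': o.get('filter'), 'err': o.get('err')}
            for (c, op), o in sorted(ops.items())
            if o['kind'] == 'SRCH' and o.get('nentries') == '0']

if __name__ == '__main__':
    for f in empty_lookups(SAMPLE_LOG):
        print(f"conn={f['conn']} op={f['op']}: bound as {f['bound_as']}, "
              f"base={f['base']} filter={f['filter']} -> no entries (err={f['err']})")
```

Feeding it the slapd log from a saslauthd test run alongside the same search issued with ldapsearch makes the difference in base, filter or bind DN between the two visible at a glance.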