I'm trying to use SASL and LDAP to authenticate users on Red Hat Linux. So far I've set up the saslauthd service and it's up and running. My /etc/saslauthd.conf looks as follows:
ldap_servers: ldaps://test.ldap.server:1234
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
ldap_auth_method: fastbind
ldap_search_base: Ou=PeopleAuthSrch,DC=abc,DC=com
My /etc/sasl2/smtpd.conf looks like the following:
pwcheck_method: saslauthd
mech_list: plain login
Now when I try to test the authentication with the following command:
testsaslauthd -u username -p password -f /var/run/saslauthd/mux
I get 0: NO "authentication failed", and when I look at the logs it says:
Retrying authentication
do_auth :auth failure: [user:myuser] [service=imap] [realm=] [mech=ldap] [reason=unknown]
What am I missing here? Thanks in advance!
UPDATE:
I installed OpenLDAP to do a search with the following command:
ldapsearch -x -h ldaps://my.ldap.server:port -d8
For the ldapsearch command to work I modified the /etc/openldap/ldap.conf file as follows:
tls_reqcert allow
TLS_CACERTDIR /home/myuser/cacertss
LDAPTLS_CACERT /home/myuser/cacertss
It returns all the entries, but I still can't authenticate using
testsaslauthd -u username -p password -f /var/run/saslauthd/mux
What do I need to do here to get this authenticated?
After 5 days of struggle I found out that the settings I used were for Active Directory, where I should have been using settings for LDAP, as follows:
ldap_servers: ldaps://test.ldap.server:1234
ldap_search_base: Ou=PeopleAuthSrch,DC=abc,DC=com
ldap_filters: (uid=%u)
ldap_tls_cacert_file: /path/to/my/certificate
I did install cyrus-sasl-md5 as Bertold Kolics mentioned; I'm not sure if that played a part in authenticating the user.
I went through the exercise of setting up SASL with OpenLDAP and TLS on Red Hat Linux 7.2 and I managed to get something similar working fine.
As I mentioned in my previous post, make sure that you have the cyrus-sasl-md5 package installed.
I would first try to get everything working without SSL. Only after you have your setup working without SSL move to the SSL part.
Make sure that:
- saslauthd accepts the CA certificate of the certificate used by the LDAP server. In particular, the ldap_tls_cacert_file option in /etc/saslauthd.conf is your friend.
- saslauthd can access the certificate files. If you are unsure, tail the /var/log/audit/audit.log file and look for entries with the "denied" keyword. I have found the audit2allow tool a great way to enable access that was previously denied. You can also just disable SELinux temporarily using the setenforce Permissive command.
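The following check script covers the two failure modes the answers above describe (Active Directory-style saslauthd settings used against a plain LDAP directory, and an ldaps:// server configured without a CA file that saslauthd can read) and counts SELinux denials logged against saslauthd. It is an added example, not code from either answer; the sample configuration is the one from the question, and the AVC line matched by audit_denials assumes the standard audit.log format with comm="saslauthd".

```shell
#!/bin/sh
# Added example (not from the original post): flag the two saslauthd.conf problems
# discussed above and count SELinux denials logged against saslauthd.

# conf_get FILE KEY -> prints the value of "KEY: value", or nothing
conf_get() {
    awk -v k="$2" '$1 == (k ":") { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# lint_saslauthd_conf FILE -> prints one finding per line; returns 1 if any
lint_saslauthd_conf() {
    conf="$1"; rc=0
    servers=$(conf_get "$conf" ldap_servers)
    filters=$(conf_get "$conf" ldap_filters)
    method=$(conf_get "$conf" ldap_auth_method)
    cacert=$(conf_get "$conf" ldap_tls_cacert_file)
    # fastbind with no ldap_filters is the setup that failed in the question;
    # a generic directory needs a filter such as (uid=%u) to locate the user
    if [ "$method" = "fastbind" ] && [ -z "$filters" ]; then
        echo "AD-style: ldap_auth_method fastbind without ldap_filters"; rc=1
    fi
    case "$servers" in
    ldaps://*)
        if [ -z "$cacert" ]; then
            echo "ldaps:// used but ldap_tls_cacert_file is not set"; rc=1
        elif [ ! -r "$cacert" ]; then
            # saslauthd cannot verify the server certificate without this file
            echo "ldap_tls_cacert_file $cacert is not readable"; rc=1
        fi ;;
    esac
    return $rc
}

# audit_denials FILE -> number of AVC denials logged for saslauthd
audit_denials() {
    grep -c 'avc:  denied .*comm="saslauthd"' "$1" || true
}
# Constructed sample: the configuration from the question
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
ldap_servers: ldaps://test.ldap.server:1234
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
ldap_auth_method: fastbind
ldap_search_base: Ou=PeopleAuthSrch,DC=abc,DC=com
EOF
lint_saslauthd_conf "$sample_conf" || echo "fix saslauthd.conf before retrying testsaslauthd"
rm -f "$sample_conf"
```

Run it as root on the saslauthd host, pointing lint_saslauthd_conf at /etc/saslauthd.conf and audit_denials at /var/log/audit/audit.log; a non-zero denial count is the case audit2allow is meant for.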