SASL LDAP authentication failure

Trying to use SASL and LDAP to authenticate a user on RedHat Linux. So far I've set up the saslauthd service and it's up and running. My /etc/saslauthd.conf looks as follows:

ldap_servers: ldaps://test.ldap.server:1234
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
ldap_auth_method: fastbind
ldap_search_base: Ou=PeopleAuthSrch,DC=abc,DC=com

My /etc/sasl2/smtpd.conf looks like the following:

pwcheck_method: saslauthd
mech_list: plain login

Now when I try to test the authentication with the following command:

testsaslauthd -u username -p password -f /var/run/saslauthd/mux

I get 0: NO "authentication failed"

and when I look at the logs it says:

Retrying authentication
do_auth   :auth failure: [user:myuser]  [service=imap] [realm=] [mech=ldap] [reason=unknown]

What am I missing here? Thanks in advance!

UPDATE:

I installed OpenLDAP to do a search with the following command:

ldapsearch -x -h ldaps://my.ldap.server:port -d8

For the ldapsearch command to work I modified the /etc/openldap/ldap.conf file as follows:

tls_reqcert allow
TLS_CACERTDIR /home/myuser/cacertss
LDAPTLS_CACERT /home/myuser/cacertss

It returns all the entries, but I still can't authenticate using

testsaslauthd -u username -p password -f /var/run/saslauthd/mux

What do I need to do here to get this authenticated?

Gurkha asked Apr 26 '16 19:04


2 Answers

After 5 days of struggle I found out that the settings I used were for Active Directory, whereas I should be using the settings for LDAP as follows:

ldap_servers: ldaps://test.ldap.server:1234
ldap_search_base: Ou=PeopleAuthSrch,DC=abc,DC=com
ldap_filters: (uid=%u)
ldap_tls_cacert_file: /path/to/my/certificate

I did install cyrus-sasl-md5 as Bertold Kolics mentioned; I'm not sure if that played a part in authenticating the user.

Gurkha answered Oct 05 '22 11:10
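A small checker, added here as an illustration and not part of the thread or of saslauthd itself, that parses a saslauthd.conf and flags the three things this thread turned on: ldaps:// without ldap_tls_cacert_file, the AD-style fastbind/ldap_use_sasl/ldap_mech combination, and DIGEST-MD5 needing cyrus-sasl-md5. It assumes the documented option name ldap_filter (the answer above writes ldap_filters) and embeds constructed copies of the failing and working configs from this page.

```python
"""Lint a saslauthd.conf for the LDAP-backend pitfalls discussed on this page."""

# Constructed copies of the two configs in this thread: the first one failed,
# the second (AD-style options dropped, CA file added) authenticated.
FAILING_CONF = """\
ldap_servers: ldaps://test.ldap.server:1234
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
ldap_auth_method: fastbind
ldap_search_base: Ou=PeopleAuthSrch,DC=abc,DC=com
"""
WORKING_CONF = """\
ldap_servers: ldaps://test.ldap.server:1234
ldap_search_base: Ou=PeopleAuthSrch,DC=abc,DC=com
ldap_filter: (uid=%u)
ldap_tls_cacert_file: /path/to/my/certificate
"""


def parse_saslauthd_conf(text):
    """saslauthd.conf holds one 'key: value' per line; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip().lower()] = value.strip()
    return conf


def check_saslauthd_conf(text):
    """Return a list of (code, message) findings; empty means nothing flagged."""
    conf = parse_saslauthd_conf(text)
    findings = []
    servers = conf.get("ldap_servers", "").split()
    # With ldaps:// saslauthd must be told which CA signed the server certificate.
    if any(s.lower().startswith("ldaps://") for s in servers) \
            and "ldap_tls_cacert_file" not in conf:
        findings.append(("no-cacert", "ldaps:// without ldap_tls_cacert_file: "
                         "the server certificate cannot be verified"))
    # fastbind together with ldap_use_sasl/ldap_mech was the Active Directory
    # style setup that failed here; the working OpenLDAP setup used ldap_filter.
    if conf.get("ldap_auth_method", "").lower() == "fastbind" and (
            conf.get("ldap_use_sasl", "no").lower() == "yes" or "ldap_mech" in conf):
        findings.append(("ad-style-bind", "fastbind with ldap_use_sasl/ldap_mech "
                         "is an AD-style setup; drop them and set ldap_filter"))
    if conf.get("ldap_mech", "").upper() == "DIGEST-MD5":
        findings.append(("needs-md5-plugin", "DIGEST-MD5 needs cyrus-sasl-md5"))
    if "ldap_filters" in conf:  # the documented option name is ldap_filter
        findings.append(("bad-key", "ldap_filters is not an option; use ldap_filter"))
    return findings
```

Run `check_saslauthd_conf(open("/etc/saslauthd.conf").read())` on a host to get the findings for its live configuration.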


I went through the exercise of setting up SASL with OpenLDAP and TLS on RedHat Linux 7.2 and I managed to get something similar working fine.

As I mentioned in my previous post, make sure that you have the cyrus-sasl-md5 package installed.

I would first try to get everything working without SSL. Only after you have your setup working without SSL move to the SSL part.

  • You need to make sure that saslauthd accepts the CA certificate of the certificate used by the LDAP server. In particular, the ldap_tls_cacert_file option in /etc/saslauthd.conf is your friend.
  • If you have SELinux enabled, make sure that saslauthd can access the certificate files. If you are unsure, tail the /var/log/audit/audit.log file and look for entries with the "denied" keyword. I have found the audit2allow tool a great way to enable access that was previously denied. You can also just disable SELinux temporarily using the setenforce Permissive command.
Bertold Kolics answered Oct 05 '22 13:10