Y'ello,
First of all, make sure to read the LDAP Admin Guide at www.openldap.org! Then, make sure to double check with Turbo's KRB + SASL + OpenLDAP Howto at www.bayour.com. (Forget about the KRB stuff there, he's got some very good hints at testing the security install etc.) As a general rule, you don't want LDAP to be your password database, instead you want LDAP to use SASL to connect to something more useful like Kerberos or RADIUS or a combination or something else. This is simply because LDAP is not meant to be a password database, but rather an information store (as in: the telephone book in your country doesn't list the PIN code for the people's bank cards...). If all else fails, you can always post the exact error you are getting, increase debug levels all over the place, and make sure to cut and paste the relevant log entries to the mailing list. A query akin your own query will not necessarily give any useful hints to other people as to why things would fail in your particular situation. Regards, Guus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of NguyenHuynh Sent: 11 December 2007 04:24 To: cyrus-sasl@lists.andrew.cmu.edu Subject: SASL over LDAP don't work SASL over LDAP I'm trying to using SASL over LDAP for authentication but I don't still work yet Details: OS: FreeBSD Packages: cyrus-sasl-2.1.22 RFC 2222 SASL (Simple Authentication and Security Layer) cyrus-sasl-ldapdb-2.1.22 SASL LDAPDB auxprop plugin cyrus-sasl-saslauthd-2.1.22 SASL authentication server for cyrus-sasl2 postfix-current-2.5.20071006,4 A secure alternative to widely-used Sendmail Configure SASL in main.cf for postfix: ........ smtpd_sasl_auth_enable = yes smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination, permit_mynetworks, reject smtpd_sasl_authenticated_header = yes ........ Configure SASL for authentication: #vi /usr/local/lib/sasl2/smtpd.conf pwcheck_method: saslauthd auxprop_plugin: ldap mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 Configure LDAP server's details for SASL-ldapdb: #vi /usr/local/etc/saslauthd.conf ldap_servers: ldap://192.168.1.70 ldap_search_base: dc=yescall,dc=com,dc=vn ldap_bind_dn: cn=admin,dc=yescall,dc=com,dc=vn ldap_password: 123 ldap_filter: (&(objectClass=qmailUser)(mail=%u)(accountStatus=active)) the details of one node in my LDAP dn: cn=huynhnguyen,dc=yescall.com.vn,o=hosting,dc=yescall,dc=com,dc=vn accountStatus: active cn: huynhnguyen homeDirectory: /vmail/hosting/yescall.com.vn/huynhnguyen mailMessageStore: /vmail/hosting/yescall.com.vn/huynhnguyen/Maildir/ objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: qmailUser objectClass: CourierMailAccount sn: Nguyen Dac Huynh2 structuralObjectClass: inetOrgPerson entryUUID: f069f88e-1c17-102c-93d5-25c7f79a19b1 creatorsName: cn=admin,dc=yescall,dc=com,dc=vn createTimestamp: 20071031161319Z mailHost: mail.mikorn.com userPassword:: aWtvcm40MTI4NA== mail: [EMAIL PROTECTED] entryCSN: 20071205114520.832948Z#000000#000#000000 modifiersName: cn=admin,dc=yescall,dc=com,dc=vn modifyTimestamp: 20071205114520Z Start saslauthd: #saslauthd -a ldap /usr/local/etc/saslauthd.conf I always have authentication fails when using testsaslauth My problems: - Must I have a schema in LDAP for SASL only? - Does it neccessary to change my node in LDAP to another structure which is suitable with SASL - How can I use ldap_filter better in this case? Could anybody help me to solve this problem? I'm a newbie in OpenSource. I'm not good in English. Sorry if any problem Thank you for your careness Thanks & Best Regards, Nguyen Dac Huynh System Engineer Mirae Ikorn Co., Ltd
