Hello, I want to achieve the following configuration:
LDAPClient -- (ldap) --> OpenLDAP -- (pass-through authentication) --> Cyrus SASLAUTHD -- (ldaps) --> Active Directory

The configuration works fine when I use LDAP between Cyrus SASLAUTHD and Active Directory. As soon as I turn on LDAPS in the saslauthd.conf, I receive an auth failure (invalid credentials):

saslauthd[12276] :rel_accept_lock : released accept lock
saslauthd[12277] :get_accept_lock : acquired accept lock
saslauthd[12276] :do_auth : auth failure: [user=myu...@luinternal.subsidiary.bank] [service=ldap] [realm=internal.subsidiary.bank] [mech=ldap] [reason=Unknown]
saslauthd[12276] :do_request : response: NO

I can successfully bind in LDAPS with a standard LDAP client (like LDAP Browser/Editor 2.8.2 from Jarek Gawor).

Note that I only want to bind over an encrypted channel. No need to do client authentication against the AD LDAP.

Here is my saslauthd.conf:

ldap_servers: ldaps://internal.subsidiary.bank/
ldap_search_base: OU=Standard,OU=User_Accounts,DC=internal,DC=subsidiary,DC=bank
ldap_filter: (userPrincipalName=%u)
ldap_bind_dn: CN=myuser,OU=Standard,OU=User_Accounts,DC=internal,DC=subsidiary,DC=bank
ldap_password: secret
ldap_tls_cacert_file: /tmp/cert.pem

I have verified the Root CA in /tmp/cert.pem and I can successfully view it. The AD LDAP server certificate is well signed by this Root CA.

Where am I wrong in the configuration? How can I enable more tracing on the saslauthd daemon?

All components are running on Solaris 10.

/usr/local/sbin/saslauthd -v
saslauthd 2.1.21
authentication mechanisms: getpwent pam rimap shadow ldap

Claude.
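As an added example (not code from the post or from Cyrus SASL), here is a pre-flight check for a saslauthd.conf like the one above, to run before starting the daemon. It parses the file and flags the points that decide whether an LDAPS bind is actually authenticated: ldap_tls_check_peer left at its default, a trust anchor kept in /tmp, a bind password in cleartext. The option names ldap_start_tls, ldap_tls_check_peer and ldap_tls_cacert_dir are documented saslauthd ldap-mechanism options; the /tmp and file-permission rules are this script's own assumptions, and the sample configuration is a constructed copy of the one in the post.

```python
"""Pre-flight checks for a saslauthd.conf that binds to AD over LDAPS."""
import os
from urllib.parse import urlsplit

# Constructed sample: the poster's configuration, password replaced.
SAMPLE_CONF = """\
ldap_servers: ldaps://internal.subsidiary.bank/
ldap_search_base: OU=Standard,OU=User_Accounts,DC=internal,DC=subsidiary,DC=bank
ldap_filter: (userPrincipalName=%u)
ldap_bind_dn: CN=myuser,OU=Standard,OU=User_Accounts,DC=internal,DC=subsidiary,DC=bank
ldap_password: REDACTED
ldap_tls_cacert_file: /tmp/cert.pem
"""


def parse_saslauthd_conf(text):
    """Parse 'key: value' lines; blank lines and '#' comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def check_ldaps_config(conf, path_exists=os.path.exists):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    tls = conf.get("ldap_start_tls", "no").lower() == "yes"
    for url in conf.get("ldap_servers", "").split():
        scheme = urlsplit(url).scheme
        if scheme == "ldaps":
            tls = True
        elif scheme == "ldap" and not tls:
            findings.append(f"{url}: bind DN and password travel in cleartext")
    if tls:
        # Without ldap_tls_check_peer the server certificate is not verified (assumption: default no).
        if conf.get("ldap_tls_check_peer", "no").lower() != "yes":
            findings.append("ldap_tls_check_peer is not yes: server certificate not verified")
        cacert = conf.get("ldap_tls_cacert_file")
        if not cacert and not conf.get("ldap_tls_cacert_dir"):
            findings.append("no trust anchor: set ldap_tls_cacert_file or ldap_tls_cacert_dir")
        elif cacert and not path_exists(cacert):
            findings.append(f"{cacert}: CA file not found")
        elif cacert and cacert.startswith("/tmp/"):
            findings.append(f"{cacert}: trust anchor in a world-writable directory")
    if "ldap_password" in conf:
        findings.append("ldap_password is cleartext: keep the file readable by root only")
    return findings
```

For the tracing question, saslauthd -d keeps the daemon in the foreground and prints each step of the authentication, and testsaslauthd -u USER -p PASS -s ldap -r REALM exercises the mechanism without an LDAP client in between.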