Hi All,

Using the settings as stated by Stéphane Gaubert there was a small step in the right direction.

--------------------------------------------------------------------
First test:

Executing:

    sudo cyradm -u username localhost

Output:

    verify error:num=18:self signed certificate
    IMAP Password:
    Login failed: authentication failure at /usr/lib/x86_64-linux-gnu/perl5/5.30/Cyrus/IMAP/Admin.pm line 134.
    cyradm: cannot authenticate to server as username

Executing:

    sudo journalctl -u cyrus-imapd.service

Output:

    inittls: Loading hard-coded DH parameters
    Mar 14 16:46:52 mail3 cyrus/imap[4807]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
    Mar 14 16:46:58 mail3 cyrus/imap[4807]: badlogin: localhost [127.0.0.1] plaintext username SASL(-13): authentication failure: checkpass failed

Executing:

    sudo journalctl -u saslauthd.service

Output:

    Mar 14 16:46:58 mail3 saslauthd[3033]: ldap_simple_bind() failed -1 (Can't contact LDAP server).
    Mar 14 16:46:58 mail3 saslauthd[3033]: Retrying authentication
    Mar 14 16:46:58 mail3 saslauthd[3033]: ldap_simple_bind() failed -1 (Can't contact LDAP server).
    Mar 14 16:46:58 mail3 saslauthd[3033]: Authentication failed for username: Retry condition (ldap server connection reset or broken) (-3)
    Mar 14 16:46:58 mail3 saslauthd[3033]: : auth failure: [user=username] [service=imap] [realm=] [mech=ldap] [reason=Unknown]

Sniffer output (tcpdump + wireshark): NO TLS packets, NO hello packets.

--------------------------------------------------------------------
Second test:

Executing:

    ~$ ldapwhoami -x -H ldaps://xxxxx.xxx -D "CN=xxxx,CN=Users,DC=xxxxxxx,DC=xxx" -W

Output: was correct.

Sniffer output (tcpdump + wireshark): lots of TLSv1.3-related packets. Windows AD requested change cipher spec, and the cipher spec was changed to TLS_AES_256_GCM_SHA384 (0x1302).

--------------------------------------------------------------------
Third test: I switched OFF the Windows AD.

Executing:

    ~$ ldapwhoami -x -H ldaps://xxxxx.xxx -D "CN=xxxx,CN=Users,DC=xxxxxxx,DC=xxx" -W

Output:

    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

This suggests that ldapwhoami is using saslauthd.

--------------------------------------------------------------------
It is very strange that there were no TLS packets, not even a hello packet, in the first test. Could this be a bug?

Is there a way to force saslauthd to use TLS_AES_256_GCM_SHA384 (0x1302)?

reg

------------------------------------------
Cyrus: Info
Permalink: https://cyrus.topicbox.com/groups/info/T1c604a219c5fa805-M37932e3d02ec14d56474cc6b
Delivery options: https://cyrus.topicbox.com/groups/info/subscription
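An added example, not part of the original post and not Cyrus or saslauthd code: a small Python triage script over the journal lines quoted in the post (embedded below as constructed samples). It tags each line with the leg of the authentication chain that produced it (IMAP client TLS, Cyrus handing the password to saslauthd, saslauthd binding to LDAP) and reports the earliest leg that failed. The rule table and layer names are this example's own; the contrasting sample with LDAP result code 49 ("Invalid credentials") is assumed for illustration and does not appear in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the journalctl lines quoted in the post.
SAMPLE_LOG = """\
Mar 14 16:46:52 mail3 cyrus/imap[4807]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
Mar 14 16:46:58 mail3 cyrus/imap[4807]: badlogin: localhost [127.0.0.1] plaintext username SASL(-13): authentication failure: checkpass failed
Mar 14 16:46:58 mail3 saslauthd[3033]: ldap_simple_bind() failed -1 (Can't contact LDAP server).
Mar 14 16:46:58 mail3 saslauthd[3033]: Retrying authentication
Mar 14 16:46:58 mail3 saslauthd[3033]: ldap_simple_bind() failed -1 (Can't contact LDAP server).
Mar 14 16:46:58 mail3 saslauthd[3033]: Authentication failed for username: Retry condition (ldap server connection reset or broken) (-3)
Mar 14 16:46:58 mail3 saslauthd[3033]: : auth failure: [user=username] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
"""

# Constructed contrasting sample (assumed, not from the post): the LDAP server answered
# the bind and rejected the credentials, so the transport and TLS legs were fine.
CONTRAST_LOG = """\
Mar 14 17:02:01 mail3 cyrus/imap[4810]: badlogin: localhost [127.0.0.1] plaintext username SASL(-13): authentication failure: checkpass failed
Mar 14 17:02:01 mail3 saslauthd[3033]: ldap_simple_bind() failed 49 (Invalid credentials).
Mar 14 17:02:01 mail3 saslauthd[3033]: : auth failure: [user=username] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w/]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


@dataclass
class Event:
    ts: str
    prog: str
    layer: str      # which leg of the auth chain produced the line
    verdict: str    # what the line tells the operator
    msg: str


# (program, message regex, layer, verdict). Layer names are this example's own.
RULES = [
    ("saslauthd", r"ldap_simple_bind\(\) failed -1 \(Can't contact LDAP server\)",
     "ldap-transport",
     "no bind response: connect or TLS setup to the LDAP URI failed before any bind"),
    ("saslauthd", r"ldap_simple_bind\(\) failed 49 \(Invalid credentials\)",
     "ldap-bind",
     "LDAP reachable and TLS done: the directory rejected the bind DN or password"),
    ("saslauthd", r"Authentication failed for \S+:",
     "saslauthd-result", "saslauthd gave up on this request (downstream symptom)"),
    ("saslauthd", r"auth failure: \[user=[^\]]*\]",
     "saslauthd-result", "final failure record; mech/service are in the brackets"),
    ("cyrus/imap", r"starttls: TLSv[\d.]+ with cipher \S+",
     "imap-client-tls",
     "client-to-Cyrus TLS is fine; unrelated to the saslauthd-to-LDAP leg"),
    ("cyrus/imap", r"badlogin: .*SASL\(-13\): authentication failure: checkpass failed",
     "imap-auth",
     "Cyrus only relays saslauthd's answer; look in the saslauthd log for the cause"),
]

# Failure layers ordered from the far end of the chain inward: the earliest present
# layer is the first link that broke, the later ones are consequences of it.
FAILURE_LAYERS = ["ldap-transport", "ldap-bind", "saslauthd-result", "imap-auth"]


def parse_line(line: str) -> Optional[Event]:
    """Parse one syslog-style line; unknown messages become 'unclassified' events."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    prog, msg = m.group("prog"), m.group("msg")
    for rule_prog, pattern, layer, verdict in RULES:
        if prog == rule_prog and re.search(pattern, msg):
            return Event(m.group("ts"), prog, layer, verdict, msg)
    return Event(m.group("ts"), prog, "unclassified", "no rule matched", msg)


def triage(log_text: str) -> List[Event]:
    return [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]


def root_cause(events: List[Event]) -> str:
    """Return the outermost failing layer, or 'none' if no failure line was seen."""
    present = {ev.layer for ev in events}
    for layer in FAILURE_LAYERS:
        if layer in present:
            return layer
    return "none"


if __name__ == "__main__":
    for name, log in (("post", SAMPLE_LOG), ("contrast", CONTRAST_LOG)):
        events = triage(log)
        for ev in events:
            print(f"{ev.ts} {ev.prog:<10} {ev.layer:<17} {ev.verdict}")
        print(f"[{name}] first broken link: {root_cause(events)}\n")
```

The layer ordering is the point: Cyrus's `checkpass failed` and saslauthd's `auth failure` records are downstream symptoms, and the first actionable line in the post's log is the bind that returned -1. OpenLDAP reports that code whenever no bind response arrives, whether the connection to the configured URI never opened or TLS setup failed, so pairing the log with a capture on the LDAP port (as the post does) is the check that separates the two cases.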
