This is all that's contained in my saslauthd.conf:

ldap_servers: ldaps://server2 ldaps://server1
ldap_search_base: OU=<usersOU>,DC=foo,DC=bar
ldap_filter: sAMAccountName=%u
ldap_bind_dn: cn=saslauthd,cn=users,dc=foo,dc=bar
ldap_password: <password>

The obvious thing that jumps out at me is that you're pointing to ldap_servers: localhost, instead of your AD servers.

On Wed, Nov 20, 2013 at 7:37 AM, Jason Brandt <[email protected]> wrote:
> I can get you my SASL config from my test environment when I get to the
> office. One thing to keep in mind is that you MUST do an authenticated
> bind to AD, you cannot do anonymous bind, so you have to have a service
> account set up to allow SASL to authenticate to AD. It can be the most
> basic user account, it just has to be able to log into AD.
>
>
> On Wed, Nov 20, 2013 at 6:26 AM, Clément OUDOT <[email protected]> wrote:
>
>> 2013/11/20 <[email protected]>:
>> > Thank you.
>> >
>> > Yes, the credentials are stored in AD.
>> >
>> > I saw this documentation,
>> > http://ltb-project.org/wiki/documentation/general/sasl_delegation
>> >
>> > It helped me very much, but I think there is something wrong in my
>> > saslauth.conf, because when I put the AD server and ldap_filter = (sAMAccountName=%u
>> > it is OK, "Success SASL", but when I put my localhost like this:
>> >
>> > ldap_servers: ldaps://127.0.0.1 #or ldap://localhost
>> > #ldap_servers: ldaps://1.1.2.1
>> > ldap_version: 3
>> > ldap_auth_method: bind
>> > ldap_search_base: cn=users,dc=foobar,dc=br
>> > #ldap_filter: (sAMAccountname=%u)
>> > #ldap_filter: (userPrincipalName=%u)
>> > ldap_filter: uid=%u
>> > ldap_bind_dn: cn=vmail,cn=users,dc=foobar,dc=br #or cn=admin,dc=foobar
>> > ldap_password: abc@123
>> > ldap_deref: never
>> > ldap_restart: yes
>> > ldap_scope: sub
>> > ldap_use_sasl: no
>> > ldap_start_tls: no
>> > ldap_timeout: 10
>> >
>> >
>> > testsaslauthd -u usertst -p password
>> >
>> > NO "authentication failed"
>> >
>> > See the log:
>> >
>> > Nov 20 09:13:23 mail slapd[12776]: conn=1139 fd=18 ACCEPT from IP=127.0.0.1:50194 (IP=0.0.0.0:636)
>> > Nov 20 09:13:23 mail slapd[12776]: conn=1139 fd=18 TLS established tls_ssf=256 ssf=256
>> > Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 BIND dn="cn=vmail,cn=users,dc=foobar,dc=br" method=128
>> > Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 BIND dn="cn=vmail,cn=users,dc=foobar,dc=br" mech=SIMPLE ssf=0
>> > Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=0 RESULT tag=97 err=0 text=
>> > Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SRCH base="cn=users,dc=foobar,dc=br" scope=2 deref=0 filter="(uid=usertst)"
>> > Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SRCH attr=dn
>> > Nov 20 09:13:23 mail slapd[12776]: conn=1139 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
>> >
>> > What can I do to fix this?
>> >
>>
>> The log says that the entry is not found (nentries=0), either because
>> it does not exist or because you can't read it (ACL).
>>
>> But why are you using localhost behind your SASL pass-through? It seems
>> like you are doing a loop on your LDAP server.
>>
>>
>> Clément.
>>
>
>
>
> --
> Jason K. Brandt
> Systems Administrator
> Bradley University
> (309) 677-2958
>

--
Jason K. Brandt
Systems Administrator
Bradley University
(309) 677-2958
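The thread boils down to two things an admin can verify before running testsaslauthd: which server saslauthd will actually contact, and what search it will send (the slapd log above shows base, scope and filter). The following script is an added example, not code from the thread or from the saslauthd project: it parses a saslauthd.conf-style file, expands the %u and %r placeholders the way a filter-safe implementation should (RFC 4515 escaping of the substituted value, an assumption about best practice rather than a claim about saslauthd's own code), and flags loopback ldap_servers entries and filters that never reference the user. The sample configuration is constructed from the values posted in the thread; the parser treats only lines beginning with '#' as comments, which is a simplification.

```python
from urllib.parse import urlparse

# Constructed sample modelled on the configuration posted in the thread.
SAMPLE_CONF = """\
ldap_servers: ldaps://127.0.0.1
#ldap_servers: ldaps://1.1.2.1
ldap_version: 3
ldap_auth_method: bind
ldap_search_base: cn=users,dc=foobar,dc=br
#ldap_filter: (sAMAccountname=%u)
ldap_filter: uid=%u
ldap_bind_dn: cn=vmail,cn=users,dc=foobar,dc=br
ldap_password: abc@123
ldap_scope: sub
"""

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
# LDAP protocol scope codes; slapd logs these numbers in its SRCH lines.
SCOPE_CODES = {"base": 0, "one": 1, "sub": 2}


def parse_saslauthd_conf(text):
    """Parse 'key: value' lines. Lines starting with '#' and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf


def ldap_filter_escape(value):
    """Escape the characters RFC 4515 reserves inside filter values."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def expand_filter(template, user, realm=""):
    """Substitute %u (user) and %r (realm) with escaped values and
    normalise the result to a parenthesised filter."""
    expanded = template.replace("%u", ldap_filter_escape(user))
    expanded = expanded.replace("%r", ldap_filter_escape(realm))
    if not expanded.startswith("("):
        expanded = "(" + expanded + ")"
    return expanded


def check_conf(conf, user, realm=""):
    """Return the search saslauthd would issue plus a list of findings."""
    findings = []

    for url in conf.get("ldap_servers", "").split():
        host = (urlparse(url).hostname or "").lower()
        if host in LOOPBACK_HOSTS:
            findings.append(
                "ldap_servers entry %s is the local host; the lookup will hit "
                "the local directory, not the server holding the credentials" % url
            )

    if conf.get("ldap_auth_method", "bind") == "bind" and not conf.get("ldap_bind_dn"):
        findings.append("ldap_auth_method is bind but no ldap_bind_dn is set "
                        "(directories such as AD reject anonymous searches)")

    template = conf.get("ldap_filter", "")
    if "%u" not in template and "%U" not in template:
        findings.append("ldap_filter does not reference the user (%u); every "
                        "login would resolve to the same entry")

    search = {
        "base": conf.get("ldap_search_base", ""),
        "scope": SCOPE_CODES.get(conf.get("ldap_scope", "sub"), 2),
        "filter": expand_filter(template, user, realm),
    }
    return {"search": search, "findings": findings}


if __name__ == "__main__":
    result = check_conf(parse_saslauthd_conf(SAMPLE_CONF), "usertst")
    s = result["search"]
    # Compare this line with the SRCH line in the slapd log.
    print('SRCH base="%s" scope=%d filter="%s"' % (s["base"], s["scope"], s["filter"]))
    for finding in result["findings"]:
        print("finding:", finding)
```

Run it against the real saslauthd.conf instead of SAMPLE_CONF and compare the printed SRCH line with what slapd logs; if the filter, base and scope match but nentries is still 0, the entry is either absent from that directory or hidden from the bind DN by an ACL, which is exactly the split Clément describes.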
