1

Trying to configure SASL on a CentOS 7 box to talk to an Active Directory installation. I've tried a couple different configurations that generate different errors. The latest:

    No worthy mechs found
    ldap_sasl_interactive_bind() failed -6 (Unknown authentication method).
    Authentication failed for <user>: Retry condition (ldap server connection reset or broken) (-3)
    do_auth         : auth failure: [user=<user>] [service=imap] [realm=] [mech=ldap] [reason=Unknown]

The contents of my saslauthd.conf:

    ldap_servers: ldap://thinger.foo.bar.com:3299/
    ldap_search_base: DC=foo,DC=bar,DC=com
    ldap_filter: (&(cn=%u)(objectClass=user))
    ldap_use_sasl: yes
    ldap_auth_method: fastbind
    ldap_mech: DIGEST-MD5

Starting to run low on ideas.

Adam

1 Answer

1

I vaguely remember that DIGEST-MD5 requires a specific option to be enabled for the user in the MMC.

Honestly, I see no value in using SASL / DIGEST-MD5 today, because to reach a sufficient security level you have to use TLS to also protect the DIGEST-MD5 authentication flow anyway.

  • Gotcha. I... installed the cyrus-sasl-ldap package. I changed the mech (in /etc/saslauthd.conf) to ldap. When I run testsaslauthd, it gives me a new message about `ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied`. This was helpful. I've got a little more digging to do. Ty! – Adam Nov 08 '18 at 22:48
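
The answer's point, that the bind has to be protected by TLS whatever the mechanism, can be checked mechanically. The following is an added example, not part of the original post or of Cyrus SASL: a small Python linter for saslauthd.conf (function names and finding ids are hypothetical), run against the question's configuration and a constructed simple-bind-over-LDAPS alternative whose host name, bind DN, password and CA path are placeholders.

```python
# Added example; both sample configs are constructed (the first mirrors the question).
QUESTION_CONF = """\
ldap_servers: ldap://thinger.foo.bar.com:3299/
ldap_search_base: DC=foo,DC=bar,DC=com
ldap_filter: (&(cn=%u)(objectClass=user))
ldap_use_sasl: yes
ldap_auth_method: fastbind
ldap_mech: DIGEST-MD5
"""

# Constructed alternative: simple bind over LDAPS; every value below is a placeholder.
TLS_CONF = """\
ldap_servers: ldaps://dc.example.test/
ldap_search_base: DC=example,DC=test
ldap_filter: (&(cn=%u)(objectClass=user))
ldap_auth_method: bind
ldap_bind_dn: CN=svc-saslauthd,OU=Service,DC=example,DC=test
ldap_bind_pw: CHANGE_ME
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/pki/tls/certs/ad-ca.pem
"""

def parse_conf(text):
    """Return {option: value} from 'option: value' lines, skipping comments."""
    opts = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")  # split on the first ':' only
        if sep and not key.startswith("#"):
            opts[key.strip().lower()] = value.strip()
    return opts

def is_on(opts, key):
    # Assumption: only these spellings are treated as "enabled" by this linter.
    return opts.get(key, "no").lower() in ("yes", "on", "true", "1")

def lint(text):
    """Return a sorted list of finding ids for one saslauthd.conf."""
    opts, found = parse_conf(text), set()
    servers = opts.get("ldap_servers", "").split()
    if any(s.lower().startswith("ldap://") for s in servers) and not is_on(opts, "ldap_start_tls"):
        found.add("no-tls")           # bind exchange crosses the wire unprotected
    elif not is_on(opts, "ldap_tls_check_peer"):
        found.add("peer-unverified")  # TLS without server certificate checks
    elif not (opts.get("ldap_tls_cacert_file") or opts.get("ldap_tls_cacert_dir")):
        found.add("no-ca-bundle")     # peer check needs a CA file or directory
    if is_on(opts, "ldap_use_sasl") and opts.get("ldap_mech", "").upper() == "DIGEST-MD5":
        found.add("digest-md5")       # per the answer: no value once TLS is required
    return sorted(found)
```

Calling `lint(QUESTION_CONF)` returns `['digest-md5', 'no-tls']`, while `lint(TLS_CONF)` returns an empty list.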