Occasional saslauthd LDAP failure
Andrea Venturoli
ml at netfence.it
Tue Jan 12 10:31:31 UTC 2021
Hello.
I've got several services authenticating against a Samba AD DC via
"saslauthd -a ldap"
This works perfectly from the users' point of view.
However I often find failures in the logs:
> saslauthd[89676]: ldap_simple_bind() failed -1 (Can't contact LDAP server).
> saslauthd[89676]: Retrying authentication
This happens hundreds of times a day.
Almost surely retrying succeeds, as no user ever complained.
I tried getting some logs from Samba, but was not able to.
I ran saslauthd in debug mode and, when the above happens, this is what
I see:
> TLS certificate verification: Error, unable to get local issuer certificate
> TLS certificate verification: Error, unable to verify the first certificate
Any hint?
Why would either saslauthd or the openldap client library fail occasionally?
Since I'm using a stateful firewall, I thought perhaps connections time
out, but disabling it did not help.
My saslauthd.conf:
> ldap_servers: ldap://x.x.x.x/
> ldap_bind_dn: cn=xxx,cn=Users,dc=xxx,dc=xxx,dc=xxx
> ldap_password: XXXXXXXX
> ldap_start_tls: yes
> ldap_search_base: cn=Users,dc=xxx,dc=xxx,dc=xxx
> ldap_tls_cert: /.../cert.pem
> ldap_tls_key: /.../key.pem
> ldap_filter: (sAMAccountName=%u)
> ldap_scope: sub
> ldap_debug: 100
> ldap_verbose: on
> ldap_tls_check_peer: no
>
My ldap.conf:
> TLS_CACERT /.../cert.pem
> TLS_CERT /.../key.pem
> TLS_REQCERT allow
> ssl_check_cert off
bye & Thanks
av.
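As an added example (not part of the post above, and not Cyrus SASL or Samba code), here is a small Python script that does the two things a reader of this thread would want before chasing the intermittent bind failures: it tallies the `ldap_simple_bind() failed` / `Retrying authentication` pairs and the TLS verification errors per hour from saslauthd syslog output, and it flags the settings in the quoted saslauthd.conf that switch peer verification off (`ldap_tls_check_peer: no`), which is why the verification errors are logged but never stop a bind. The syslog line layout, the host name and the timestamps are constructed; only the message texts are taken from the post.

```python
import re
from collections import Counter

# Constructed sample syslog lines, modelled on the messages quoted in the post.
SAMPLE_LOG = """\
Jan 12 10:01:03 mx saslauthd[89676]: ldap_simple_bind() failed -1 (Can't contact LDAP server).
Jan 12 10:01:03 mx saslauthd[89676]: Retrying authentication
Jan 12 10:01:04 mx saslauthd[89676]: TLS certificate verification: Error, unable to get local issuer certificate
Jan 12 10:01:04 mx saslauthd[89676]: TLS certificate verification: Error, unable to verify the first certificate
Jan 12 10:15:44 mx saslauthd[89676]: ldap_simple_bind() failed -1 (Can't contact LDAP server).
Jan 12 10:15:44 mx saslauthd[89676]: Retrying authentication
Jan 12 11:02:10 mx saslauthd[89676]: ldap_simple_bind() failed -1 (Can't contact LDAP server).
Jan 12 11:02:10 mx saslauthd[89676]: Retrying authentication
Jan 12 11:02:11 mx sshd[1234]: Accepted password for alice from 192.0.2.10
"""

# Constructed copy of the saslauthd.conf quoted in the post (placeholders kept).
SAMPLE_CONF = """\
ldap_servers: ldap://x.x.x.x/
ldap_bind_dn: cn=xxx,cn=Users,dc=xxx,dc=xxx,dc=xxx
ldap_password: XXXXXXXX
ldap_start_tls: yes
ldap_search_base: cn=Users,dc=xxx,dc=xxx,dc=xxx
ldap_filter: (sAMAccountName=%u)
ldap_scope: sub
ldap_tls_check_peer: no
"""

# Classic BSD syslog prefix: "Mon DD HH:MM:SS host saslauthd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"saslauthd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def summarize_saslauthd_log(text):
    """Count bind failures, retries and TLS verification errors per hour."""
    bind_failures = Counter()   # hour bucket -> failed bind attempts
    retries = 0
    tls_errors = Counter()      # verification error text -> count
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                # lines from other daemons are ignored
            continue
        msg = m.group("msg")
        hour = m.group("ts")[:-6]   # "Jan 12 10:01:03" -> "Jan 12 10"
        if msg.startswith("ldap_simple_bind() failed"):
            bind_failures[hour] += 1
        elif msg == "Retrying authentication":
            retries += 1
        elif msg.startswith("TLS certificate verification: Error, "):
            tls_errors[msg.split("Error, ", 1)[1]] += 1
    return {
        "bind_failures": sum(bind_failures.values()),
        "per_hour": dict(bind_failures),
        "retries": retries,
        "tls_errors": dict(tls_errors),
    }


def check_saslauthd_conf(text):
    """Return (key, value, note) for settings that weaken the LDAP bind."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()

    findings = []
    if settings.get("ldap_tls_check_peer", "no").lower() in ("no", "off", "false", "0"):
        findings.append(("ldap_tls_check_peer", settings.get("ldap_tls_check_peer", "<unset>"),
                         "server certificate is not verified; verification errors are logged but never enforced"))
    if settings.get("ldap_start_tls", "no").lower() not in ("yes", "on", "true", "1") \
            and not settings.get("ldap_servers", "").startswith("ldaps://"):
        findings.append(("ldap_start_tls", settings.get("ldap_start_tls", "<unset>"),
                         "simple bind sends the bind DN password in clear text"))
    return findings


if __name__ == "__main__":
    print(summarize_saslauthd_log(SAMPLE_LOG))
    for key, value, note in check_saslauthd_conf(SAMPLE_CONF):
        print(f"{key} = {value}: {note}")
```

Feeding the real `/var/log/auth.log` (or whatever syslog facility saslauthd writes to) into `summarize_saslauthd_log` gives the hourly distribution the poster is missing: if failures cluster at fixed intervals they point at something periodic on the DC side rather than at the stateful firewall already ruled out.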