Back in my days of Win Admin I only used Windows, so AD authentication was relatively straightforward. Just before the end of that, I had started using LDAP to authenticate third-party stuff.

Since I've switched to Linux, I have very little to do with Windows, so my experience with AD & LDAP is very rusty (and was pretty poor to start with). Also my Linux knowledge tends to be broad rather than deep. Much general OS stuff I'm pretty handy with, but many specifics (especially stuff that relates to complex authentication systems) I have little to no experience with.

I've only ever used SASL to authenticate against Google accounts (for sending mail via Google's SMTP relay service), but I assume that your approach should work ok too.

I've just had a quick Google and by my reading, when you run 'testsaslauthd' it appears that by default you need to specify (using the '-s' switch) the service you would like to authenticate against. If it's not explicitly stated, SASL will fall back to authenticating via local PAM (i.e. normal local Linux user authentication). Assuming I read right, that might explain why your test is failing?

OTOH, perhaps it uses the socket to communicate with a running SASL server (on your Redmine instance)? In which case, if the socket doesn't exist where it's looking for it (e.g. path wrong, or SASL service not currently running), then it wouldn't be able to use LDAP (and would again fall back to PAM)?

Another possibility: I note you are using the FQDN 'server.local'. It might be worth double-checking that it is resolving correctly within your Redmine server.

Finally, it might be worth searching on the Redmine forums and docs. Perhaps they already have something written up? If not, perhaps cross post this on their forums too? Maybe someone with deeper knowledge of LDAP/SASL will be able to get you going in the right direction.

I hope my post adds something of value. And hopefully someone else with greater knowledge than me will be along to help you out. If you find answers elsewhere, please post back as no doubt it will help someone else in the future!
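The three things the reply above suggests checking (which mechanism saslauthd is configured with, whether its socket exists, and whether the hostname resolves) can be scripted. The script below is an added example, not part of the original post or of the Redmine or Cyrus SASL projects. It assumes the Debian-style layout where the daemon's settings live in `/etc/default/saslauthd` (`MECHANISMS=` is what gets passed to `saslauthd -a`, and `-m` in `OPTIONS=` sets the directory holding the `mux` socket); the sample config text embedded in it is constructed for offline demonstration, and `server.local` is taken from the thread.

```sh
#!/bin/sh
# Added example (not from the original post): sanity checks for a saslauthd
# setup that is supposed to authenticate against LDAP.
# Assumes Debian defaults: /etc/default/saslauthd, mux socket under the -m dir.

# Constructed sample of /etc/default/saslauthd, so the parsing works offline.
SAMPLE_DEFAULTS='START=yes
MECHANISMS="ldap"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/run/saslauthd"'

# Mechanism saslauthd is started with (the -a argument). If this says "pam",
# no testsaslauthd switch will make the daemon talk to LDAP.
sasl_mechanism() {
    printf '%s\n' "$1" | sed -n 's/^MECHANISMS="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p'
}

# Directory given to -m in OPTIONS; the daemon listens on "$dir/mux".
sasl_mux_dir() {
    printf '%s\n' "$1" | sed -n 's/^OPTIONS=.*-m \([^" ]*\).*$/\1/p'
}

# True if the mux socket exists where testsaslauthd -f will look for it.
sasl_socket_ok() {
    [ -S "$1/mux" ]
}

# True if the name resolves; getent honours /etc/hosts as well as DNS.
host_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Run all checks against the live system, reporting rather than aborting.
# Set SASL_DEFAULTS_FILE to point at a different defaults file if needed.
run_checks() {
    defaults_file="${SASL_DEFAULTS_FILE:-/etc/default/saslauthd}"
    ldap_host="${1:-server.local}"

    if [ -r "$defaults_file" ]; then
        cfg=$(cat "$defaults_file")
    else
        echo "WARN: $defaults_file not readable, using constructed sample"
        cfg="$SAMPLE_DEFAULTS"
    fi

    mech=$(sasl_mechanism "$cfg")
    mux=$(sasl_mux_dir "$cfg")
    echo "saslauthd mechanism : ${mech:-<unset>}"
    echo "saslauthd mux dir   : ${mux:-<unset>}"

    if [ -n "$mux" ] && sasl_socket_ok "$mux"; then
        echo "OK   socket $mux/mux exists"
    else
        echo "WARN socket ${mux:-?}/mux missing: is saslauthd running?"
    fi

    if host_resolves "$ldap_host"; then
        echo "OK   $ldap_host resolves"
    else
        echo "WARN $ldap_host does not resolve on this host"
    fi

    # Once the above are green, the real test is (credentials are yours):
    #   testsaslauthd -u someuser -p 'secret' -f "$mux/mux" -s imap
    return 0
}
```

Run it as `sh sasl_checks.sh server.local`; it only reads configuration and never aborts, so a WARN line points at the item to fix before retrying `testsaslauthd`.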