Re: LDAP + Kerberos not allowing simple binds
"Jose Gonzalez Gomez" <jgonzalez@opentechnet.com> wrote in message
news:411E7C85.2090002@opentechnet.com...
> Robert wrote:
>
> >
> Then you should make that work before trying to use the {SASL} in
> userPassword. Have you taken a look at log files? I think you may run
> saslauthd with some verbose flag (-v?) so you may see the result of the
> authentication attempt. You may also look at the log files generated by
> sasl to see the cause of failed authentications.
>
The message generated by saslauthd looks like:
saslauthd[816]: do_auth : auth failure: [user=user] [service=ldap]
[realm=DOMAIN.REALM] [mech=kerberos5] [reason=saslauthd internal error]
I have added the host/fully.qualified.domain-name and
ldap/fully.qualified.domain-name to both the system keytab, /etc/krb5.keytab
and the /etc/openldap/ldap.keytab files. There is a file
/usr/local/lib/sasl2/slapd.conf which contains:
pwcheck_method: saslauthd
keytab: /etc/openldap/ldap.keytab
saslauthd_path: /var/run/saslauthd/mux
The strange thing is that if I supply the wrong password, testsaslauthd or
simple binding to the ldap directory fails immediately. If I supply the
correct password for the principal, the verification process stalls for a
couple of seconds, then it returns failure. Another thing is that when I
supply the correct dn and password, there is a credentials cache
/ ticket file in the temp directory. The kdc log also shows that it issued
a ticket for the user but the authentication still fails.
I have googled away and found this exact issue and it was solved. I can't
seem to get it solved on my end. Anything that I missed?
Thanks.
Robert
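A pre-flight check for the setup described in this thread, added here as an example and not part of the original post: it verifies that a keytab lists the host/ and ldap/ principals that saslauthd's kerberos5 mechanism needs for the local host, and that the saslauthd mux socket named in slapd.conf exists. It assumes klist(1) from MIT or Heimdal Kerberos is installed; the hostname and realm used in the test are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks the pieces the post names:
# the service keytab (/etc/openldap/ldap.keytab) and saslauthd's mux socket.

# has_principal KLIST_OUTPUT PRINCIPAL
# Returns 0 if the full principal (svc/host@REALM) appears in `klist -k` output.
# klist prints "<kvno> <principal>", so match on a leading space, fixed string.
has_principal() {
    printf '%s\n' "$1" | grep -qF -- " $2"
}

# missing_principals KLIST_OUTPUT FQDN REALM
# Prints each required principal that is absent; returns 1 if any is missing.
# saslauthd's kerberos5 mech needs host/<fqdn>, and slapd's GSSAPI needs ldap/<fqdn>.
missing_principals() {
    out="$1"; fqdn="$2"; realm="$3"; rc=0
    for svc in host ldap; do
        p="$svc/$fqdn@$realm"
        if ! has_principal "$out" "$p"; then
            echo "missing: $p"
            rc=1
        fi
    done
    return $rc
}

# check_keytab KEYTAB FQDN REALM
# Runs klist -k on a real keytab file and reports missing principals.
check_keytab() {
    [ -r "$1" ] || { echo "keytab $1 not readable"; return 2; }
    missing_principals "$(klist -k "$1")" "$2" "$3"
}

# mux_present MUXPATH
# saslauthd listens on a unix socket (the saslauthd_path in slapd.conf).
mux_present() {
    [ -S "$1" ]
}
```

Run `check_keytab /etc/openldap/ldap.keytab "$(hostname -f)" DOMAIN.REALM` and `mux_present /var/run/saslauthd/mux` on the LDAP host; a missing principal or socket explains a "saslauthd internal error" before looking further.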