
some users failing to authenticate others working fine.



I have a couple of users whom the following sasl-regexp stanza is not
catching.  Strange since all user accounts are identical.

sasl-regexp
        uid=(.*),cn=internal.epo.org,cn=gssapi,cn=auth
        uid=$1,ou=people,ou=internal,dc=epo,dc=org

I am fairly sure that OpenLDAP is not passing them to saslauthd for
authentication.  I can see the uid, password, service and Kerberos
realm being passed to saslauthd for some users but nothing leaving
the OpenLDAP server for the failing user (tested using strace on
saslauthd with only one child running).  Instead I receive the
following back from OpenLDAP without it trying to authenticate the user:

[LDAP: error code 49 - Invalid Credentials]

Here is an LDAP account that is working:

version: 1
dn: uid=st81418,ou=people,ou=internal,dc=epo,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Simon Tennant
displayName: Simon Tennant
gidNumber: 666
givenName: Simon
homeDirectory: /home/sysman/st81418
loginShell: /bin/bash
preferredLanguage: EN
sn: Tennant
uid: st81418
uidNumber: 81418
userPassword: {sasl}st81418@INTERNAL.EPO.ORG

and here is one that is failing:

version: 1
dn: uid=ls22367,ou=people,ou=internal,dc=epo,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
gidNumber: 666
homeDirectory: /home/sysman/ls22367
loginShell: /usr/bin/ksh
uid: ls22367
uidNumber: 22367
cn: blah (changed to protect the innocent from Google searches)
sn: blah2 (ditto)
userPassword: {sasl}ls22367@INTERNAL.EPO.ORG

I have tried the following to debug:

changed the userPassword field to point to another user and then tried logging
in with the new user's password.

tried using a plain text password for the failing user.  Still cannot
log in.  This suggests it has nothing to do with the sasl-regex
statement, although I cannot see a significant difference between a
working and non-working account.

tried deleting and recreating the record.

the user's name contains 2 accented characters - I ripped them out for
testing.  Other users have accented characters but they seem to work.

We're using OpenLDAP: slapd 2.2.24.

Any ideas welcome.

S.

-- 
Simon Tennant ________________ http://imaginator.com/~simon/contact
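Added example (not from the post or from OpenLDAP itself): a small Python check that applies the sasl-regexp pair quoted above to the GSSAPI authentication identity slapd builds for each account and compares the result with the entry's own DN and its {sasl} userPassword, so the working and failing entries can be compared mechanically. It assumes slapd matches the regexp case-insensitively and unanchored, and that the realm appears lowercased in the authentication DN; the two entries are copied from the post with only uid, dn and userPassword kept.

```python
import re

# sasl-regexp pair quoted from the post (OpenLDAP 2.2 syntax; newer releases call it authz-regexp).
# The unescaped dots in the realm match any character, which is harmless here.
SASL_REGEXP = (r"uid=(.*),cn=internal.epo.org,cn=gssapi,cn=auth",
               "uid=$1,ou=people,ou=internal,dc=epo,dc=org")

# Constructed sample: the uid, dn and userPassword of the two entries in the post.
ENTRIES = [
    {"uid": "st81418", "dn": "uid=st81418,ou=people,ou=internal,dc=epo,dc=org",
     "userPassword": "{sasl}st81418@INTERNAL.EPO.ORG"},
    {"uid": "ls22367", "dn": "uid=ls22367,ou=people,ou=internal,dc=epo,dc=org",
     "userPassword": "{sasl}ls22367@INTERNAL.EPO.ORG"},
]

def gssapi_authcid(principal, realm):
    """Authentication DN slapd builds for a GSSAPI bind of principal@REALM.
    Assumption: the realm is lowercased in that DN (the match below ignores case anyway)."""
    return f"uid={principal},cn={realm.lower()},cn=gssapi,cn=auth"

def map_authcid(authcid, rule=SASL_REGEXP):
    """Apply one sasl-regexp rule: unanchored, case-insensitive search (assumed to mirror
    slapd's REG_ICASE compile), then substitute $1..$9 in the replacement. None if no match."""
    pattern, replacement = rule
    m = re.search(pattern, authcid, re.IGNORECASE)
    if not m:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)

def check_entry(entry, realm="INTERNAL.EPO.ORG"):
    """Return the inconsistencies found for one entry: does the GSSAPI identity map to
    the entry's own DN, and does the {sasl} userPassword name the same principal?"""
    problems = []
    mapped = map_authcid(gssapi_authcid(entry["uid"], realm))
    if mapped is None:
        problems.append("sasl-regexp does not match the GSSAPI identity")
    elif mapped.lower() != entry["dn"].lower():
        problems.append(f"sasl-regexp maps to {mapped}, not to the entry DN")
    pw = entry["userPassword"]
    if pw.lower().startswith("{sasl}") and pw[6:].lower() != f"{entry['uid']}@{realm}".lower():
        problems.append(f"{{sasl}} password principal {pw[6:]} differs from uid@realm")
    return problems

if __name__ == "__main__":
    for e in ENTRIES:
        print(e["uid"], check_entry(e) or "consistent")
```

Both entries from the post come out consistent under this check, which matches the poster's observation that the regexp itself does not separate the working account from the failing one.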
