I have a couple of users whom the following sasl-regexp stanza is not catching. Strange, since all user accounts are identical.

sasl-regexp uid=(.*),cn=internal.epo.org,cn=gssapi,cn=auth uid=$1,ou=people,ou=internal,dc=epo,dc=org

I am fairly sure that OpenLDAP is not passing them to saslauthd for authentication. I can see the uid, password, service and kerberos realm being passed to saslauthd for some users, but nothing leaving the OpenLDAP server for the failing user (tested using strace on saslauthd with only one child running). Instead I receive the following back from OpenLDAP without it trying to authenticate the user:

[LDAP: error code 49 - Invalid Credentials]

Here is an LDAP account that is working:

version: 1
dn: uid=st81418,ou=people,ou=internal,dc=epo,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Simon Tennant
displayName: Simon Tennant
gidNumber: 666
givenName: Simon
homeDirectory: /home/sysman/st81418
loginShell: /bin/bash
preferredLanguage: EN
sn: Tennant
uid: st81418
uidNumber: 81418
userPassword: {sasl}st81418@INTERNAL.EPO.ORG

and here is one that is failing:

version: 1
dn: uid=ls22367,ou=people,ou=internal,dc=epo,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
gidNumber: 666
homeDirectory: /home/sysman/ls22367
loginShell: /usr/bin/ksh
uid: ls22367
uidNumber: 22367
cn: blah (changed to protect the innocent from Google searches)
sn: blah2 (ditto)
userPassword: {sasl}ls22367@INTERNAL.EPO.ORG

I have tried the following to debug:

- changing the userPassword field to point to another user and then tried logging in with the new user's password.
- tried using a plain text password for the failing user. Still cannot log in. This suggests it has nothing to do with the sasl-regex statement, although I cannot see a significant difference between a working and non-working account.
- tried deleting and recreating the record.
- the user's name contains 2 accented characters - I ripped them out for testing. Other users have accented characters but they seem to work.

We're using OpenLDAP: slapd 2.2.24.

Any ideas welcome.

S.

--
Simon Tennant
________________
http://imaginator.com/~simon/contact
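The check below is an added example, not code from the post or from OpenLDAP: it reproduces the sasl-regexp mapping offline so the stanza can be tested against both accounts without touching slapd. It assumes slapd builds the SASL authentication DN as uid=<user>,cn=<realm>,cn=<mech>,cn=auth, that the pattern is matched as an extended regex and that the match is case-insensitive (REG_ICASE), and it reuses the uids, realm and {sasl} userPassword values quoted above as constructed input. When both entries map to their own dn and carry a consistent {sasl} identity, the regexp is ruled out as the difference between the two accounts, which is what the strace observation already suggests.

```python
import re

# The sasl-regexp stanza quoted in the post, split into (pattern, replacement).
# The unescaped dots in "internal.epo.org" are kept exactly as the post has them.
SASL_REGEXP_RULES = [
    (r"uid=(.*),cn=internal.epo.org,cn=gssapi,cn=auth",
     "uid=$1,ou=people,ou=internal,dc=epo,dc=org"),
]

# Constructed entries mirroring the two LDIF records in the post (attributes
# that the mapping check does not need are omitted).
WORKING = {"dn": "uid=st81418,ou=people,ou=internal,dc=epo,dc=org",
           "uid": "st81418",
           "userPassword": "{sasl}st81418@INTERNAL.EPO.ORG"}
FAILING = {"dn": "uid=ls22367,ou=people,ou=internal,dc=epo,dc=org",
           "uid": "ls22367",
           "userPassword": "{sasl}ls22367@INTERNAL.EPO.ORG"}


def sasl_auth_dn(uid, realm, mech="gssapi"):
    """Authentication DN slapd forms for a SASL bind before any
    sasl-regexp is applied (assumed form: uid=<u>,cn=<realm>,cn=<mech>,cn=auth)."""
    return f"uid={uid},cn={realm},cn={mech},cn=auth"


def apply_sasl_regexp(auth_dn, rules=SASL_REGEXP_RULES):
    """Return the DN produced by the first matching rule, or None if no
    rule matches. $1..$9 in the replacement refer to capture groups.
    Case-insensitive matching is an assumption (slapd REG_ICASE)."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, auth_dn, flags=re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


def sasl_password_identity(user_password):
    """Parse a {sasl}user@REALM userPassword into (user, realm); None otherwise."""
    m = re.fullmatch(r"\{sasl\}([^@]+)@(.+)", user_password, flags=re.IGNORECASE)
    return (m.group(1), m.group(2)) if m else None


def check_entry(entry, realm="INTERNAL.EPO.ORG"):
    """Return a list of findings; an empty list means the regexp maps the
    entry's SASL identity to its own dn and the {sasl} reference is consistent."""
    findings = []
    uid = entry["uid"]
    mapped = apply_sasl_regexp(sasl_auth_dn(uid, realm))
    if mapped is None:
        findings.append("sasl-regexp does not match the SASL auth DN")
    elif mapped.lower() != entry["dn"].lower():
        findings.append(f"sasl-regexp maps to {mapped}, entry dn is {entry['dn']}")
    ident = sasl_password_identity(entry["userPassword"])
    if ident is None:
        findings.append("userPassword is not a {sasl} reference")
    elif ident != (uid, realm):
        findings.append(f"{{sasl}} identity {ident} does not match uid/realm")
    return findings


if __name__ == "__main__":
    for name, entry in (("working", WORKING), ("failing", FAILING)):
        print(name, check_entry(entry) or "ok")
```

If the failing account also comes back "ok" here, the next place to look is what slapd does before consulting saslauthd (for example the bind DN or mechanism the client actually sends, visible with slapd's own debug logging), rather than the regexp itself.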