[Date Prev][Date Next] [Chronological] [Thread] [Top]

Can't get password passthrough to work with openldap



Hi,
I am trying to get Pass-Through authentication to work for password
verification.

Following the 'Pass-Through authentication' (14.5) in the openldap 2.4
admin guide, I hve configured saslauthd and slapd.conf (sasl) and
managed to successfully authenticate with Active Directory (AD) using
the 'testsaslauthd' utility.

Setting a user password in my openldap database in the form

dn: uid=user,ou=org,dc=org.com
userPassword: {SASL}joe@ad.example.com

where joe@ad.example.com is the userPrincipalName defined for this
user in AD.

I can't authenticate, when using the ldapsearch command

$ ldapsearch -x -v -D 'uid=joe,ou=people,dc=myorg.com' -W -h ldaphost

Comes up with error (49)

I have enabled --enable-spasswd --with-cyrus-sasl when compiling openldap


Has anybody configured this type of setup successfully?

My question is - how do I configure my openldap server to talk to
'saslauthd' - which openldap's passthrough delegates password
authentication to, when the userpassword is in the form

userPassword: {SASL}joe@ad.example.com

Do I need to have some extra configurations in my openldap slapd.conf
file? Currently I only have sasl-host and sasl-secprops defined, as:-

sasl-host 127.0.0.1 # (where my openldap server runs as well)
sasl-secprops none


Do I need to do any auth-regex for any translation?


This is my openldap entry for user joe

dn: uid=joe,ou=people,dc=myorg.com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Joe
sn: Bloggs
telephoneNumber: 3333
userPassword: {SASL}joe@ad.example.com
physicalDeliveryOfficeName: J2B/1
givenName: joe
uid: joe


Below is my /usr/lib/sasl2/slapd.conf file

mech_list: plain
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux


Below is my /etc/saslauthd.conf file

ldap_servers: ldap://ad.example.com:389

ldap_search_base: ou=People,dc=ad,dc=example,dc=com
ldap_filter: (userPrincipalName=%u)

ldap_bind_dn: cn=admin,cn=Users,dc=ad,dc=example,dc=com
ldap_password: mypassword


Any help will be greatly appreciated.


Many Thanks

krishan