Re: SASL auth not working
On 23/06/10 10:27 -0300, Diego Lima wrote:
> I'm trying to set up openldap to authenticate using my kerberos
> service, but I'm not having success so far. I've already set up MIT
> Kerberos V and I can successfully get tickets from it:
>
> root@filesystem:~# kinit diego.lima
> Password for diego.lima@USERS:
> root@filesystem:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: diego.lima@USERS
> Valid starting       Expires              Service principal
> 06/23/10 09:44:49    06/23/10 19:44:49    krbtgt/USERS@USERS
>         renew until 06/24/10 09:44:46
>
> I've also set up SASL to use the kerberos5 auth mechanism and it seems to work:
>
> root@filesystem:~# testsaslauthd -u diego.lima@USERS -p 123456
> 0: OK "Success."
>
> The userPassword value translates to {SASL}diego.lima@USERS
>
> When I try to do an authenticated search on LDAP I see the following:
>
> # ldapsearch -D
> krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br -b
> dc=domain,dc=com,dc=br '(objectClass=*)' -W
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
When doing a SASL bind, you should specify the same username that you are
authenticating with, for saslauthd. Use a '-U diego.lima@USERS' instead of
a -D option:
ldapwhoami -U diego.lima@USERS
> I see nothing on the saslauthd output when I try to log in. Did I miss
> anything? Please note that I'm trying to use the same kerberos
> principal as my user, and this is intended. I did try adding another
> user (account and posixAccount objectClasses) with a separate kerberos
> principal and that did not work either.
By default, the cyrus sasl library will not use saslauthd. You'll need to
create a /usr/lib/sasl2/slapd.conf file with:
pwcheck_method: saslauthd
--
Dan White
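An added example, not part of this thread or of OpenLDAP/cyrus-sasl: a small POSIX shell script that writes the per-application cyrus-sasl config Dan describes, checks that pwcheck_method actually routes password checks to saslauthd, and derives the identity to pass to ldapwhoami -U from a {SASL} userPassword value. It assumes the config directory is /usr/lib/sasl2 as in the reply (overridable, since distributions place it differently) and adds a mech_list line that the thread does not mention, because saslauthd can only verify plaintext mechanisms such as PLAIN and LOGIN.

```shell
#!/bin/sh
# Added example, not from the thread. Writes the cyrus-sasl application
# config that slapd reads and checks the setting that decides whether
# saslauthd is consulted at all. The directory follows Dan's reply; it is
# overridable because distributions place it differently (an assumption).
SASL_CONF_DIR="${SASL_CONF_DIR:-/usr/lib/sasl2}"

write_slapd_sasl_conf() {
    # $1 = path of slapd.conf to write. pwcheck_method is the line from the
    # reply; mech_list is added here (assumption, not from the thread)
    # because saslauthd only verifies plaintext mechanisms, so offering only
    # those avoids binds that can never reach saslauthd.
    cat > "$1" <<'EOF'
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
EOF
}

pwcheck_method_of() {
    # Prints the pwcheck_method configured in $1, or "unset" when the file
    # has no such line (the library default, which does not use saslauthd).
    awk -F: '
        /^[ \t]*pwcheck_method[ \t]*:/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

uses_saslauthd() {
    # Exit status 0 when the config in $1 routes password checks to saslauthd.
    [ "$(pwcheck_method_of "$1")" = "saslauthd" ]
}

sasl_identity_of() {
    # $1 = userPassword value. For a {SASL} pass-through such as
    # {SASL}diego.lima@USERS, prints the identity to hand to ldapwhoami -U;
    # returns 1 for any other scheme ({SSHA}, cleartext, ...), which slapd
    # would check itself instead of via SASL.
    prefix='{SASL}'
    case "$1" in
        "$prefix"?*) printf '%s\n' "${1#"$prefix"}" ;;
        *) return 1 ;;
    esac
}

if [ "${1:-}" = "install" ]; then
    # Usage: sh sasl-check.sh install   (as root, then restart slapd)
    conf="$SASL_CONF_DIR/slapd.conf"
    write_slapd_sasl_conf "$conf"
    uses_saslauthd "$conf" && echo "$conf: slapd will ask saslauthd"
    # Then verify the bind the way the reply suggests, with -U not -D:
    #   ldapwhoami -U diego.lima@USERS
fi
```

Running it with no arguments only defines the functions, so it can be sourced from a larger provisioning script; the install mode writes the file and reports whether the check passed. A missing or differently set pwcheck_method is exactly the silent failure in the thread: slapd accepts the bind attempt, cyrus-sasl never calls saslauthd, and nothing appears in the saslauthd output.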