
Re: SASL auth not working

Dan White wrote:
> On 23/06/10 10:27 -0300, Diego Lima wrote:
>> I'm trying to set up openldap to authenticate using my kerberos
>> service, but I'm not having success so far.
>  
>> The userPassword value translates to {SASL}diego.lima@USERS

IMO that's not needed for SASL/GSSAPI.

>> When I try to do an authenticated search on LDAP I see the following:
>>
>> # ldapsearch -D
>> krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br -b
>> dc=domain,dc=com,dc=br '(objectClass=*)' -W
>> Enter LDAP Password:
>> ldap_bind: Invalid credentials (49)
> 
> When doing a SASL bind, you should specify the same username that you are
> authenticating with, for saslauthd. Use a '-U diego.lima@USERS' instead of
> a -D option:
> 
> ldapwhoami -U diego.lima@USERS

He would also have to specify -Y GSSAPI.
And of course slapd has to be kerberized first to make this work.

> By default, the cyrus sasl library will not use saslauthd. You'll need to
> create a /usr/lib/sasl2/slapd.conf file with:
> 
> pwcheck_method: saslauthd

Are you sure that's suitable for SASL/GSSAPI for Krb5?
Frankly I have some doubts because that's for password-based mechs.

Ciao, Michael.