[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: can't get slapd to do pass-through authentication
Dan White wrote:
On 04/08/10 14:54 -0700, Brent Bice wrote:
Dieter Kluenter wrote:
Did you create a lib/sasl2/slapd.conf, or wherever your sasl
configuration files are located?
I created a lib/sasl2/slapd.conf file again and in it specified:
pwcheck_method: saslauthd
saslauthd_path: /var/state/saslauthd/mux
If testsaslauth works without specifying a '-f' option, then you shouldn't
need to specify saslauthd_path.
I didn't think so either. I put it in just in case slapd was trying
to figure out where the socket was by reading this file.
And I confirmed that that is, indeed, the path that saslauthd is
listening on (it shows when I run saslauthd with the -d -V flags).
But when I ask OpenLDAP to authenticate a user whose userPassword
attribute is {SASL}bbice@ldap the saslauthd daemon shows no sign of
having received an auth request.
Make sure the user that slapd is running under has permissions to access
the saslauthd mux. You may need to do a 'addgroup openldap sasl' or
something similar to give it permissions.
Yep. At the moment saslauthd and slapd are both being run by the
same account (they're both running as bbice right now). The socket that
got created should definitely be writable by slapd running as the bbice
user:
srwxrwxrwx 1 bbice dco 0 2010-08-05 13:33 /var/state/saslauthd/mux
If I run testsaslauthd -u bbice, however, the authentication works
ok and saslauthd shows testsaslauthd connecting to it. So it appears
slapd isn't contacting saslauthd at all? How does slapd determine
what path to use for the saslauthd socket? lib2/sasl/slapd.conf? Or
saslauthd.conf?
The location is compiled into the sasl glue library at configure time, but
can be changed with the saslauthd_path config option.
Since I didn't see any config options in OpenLDAP's slapd.conf to
specify it, I figured some way of finding the socket must be built into
the SASL libs but I was just guessing.
So... I'm stumped. I took another look at the user record I'm
trying to authenticate with. I reset the userPassword attribute with
this LDIF file:
dn: uid=46313,ou=Employees,ou=People,dc=sgi,dc=com
changetype: modify
replace: userPassword
userPassword: {SASL}bbice@ldap
So that ought to tell slapd to contact saslauthd whenever someone
tries to authenticate against this DN, right? I also notice when I
export this record as an LDIF file the userPassword attribute has been
hashed:
userPassword:: e1NBU0x9YmJpY2VAbGRhcA==
And even if I use a tool like DirectoryStudio and select a hash of
"Plaintext" and enter in {SASL}bbice@ldap the userPassword attribute
still gets exported hashed. Would this matter? Perhaps slapd isn't
contacting SASL because I haven't set the userPassword attribute
correctly???
Brent