[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: can't get slapd to do pass-through authentication

To: Dan White <dwhite@olp.net>
Subject: Re: can't get slapd to do pass-through authentication
From: Brent Bice <bbice@sgi.com>
Date: Thu, 05 Aug 2010 14:00:19 -0700
Cc: Dieter Kluenter <dieter@dkluenter.de>, openldap-technical@openldap.org
In-reply-to: <20100805014722.GD2613@dan.olp.net>
References: <4C521855.70307@sgi.com> <87wrs9v8oi.fsf@magenta.l4b.de> <4C59E195.4040908@sgi.com> <20100805014722.GD2613@dan.olp.net>
User-agent: Thunderbird 2.0.0.24 (X11/20100411)

Dan White wrote:

On 04/08/10 14:54 -0700, Brent Bice wrote:

Dieter Kluenter wrote:

Did you create a lib/sasl2/slapd.conf, or wherever your sasl
configuration files are located?


   I created a lib/sasl2/slapd.conf file again and in it specified:
pwcheck_method:    saslauthd
saslauthd_path:    /var/state/saslauthd/mux


If testsaslauth works without specifying a '-f' option, then you shouldn't
need to specify saslauthd_path.

I didn't think so either. I put it in just in case slapd was tryingto figure out where the socket was by reading this file.

And I confirmed that that is, indeed, the path that saslauthd islistening on (it shows when I run saslauthd with the -d -V flags).But when I ask OpenLDAP to authenticate a user whose userPasswordattribute is {SASL}bbice@ldap the saslauthd daemon shows no sign ofhaving received an auth request.
Make sure the user that slapd is running under has permissions to access
the saslauthd mux. You may need to do a 'addgroup openldap sasl' or
something similar to give it permissions.

Yep. At the moment saslauthd and slapd are both being run by thesame account (they're both running as bbice right now). The socket thatgot created should definitely be writable by slapd running as the bbiceuser:

srwxrwxrwx 1 bbice dco 0 2010-08-05 13:33 /var/state/saslauthd/mux

If I run testsaslauthd -u bbice, however, the authentication worksok and saslauthd shows testsaslauthd connecting to it. So it appearsslapd isn't contacting saslauthd at all? How does slapd determinewhat path to use for the saslauthd socket? lib2/sasl/slapd.conf? Orsaslauthd.conf?
The location is compiled into the sasl glue library at configure time, but
can be changed with the saslauthd_path config option.

Since I didn't see any config options in OpenLDAP's slapd.conf tospecify it, I figured some way of finding the socket must be built intothe SASL libs but I was just guessing.

So... I'm stumped. I took another look at the user record I'mtrying to authenticate with. I reset the userPassword attribute withthis LDIF file:

dn: uid=46313,ou=Employees,ou=People,dc=sgi,dc=com
changetype: modify
replace: userPassword
userPassword: {SASL}bbice@ldap

So that ought to tell slapd to contact saslauthd whenever someonetries to authenticate against this DN, right? I also notice when Iexport this record as an LDIF file the userPassword attribute has beenhashed:

userPassword:: e1NBU0x9YmJpY2VAbGRhcA==

And even if I use a tool like DirectoryStudio and select a hash of"Plaintext" and enter in {SASL}bbice@ldap the userPassword attributestill gets exported hashed. Would this matter? Perhaps slapd isn'tcontacting SASL because I haven't set the userPassword attributecorrectly???


Brent

Follow-Ups:
- Re: can't get slapd to do pass-through authentication
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: can't get slapd to do pass-through authentication
  - From: Dan White <dwhite@olp.net>

References:
- can't get slapd to do pass-through authentication
  - From: Brent Bice <bbice@sgi.com>
- Re: can't get slapd to do pass-through authentication
  - From: "Dieter Kluenter" <dieter@dkluenter.de>
- Re: can't get slapd to do pass-through authentication
  - From: Brent Bice <bbice@sgi.com>
- Re: can't get slapd to do pass-through authentication
  - From: Dan White <dwhite@olp.net>

Prev by Date: RE: How to check LDAP replication status?
Next by Date: Re: can't get slapd to do pass-through authentication
Index(es):
- Chronological
- Thread