Re: can't get slapd to do pass-through authentication
Quanah Gibson-Mount wrote:
> --On Thursday, August 05, 2010 2:00 PM -0700 Brent Bice <bbice@sgi.com> wrote:
>> I also notice when I export this record as an LDIF file the userPassword
>> attribute has been hashed:
>> userPassword:: e1NBU0x9YmJpY2VAbGRhcA==
> This is not a hash. This is base64 encoding, as has been discussed a
> few thousand times on this list. ;) You simply need to decode it to see
> the actual value. This is per RFC.

(slaps forehead) I realized that a bit after I sent the email. I
was thinking perhaps I didn't have the userPassword set right to
convince slapd to use SASL pass-through authentication, but... it is set
right so I still don't know why it's not contacting saslauthd. Hmph.
Dan White wrote:
> See if you can find out what --with-configdir option was passed to your
> cyrus sasl ./configure when it was compiled, which defaults to
> /usr/lib/sasl2 (regardless of where the libraries are actually installed).

I built all the sasl, openldap, openssl, zlib, etc. from source. On
all of them I set a --prefix to the same place (a directory containing
this version of our LDAP server binaries). So I didn't specify a
--with-configdir option but I'd expect it'd default to the
prefix_dir/lib/sasl2/.

Aha! The config.status file contains this, however:
s,@configdir@,/usr/lib/sasl2:/etc/sasl2,;t t
So perhaps it's not using my prefix_dir/lib/sasl2/slapd.conf file.
I'll drop something in /usr/lib/sasl2 just to see if this is the case or
I'll rebuild using an explicit --with-configdir.

> If you were not creating it in the correct location, then libsasl would
> default to using sasldb auxprop for authentication. You could create a test
> user:
> saslpasswd -c bbice
> to see if sasldb is being used.
> I don't think testsaslauthd uses libsasl itself, so if none of that works,
> you may still need to verify your libsasl is installed and linked
> correctly. sample-server and sample-client might help (create a
> /usr/lib/sasl2/sample.conf).
> You might also try a direct SASL bind against the server to see if that
> works. Add 'sasl-secprops none' to your slapd.conf, then do:
> ldapwhoami -Y PLAIN -U bbice ...
> which should also use saslauthd to authenticate, with pwcheck_method:
> saslauthd.
Thanks for the tips! I'll try these out too.
Brent
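Added example, not code from this thread or from OpenLDAP: a small Python LDIF reader that treats the `::` separator as base64 (Quanah's point above) and classifies each decoded userPassword by its `{SCHEME}` prefix, so an admin can confirm the `{SASL}` pass-through marker is really what slapd stored before blaming saslauthd. The sample entry, the `{SSHA}` value and the cleartext value are constructed; only the base64 string comes from the thread.

```python
import base64
import re
# Constructed sample entry (not the poster's real data); the first
# userPassword is the base64 value quoted in the thread.
SAMPLE_LDIF = """\
dn: uid=bbice,ou=people,dc=example,dc=com
userPassword:: e1NBU0x9YmJpY2VAbGRhcA==
description:: VGhpcyBpcyBh
 IHRlc3QgdXNlcg==
userPassword: {SSHA}constructed-hash-placeholder
userPassword: cleartext-placeholder
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::|:<|:)\s*(.*)$")
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")

def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def parse_ldif(text):
    """Return (attribute, value) pairs; a '::' separator means base64, not a hash."""
    pairs = []
    for line in unfold(text):
        m = ATTR_RE.match(line)
        if not m:
            continue  # skips blank lines and '#' comment lines
        attr, sep, raw = m.groups()
        if sep == "::":
            value = base64.b64decode(raw).decode("utf-8")
        else:
            value = raw  # plain value, or an unfetched ':<' URL reference
        pairs.append((attr, value))
    return pairs

def password_scheme(value):
    """Classify a userPassword value: {SASL} = pass-through, other {X} = hash scheme."""
    m = SCHEME_RE.match(value)
    if not m:
        return "cleartext"
    return "passthrough" if m.group(1).upper() == "SASL" else m.group(1).upper()

def audit_passwords(text):
    return [(v, password_scheme(v)) for a, v in parse_ldif(text) if a.lower() == "userpassword"]
```

Run `audit_passwords` over an `slapcat` dump to list every entry whose password is stored in cleartext or routed to saslauthd via `{SASL}`.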