
Re: can't get slapd to do pass-through authentication



Quanah Gibson-Mount wrote:
--On Thursday, August 05, 2010 2:00 PM -0700 Brent Bice <bbice@sgi.com> wrote:

I also notice when I
export this record as an LDIF file the userPassword attribute has been
hashed:
userPassword:: e1NBU0x9YmJpY2VAbGRhcA==

This is not a hash. This is base64 encoding, as has been discussed a few thousand times on this list. ;) You simply need to decode it to see the actual value. This is per RFC.

(slaps forehead) I realized that a bit after I sent the email. I was thinking perhaps I didn't have the userPassword set right to convince slapd to use SASL pass-through authentication, but... it is set right so I still don't know why it's not contacting saslauthd. Hmph.

Dan White wrote:
See if you can find out what --with-configdir option was passed to your
cyrus sasl ./configure when it was compiled, which defaults to
/usr/lib/sasl2 (regardless of where the libraries are actually installed).

I built all the sasl, openldap, openssl, zlib, etc from source. On all of them I set a --prefix to the same place (a directory containing this version of our LDAP server binaries). So I didn't specify a --with-configdir option but I'd expect it'd default to the prefix_dir/lib/sasl2/.

   Aha!  The config.status file contains this, however:
s,@configdir@,/usr/lib/sasl2:/etc/sasl2,;t t

So perhaps it's not using my prefix_dir/lib/sasl2/slapd.conf file. I'll drop something in /usr/lib/sasl2 just to see if this is the case or I'll rebuild using an explicit --with-configdir.

If you were not creating it in the correct location, then libsasl would
default to using sasldb auxprop for authentication. You could create a test
user:

saslpasswd -c bbice

to see if sasldb is being used.

I don't think testsaslauthd uses libsasl itself, so if none of that works,
you may still need to verify your libsasl is installed and linked
correctly. sample-server and sample-client might help (create a
/usr/lib/sasl2/sample.conf).

You might also try a direct SASL bind against the server to see if that
works. Add 'sasl-secprops none' to your slapd.conf, then do:

ldapwhoami -Y PLAIN -U bbice ...

which should also use saslauthd to authenticate, with pwcheck_method:
saslauthd.

   Thanks for the tips!  I'll try these out too.

Brent
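To make Quanah's point concrete: the `::` separator in that LDIF line means the value is base64-encoded, not hashed, and once decoded it is exactly the `{SASL}user@realm` marker slapd looks for before handing a simple bind to libsasl. The following is an added example, not code from this thread or from OpenLDAP: a small Python parser for LDIF attribute lines that decodes `attr::` values and classifies a userPassword as pass-through, locally verified hash, or cleartext. The entry it parses is constructed here (the DN is made up); the base64 value is the one from the message above.

```python
import base64
import re

# Scheme prefixes slapd verifies itself against a stored hash. The {SASL}
# prefix is not a hash: it tells slapd to defer the bind to libsasl
# (pass-through), which is what this thread is trying to get working.
HASH_SCHEMES = {"SSHA", "SHA", "SMD5", "MD5", "CRYPT"}

# Constructed sample entry (the DN is made up for this example); the
# userPassword value is the base64 string quoted in the message above.
SAMPLE_LDIF = """dn: uid=bbice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bbice
cn: Brent Bice
userPassword:: e1NBU0x9YmJpY2VAbGRhcA==
"""

# attr, separator (':' = plain, '::' = base64), optional space, value
ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lowercase: [values]}.

    Handles RFC 2849 folding (a continuation line starts with one space)
    and the '::' separator, which marks a base64-encoded value.
    """
    unfolded = text.replace("\n ", "")
    entry = {}
    for line in unfolded.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = ATTR_LINE.match(line)
        if not m:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        attr, sep, raw = m.groups()
        value = base64.b64decode(raw).decode("utf-8") if sep == "::" else raw
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def classify_password(value):
    """Say what kind of userPassword value this is.

    Returns one of:
      ("sasl-passthrough", "user@realm")  slapd will ask libsasl/saslauthd
      ("hashed", "SSHA")                  slapd verifies the hash locally
      ("unknown-scheme", "FOO")           a {FOO} prefix this code doesn't know
      ("cleartext", value)                no scheme prefix at all
    """
    m = re.match(r"^\{([^}]+)\}(.*)$", value)
    if not m:
        return ("cleartext", value)
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme == "SASL":
        return ("sasl-passthrough", rest)
    if scheme in HASH_SCHEMES:
        return ("hashed", scheme)
    return ("unknown-scheme", scheme)


def check_entry(text):
    """Decode every userPassword in an LDIF entry and classify each one."""
    entry = parse_ldif_entry(text)
    return [classify_password(v) for v in entry.get("userpassword", [])]


if __name__ == "__main__":
    for kind, detail in check_entry(SAMPLE_LDIF):
        print(kind, detail)
```

Run against the sample entry this reports `sasl-passthrough bbice@ldap`, confirming the attribute is set the way pass-through needs it; if it had reported `hashed SSHA` instead, slapd would never contact saslauthd for that user no matter how libsasl is configured.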