[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: can't get slapd to do pass-through authentication

To: Quanah Gibson-Mount <quanah@zimbra.com>
Subject: Re: can't get slapd to do pass-through authentication
From: Brent Bice <bbice@sgi.com>
Date: Thu, 05 Aug 2010 15:25:18 -0700
Cc: Dan White <dwhite@olp.net>, openldap-technical@openldap.org, Dieter Kluenter <dieter@dkluenter.de>
In-reply-to: <D346BB5C79CAAB2DBCFCE664@[192.168.1.2]>
References: <4C521855.70307@sgi.com> <87wrs9v8oi.fsf@magenta.l4b.de> <4C59E195.4040908@sgi.com> <20100805014722.GD2613@dan.olp.net> <4C5B2663.5090103@sgi.com> <D346BB5C79CAAB2DBCFCE664@[192.168.1.2]>
User-agent: Thunderbird 2.0.0.24 (X11/20100411)

Quanah Gibson-Mount wrote:

--On Thursday, August 05, 2010 2:00 PM -0700 Brent Bice <bbice@sgi.com>wrote:
I also notice when I
export this record as an LDIF file the userPassword attribute has been
hashed:
userPassword:: e1NBU0x9YmJpY2VAbGRhcA==
This is not a hash. This is base64 encoding, as has been discussed afew thousand times on this list. ;) You simply need to decode it to seethe actual value. This is per RFC.

(slaps forehead) I realized that a bit after I sent the email. Iwas thinking perhaps I didn't have the userPassword set right toconvince slapd to use SASL pass-through authentication, but... it is setright so I still don't know why it's not contacting saslauthd. Hmph.

Dan White wrote:
See if you can find out what --with-configdir option was passed to your
cyrus sasl ./configure when it was compiled, which defaults to
/usr/lib/sasl2 (regardless of where the libraries are actually installed).

I built all the sasl, openldap, openssl, zlib, etc from source. Onall of them I set a --prefix to the same place (a directory containingthis version of our LDAP server binaries). So I didn't specify a--with-configdir option but I'd expect it'd default to theprefix_dir/lib/sasl2/.


   Aha!  The config.status file contains this, however:
s,@configdir@,/usr/lib/sasl2:/etc/sasl2,;t t

So perhaps it's not using my prefix_dir/lib/sasl2/slapd.conf file.I'll drop something in /usr/lib/sasl2 just to see if this is the case orI'll rebuild using an explicit --with-configdir.

If you were not creating it in the correct location, then libsasl would
default to using sasldb auxprop for authentication. You could create a test
user:

saslpasswd -c bbice

to see if sasldb is being used.

I don't think testsaslauthd uses libsasl itself, so if none of that works,
you may still need to verify your libsasl is installed and linked
correctly. sample-server and sample-client might help (create a
/usr/lib/sasl2/sample.conf).

You might also try a direct SASL bind against the server to see if that
works. Add 'sasl-secprops none' to your slapd.conf, then do:

ldapwhoami -Y PLAIN -U bbice ...

which should also use saslauthd to authenticate, with pwcheck_method:
saslauthd.


   Thanks for the tips!  I'll try these out too.

Brent

References:
- can't get slapd to do pass-through authentication
  - From: Brent Bice <bbice@sgi.com>
- Re: can't get slapd to do pass-through authentication
  - From: "Dieter Kluenter" <dieter@dkluenter.de>
- Re: can't get slapd to do pass-through authentication
  - From: Brent Bice <bbice@sgi.com>
- Re: can't get slapd to do pass-through authentication
  - From: Dan White <dwhite@olp.net>
- Re: can't get slapd to do pass-through authentication
  - From: Brent Bice <bbice@sgi.com>
- Re: can't get slapd to do pass-through authentication
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: Re: Re: Change User Password (passwd vs. ldappasswd)
Next by Date: Re: can't get slapd to do pass-through authentication
Index(es):
- Chronological
- Thread