
Re: Authenticate to ldap using Kerberos



On Wed, 2010-09-08 at 21:34 -0500, Dan White wrote: 
> On 09/09/10 10:21 +0800, Wouter van Marle wrote:
> >> That requires pass-through authentication.
> >
> >I see.
> >Well with the above instructions nothing seems to have changed.
> >I have restarted saslauthd and slapd after making the changes, and when
> >now accessing the ldap addressbook using Evolution, I still have to use
> >the ldap stored password, not the krb password.
> >
> >Wouter.
> 
> To be a little more explicit, to enable pass-through authentication, you
> will need to replace the password (userPassword attribute) with:
> 
> userPassword: {SASL}username@realm

When I get it working I am considering writing a tutorial - maybe
useful. I haven't been able to find anything like it on the internet.
The above I have never seen; just once a suggestion to change the
password to {KERBEROS}username, but well, that also didn't work :)

It's much harder to get working than I ever expected, really. Even
more so, I'm surprised that OpenLDAP doesn't support this "out of the
box", or with some minor settings.

Anyway, I have changed my userPassword field (using GQ) to
{SASL}wouter@SQUIRREL
It still doesn't work, of course.
Also not when I set it to {SASL}wouter

In syslog I found the following error related to my attempt to open the
address book in Evolution:
Sep  9 12:15:32 acorn slapd[15925]: conn=14 op=43 SEARCH RESULT tag=101 err=0 nentries=59 text=
Sep  9 12:15:39 acorn slapd[15925]: conn=135 fd=54 ACCEPT from IP=192.168.2.4:39863 (IP=0.0.0.0:389)
Sep  9 12:15:39 acorn slapd[15925]: conn=135 op=0 BIND dn="uid=wouter,ou=People,dc=squirrel" method=128
Sep  9 12:15:39 acorn slapd[15925]: SASL [conn=135] Failure: cannot connect to saslauthd server: Permission denied
Sep  9 12:15:39 acorn slapd[15925]: conn=135 op=0 RESULT tag=97 err=49 text=

So there is something in saslauthd that does not accept connections from
slapd. Now the big question is why, as I have no idea where to start
searching for this.

Wouter.



> 
> for instance:
> 
> dn: uid=jsmith,dc=example,dc=com
> ...
> userPassword: {SASL}jsmith
> 
> In this case, the user will have no valid password defined in LDAP (or at
> least not in the userPassword attribute).
> 
> When attempting to perform a non-sasl bind, slapd will use saslauthd to
> authenticate, by taking the username (from the userPassword field), and the
> password that was submitted.
>
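The "cannot connect to saslauthd server: Permission denied" line in Wouter's log is slapd, running as its unprivileged service user, being refused by the Unix socket that saslauthd listens on; it never gets as far as sending the password. Two things are worth checking on the server: whether the slapd user can traverse the socket's directory and open the socket, and, once it can, whether saslauthd actually accepts the login and realm that the {SASL}username@realm value names. The script below is an added example, not code from this thread or from OpenLDAP or Cyrus SASL. It speaks the saslauthd mux wire format (four strings, login, password, service and realm, each prefixed with a 16-bit big-endian length; the reply is a length-prefixed "OK ..." or "NO ..." text), runs the exchange against a small stand-in daemon on a temporary socket so it works offline, and evaluates the path permissions the way the kernel would. The mux path /var/run/saslauthd/mux, the uid 106 for the slapd user, the gid 45 for the sasl group and the root:sasl 0710 directory in the constructed permission check are assumptions modelled on a Debian-style layout, not facts taken from the thread.

```python
"""Added example: saslauthd mux client, fake daemon and socket-permission check.
Not from the thread or from the OpenLDAP / Cyrus SASL projects."""
import collections
import grp
import os
import pwd
import socket
import stat
import struct
import tempfile
import threading

SASL_PREFIX = "{SASL}"
Entry = collections.namedtuple("Entry", "path st_mode st_uid st_gid")


def parse_sasl_userpassword(value):
    """Split '{SASL}user@realm' into (login, realm); realm is '' when no '@' is present."""
    if not value.startswith(SASL_PREFIX):
        raise ValueError("not a {SASL} pass-through value")
    login, _, realm = value[len(SASL_PREFIX):].partition("@")
    return login, realm


def _field(text):
    data = text.encode()
    return struct.pack("!H", len(data)) + data      # 16-bit big-endian length, then bytes


def encode_request(login, password, service, realm):
    """One saslauthd mux request: login, password, service, realm, each length-prefixed."""
    return b"".join(_field(f) for f in (login, password, service, realm))


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def _read_field(sock):
    (n,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, n).decode(errors="replace")


def saslauthd_check(sock_path, login, password, service="ldap", realm=""):
    """Send one request to the mux socket; return (ok, reply_text).
    A PermissionError raised by connect() is the failure slapd logged."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(encode_request(login, password, service, realm))
        reply = _read_field(s)
    return reply.startswith("OK"), reply


def fake_saslauthd(sock_path, users):
    """Stand-in for saslauthd (constructed for the example): `users` maps
    (login, realm) -> password; serves one request per connection in a daemon thread."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                              # listening socket closed
            with conn:
                login, password, _service, realm = (_read_field(conn) for _ in range(4))
                reply = b"OK success" if users.get((login, realm)) == password \
                    else b"NO authentication failed"
                conn.sendall(struct.pack("!H", len(reply)) + reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def run_exchange():
    """Right and wrong password against the fake daemon; returns both (ok, reply) tuples."""
    with tempfile.TemporaryDirectory() as d:
        sock_path = os.path.join(d, "mux")
        srv = fake_saslauthd(sock_path, {("wouter", "SQUIRREL"): "secret"})   # constructed user
        try:
            login, realm = parse_sasl_userpassword("{SASL}wouter@SQUIRREL")
            good = saslauthd_check(sock_path, login, "secret", realm=realm)
            bad = saslauthd_check(sock_path, login, "wrong", realm=realm)
        finally:
            srv.close()
    return good, bad


def _bits_allow(st, uid, gids, need):
    """POSIX DAC: pick the owner/group/other triad that applies to (uid, gids)
    and require every bit in `need` ('r', 'w', 'x'). Root bypasses the check."""
    if uid == 0:
        return True
    shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0
    want = sum({"r": 4, "w": 2, "x": 1}[c] for c in need)
    return ((st.st_mode >> shift) & 7) & want == want


def mux_access_problems(entries, uid, gids):
    """Directories on the way to the socket need 'x', the socket itself 'rw'.
    Returns the paths the given user cannot pass (empty list = connect() should succeed)."""
    return [e.path for e in entries
            if not _bits_allow(e, uid, gids, "rw" if stat.S_ISSOCK(e.st_mode) else "x")]


def stat_chain(sock_path):
    """stat() every component below '/' down to the socket, for running this on the real box."""
    parts = os.path.abspath(sock_path).split(os.sep)
    return [Entry(p, *os.stat(p)[stat.ST_MODE:stat.ST_GID + 1])
            for p in ("/".join(parts[:i]) for i in range(2, len(parts) + 1))]


def user_ids(username):
    """uid and full group set of an account, including supplementary groups."""
    pw = pwd.getpwnam(username)
    return pw.pw_uid, {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}


if __name__ == "__main__":
    print("fake daemon exchange:", run_exchange())
    # On a real server (assumed paths/user): which components block slapd's user?
    # print(mux_access_problems(stat_chain("/var/run/saslauthd/mux"), *user_ids("openldap")))
```

On the real machine the same check is what `testsaslauthd -u wouter -p <password> -r SQUIRREL -s ldap -f /var/run/saslauthd/mux` does; run it first as root to confirm saslauthd accepts the credentials at all, then as the slapd service user to see whether the socket itself is reachable. When the directory is mode 0710 and group-owned by sasl, the usual remedy is adding the slapd user to that group and restarting slapd; `mux_access_problems` above reports exactly which path component denies the user, so the fix is not guesswork.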