Simple Bind pass-through to SASL/PLAIN
- To: openldap-technical@openldap.org
- Subject: Simple Bind pass-through to SASL/PLAIN
- From: Zach Schimke <zschimke@mars.asu.edu>
- Date: Thu, 03 Mar 2011 17:07:09 -0700
- Organization: Mars Space Flight Facility
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.14) Gecko/20110221 Thunderbird/3.1.8 ThunderBrowse/3.3.5
Is there any trick to this?
I am able to get SASL/PLAIN and SASL/GSSAPI binds to work perfectly with
my ldap server. What I want to get working is the authentication
pass-through.
From what I can gather, it appears that LDAP should be able to
authenticate a simple bind, take a look at the userPassword attribute
(which contains '{SASL}username@REALM') and perform a SASL/PLAIN from there.
We want to avoid maintaining two separate passwords (LDAP and Kerberos
V) although some applications (like phpLDAPAdmin, Drupal, etc) do not
allow the use of Kerberos natively.
/etc/sasl2/slapd.conf (using CentOS):
pwcheck_method: saslauthd
Here's a snippet of my openldap.log during a simple bind:
Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 ACCEPT from IP=149.169.147.254:56106 (IP=0.0.0.0:636)
Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 TLS established tls_ssf=256 ssf=256
Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 op=0 BIND dn="cn=test account,ou=people,o=mars" method=128
Mar 3 16:45:49 kdc1 slapd[28132]: send_ldap_result: conn=2009 op=0 p=3
Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 op=0 RESULT tag=97 err=49 text=
Mar 3 16:45:49 kdc1 slapd[28132]: connection_closing: readying conn=2009 sd=39 for close
Mar 3 16:45:49 kdc1 slapd[28132]: connection_close: conn=2009 sd=-1
Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 closed (connection lost)
Anything I should double-check, modify, etc?
--
Zach Schimke
Mars Space Flight Facility
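An added example, not part of the post above or of OpenLDAP itself: a small Python script that correlates slapd BIND and RESULT log lines like the ones in the post by (conn, op) and picks out the failed binds, noting the bind method (128 = simple, 163 = SASL) and whether TLS was up on the connection, which is what you want to see at a glance while debugging a {SASL} pass-through against a busy log. The log lines embedded in it are constructed for the example, modelled on the snippet in the post.

```python
import re

# Constructed sample slapd stats-log lines (addresses and extra DNs are made up);
# conn=2009 mirrors the post: a simple bind (method=128) rejected with err=49
# (invalidCredentials), conn=2010 a successful simple bind, conn=2011 a SASL bind.
SAMPLE_LOG = """\
Mar  3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 ACCEPT from IP=192.0.2.10:56106 (IP=0.0.0.0:636)
Mar  3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 TLS established tls_ssf=256 ssf=256
Mar  3 16:45:49 kdc1 slapd[28132]: conn=2009 op=0 BIND dn="cn=test account,ou=people,o=mars" method=128
Mar  3 16:45:49 kdc1 slapd[28132]: conn=2009 op=0 RESULT tag=97 err=49 text=
Mar  3 16:46:02 kdc1 slapd[28132]: conn=2010 fd=40 ACCEPT from IP=192.0.2.11:41000 (IP=0.0.0.0:636)
Mar  3 16:46:02 kdc1 slapd[28132]: conn=2010 op=0 BIND dn="cn=other,ou=people,o=mars" method=128
Mar  3 16:46:02 kdc1 slapd[28132]: conn=2010 op=0 RESULT tag=97 err=0 text=
Mar  3 16:46:05 kdc1 slapd[28132]: conn=2011 op=0 BIND dn="" method=163
Mar  3 16:46:05 kdc1 slapd[28132]: conn=2011 op=0 RESULT tag=97 err=0 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')  # tag=97 is BindResponse
TLS_RE = re.compile(r'conn=(\d+) fd=\d+ TLS established')

# LDAP BindRequest authentication choices as slapd logs them
METHOD_NAMES = {"128": "simple", "163": "SASL"}

def failed_binds(log_text):
    """Pair each BIND with its RESULT by (conn, op); return one dict per failed bind."""
    binds, tls_conns, failures = {}, set(), []
    for line in log_text.splitlines():
        if m := TLS_RE.search(line):
            tls_conns.add(m.group(1))
        elif m := BIND_RE.search(line):
            conn, op, dn, method = m.groups()
            binds[(conn, op)] = (dn, METHOD_NAMES.get(method, method))
        elif m := RESULT_RE.search(line):
            conn, op, err = m.groups()
            if err != "0" and (conn, op) in binds:
                dn, method = binds[(conn, op)]
                failures.append({"conn": conn, "dn": dn, "method": method,
                                 "err": int(err), "tls": conn in tls_conns})
    return failures

if __name__ == "__main__":
    for f in failed_binds(SAMPLE_LOG):
        print(f"conn={f['conn']} {f['method']} bind as {f['dn']!r} "
              f"failed err={f['err']} tls={f['tls']}")
```

Run it against a real log with `failed_binds(open("/var/log/openldap.log").read())`; a simple bind that fails with err=49 even though TLS is established and the entry carries a {SASL} value points at the saslauthd side (pwcheck_method, the saslauthd mechanism, or the realm in the {SASL} value) rather than at the LDAP client.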