On 03/03/11 17:07 -0700, Zach Schimke wrote:
Is there any trick to this?
I am able to get SASL/PLAIN and SASL/GSSAPI binds to work perfectly
with my ldap server. What I want to get working is the
authentication pass-through.
From what I can gather, it appears that LDAP should be able to
authenticate a simple bind, take a look at the userPassword
attribute (which contains '{SASL}username@REALM) and perform a
SASL/PLAIN from there.
We want to avoid maintaining two separate passwords (LDAP and
Kerberos V) although some applications (like phpLDAPAdmin, Drupal,
etc) do not allow the use of Kerberos natively.
/etc/sasl2/slapd.conf (using CentOS):
pwcheck_method: saslauthd
Here's a snippet of my openldap.log during a simple bind:
Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 ACCEPT from
IP=149.169.147.254:56106 (IP=0.0.0.0:636)
Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 TLS
established tls_ssf=256 ssf=256
Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 op=0 BIND
dn="cn=test account,ou=people,o=mars" method=128
Mar 3 16:45:49 kdc1 slapd[28132]: send_ldap_result: conn=2009
op=0 p=3
Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 op=0 RESULT tag=97
err=49 text=
Mar 3 16:45:49 kdc1 slapd[28132]: connection_closing: readying
conn=2009 sd=39 for close
Mar 3 16:45:49 kdc1 slapd[28132]: connection_close: conn=2009 sd=-1
Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 closed
(connection lost)
Anything I should double-check, modify, etc?
Verify that your openldap installation was compiled with
'--enable-spasswd'.
Try running saslauthd in debug mode to see if slapd is passing an
authentication attempt.