Re: Simple Bind pass-through to SASL/PLAIN

[Zach Schimke <zschimke@mars.asu.edu>]

I'm using openldap-2.3.32, loglevel = -1 (log grows at 2MB/minute), and 
neither of those tests work. I've even tried with and without the @REALM.


Zach Schimke
Mars Space Flight Facility


On 3/4/2011 1:48 PM, Dan White wrote:
> On 04/03/11 13:22 -0700, Zach Schimke wrote:
> > It was complied with '--enable-spasswd', defined properly in 
> > portable.h,   and I confirm that an ldd of the slapd binary show that 
> > it is linked to sasl.
> >
> > include/portable.h:
> >    /* define to support SASL passwords */
> >    #define SLAPD_SPASSWD 1
> >
> > BUT, the logs say nothing about SASL when a simple bind is performed 
> > to my account with a {SASL} userPassword.
>
> What log level are you capturing at? What version of OpenLDAP are you
> using?
>
> You said you were able to get a SASL PLAIN bind working, so I don't
> believe you have a problem with your /etc/sasl2/slapd.conf config.
>
> What happens if you provide the '{SASL}username@REALM' (or the value in
> your userPassword attribute) as the password? Does it succeed?
>
> > On 3/4/2011 7:54 AM, Dan White wrote:
> > > On 03/03/11 17:07 -0700, Zach Schimke wrote:
> > > > Is there any trick to this?
> > > >
> > > > I am able to get SASL/PLAIN and SASL/GSSAPI binds to work perfectly 
> > > > with my ldap server. What I want to get working is the 
> > > > authentication pass-through.
> > > >
> > > > From what I can gather, it appears that LDAP should be able to 
> > > > authenticate a simple bind, take a look at the userPassword 
> > > > attribute (which contains '{SASL}username@REALM) and perform a 
> > > > SASL/PLAIN from there.
> > > >
> > > > We want to avoid maintaining two separate passwords (LDAP and 
> > > > Kerberos V) although some applications (like phpLDAPAdmin, Drupal, 
> > > > etc) do not allow the use of Kerberos natively.
> > > >
> > > > /etc/sasl2/slapd.conf (using CentOS):
> > > >   pwcheck_method: saslauthd
> > > >
> > > > Here's a snippet of my openldap.log during a simple bind:
> > > >   Mar  3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 ACCEPT from 
> > > > IP=149.169.147.254:56106 (IP=0.0.0.0:636)
> > > >   Mar  3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 TLS 
> > > > established tls_ssf=256 ssf=256
> > > >   Mar  3 16:45:49 kdc1 slapd[28132]: conn=2009 op=0 BIND 
> > > > dn="cn=test account,ou=people,o=mars" method=128
> > > >   Mar  3 16:45:49 kdc1 slapd[28132]: send_ldap_result: conn=2009 
> > > > op=0 p=3
> > > >   Mar  3 16:45:49 kdc1 slapd[28132]: conn=2009 op=0 RESULT tag=97 
> > > > err=49 text=
> > > >   Mar  3 16:45:49 kdc1 slapd[28132]: connection_closing: readying 
> > > > conn=2009 sd=39 for close
> > > >   Mar  3 16:45:49 kdc1 slapd[28132]: connection_close: conn=2009 sd=-1
> > > >   Mar  3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 closed 
> > > > (connection lost)
> > > >
> > > > Anything I should double-check, modify, etc?
> > >
> > > Verify that your openldap installation was compiled with
> > > '--enable-spasswd'.
> > >
> > > Try running saslauthd in debug mode to see if slapd is passing an
> > > authentication attempt.