
RE: OpenLDAP SASL Passthrough

> Date: Fri, 11 Nov 2011 08:41:21 -0600
> From: dwhite@olp.net
> To: raffi.sahli@hotmail.com
> CC: openldap-technical@openldap.org
> Subject: Re: OpenLDAP SASL Passthrough
>
> On 11/11/11 12:48 +0100, Raffael Sahli wrote:
> >
> >Hi,
> >
> >I'm so confused with the sasl passthrough implementation.
> >
> >I set for the user test in my ldap tree the password {SASL}test@MY_REALM
> >
> >Keytab:
> >[test@ldap-master001 /]#--> ls /etc/krb5.keytab -l
> >
> >-rw-r----- 1 root openldap 1078 2011-11-11 11:56 /etc/krb5.keytab
>
> Happy 11-11-11 day.

^^


>
> >SASL GSSAPI Auth: works well
> >
> >[test@ldap-master001 /]#--> ldapwhoami
> >
> >SASL/GSSAPI authentication started
> >
> >SASL username: test@MY_REALM
> >SASL SSF: 56
> >
> >SASL data security layer installed.
> >
> >dn:uid=test,cn=mycomany.net,cn=gssapi,cn=auth
> >
> >
> >
> >
> >SASL SLAPD Config:
> >[root@ldap-master001 /]#---> cat /usr/lib/sasl2/slapd.conf
> >
> >pwcheck_method: saslauthd
> >
> >saslauthd_path: /var/run/saslauthd/mux
> >
> >keytab: /etc/krb5.keytab
> >
> >
> >
> >testsaslauthd works well:
> >[root@ldap-master001 /]#---> testsaslauthd -u test -p MYPASSWORD -r MY_REALM -s ldap
> >
> >0: OK "Success."
> >
> >
> >
> >sasl debug log:
> >saslauthd[26077] :do_auth : auth success: [user=test] [service=ldap]
> >[realm=MY_REALM] [mech=kerberos5]
> >
> >saslauthd[26077] :do_request : response: OK
> >
> >
> >
> >
> >
> >But the ldapsearch simplebind command takes 7-10s...
> >
> >[test@ldap-master001 /]#--> ldapsearch -D
> >uid=test,ou=users,dc=my,dc=company -w MYPASSWORD
> >-s base -b ''
> >-x
> >ldap_bind: Invalid credentials (49)
> >
> >
> >
> >
> >And the sasl debug log shows:
> >
> >saslauthd[26076] :do_auth : auth failure: [user=test] [service=ldap]
> >[realm=MY_REALM] [mech=kerberos5] [reason=saslauthd internal error]
>
> For a more apples to apples comparison, try running testsaslauthd as the
> same user that your slapd process is running under. I can't see how this
> would be a permissions problem though.

Nope, same problem (or same success message ^^) with slapd running as user "openldap".
saslauthd works for SASL user "test" when run as user openldap or root, and ldapsearch as user "test" doesn't...


> Try running saslauthd in debug mode to see if you get any additional
> errors.
Nope, just a success message with testsaslauthd:

> >saslauthd[26077] :do_auth : auth success: [user=test] [service=ldap]
> >[realm=MY_REALM] [mech=kerberos5]
> >
> >saslauthd[26077] :do_request : response: OK
> >

and with LDAP simple auth, an error:
> >saslauthd[26076] :do_auth : auth failure: [user=test] [service=ldap]
> >[realm=MY_REALM] [mech=kerberos5] [reason=saslauthd internal error]


> Do you see anything useful in your kdc logs?
Yes, but I think everything is fine...
I get this message in the KDC syslog with ldapsearch (simple bind + SASL passthrough):

Nov 15 11:48:03 kerberos001 krb5kdc[25110]: AS_REQ (4 etypes {18 17 16 23}) 192.168.20.54: ISSUE: authtime 1321354083, etypes {rep=18 tkt=18 ses=18}, test@REALM for krbtgt/REALM@REALM
Nov 15 11:48:20 kerberos001 krb5kdc[25110]: DISPATCH: repeated (retransmitted?) request from 192.168.20.54, resending previous response

And with testsaslauthd (success), there are no syslog entries on the KDC master.
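The thread compares a succeeding testsaslauthd run with a failing slapd simple bind using two log excerpts read by eye. The script below is an added example, not part of the thread and not code from OpenLDAP or Cyrus SASL: it parses saslauthd do_auth result lines and krb5kdc AS_REQ/DISPATCH lines, pairs each authentication result with the KDC events in a time window around it, and reports whether the KDC answered, whether the client retransmitted, and how long after the first answer. The sample lines are constructed after the ones posted; the syslog prefixes, hostnames, process ids, timestamps and the year are assumptions, as is the verdict logic, which is a triage heuristic rather than a diagnosis.

```python
"""Correlate saslauthd do_auth results with krb5kdc activity around them.

Added example, not from the thread or from OpenLDAP/Cyrus SASL.  The sample
lines are constructed after the ones posted; prefixes, hosts, pids, times and
the year are made up (syslog omits the year).
"""
import re
from datetime import datetime, timedelta

ASSUMED_YEAR = 2011  # syslog timestamps carry no year

# "Nov 15 11:48:21 host saslauthd[26076]: do_auth : auth failure: [user=..] ... [reason=..]"
SASL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ saslauthd\[(?P<pid>\d+)\] ?: ?do_auth\s*:\s*"
    r"auth (?P<result>success|failure): \[user=(?P<user>[^\]]*)\] "
    r"\[service=(?P<service>[^\]]*)\] \[realm=(?P<realm>[^\]]*)\] "
    r"\[mech=(?P<mech>[^\]]*)\](?: \[reason=(?P<reason>[^\]]*)\])?"
)
# "Nov 15 11:48:03 host krb5kdc[25110]: <body>"
KDC_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]: (?P<body>.*)$")
AS_REQ_ISSUE_RE = re.compile(r"^AS_REQ \(.*?\) (?P<ip>[\d.]+): ISSUE: .*?, (?P<princ>\S+) for ")
RETRANSMIT_RE = re.compile(r"^DISPATCH: repeated \(retransmitted\?\) request from (?P<ip>[\d.]+)")


def _ts(text):
    return datetime.strptime(f"{ASSUMED_YEAR} {text}", "%Y %b %d %H:%M:%S")


def parse_saslauthd(line):
    """Return the fields of a saslauthd do_auth result line, or None."""
    m = SASL_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"], d["pid"] = _ts(d["ts"]), int(d["pid"])
    return d


def parse_kdc(line):
    """Classify a krb5kdc syslog line as a TGT issue, a retransmit, or other."""
    m = KDC_RE.match(line)
    if not m:
        return None
    ts, body = _ts(m["ts"]), m["body"]
    if (a := AS_REQ_ISSUE_RE.match(body)):
        return {"ts": ts, "kind": "issue", "ip": a["ip"], "princ": a["princ"]}
    if (r := RETRANSMIT_RE.match(body)):
        return {"ts": ts, "kind": "retransmit", "ip": r["ip"], "princ": None}
    return {"ts": ts, "kind": "other", "ip": None, "princ": None}


def correlate(sasl_lines, kdc_lines, window_s=30):
    """Pair each saslauthd result with KDC events within +/- window_s seconds.

    Heuristic verdicts: an 'issue' followed by a 'retransmit' means the KDC
    answered but the client asked again, so the reply was lost or not accepted
    on the saslauthd side; no KDC activity means that path never reached this KDC.
    """
    kdc_events = [e for e in map(parse_kdc, kdc_lines) if e]
    findings = []
    for auth in filter(None, map(parse_saslauthd, sasl_lines)):
        lo, hi = auth["ts"] - timedelta(seconds=window_s), auth["ts"] + timedelta(seconds=window_s)
        near = sorted((e for e in kdc_events if lo <= e["ts"] <= hi), key=lambda e: e["ts"])
        issues = [e for e in near if e["kind"] == "issue"]
        retries = [e for e in near if e["kind"] == "retransmit"]
        if not near:
            verdict = "no-kdc-activity"
        elif issues and retries:
            verdict = "kdc-answered-client-retried"
        elif issues:
            verdict = "kdc-answered"
        else:
            verdict = "kdc-other"
        delay = (retries[0]["ts"] - issues[0]["ts"]).total_seconds() if issues and retries else None
        findings.append({
            "ts": auth["ts"], "user": f'{auth["user"]}@{auth["realm"]}', "result": auth["result"],
            "reason": auth["reason"], "verdict": verdict, "retry_delay": delay,
            "kdc_clients": sorted({e["ip"] for e in near if e["ip"]}),
        })
    return findings


# Constructed sample, modelled on the thread: the slapd simple bind fails after the
# KDC has already issued a TGT and seen a retransmit; the later testsaslauthd run
# succeeds with nothing logged on the KDC.
SASLAUTHD_LOG = [
    "Nov 15 11:48:21 ldap-master001 saslauthd[26076]: do_auth : auth failure: [user=test] "
    "[service=ldap] [realm=MY_REALM] [mech=kerberos5] [reason=saslauthd internal error]",
    "Nov 15 11:50:02 ldap-master001 saslauthd[26077]: do_auth : auth success: [user=test] "
    "[service=ldap] [realm=MY_REALM] [mech=kerberos5]",
]
KDC_LOG = [
    "Nov 15 11:48:03 kerberos001 krb5kdc[25110]: AS_REQ (4 etypes {18 17 16 23}) 192.168.20.54: "
    "ISSUE: authtime 1321354083, etypes {rep=18 tkt=18 ses=18}, test@MY_REALM for krbtgt/MY_REALM@MY_REALM",
    "Nov 15 11:48:20 kerberos001 krb5kdc[25110]: DISPATCH: repeated (retransmitted?) request "
    "from 192.168.20.54, resending previous response",
]

if __name__ == "__main__":
    for f in correlate(SASLAUTHD_LOG, KDC_LOG):
        print(f'{f["ts"]:%H:%M:%S} {f["user"]} {f["result"]:7} {f["verdict"]} '
              f'delay={f["retry_delay"]} reason={f["reason"]} kdc_clients={f["kdc_clients"]}')
```

Feed real syslog files instead of the constructed lists to use it on a live setup. The number worth looking at for the failing bind is the retransmit delay: when it lands in the same range as the slow simple bind, the KDC has replied and the time is being lost between the KDC reply and saslauthd, whereas a result with no KDC activity at all in the window means that authentication never reached this KDC.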