On 15/11/11 12:00 +0100, Raffael Sahli wrote:
> Date: Fri, 11 Nov 2011 08:41:21 -0600
> From: dwhite@olp.net
> To: raffi.sahli@hotmail.com
> CC: openldap-technical@openldap.org
> Subject: Re: OpenLDAP SASL Passthrough
>
> On 11/11/11 12:48 +0100, Raffael Sahli wrote:
> >testsaslauthd works well:
> >[root@ldap-master001 /]#---> testsaslauthd -u test -p MYPASSWORD -r MY_REALM -s ldap
> >
> >0: OK "Success."
> >
> >sasl debug log:
> >saslauthd[26077] :do_auth : auth success: [user=test] [service=ldap]
> >[realm=MY_REALM] [mech=kerberos5]
> >
> >saslauthd[26077] :do_request : response: OK
> >And the sasl debug log shows:
> >
> >saslauthd[26076] :do_auth : auth failure: [user=test] [service=ldap]
> >[realm=MY_REALM] [mech=kerberos5] [reason=saslauthd internal error]
>
> For a more apples to apples comparison, try running testsaslauthd as
> the same user that your slapd process is running under. I can't see
> how this would be a permissions problem though.
>
> Nope, same problem (or same success message ^^ ) with the slapd running user "openldap".
> saslauthd works with sasl user "test" when run as user openldap or root, and ldapsearch with user "test" doesn't...
For mech=kerberos5, there are several possible reasons for 'saslauthd
internal error'. Each of them should log an explanation to syslog (to
auth.err). You should see one of:

auth_krb5: could not generate ccache name
auth_krb5: krb5_cc_resolve
auth_krb5: krb5_kt_resolve
auth_krb5: NULL password or username?
auth_krb5: krb5_init_context
auth_krb5: krb5_parse_name
auth_krb5: could not generate ticket file name
auth_krb5: krb5_cc_resolve
auth_krb5: krb5_cc_initialize
auth_krb5: krb5_get_init_creds_password: %d
auth_krb5: krb5_cc_store_cred
auth_krb5: k5support_verify_tgt

-- 
Dan White
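As an added example (editor's code, not part of Dan White's message and not Cyrus SASL's own tooling), the following Python script applies the advice above: it reads saslauthd syslog lines and pairs each "saslauthd internal error" failure with the auth_krb5 explanation the same saslauthd child logged just before it, so the failing Kerberos step can be read off directly. The log lines are constructed for the example; the syslog line layout ("... saslauthd[<pid>]: <message>") and the per-pid correlation are assumptions about how the daemon logs, not something the thread states.

```python
import re

# Explanations saslauthd's kerberos5 backend (auth_krb5) writes to syslog
# before answering "saslauthd internal error", as listed in the message
# above. "%d" is a printf placeholder, so that entry is matched as a prefix.
AUTH_KRB5_MESSAGES = [
    "auth_krb5: could not generate ccache name",
    "auth_krb5: krb5_cc_resolve",
    "auth_krb5: krb5_kt_resolve",
    "auth_krb5: NULL password or username?",
    "auth_krb5: krb5_init_context",
    "auth_krb5: krb5_parse_name",
    "auth_krb5: could not generate ticket file name",
    "auth_krb5: krb5_cc_initialize",
    "auth_krb5: krb5_get_init_creds_password:",
    "auth_krb5: krb5_cc_store_cred",
    "auth_krb5: k5support_verify_tgt",
]

# Constructed sample syslog excerpt (assumed layout, not copied from the
# thread): one successful request, one failure with an explanation logged
# by the same child, and one failure with no explanation captured at all.
SAMPLE_SYSLOG = """\
Nov 15 11:58:01 ldap-master001 saslauthd[26077]: do_auth         : auth success: [user=test] [service=ldap] [realm=MY_REALM] [mech=kerberos5]
Nov 15 11:58:01 ldap-master001 saslauthd[26077]: do_request      : response: OK
Nov 15 11:59:42 ldap-master001 saslauthd[26076]: auth_krb5: krb5_kt_resolve
Nov 15 11:59:42 ldap-master001 saslauthd[26076]: do_auth         : auth failure: [user=test] [service=ldap] [realm=MY_REALM] [mech=kerberos5] [reason=saslauthd internal error]
Nov 15 11:59:42 ldap-master001 saslauthd[26076]: do_request      : response: NO
Nov 15 12:00:10 ldap-master001 saslauthd[26078]: do_auth         : auth failure: [user=test] [service=ldap] [realm=MY_REALM] [mech=kerberos5] [reason=saslauthd internal error]
"""

LINE_RE = re.compile(r"saslauthd\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$")
USER_RE = re.compile(r"\[user=(?P<user>[^\]]*)\]")
INTERNAL_ERROR = "[reason=saslauthd internal error]"


def known_krb5_message(msg):
    """Return the AUTH_KRB5_MESSAGES entry that msg starts with, or None."""
    for known in AUTH_KRB5_MESSAGES:
        if msg.startswith(known):
            return known
    return None


def diagnose(syslog_text):
    """Pair every 'saslauthd internal error' failure with the auth_krb5 line
    the same saslauthd child (pid) logged immediately before it.

    Returns a list of dicts with keys pid, user, explanation (the auth_krb5
    line, or None if none preceded the failure) and known (True when the
    explanation is one of the documented auth_krb5 messages)."""
    last_explanation = {}  # pid -> most recent auth_krb5 line not yet consumed
    findings = []
    for line in syslog_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg").strip()
        if msg.startswith("auth_krb5:"):
            last_explanation[pid] = msg
        elif "auth failure" in msg and INTERNAL_ERROR in msg:
            um = USER_RE.search(msg)
            explanation = last_explanation.pop(pid, None)
            findings.append({
                "pid": pid,
                "user": um.group("user") if um else None,
                "explanation": explanation,
                "known": bool(explanation) and known_krb5_message(explanation) is not None,
            })
        elif "auth success" in msg or "auth failure" in msg:
            # Any other do_auth result closes that request, so an earlier
            # auth_krb5 line must not be blamed for a later, unrelated failure.
            last_explanation.pop(pid, None)
    return findings


def report(findings):
    """Render findings as one human-readable line each."""
    lines = []
    for f in findings:
        if f["explanation"] is None:
            lines.append("pid %s user %s: internal error but no auth_krb5 line logged; "
                         "check that the auth facility is being captured" % (f["pid"], f["user"]))
        else:
            tag = "documented" if f["known"] else "undocumented"
            lines.append("pid %s user %s: failed at '%s' (%s auth_krb5 message)"
                         % (f["pid"], f["user"], f["explanation"], tag))
    return lines


if __name__ == "__main__":
    for line in report(diagnose(SAMPLE_SYSLOG)):
        print(line)
```

Run it against the real log with `diagnose(open("/var/log/auth.log").read())` (path varies by distribution). A failure with no auth_krb5 line at all is itself informative: the advice above says every internal error should be accompanied by one, so its absence points at syslog not recording the auth facility rather than at Kerberos.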