[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Trying to get passthrough auth working with OpenLDAP and Kerberos

To: Raffael Sahli <public@raffaelsahli.com>
Subject: Re: Trying to get passthrough auth working with OpenLDAP and Kerberos
From: Howard Chu <hyc@symas.com>
Date: Thu, 26 Jan 2012 14:38:44 -0800
Cc: Chastity Blackwell <chas@aggregateknowledge.com>, openldap-technical@openldap.org
In-reply-to: <4F21D1E9.2090706@raffaelsahli.com>
References: <1327522485.16182.17.camel@localhost.localdomain> <20120125221601.GI4556@dan.olp.net> <1327607031.16182.20.camel@localhost.localdomain> <20120126202313.GE4618@dan.olp.net> <1327614786.16182.23.camel@localhost.localdomain> <4F21D1E9.2090706@raffaelsahli.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0a1) Gecko/20111224 Firefox/12.0a1 SeaMonkey/2.9a1

Raffael Sahli wrote:

On 26.01.2012 22:53, Chastity Blackwell wrote:

On Thu, 2012-01-26 at 15:23 -0500, Dan White wrote:

That indicates a mistake in your /etc/sasl2/slapd.conf, which should have:

saslauthd_path: /var/run/saslauthd/mux

not /var/run/sasl2/mux

Well, now I just feel like an idiot. :) That did move things along a
bit, though now I'm getting this error:

2012-01-26T13:48:28-08:00 ldapsandbox10-1-qa-sjc saslauthd[15889]:
do_auth         : auth failure: [user=chas@test.com] [service=ldap]
[realm=test.com] [mech=kerberos5] [reason=saslauthd internal error]

I'm guessing the problem here is that the realm should match my Kerberos
realm, which is called "KRBTEST", not test.com -- is this something that
needs to be fixed with an authz-regexp?

No, authz-regexp is to map a sasl dn to a real user account in your ldap
directory.

But your user is chas@test.com with a realm named test.com, your
userPassword should be {SASL}chas@KRBTEST

What the heck are you talking about? If the username is chas@test.com thenthat is what goes in the password:


  userpassword: {SASL}chas@test.com

If the realm is actually KRBTEST then the username should be chas@KRBTEST.

and also exists as a principal on your kerberos db ;)


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: Trying to get passthrough auth working with OpenLDAP and Kerberos
  - From: Chastity Blackwell <chas@aggregateknowledge.com>

References:
- Trying to get passthrough auth working with OpenLDAP and Kerberos
  - From: Chastity Blackwell <chas@aggregateknowledge.com>
- Re: Trying to get passthrough auth working with OpenLDAP and Kerberos
  - From: Dan White <dwhite@olp.net>
- Re: Trying to get passthrough auth working with OpenLDAP and Kerberos
  - From: Chastity Blackwell <chas@aggregateknowledge.com>
- Re: Trying to get passthrough auth working with OpenLDAP and Kerberos
  - From: Dan White <dwhite@olp.net>
- Re: Trying to get passthrough auth working with OpenLDAP and Kerberos
  - From: Chastity Blackwell <chas@aggregateknowledge.com>
- Re: Trying to get passthrough auth working with OpenLDAP and Kerberos
  - From: Raffael Sahli <public@raffaelsahli.com>

Prev by Date: Re: Trying to get passthrough auth working with OpenLDAP and Kerberos
Next by Date: Openldap 2.4.28 master/slave crash after upgrade?
Index(es):
- Chronological
- Thread