[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Pass-though Authentication with Saslauthd and Kerberos

To: Andreas Ntaflos <daff@pseudoterminal.org>
Subject: Re: Pass-though Authentication with Saslauthd and Kerberos
From: Jan-Piet Mens <jpmens.dns@gmail.com>
Date: Wed, 6 Jun 2012 20:22:35 +0200
Cc: Jeff B <jeffb.list@gmail.com>, openldap-technical@openldap.org
Content-disposition: inline
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:user-agent:sender; bh=FIULjofYfsRr+/wO+8eBtFQLDaNKK25Tle3TpDdXB70=; b=BRknl3zORMvh5Au6nqgD5euPl7uz6CYk/z/kEfdHH6FsT90fW/8DboB10xkgzp9myh 5xbUEWSUWXOx4kFlbd/D/WvFfy1LirBnQsIbCkL+0JkcYosAFTtfIP72iiSuCB/l+ajw bQTElv2+pkDPf0gF+Q1tn5ojiTnixaZq/LGWTy2ysr45lpKrY2xLlVmgwel1lF+GNvx5 qL4fqY/c8dT5d7aqx5t8uDJgmnkuFwhxi8NWHx38bE82RwyTp1B/KIwby69jm+fRq37J Y1dRr7wBZwI88Y/Qzq5DkbO4ZfkGo0udWSTPq4nSYmYnUPX3rfP06ZsIzyLxndbYRwmy LsKg==
In-reply-to: <4F0B340D.3010103@pseudoterminal.org>
References: <CANWKOdhq6Ykjqz=N7OyT9EhCM_HzrZjDSBPpQBzKGgi9frq5LQ@mail.gmail.com> <CANWKOdjgpoSD_pg_6HV3_jN-yM1WB8QHnyVVuXhLBVXrMXd5Ug@mail.gmail.com> <CANWKOdgPhMTEnLxgWSMGHLMx++9RXnv8XqaPRqguC5J2sYiHZg@mail.gmail.com> <4F0B340D.3010103@pseudoterminal.org>
User-agent: vim (7.2)/Mutt (1.5.21)

On Mon Jan 09 2012 at 19:38:05 CET, Andreas Ntaflos wrote:

> On 2012-01-06 22:10, Jeff B wrote:
> > Upon more reflection It appears to be a row locking problem in BDB.
> > In the example where I found the SASL pass though example their
> > kerberos principal data was not stored in the user's ldap record.
> > and the example where you could store your kerberos principal in the
> > same record as the user wasn't using pass though auth.   Combining the
> > two options got me here.

> For what it's worth, I can confirm that this problem only occurs whith
> the kdb5-ldap backend when the Kerberos principal is stored in the same
> DN as the user, i.e. using
> 
> addprinc -x dn="uid=foo,ou=people,dc=example,dc=com" foo
> 
> to create the principal. Separating the principal data from the user's
> DN makes SASL pass-through authentication work again.

I'm running OpenLDAP 2.4.31 in Multi-Master Replication mode with BDB
4.7.25.NC (with 4 patches) and am experiencing the same issue. (Have
tried with BDB 5.1.29 which doesn't change anything.) I have one slapd
running on Centos 6.2 (2.6.32-220.13.1.el6.x86_64 SMP x86_64) and the
other on OS/X 10.6.8. Kerberos is MIT krb5-1.10.1 on both.

If I launch saslsauthd with a KRB5_CONFIG pointing to a second KDC which
access a slapd mirror, all works fine.

When both KDC (with kldap back-end) and slapd run on the same machine,
and krb5.conf points to that KDC, saslauthd fails if the Kerberos
principal objects are in the user's DN:

        # /usr/sbin/saslauthd -d -a kerberos5  -m  /var/run/openldap

        saslauthd[96294] :main            : num_procs  : 5
        saslauthd[96294] :main            : mech_option: NULL
        saslauthd[96294] :main            : run_path   : /var/run/openldap
        saslauthd[96294] :main            : auth_mech  : kerberos5
        saslauthd[96294] :ipc_init        : using accept lock file: /var/run/openldap/mux.accept
        saslauthd[96294] :detach_tty      : master pid is: 0
        saslauthd[96294] :ipc_init        : listening on socket: /var/run/openldap/mux
        saslauthd[96294] :main            : using process model
        saslauthd[96294] :have_baby       : forked child: 96295
        saslauthd[96294] :have_baby       : forked child: 96296
        saslauthd[96295] :get_accept_lock : acquired accept lock
        saslauthd[96294] :have_baby       : forked child: 96297
        saslauthd[96294] :have_baby       : forked child: 96298


        saslauthd[96295] :rel_accept_lock : released accept lock
        saslauthd[96297] :get_accept_lock : acquired accept lock
        saslauthd[96295] :do_auth         : auth failure: [user=jpm] [service=ldap] [realm=MENS.DE] [mech=kerberos5] [reason=saslauthd internal error]


If, on the other hand, the kerberos principal data in LDAP is separate
from the user's entry, authentication works:

        saslauthd[96298] :rel_accept_lock : released accept lock
        saslauthd[96294] :get_accept_lock : acquired accept lock
        saslauthd[96298] :do_auth         : auth success: [user=f5] [service=ldap] [realm=MENS.DE] [mech=kerberos5]
        saslauthd[96298] :do_request      : response: OK 

Has anybody found a solution? I want to keep Kerberos principal data in
the users' entries.

        -JP

Prev by Date: Re: slapd hangs - subtree insert failed: -30995
Next by Date: Re: attrs=@objectClassName affects objectClass attribute
Index(es):
- Chronological
- Thread