Hello,

I need help with the following problem. Our password authentication should use SASL, but we don't see any requests in our logs or with tcpdump.

The password authentication should work as follows:
- userPassword-Attribute: {SASL}User@Domain
- saslauthd -> use PAM
- PAM -> use kerberos
- kerberos -> send request to Active-Directory Server

RPM list:
---------------------
lshxx0693:~ # rpm -qa | grep sasl
cyrus-sasl-gssapi-32bit-2.1.22-182.20.1
cyrus-sasl-gssapi-2.1.22-182.20.1
cyrus-sasl-2.1.22-182.20.1
cyrus-sasl-32bit-2.1.22-182.20.1
cyrus-sasl-digestmd5-2.1.22-182.20.1
cyrus-sasl-digestmd5-32bit-2.1.22-182.20.1
cyrus-sasl-devel-2.1.22-182.20.1
cyrus-sasl-saslauthd-2.1.22-182.19
lshxx0693:~ # rpm -qa | grep krb
krb5-1.6.3-133.49.64.1
krb5-32bit-1.6.3-133.49.64.1
pam_krb5-2.3.1-47.12.1
pam_krb5-32bit-2.3.1-47.12.1
krb5-doc-1.6.3-133.49.64.1
krb5-plugin-kdb-ldap-1.6.3-133.49.64.1
krb5-server-1.6.3-133.49.64.1
krb5-client-1.6.3-133.49.64.1
lshxx0693:~ # rpm -qa | grep ldap
openldap2-2.4.26-0.28.5
openldap2-client-2.4.26-0.28.5
openldap2-devel-2.4.26-0.28.5
pam_ldap-184-147.20
pam_ldap-32bit-184-147.20
nss_ldap-262-11.32.39.1
nss_ldap-32bit-262-11.32.39.1
libldap-2_4-2-2.4.26-0.28.5
libldap-2_4-2-32bit-2.4.26-0.28.5
libldapcpp1-0.3.0-0.9.29
libevoldap-2_4-2-2.4.12-4.19
yast2-ldap-2.17.8-0.7.61
yast2-ldap-client-2.17.38-0.7.2
yast2-ldap-server-2.17.44-0.5.1
lshxx0693:~ # rpm -qa | grep cyrus
cyrus-sasl-gssapi-2.1.22-182.20.1
cyrus-sasl-gssapi-32bit-2.1.22-182.20.1
cyrus-sasl-saslauthd-2.1.22-182.19
cyrus-sasl-devel-2.1.22-182.20.1
cyrus-sasl-2.1.22-182.20.1
cyrus-sasl-32bit-2.1.22-182.20.1
cyrus-sasl-digestmd5-2.1.22-182.20.1
cyrus-sasl-digestmd5-32bit-2.1.22-182.20.1

Configuration files:
----------------------------
lshxx0693:~ # cat /etc/sasl2/slapd.conf
mech_list: plain login
pwcheck_method: saslauthd
lshxx0693:~ # cat /etc/sysconfig/saslauthd
SASLAUTHD_AUTHMECH=pam
SASLAUTHD_THREADS=5
SASLAUTHD_PARAMS="-r"
lshxx0693:~ # cat /etc/pam.d/ldap
auth required pam_krb5.so no_user_check
account required pam_permit.so
lshxx0693:/etc/pam.d/ # cat common-account | egrep -v "^#"
account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass
lshxx0693:/etc/pam.d/ # cat common-account-pc | egrep -v "^#"
account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass
lshxx0693:/etc/pam.d/ # cat common-auth | egrep -v "^#"
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_ldap.so use_first_pass
lshxx0693:/etc/pam.d/ # cat common-auth-pc | egrep -v "^#"
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_ldap.so use_first_pass
shxx0693:/etc/pam.d/ # cat common-password | egrep -v "^#"
password requisite pam_pwcheck.so nullok cracklib
password sufficient pam_unix2.so use_authtok nullok
password required pam_ldap.so try_first_pass use_authtok
lshxx0693:/etc/pam.d/ # cat common-session | egrep -v "^#"
session optional pam_mkhomedir.so
session required pam_limits.so
session required pam_unix2.so
session optional pam_ldap.so
session optional pam_umask.so
lshxx0693:/etc/pam.d/ # cat common-session-pc | egrep -v "^#"
session optional pam_mkhomedir.so
session required pam_limits.so
session required pam_unix2.so
session optional pam_ldap.so
session optional pam_umask.so
lshxx0693:/etc/pam.d/ # cat common-password-pc | egrep -v "^#"
password requisite pam_pwcheck.so nullok cracklib
password sufficient pam_unix2.so use_authtok nullok
password required pam_ldap.so try_first_pass use_authtok
lshxx0693:~ # pam-config --verify
lshxx0693:~ #
lshxx0693:~ # cat /etc/krb5.conf
[libdefaults]
    default_realm = INT.IT.DPP
    dns_lookup_kdc = true
[realms]
    INT.IT.DPP = {
        kdc = 10.150.10.10
        kdc = 10.150.10.10
    }
[logging]
    default = SYSLOG:NOTICE:DAEMON
lshxx0693:~ # cat /etc/nsswitch.conf | egrep -v "#"
passwd: compat
group: files ldap
hosts: files dns
networks: files dns
services: files ldap
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files ldap
publickey: files
bootparams: files
automount: files nis
aliases: files ldap
passwd_compat: ldap

Please tell me if you need more information. I would like to thank you in advance for your help.

Best wishes
S. Kuechler