
Re: SASL pass-through fails



Joshua Schaeffer wrote:
Hey all,

I've been using OpenLDAP and Kerberos for central authentication for a while
now, but I have a couple programs that can't use GSSAPI directly and I want to
setup SASL pass-through authentication to allow those services to use my
Kerberos passwords, but I'm having trouble getting saslauthd to work correctly.

I can authenticate as myself using GSSAPI without any issue:

jschaeffer@zipmaster07 ~/Downloads $ ldapwhoami
SASL/GSSAPI authentication started
SASL username: jschaeffer@HARMONYWAVE.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=jschaeffer,ou=end users,ou=people,dc=harmonywave,dc=com

But whenever I run the testsaslauthd command I can't get a successful
authentication:

root@baneling:~# testsaslauthd -u jschaeffer@HARMONYWAVE.COM -p <password>
0: NO "authentication failed"

When I debug the saslauthd daemon all I get is this:

root@baneling:~# saslauthd -a kerberos5 -m /var/run/saslauthd -n 5 -d
saslauthd[1121] :main            : num_procs  : 5
saslauthd[1121] :main            : mech_option: NULL
saslauthd[1121] :main            : run_path   : /var/run/saslauthd
saslauthd[1121] :main            : auth_mech  : kerberos5
saslauthd[1121] :ipc_init        : using accept lock file:
/var/run/saslauthd/mux.accept
saslauthd[1121] :detach_tty      : master pid is: 0
saslauthd[1121] :ipc_init        : listening on socket: /var/run/saslauthd/mux
saslauthd[1121] :main            : using process model
saslauthd[1121] :have_baby       : forked child: 1122
saslauthd[1122] :get_accept_lock : acquired accept lock
saslauthd[1121] :have_baby       : forked child: 1123
saslauthd[1121] :have_baby       : forked child: 1124
saslauthd[1121] :have_baby       : forked child: 1125
saslauthd[1122] :rel_accept_lock : released accept lock
saslauthd[1124] :get_accept_lock : acquired accept lock
saslauthd[1122] :do_auth         : auth failure:
[user=jschaeffer@HARMONYWAVE.COM] [service=imap] [realm=] [mech=kerberos5]
[reason=saslauthd internal error]

Kinda at a loss at what else I should look at. Any tips would be appreciated.

Your testsaslauthd is trying to use the imap service. If you don't have an imap service in your KDC, then of course it will fail.



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
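As an added example (not from the thread or from Cyrus SASL itself), a small POSIX shell script that pulls the user, service, mechanism and reason fields out of the `do_auth` failure lines that `saslauthd -d` prints, and then reports which requested services have no matching `<service>/<host>` key in a `klist -k` listing. The log lines, the host name and the keytab listing are constructed samples modelled on the output quoted above.

```shell
#!/bin/sh
# Constructed sample of "saslauthd -d" output, modelled on the failure line in
# the post above (saslauthd writes it on one line; the mail client wrapped it).
SAMPLE_LOG='saslauthd[1122] :do_auth         : auth failure: [user=jschaeffer@HARMONYWAVE.COM] [service=imap] [realm=] [mech=kerberos5] [reason=saslauthd internal error]
saslauthd[1123] :do_auth         : auth failure: [user=alice@HARMONYWAVE.COM] [service=smtp] [realm=] [mech=kerberos5] [reason=saslauthd internal error]'

# Constructed "klist -k" listing for the server keytab (hypothetical host name).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/baneling.harmonywave.com@HARMONYWAVE.COM
   2 imap/baneling.harmonywave.com@HARMONYWAVE.COM'

# Emit one "user|service|mech|reason" record per auth-failure line.
saslauthd_failures() {
    printf '%s\n' "$1" | sed -n \
      's/.*auth failure: \[user=\([^]]*\)\] \[service=\([^]]*\)\] \[realm=[^]]*\] \[mech=\([^]]*\)\] \[reason=\([^]]*\)\].*/\1|\2|\3|\4/p'
}

# Distinct service names the failed requests asked saslauthd to authenticate for.
failed_services() {
    saslauthd_failures "$1" | cut -d'|' -f2 | sort -u
}

# Print each failed service that has no "<service>/<host>@REALM" key in the
# keytab listing: those are the ones to provision in the KDC and keytab (or to
# select with testsaslauthd -s) before retrying.
missing_service_keys() {
    log=$1
    keytab=$2
    for svc in $(failed_services "$log"); do
        printf '%s\n' "$keytab" | grep -q "^ *[0-9][0-9]* $svc/" || echo "$svc"
    done
}

# Stand-alone run: list the failures, then the services lacking a keytab key.
saslauthd_failures "$SAMPLE_LOG"
missing_service_keys "$SAMPLE_LOG" "$SAMPLE_KEYTAB"
```

On a real host, replace the two samples with `saslauthd -d` output and `klist -k` output captured from the server.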