
Re: kpasswd



Well this helped me get a bit farther. I found out about the testsaslauthd program, and tried it. I was getting:

./testsaslauthd -u astreib -p WRONG_PASSWORD -r IU.EDU -s ldap
0: NO "authentication failed"

./testsaslauthd -u astreib -p CORRECT_PASSWORD -r IU.EDU -s ldap
size read failed

and syslog had:

saslauthd[30397]: auth_krb5: krb5_get_init_creds_password
saslauthd[30397]: do_auth : auth failure: [user=astreib] [service=ldap] [realm=IU.EDU] [mech=kerberos5] [reason=saslauthd internal error]



However, adding a host key, as you suggested, to /etc/krb5.keytab got me to the point where I now get:


./testsaslauthd -u astreib -p CORRECT_PASSWORD -r IU.EDU -s ldap
0: OK "Success."

BUT, I'm *still* getting "Invalid Credentials (49)" from slapd trying to bind.

Allan
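
Added example (Python, not from the thread or from the saslauthd/OpenLDAP sources): two small checks for the saslauthd side of the problem described above. The first parses a `klist -kt /etc/krb5.keytab` listing and confirms the host/<fqdn>@REALM key Paul mentions is present, not just a service key. The second pulls the bracketed fields out of saslauthd's "do_auth : auth failure:" syslog line so the [reason=...] can be checked by a script. The keytab listing, host name and realm in the sample are constructed; the two log lines are the ones quoted above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `klist -kt /etc/krb5.keytab` output; the host name,
# realm and KVNO are made up for this example.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------------------
   3 10/17/03 14:02:11 ldap/ldap1.example.edu@EXAMPLE.EDU
   3 10/17/03 14:02:11 host/ldap1.example.edu@EXAMPLE.EDU
"""

# The two syslog lines quoted in the message above, without the
# timestamp/hostname prefix syslog puts in front of them.
SASLAUTHD_LOG = [
    "saslauthd[30397]: auth_krb5: krb5_get_init_creds_password",
    "saslauthd[30397]: do_auth : auth failure: [user=astreib] [service=ldap] "
    "[realm=IU.EDU] [mech=kerberos5] [reason=saslauthd internal error]",
]


def keytab_principals(klist_output: str) -> List[str]:
    """Extract the principal column from `klist -kt` output.

    Data rows look like '<kvno> <date> <time> <principal>'; the header and
    ruler lines do not start with a number and are skipped.
    """
    principals = []
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.append(m.group(1))
    return principals


def has_host_key(klist_output: str, fqdn: str, realm: str) -> bool:
    """saslauthd's kerberos5 backend verifies the credentials it obtains
    against the machine's host/<fqdn> key, so that principal has to be in
    the keytab; a service key such as ldap/<fqdn> on its own is not enough."""
    return f"host/{fqdn}@{realm}" in keytab_principals(klist_output)


def parse_do_auth(line: str) -> Optional[Dict[str, str]]:
    """Turn a saslauthd 'do_auth : auth failure: [k=v] ...' line into a dict.

    Returns None for lines that are not do_auth results (for instance the
    auth_krb5 trace line). The dict carries a 'result' key with the word
    after 'auth ' plus one key per bracketed field.
    """
    m = re.search(r"do_auth\s*:\s*auth (\w+):\s*(.*)$", line)
    if m is None:
        return None
    fields = dict(re.findall(r"\[(\w+)=([^\]]*)\]", m.group(2)))
    fields["result"] = m.group(1)
    return fields


def failures_by_reason(lines: List[str]) -> Dict[str, List[str]]:
    """Group failed users by saslauthd's reason string; that field is what
    separates the setup problem seen above ('saslauthd internal error')
    from an ordinary rejection of a wrong password."""
    out: Dict[str, List[str]] = {}
    for line in lines:
        f = parse_do_auth(line)
        if f and f.get("result") == "failure":
            out.setdefault(f.get("reason", "?"), []).append(f.get("user", "?"))
    return out


if __name__ == "__main__":
    print(has_host_key(SAMPLE_KLIST, "ldap1.example.edu", "EXAMPLE.EDU"))
    print(failures_by_reason(SASLAUTHD_LOG))
```

To run it against a real box, feed the output of `klist -kt /etc/krb5.keytab` to has_host_key with the machine's canonical FQDN (the one saslauthd resolves, not a CNAME) and grep the saslauthd lines out of syslog for failures_by_reason.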

On Friday, October 17, 2003, at 03:21 PM, Paul M Fleming wrote:

if you want SASL for just kerberos -- disable building sasl with db
support and also disable _ALL_ plugins you don't plan on using. My
configure which supports Sendmail, Cyrus IMAP and eventually OpenLDAP
with SASL support (still using kpasswd) -- this is from my RedHat RPM
for sasl 2.1.13. Also remember saslauthd checks the HOST ticket, not a
specific app so you need host/hostname.domainname.edu for example not
just ldap/hostname.

export LDFLAGS="-L/usr/kerberos/lib"
export CPPFLAGS="-I /usr/kerberos/include"
export CFLAGS="-I /usr/kerberos/include"
./configure --prefix=/usr \
        --with-dblib=no \
        --with-saslauthd=/var/lib/saslauthd \
        --enable-cram=no \
        --with-pam=no \
        --enable-digest=no \
        --enable-otp=no \
        --enable-srp=no \
        --enable-krb4=no \
        --enable-checkapop=no \
        --enable-gssapi


Allan Streib wrote:

On Friday, October 17, 2003, at 11:13 AM, I wrote:

I'm running into some difficulty -- started saslauthd as:
   saslauthd -a kerberos5

Edited my userPassword attribute to be:

   userPassword: {SASL}astreib@IU.EDU

I get an invalid credentials error trying to bind.  Also tried
omitting the @IU.EDU and the same error.  My ldap logs show:

Oct 17 11:06:56 slapd[30324]: SASL [conn=10] Error: unable to open
Berkeley db /etc/sasldb2: No such file or directory
Oct 17 11:06:56 slapd[30324]: SASL [conn=10] Failure: Invalid
credentials

I created the /etc/sasldb2 and that made no difference (other than
making that log message stop). Here's some more detailed logging -- if
anyone can spot a clue here I'd appreciate some guidance. I'm thinking
the "Converted SASL name to <nothing>" message might be a problem?


.
.
.
SASL Canonicalize [conn=1]: authcid="astreib@IU.EDU"
slap_sasl_getdn: id=astreib@IU.EDU [len=14]
getdn: u:id converted to uid=astreib,cn=IU.EDU,cn=auth
dnNormalize: <uid=astreib,cn=IU.EDU,cn=auth>
=> ldap_bv2dn(uid=astreib,cn=IU.EDU,cn=auth,0)
<= ldap_bv2dn(uid=astreib,cn=IU.EDU,cn=auth,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=astreib,cn=iu.edu,cn=auth,272)=0
<<< dnNormalize: <uid=astreib,cn=iu.edu,cn=auth>
==>slap_sasl2dn: converting SASL name uid=astreib,cn=iu.edu,cn=auth to
a DN
slap_sasl_regexp: converting SASL name uid=astreib,cn=iu.edu,cn=auth
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=1]: authcDN="uid=astreib,cn=iu.edu,cn=auth"
slap_sasl_getdn: id=astreib@IU.EDU [len=0]
getdn: u:id converted to uid=astreib,cn=IU.EDU,cn=auth
dnNormalize: <uid=astreib,cn=IU.EDU,cn=auth>
=> ldap_bv2dn(uid=astreib,cn=IU.EDU,cn=auth,0)
<= ldap_bv2dn(uid=astreib,cn=IU.EDU,cn=auth,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=astreib,cn=iu.edu,cn=auth,272)=0
<<< dnNormalize: <uid=astreib,cn=iu.edu,cn=auth>
==>slap_sasl2dn: converting SASL name uid=astreib,cn=iu.edu,cn=auth to
a DN
slap_sasl_regexp: converting SASL name uid=astreib,cn=iu.edu,cn=auth
<==slap_sasl2dn: Converted SASL name to <nothing>
ldap_err2string
SASL [conn=1] Failure: Invalid credentials
.
.
.
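
Added example (Python, not from the thread and not slapd's code): a sketch of what the slap_sasl_getdn / slap_sasl_regexp lines in the log above are doing. slapd turns the SASL identity "astreib@IU.EDU" into the auth DN "uid=astreib,cn=IU.EDU,cn=auth", normalizes it, and then runs it through the sasl-regexp rules from slapd.conf; "Converted SASL name to <nothing>" is what it reports when no rule matches. The rule mapping onto ou=People,dc=iu,dc=edu is hypothetical, the thread shows no sasl-regexp configuration, and lowercasing the whole DN is a simplification of dnNormalize that is adequate for these values.

```python
import re
from typing import List, Optional, Tuple

# One sasl-regexp rule as it would appear in slapd.conf: a pattern matched
# against the normalized SASL auth DN, and a replacement in which $1, $2, ...
# stand for the capture groups. (Hypothetical; the thread shows no rules.)
Rule = Tuple[str, str]


def sasl_authcid_to_authdn(authcid: str) -> str:
    """Build the 'uid=<user>,cn=<REALM>,cn=auth' form seen in the slapd log.

    Without an '@REALM' suffix the realm component is simply omitted
    (slapd's sasl-realm default is ignored here for brevity).
    """
    if "@" in authcid:
        user, realm = authcid.split("@", 1)
        return f"uid={user},cn={realm},cn=auth"
    return f"uid={authcid},cn=auth"


def normalize_dn(dn: str) -> str:
    """Stand-in for dnNormalize: uid and cn use case-insensitive matching,
    which is why the log shows cn=IU.EDU turned into cn=iu.edu. Lowercasing
    the whole string is a simplification that holds for these DNs."""
    return dn.lower()


def apply_sasl_regexp(authdn: str, rules: List[Rule]) -> Optional[str]:
    """Return the DN produced by the first matching rule, or None when no
    rule matches (the log's 'Converted SASL name to <nothing>')."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authdn)
        if m is None:
            continue
        out = replacement
        # Substitute the highest-numbered group first so $1 cannot clobber $10.
        for i in range(len(m.groups()), 0, -1):
            out = out.replace(f"${i}", m.group(i) or "")
        return out
    return None


def map_identity(authcid: str, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Whole path from SASL authcid to (normalized auth DN, mapped DN or None)."""
    authdn = normalize_dn(sasl_authcid_to_authdn(authcid))
    return authdn, apply_sasl_regexp(authdn, rules)


if __name__ == "__main__":
    # No sasl-regexp configured: the situation the log above shows.
    print(map_identity("astreib@IU.EDU", []))
    # A hypothetical rule mapping the realm form onto a people branch.
    rules = [(r"uid=([^,]+),cn=iu\.edu,cn=auth", "uid=$1,ou=People,dc=iu,dc=edu")]
    print(map_identity("astreib@IU.EDU", rules))
    # Without a realm the DN lacks the cn=iu.edu component and the rule misses.
    print(map_identity("astreib", rules))
```

The point of the exercise is that the regexp is matched against the normalized (lowercased) DN, so a rule written with cn=IU.EDU would never fire; write the pattern in the form the log prints after dnNormalize.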