
Re: kpasswd



Can slapd read/write the saslauthd mux file in your saslauthd dir? In my
case /var/lib/saslauthd/mux. Did you recompile OpenLDAP after
recompiling SASL if you changed the above path? The path to the Unix
named socket is hardcoded in the library unless you override it, which
I'm unsure how to do in OpenLDAP.

Allan Streib wrote:
> 
> Well this helped me get a bit farther.  I found out about the
> testsaslauthd program, and tried it.  I was getting:
> 
> ./testsaslauthd -u astreib -p WRONG_PASSWORD -r IU.EDU -s ldap
> 0: NO "authentication failed"
> 
> ./testsaslauthd -u astreib -p CORRECT_PASSWORD -r IU.EDU -s ldap
> size read failed
> 
> and syslog had:
> 
> saslauthd[30397]: auth_krb5: krb5_get_init_creds_password
> saslauthd[30397]: do_auth         : auth failure: [user=astreib]
> [service=ldap] [realm=IU.EDU] [mech=kerberos5] [reason=saslauthd
> internal error]
> 
> However, adding a host key, as you suggested, to /etc/krb5.keytab got me
> to the point where I now get:
> 
> ./testsaslauthd -u astreib -p CORRECT_PASSWORD -r IU.EDU -s ldap
> 0: OK "Success."
> 
> BUT, I'm *still* getting "Invalid Credentials (49)" from slapd trying
> to bind.
> 
> Allan
> 
> On Friday, October 17, 2003, at 03:21 PM, Paul M Fleming wrote:
> 
> > if you want SASL for just kerberos -- disable building sasl with db
> > support and also disable _ALL_ plugins you don't plan on using. My
> > configure which supports Sendmail, Cyrus IMAP and eventually OpenLDAP
> > with SASL support (still using kpasswd) -- this is from my RedHat RPM
> > for sasl 2.1.13. Also remember saslauthd checks the HOST ticket not a
> > specific app so you need host/hostname.domainname.edu for example not
> > just ldap/hostname.
> >
> > export LDFLAGS="-L/usr/kerberos/lib"
> > export CPPFLAGS="-I /usr/kerberos/include"
> > export CFLAGS="-I /usr/kerberos/include"
> > ./configure --prefix=/usr \
> >         --with-dblib=no \
> >         --with-saslauthd=/var/lib/saslauthd \
> >         --enable-cram=no \
> >         --with-pam=no \
> >         --enable-digest=no \
> >         --enable-otp=no \
> >         --enable-srp=no \
> >         --enable-krb4=no \
> >         --enable-checkapop=no \
> >         --enable-gssapi
> >
> >
> > Allan Streib wrote:
> >>
> >> On Friday, October 17, 2003, at 11:13 AM, I wrote:
> >>
> >>> I'm running into some difficulty -- started saslauthd as:
> >>>    saslauthd -a kerberos5
> >>>
> >>> Edited my userPassword attribute to be:
> >>>
> >>>    userPassword: {SASL}astreib@IU.EDU
> >>>
> >>> I get an invalid credentials error trying to bind.  Also tried
> >>> omitting the @IU.EDU and the same error.  My ldap logs show:
> >>>
> >>> Oct 17 11:06:56 slapd[30324]: SASL [conn=10] Error: unable to open
> >>> Berkeley db /etc/sasldb2: No such file or directory
> >>> Oct 17 11:06:56 slapd[30324]: SASL [conn=10] Failure: Invalid
> >>> credentials
> >>
> >> I created the /etc/sasldb2 and that made no difference (other than
> >> making that log message stop).  Here's some more detailed logging -- if
> >> anyone can spot a clue here I'd appreciate some guidance.  I'm thinking
> >> the "Converted SASL name to <nothing>" message might be a problem?
> >>
> >> .
> >> .
> >> .
> >> SASL Canonicalize [conn=1]: authcid="astreib@IU.EDU"
> >> slap_sasl_getdn: id=astreib@IU.EDU [len=14]
> >> getdn: u:id converted to uid=astreib,cn=IU.EDU,cn=auth
> >>>>> dnNormalize: <uid=astreib,cn=IU.EDU,cn=auth>
> >> => ldap_bv2dn(uid=astreib,cn=IU.EDU,cn=auth,0)
> >> <= ldap_bv2dn(uid=astreib,cn=IU.EDU,cn=auth,0)=0
> >> => ldap_dn2bv(272)
> >> <= ldap_dn2bv(uid=astreib,cn=iu.edu,cn=auth,272)=0
> >> <<< dnNormalize: <uid=astreib,cn=iu.edu,cn=auth>
> >> ==>slap_sasl2dn: converting SASL name uid=astreib,cn=iu.edu,cn=auth to
> >> a DN
> >> slap_sasl_regexp: converting SASL name uid=astreib,cn=iu.edu,cn=auth
> >> <==slap_sasl2dn: Converted SASL name to <nothing>
> >> SASL Canonicalize [conn=1]: authcDN="uid=astreib,cn=iu.edu,cn=auth"
> >> slap_sasl_getdn: id=astreib@IU.EDU [len=0]
> >> getdn: u:id converted to uid=astreib,cn=IU.EDU,cn=auth
> >>>>> dnNormalize: <uid=astreib,cn=IU.EDU,cn=auth>
> >> => ldap_bv2dn(uid=astreib,cn=IU.EDU,cn=auth,0)
> >> <= ldap_bv2dn(uid=astreib,cn=IU.EDU,cn=auth,0)=0
> >> => ldap_dn2bv(272)
> >> <= ldap_dn2bv(uid=astreib,cn=iu.edu,cn=auth,272)=0
> >> <<< dnNormalize: <uid=astreib,cn=iu.edu,cn=auth>
> >> ==>slap_sasl2dn: converting SASL name uid=astreib,cn=iu.edu,cn=auth to
> >> a DN
> >> slap_sasl_regexp: converting SASL name uid=astreib,cn=iu.edu,cn=auth
> >> <==slap_sasl2dn: Converted SASL name to <nothing>
> >> ldap_err2string
> >> SASL [conn=1] Failure: Invalid credentials
> >> .
> >> .
> >> .
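As an added example (not from this thread, and not Cyrus SASL's own code), a small Python client that speaks the length-prefixed protocol testsaslauthd uses on the saslauthd mux socket, paired with a constructed stand-in server, so the three outcomes Allan quotes above can be reproduced offline: `OK "Success."`, `NO "authentication failed"`, and the `size read failed` that appears when the daemon closes the connection without a reply. The mux path, the stand-in's behaviour and the sample credentials are assumptions made for the demo.

```python
import os, socket, struct, tempfile, threading

def encode_request(user, password, service, realm):
    """Frame a saslauthd query as testsaslauthd does: four fields, each a 2-byte big-endian length plus bytes."""
    out = b""
    for field in (user, password, service, realm):
        data = field.encode()
        out += struct.pack("!H", len(data)) + data
    return out

def query_saslauthd(mux_path, user, password, service, realm):
    """Return ("OK"|"NO", message), or ("ERR", "size read failed") when saslauthd
    closes the connection without a length-prefixed reply (the thread's internal-error case)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(mux_path)
        s.sendall(encode_request(user, password, service, realm))
        f = s.makefile("rb")              # read(n) blocks until n bytes arrive or the peer closes
        hdr = f.read(2)
        if len(hdr) < 2:
            return ("ERR", "size read failed")
        body = f.read(struct.unpack("!H", hdr)[0])
    status, _, msg = body.decode().partition(" ")
    return (status, msg)

def serve_once(srv, good_password):
    """Constructed stand-in for saslauthd (not the real daemon): answer one query, then exit."""
    conn, _ = srv.accept()
    with conn, srv:
        data = conn.recv(4096)            # the whole small query arrives in one read here
        ulen = struct.unpack("!H", data[:2])[0]
        plen = struct.unpack("!H", data[2 + ulen:4 + ulen])[0]
        password = data[4 + ulen:4 + ulen + plen].decode()
        if password == "INTERNAL_ERROR":
            return  # close without replying, as saslauthd did after its auth_krb5 failure
        reply = b"OK Success." if password == good_password else b"NO authentication failed"
        conn.sendall(struct.pack("!H", len(reply)) + reply)

def demo(password):
    """Run the stand-in on a temporary mux socket and send it one query from the client side."""
    with tempfile.TemporaryDirectory() as d, socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        mux = os.path.join(d, "mux")      # a real deployment would use e.g. /var/lib/saslauthd/mux
        srv.bind(mux)
        srv.listen(1)
        t = threading.Thread(target=serve_once, args=(srv, "CORRECT_PASSWORD"))
        t.start()
        result = query_saslauthd(mux, "astreib", password, "ldap", "IU.EDU")
        t.join()
    return result

if __name__ == "__main__":
    for pw in ("CORRECT_PASSWORD", "WRONG_PASSWORD", "INTERNAL_ERROR"):
        print(pw, "->", demo(pw))
```

Pointing `query_saslauthd` at a live mux path from the slapd user's account is a quick way to separate a socket-permission problem from a Kerberos one: a permission error surfaces at `connect`, while the daemon's own verdict arrives as the `OK`/`NO` reply.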